CSP Alerts by OWASP even though CSP header is added

Time:02-03

I am automatically testing an ASP.NET web application for vulnerabilities using OWASP ZAP 2.12.0. It is raising some CSP alerts, which I don't understand because the CSP header is added in the Web.config. I need help to address the raised alerts.

CSP Header

  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy"
           value="default-src 'self' 'unsafe-inline' http://localhost:50/master/child/;
                  script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:50/master/child/;
                  img-src 'self' data: http://localhost:50/master/child/;
                  style-src 'self' 'unsafe-inline' http://localhost:50/master/child/;
                  object-src 'self' http://localhost:50/master/child/;
                  font-src 'self' data:;
                  media-src 'self';
                  frame-ancestors 'self';
                  upgrade-insecure-requests;
                  connect-src 'self';
                  frame-src 'self';" />
    </customHeaders>
  </httpProtocol>

Alerts

Alerts (14)
CSP: Wildcard Directive (8)
GET: http://localhost:50/Master/Child/UI/App_Themes/images/ajax-loader.gif
GET: http://localhost:50/Master/Child/UI/App_Themes/Login/css/style.css
GET: http://localhost:50/Master/Child/UI/App_Themes/Styles/HTMLStyle.css
GET: http://localhost:50/Master/Child/UI/Login.aspx
GET: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches
GET: http://localhost:50/Master/Child/UI/Scripts/jquery-ui-1.8.16.min.js
POST: http://localhost:50/Master/Child/UI/Login.aspx
POST: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches

CSP: script-src unsafe-inline (8)
GET: http://localhost:50/Master/Child/UI/App_Themes/images/ajax-loader.gif
GET: http://localhost:50/Master/Child/UI/App_Themes/Login/css/style.css
GET: http://localhost:50/Master/Child/UI/App_Themes/Styles/HTMLStyle.css
GET: http://localhost:50/Master/Child/UI/Login.aspx
GET: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches
GET: http://localhost:50/Master/Child/UI/Scripts/jquery-ui-1.8.16.min.js
POST: http://localhost:50/Master/Child/UI/Login.aspx
POST: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches

CSP: style-src unsafe-inline (8)
GET: http://localhost:50/Master/Child/UI/App_Themes/images/ajax-loader.gif
GET: http://localhost:50/Master/Child/UI/App_Themes/Login/css/style.css
GET: http://localhost:50/Master/Child/UI/App_Themes/Styles/HTMLStyle.css
GET: http://localhost:50/Master/Child/UI/Login.aspx
GET: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches
GET: http://localhost:50/Master/Child/UI/Scripts/jquery-ui-1.8.16.min.js
POST: http://localhost:50/Master/Child/UI/Login.aspx
POST: http://localhost:50/Master/Child/UI/Login.aspx/GetBranches

CodePudding user response:

As per the comments, always look at the ZAP alert details, they should explain exactly what the problem is. If it's not clear then reach out to the ZAP team via the ZAP User Group - we should be able to explain what the problem is and improve the alert details if needed.
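Added example (not from the question, the answer, or ZAP's own code): a small Python checker that applies CSP's default-src fallback rules to the header posted in the question and reports findings named after the three ZAP alerts. Treating a missing form-action or frame-ancestors as unrestricted is an assumption about how ZAP's "Wildcard Directive" rule decides, so confirm it against the alert details ZAP shows.

```python
# Fetch directives: when absent they fall back to default-src (CSP spec behaviour).
FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "worker-src", "manifest-src"]
# Directives with no default-src fallback: if missing, nothing restricts them.
# Counting a missing one as a wildcard is an assumption about ZAP's rule, not ZAP code.
NO_FALLBACK = ["frame-ancestors", "form-action"]

# The header value from the question's Web.config, pasted as one string (sample input).
QUESTION_CSP = (
    "default-src 'self' 'unsafe-inline' http://localhost:50/master/child/; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:50/master/child/; "
    "img-src 'self' data: http://localhost:50/master/child/; "
    "style-src 'self' 'unsafe-inline' http://localhost:50/master/child/; "
    "object-src 'self' http://localhost:50/master/child/; font-src 'self' data:; "
    "media-src 'self'; frame-ancestors 'self'; upgrade-insecure-requests; "
    "connect-src 'self'; frame-src 'self';"
)

def parse_csp(header):
    """Split a CSP string into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Apply the default-src fallback; None means nothing restricts the directive."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None

def lint_csp(header):
    """Return findings keyed like the three ZAP alerts from the question."""
    policy = parse_csp(header)
    wildcard = []
    for d in FETCH_DIRECTIVES + NO_FALLBACK:
        src = effective_sources(policy, d)
        if src is None or "*" in src:  # unrestricted or explicitly wildcarded
            wildcard.append(d)
    return {
        "wildcard_directive": wildcard,
        "script-src_unsafe-inline": "'unsafe-inline'" in (effective_sources(policy, "script-src") or []),
        "style-src_unsafe-inline": "'unsafe-inline'" in (effective_sources(policy, "style-src") or []),
    }

if __name__ == "__main__":
    for name, finding in lint_csp(QUESTION_CSP).items():
        print(f"{name}: {finding}")
```

On the posted header the checker reports form-action as unrestricted and 'unsafe-inline' in both script-src and style-src; removing 'unsafe-inline' (nonces or hashes instead) and adding an explicit form-action clears all three.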
