Zaproxy: Lack of CSP entirely is reported as 'Low (Medium)' but unsafe-inline reported as Medium

Created on 16 Nov 2020 · 3 Comments · Source: zaproxy/zaproxy

If you have no CSP at all, this is reported as Low (Medium).

But a CSP with unsafe-inline (in script-src or style-src) is reported with a higher severity (Medium).

This may be controversial, but I would suggest that having no CSP at all is either the same or a higher risk than having a CSP that is too broadly scoped for just some elements. In terms of attack surface it is arguably still slightly harder to exploit the rendering of a page that doesn't allow external JavaScript/CSS but does allow unsafe-inline than one that allows JavaScript/CSS from anywhere, or from third parties that have become compromised (and where sha256 hashes are not being used to mitigate the latter).

IMO either unsafe-inline should be Low (Medium), or both the lack of CSP and the use of unsafe-inline should be Medium, but the complete lack of a CSP should not be lower in severity than the use of unsafe-inline.

Labels: add-on bug
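The comparison the issue draws (no header at all versus a header that allows 'unsafe-inline', versus one that allows scripts from anywhere) is easy to check mechanically. The following is an added example, not ZAP's passive-scan rule code and not anything the issue author posted: a small CSP triage routine that parses the header, applies the default-src fallback for script-src and style-src, and rates the result. The severity labels, the rule that a missing header rates Medium (following the thread's conclusion), the set of source expressions treated as "any origin", and the downgrade to Low when 'unsafe-inline' sits next to a nonce or hash (CSP3 browsers then ignore 'unsafe-inline') are all assumptions made for this example. The sample headers are constructed, and `hash_source` shows how an inline script body is allow-listed by sha256 hash instead of 'unsafe-inline'.

```python
import base64
import hashlib
import re

# Added example, not ZAP's passive-scan rule code. Severity labels and the
# ordering below are assumptions chosen to match the thread's conclusion:
# a missing CSP rates the same as 'unsafe-inline', not lower.
SEVERITY_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
_NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$")
# Source expressions that leave a directive effectively unrestricted (assumption).
_UNRESTRICTED = {"*", "http:", "https:", "data:"}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}.
    CSP ignores a repeated directive, so the first occurrence wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """script-src/style-src fall back to default-src. Returns (governing
    directive, sources) or (None, None) when nothing governs the directive."""
    if directive in policy:
        return directive, policy[directive]
    if "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, None


def hash_source(inline_body):
    """CSP hash-source allow-listing one inline script/style body (sha256 of
    the exact text between the tags), the alternative to 'unsafe-inline'."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def assess(headers):
    """Rate a dict of response headers; returns (worst severity, [findings])."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        # Thread consensus: no CSP at all must not rate below 'unsafe-inline'.
        return "Medium", ["no Content-Security-Policy header at all"]

    policy = parse_csp(csp)
    findings = []
    for directive in ("script-src", "style-src"):
        origin, sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(("Medium",
                             f"{directive} is unrestricted: neither it nor default-src is set"))
            continue
        if "'unsafe-inline'" in sources:
            if any(_NONCE_OR_HASH.match(s) for s in sources):
                # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is
                # present, so this is only the backwards-compatibility pattern.
                findings.append(("Low",
                                 f"{origin} keeps 'unsafe-inline' as fallback next to a nonce/hash"))
            else:
                findings.append(("Medium", f"{origin} allows 'unsafe-inline'"))
        loose = sorted(_UNRESTRICTED.intersection(sources))
        if loose:
            findings.append(("Medium", f"{origin} allows any origin via {', '.join(loose)}"))
    if not findings:
        return "Informational", []
    worst = max(findings, key=lambda f: SEVERITY_ORDER[f[0]])[0]
    return worst, [msg for _, msg in findings]


if __name__ == "__main__":
    # Constructed sample headers: no policy, 'unsafe-inline', and a hashed inline script.
    samples = {
        "no header": {},
        "inline": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
        "hashed": {"Content-Security-Policy":
                   "default-src 'none'; style-src 'self'; script-src 'self' " + hash_source("alert(1)")},
    }
    for name, hdrs in samples.items():
        print(name, assess(hdrs))
```

Run it against the three constructed samples: the missing header and the 'unsafe-inline' policy both come out Medium, while the policy that allow-lists the inline script by hash reports nothing. A policy that sets only script-src and no default-src is also flagged, because style-src is then unrestricted, which is the kind of "broadly scoped for just some elements" case the issue contrasts with having no policy at all.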

All 3 comments

I forget if that was done on purpose or if it's just a miss due to changes over time, but I agree that it seems off.

Agreed - rules tend to get implemented in isolation and we may well have other anomalies like this.
I'd say lack of CSP should be Medium. Part of me wants to say "High" but I know how painful CSP can be to retrofit to an existing app ...

This is now available via Check for Updates / Marketplace via v23 of the Passive Scan Rules Beta add-on.
