The Nonce-nce of Web Security: an Investigation of CSP Nonces Reuse / Golinelli, Matteo; Bonomi, Francesco; Crispo, Bruno. - 14399:(2024), pp. 459-475. (Paper presented at the Workshop on Attacks and Software Protection @ ESORICS 2023, held in The Hague, The Netherlands, 25-29 Sep 2023) [10.1007/978-3-031-54129-2_27].

The Nonce-nce of Web Security: an Investigation of CSP Nonces Reuse

Golinelli, Matteo; Crispo, Bruno
2024-01-01

Abstract

Content Security Policy (CSP) is an effective security mechanism that prevents the exploitation of Cross-Site Scripting (XSS) vulnerabilities on websites by specifying the sources from which their web pages can load resources, such as scripts and styles. CSP nonces enable websites to allow the execution of specific inline scripts and styles without relying on a whitelist. In this study, we measure and analyze the use of CSP nonces in the wild, specifically looking for nonce reuse, short nonces, and invalid nonces. We find that, of the 2271 sites that deploy a nonce-based policy, 598 of them reuse the same nonce value in more than one response, potentially enabling attackers to bypass protection offered by the CSP against XSS attacks. We analyze the causes of the nonce reuses to identify whether they are introduced by the server-side code or if the nonces are being cached by web caches. Moreover, we investigate whether nonces are only reused within the same session or for different sessions, as this impacts the effectiveness of CSP in preventing XSS attacks. Finally, we discuss the possibilities for attackers to bypass the CSP and achieve XSS in different nonce reuse scenarios.
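A defender-side audit for the three problems the abstract enumerates (a nonce repeated across responses, within or across sessions; nonces too short; nonces that are not valid base64 values), written as an added example for this page and not code from the paper. The sample responses are constructed; the 128-bit threshold follows the CSP specification's recommendation and the character set its base64-value grammar.

```python
import re
from collections import defaultdict

# CSP3 recommends at least 128 bits of entropy per nonce.
MIN_NONCE_BITS = 128
# CSP grammar: base64-value = 1*(ALPHA / DIGIT / "+" / "/" / "-" / "_") *2("=")
BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/\-_]+={0,2}$")
NONCE_SOURCE = re.compile(r"'nonce-([^']*)'")

# Constructed sample: (session id, CSP header value) pairs, not data from the study.
SAMPLE_RESPONSES = [
    ("s1", "script-src 'nonce-rAnd0mV4lu3rAnd0mV4lu3' 'strict-dynamic'"),
    ("s1", "script-src 'nonce-rAnd0mV4lu3rAnd0mV4lu3' 'strict-dynamic'"),  # reused in s1
    ("s2", "script-src 'nonce-rAnd0mV4lu3rAnd0mV4lu3'"),                   # reused across sessions
    ("s2", "script-src 'nonce-abc123' 'self'"),                             # too short (32 bits)
    ("s3", "script-src 'nonce-bad nonce!' 'self'"),                         # invalid characters
    ("s3", "script-src 'nonce-Q2hhbmdlZCBFdmVyeSBSZXNwb25zZQ==' 'self'"),  # fresh and long enough
]


def nonce_bits(nonce):
    """Upper bound on entropy: 6 bits per base64 character, rounded down to whole bytes."""
    return (len(nonce.rstrip("=")) * 6) // 8 * 8


def classify_nonce(nonce):
    """Return 'invalid', 'short' or 'ok' for a single nonce value."""
    if not BASE64_VALUE.match(nonce):
        return "invalid"
    if nonce_bits(nonce) < MIN_NONCE_BITS:
        return "short"
    return "ok"


def audit_nonces(responses):
    """Collect every nonce from the CSP headers and report reuse, short and invalid values."""
    seen = defaultdict(list)  # nonce -> list of session ids it was served in
    findings = {"reuse": {}, "short": [], "invalid": []}
    for session, csp in responses:
        for nonce in NONCE_SOURCE.findall(csp):
            seen[nonce].append(session)
            kind = classify_nonce(nonce)
            if kind != "ok" and nonce not in findings[kind]:
                findings[kind].append(nonce)
    for nonce, sessions in seen.items():
        if len(sessions) > 1:  # the same value served in more than one response
            findings["reuse"][nonce] = {
                "count": len(sessions),
                # Reuse across sessions means other users receive a value an attacker may already know.
                "cross_session": len(set(sessions)) > 1,
            }
    return findings
```

Running `audit_nonces(SAMPLE_RESPONSES)` flags the first nonce as reused three times across sessions, `abc123` as short and `bad nonce!` as invalid.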
2024
Computer Security. ESORICS 2023 International Workshops
Cham, Switzerland
Springer Cham
978-3-031-54128-5
Golinelli, Matteo; Bonomi, Francesco; Crispo, Bruno
Files in this item:

File: _WASP__The_Nonce_nce_of_Security__an_Investigation_of_CSP_Nonces_Reuse-5.pdf
  Size: 400.2 kB
  Format: Adobe PDF
  Access: archive administrators only
  Type: Non-refereed preprint
  Licence: All rights reserved

File: The Nonce-nce of Web Security_ an Investigation of CSP Nonces Reuse.pdf
  Size: 242.15 kB
  Format: Adobe PDF
  Access: archive administrators only
  Type: Publisher's layout
  Licence: All rights reserved

File: The_Nonce_nce_of_Security__an_Investigation_of_CSP_Nonces_Reuse_postprint.pdf
  Size: 400.2 kB
  Format: Adobe PDF
  Access: embargo until 12/03/2025
  Type: Refereed author's manuscript (post-print)
  Licence: All rights reserved

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/399069
Citations
  • Scopus 0