I know that using strict values for default-src and scripts-src are a popular way to prevent (or at least limit the impact) of XSS attacks. But I was just wondering it CSPs can be used to stop attackers/pentesters from hooking browsers using the BeEF framework.
Asked
Active
Viewed 926 times
5
-
Do I understand you correctly, that you want to stop someone from using the BeEF framework against your website by sending a CSP directive? – Arminius Apr 07 '18 at 22:52
1 Answers
2
Yes. The Beef hook is just an advanced payload for an XSS attack that relies upon the script-src tag. If you have a healthy Content-Security-Policy, victims browser will refuse to load the external beef hook.
CSP is a secondary line of defense in case you have a HTML-injection vulnerability.
Dog eat cat world
- 5,759
- 1
- 27
- 46
-
well, except for bypasses to CSP, such as -- http://ruxcon.org.au/assets/slides/CSP-kuza55.pptx -- and the more-recent work on the subject. – atdre May 11 '18 at 22:14
-
1@atdre Bypasses to CSP are actually security bugs in the browser in some cases or just an incorrectly implemented CSP on the web application. The defense mechanism is there, whether it's well implemented is a different problem – Mr. E Aug 09 '18 at 18:26