Hacker News

CSP in Pentesting: Understanding the Essentials


10 min read Via www.kayssel.com

Mewayz Team

Editorial Team


What Every Pentester Should Know About Content Security Policy

Content Security Policy (CSP) has become one of the most important browser-side defenses against cross-site scripting (XSS), data injection, and clickjacking attacks. Yet in penetration testing practice, CSP headers remain one of the most frequently misconfigured, and misunderstood, security controls. A 2024 study of more than one million websites found that only 12.8% deployed a CSP header at all, and of those, roughly 94% contained at least one exploitable weakness. For pentesters, understanding CSP is not optional; it is the difference between a surface-level assessment and a report that genuinely strengthens a client's security.

Whether you are running web application tests, hunting bugs, or building security into a business platform that handles sensitive customer data, CSP knowledge is foundational. This guide explains what CSP is, how it works under the hood, where it fails, and how pentesters can assess and bypass weak policies.

What Content Security Policy Actually Does

At its core, CSP is a declarative security mechanism delivered through an HTTP response header (or, less commonly, a <meta> tag). It instructs the browser which sources of content (scripts, stylesheets, images, fonts, frames, and so on) are allowed to load and execute on a given page. If a resource violates the policy, the browser blocks it and optionally reports the violation to a configured endpoint.

The original motivation behind CSP was to mitigate XSS attacks. Traditional XSS defenses such as input sanitization and output encoding work, but they are brittle: a single missed context or encoding mistake can introduce a vulnerability. CSP adds a defense-in-depth layer: even if an attacker injects a malicious script tag into the DOM, a well-constructed policy prevents the browser from executing it.

CSP works on a whitelist model. Rather than trying to block known-bad content, it defines what is allowed; everything else is denied by default. This inversion of the security model is powerful in theory, but in practice, maintaining strict policies on complex web applications, particularly platforms that run many integrated modules such as CRM, invoicing, analytics, and booking systems, is notoriously hard.

Anatomy of a CSP Header: Directives and Sources

A CSP header is composed of directives, each controlling a class of resource. Understanding these directives is essential for any pentester evaluating a target's policy. The most important directives include default-src (the fallback for any directive not explicitly set), script-src (JavaScript execution), style-src (CSS), img-src (images), connect-src (XHR and WebSocket connections), frame-src (embedded iframes), and object-src (plugins such as Flash or Java applets).

Sources range from host names (https://cdn.example.com) to special keywords:

  • 'self' - allows resources from the same origin as the document
  • 'none' - blocks all resources of that type
  • 'unsafe-inline' - allows inline scripts or styles (which makes the XSS protection ineffective)
  • 'unsafe-eval' - allows eval(), setTimeout(string), and similar dynamic code execution
  • 'nonce-{random}' - allows inline scripts that carry a matching cryptographic nonce
  • 'strict-dynamic' - trusts scripts loaded by already-trusted scripts, ignoring host allowlists
  • data: - allows data: URIs as sources

A typical CSP header might look like this: Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src *; object-src 'none'. As a pentester, your job is to read this policy and identify where it is strong, where it is weak, and where it is exploitable.
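Reading a policy by hand is fine for one header, but an assessment usually covers many. The following Python script is an added example, not code from the article or from kayssel.com: it parses a CSP header into directives, applies the default-src fallback described above, and flags the weak settings this article discusses ('unsafe-inline' without a nonce or hash, 'unsafe-eval', wildcard script sources, data: in script-src, and an object-src that is not 'none'). The function names, the finding wording, and the second, deliberately weak header are all constructed for this example.

```python
# Minimal CSP parser and weakness checker (added example; not from the article
# or kayssel.com). It applies the fallback rule described above: a fetch
# directive that is absent inherits default-src, and if neither is present the
# browser applies no restriction to that resource type.
from typing import Dict, List, Optional

FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "frame-src", "object-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, and a repeated directive is ignored by the
    browser, so the first occurrence wins here as well.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive` after the default-src fallback,
    or None when the policy does not restrict that resource type at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for the weak settings discussed in the article."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: absent and no default-src, so unrestricted")
            continue
        src = [s.lower() for s in sources]
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in src)
        if directive == "script-src":
            # Browsers that understand nonces/hashes ignore 'unsafe-inline' when
            # one is present; without one it disables CSP's XSS protection.
            if "'unsafe-inline'" in src and not has_nonce_or_hash:
                findings.append("script-src: 'unsafe-inline' without nonce or hash "
                                "permits injected inline scripts")
            if "'unsafe-eval'" in src:
                findings.append("script-src: 'unsafe-eval' permits eval() and string-based timers")
            if any(s in ("*", "http:", "https:") for s in src):
                findings.append("script-src: wildcard source allows scripts from any host")
            if "data:" in src:
                findings.append("script-src: data: URIs allow inline script bodies as sources")
        if directive == "object-src" and "'none'" not in src:
            findings.append(f"object-src: {' '.join(sources)} instead of 'none', "
                            "so plugin content is allowed")
    return findings


# The header from the article, followed by a constructed weak one.
ARTICLE_HEADER = ("default-src 'self'; script-src 'self' https://cdn.jsdelivr.net 'nonce-abc123'; "
                  "style-src 'self' 'unsafe-inline'; img-src *; object-src 'none'")
WEAK_HEADER = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; "
               "style-src 'self'")

if __name__ == "__main__":
    for label, header in (("article", ARTICLE_HEADER), ("weak", WEAK_HEADER)):
        print(f"[{label}]")
        for finding in audit_csp(header) or ["no findings"]:
            print("  -", finding)
```

Run against the article's header the checker reports nothing, because script-src is nonce-gated and object-src is 'none'. Against the constructed weak header it reports the three script-src problems and notes that object-src silently inherited 'self' from default-src, which is exactly the kind of fallback a reviewer reading the raw header tends to miss.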

Common CSP Misconfigurations Pentesters Should Target

The gap between deploying a CSP header and deploying an effective CSP header is wide. In practice, most deployments contain weaknesses introduced by developer convenience, third-party integrations, or simple misunderstanding. During an assessment, pentesters should look for these common failures.

The most damaging misconfiguration is the presence of 'unsafe-inline' in the script-src directive. This keyword renders CSP's entire anti-XSS benefit moot, because it allows the browser to execute any inline