Http Unsafe Inline In Script Src
Description
Detects when a website's Content Security Policy (CSP) allows inline JavaScript to execute because its script-src directive includes the 'unsafe-inline' source expression. This weakens the policy's protection against cross-site scripting (XSS): an attacker who can inject markup into the page can also run inline scripts, which a strict script-src would otherwise block.
Weakness: 043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Examines the Content-Security-Policy HTTP response header
• Checks if the script-src directive contains 'unsafe-inline'
• Reports a vulnerability if 'unsafe-inline' is found in script-src, as it weakens XSS protections
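The following is an added, self-contained illustration of the detection strategy above; it is not Fluid Attacks' detector code. It parses a Content-Security-Policy header value into directives, honours only the first occurrence of each directive (as browsers do), and reports when the script-src directive lists 'unsafe-inline'. It goes slightly beyond the page in two ways, both standard CSP behaviour: when script-src is absent it falls back to default-src, and it separately flags whether a nonce or hash source is present, since CSP Level 2+ browsers ignore 'unsafe-inline' in that case. The header values are constructed samples.

```python
"""Added example: check a CSP header for 'unsafe-inline' in script-src.

Illustrative code written for this page, not the Fluid Attacks detector.
"""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source tokens]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive; only the first occurrence of a directive counts,
    which matches how browsers apply a policy.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the sources governing scripts.

    CSP falls back to default-src when script-src is absent (spec behaviour;
    whether the page's detector applies this fallback is not stated there).
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def _is_keyword(token: str, keyword: str) -> bool:
    # Keyword sources are quoted and matched case-insensitively.
    return token.strip("'").lower() == keyword


def has_nonce_or_hash(sources: List[str]) -> bool:
    """True if any source is a 'nonce-...' or 'sha256/384/512-...' expression."""
    prefixes = ("nonce-", "sha256-", "sha384-", "sha512-")
    return any(s.strip("'").lower().startswith(prefixes) for s in sources)


def check_unsafe_inline_script(header: Optional[str]) -> Dict[str, bool]:
    """Apply the detection strategy to one CSP header value.

    Returns:
      vulnerable:  'unsafe-inline' governs scripts (the page's finding).
      overridden:  a nonce/hash source is also present, so CSP Level 2+
                   browsers ignore 'unsafe-inline'; still worth fixing,
                   since older browsers honour it.
    A missing or empty header is a different finding and is not reported here.
    """
    if not header:
        return {"vulnerable": False, "overridden": False}
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        return {"vulnerable": False, "overridden": False}
    unsafe = any(_is_keyword(s, "unsafe-inline") for s in sources)
    return {
        "vulnerable": unsafe,
        "overridden": unsafe and has_nonce_or_hash(sources),
    }


# Constructed sample header values (not taken from any real site).
SAMPLE_HEADERS = {
    "weak":      "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "fallback":  "default-src 'self' 'unsafe-inline'",
    "strict":    "default-src 'self'; script-src 'self' 'nonce-abc123'",
    "mitigated": "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
    "first_wins": "script-src 'self'; script-src 'unsafe-inline'",
}


def scan_samples() -> Dict[str, Dict[str, bool]]:
    """Run the check over every sample header."""
    return {name: check_unsafe_inline_script(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:<11} {result}")
```

In practice the header value comes from the HTTP response (for example `response.headers.get("Content-Security-Policy")`); the remediation the finding points to is replacing 'unsafe-inline' with per-response nonces or script hashes.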