Http Unsafe Wildcard In Directive
Description
Detects unsafe usage of wildcards (*) in Content Security Policy (CSP) directives that weaken the protection the policy is meant to provide. A bare wildcard source (*, or a scheme-only form such as https://*) in a directive that governs active content, for example script-src, object-src, base-uri, or a default-src that those directives fall back to, allows resources to be loaded from any host on the network, so an attacker who can inject a reference to a script hosted anywhere gains cross-site scripting (XSS) or other injection capability despite the header being present. A subdomain wildcard (https://*.example.com) is narrower but still trusts every host under that domain, including any that an attacker can register or take over.
Weakness:
043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Examines HTTP response headers for Content-Security-Policy headers
• Parses each policy into its directives and resolves fallbacks (for example, script-src inherits from default-src when it is absent) so that a wildcard in default-src is attributed to the directives it actually governs
• Analyzes the resulting source lists for wildcard (*) patterns that create overly broad permissions, distinguishing a bare wildcard (any host) from a subdomain wildcard
• Reports a vulnerability when a directive that controls scripts, plugins, workers, base URLs, form targets, or framing is left open by such a wildcard
• Evaluates the combined effect when several CSP headers are present: a browser enforces every policy it receives, so a wildcard in one header is only reported if no other header restricts the same directive
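The following is an added example, not code from the original page or from Fluid Attacks' scanner, that implements the detection strategy above in Python: it parses one or more Content-Security-Policy header values, applies the CSP3 fallback chains (script-src to default-src, worker-src to child-src to script-src to default-src, and no fallback for base-uri, form-action and frame-ancestors), classifies each source expression as a bare wildcard, a subdomain wildcard, or neither, and reports a directive only when every header that covers it is left open by a wildcard. The set of high-risk directives, the severity labels, and the sample headers are the example author's choices and are constructed, not captured from any real response.

```python
import re
from typing import Dict, List, Optional, Tuple

# Directives that control active content or document framing. A wildcard in any of
# these lets an attacker-controlled origin supply scripts, plugins or base URLs,
# which defeats the XSS/injection protection CSP is meant to give. (Assumption:
# this set is the example author's choice, not the scanner's exact list.)
HIGH_RISK = (
    "base-uri", "child-src", "form-action", "frame-ancestors", "object-src",
    "script-src", "script-src-attr", "script-src-elem", "worker-src",
)

# CSP3 fallback chains: when a directive is absent the browser consults these, in
# order. base-uri, form-action and frame-ancestors never fall back to default-src.
FALLBACK: Dict[str, List[str]] = {
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "object-src": ["default-src"],
    "child-src": ["default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "base-uri": [], "form-action": [], "frame-ancestors": [],
}

# "*" or "https://*" (optionally with a port or port wildcard): any host on the network.
_ANY_HOST = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://)?\*(?::(?:\d+|\*))?$", re.I)
# "*.example.com" or "https://*.example.com/libs": any subdomain of one domain.
_ANY_SUBDOMAIN = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://)?\*\.[a-z0-9.\-]+", re.I)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse one Content-Security-Policy header value into {directive: [sources]}.
    Directive names are case-insensitive; per CSP3 a directive repeated within a
    single policy is ignored (the first occurrence wins)."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def classify_source(source: str) -> Optional[str]:
    """Return 'any-host', 'any-subdomain' or None for one source expression.
    Keywords ('self', 'none', nonces, hashes) and exact hosts return None."""
    if _ANY_HOST.match(source):
        return "any-host"
    if _ANY_SUBDOMAIN.match(source):
        return "any-subdomain"
    return None


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources a policy enforces for a directive after fallback; None if the policy
    leaves that directive unrestricted."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return policy[name]
    return None


def audit_policies(headers: List[str]) -> List[Tuple[str, str]]:
    """Report (directive, severity) for every high-risk directive left open by a
    wildcard. With several CSP headers the browser enforces all of them, so a
    directive is reported only when every header that covers it uses a wildcard."""
    policies = [parse_csp(h) for h in headers]
    findings: List[Tuple[str, str]] = []
    for directive in HIGH_RISK:
        kinds: List[str] = []
        for policy in policies:
            sources = effective_sources(policy, directive)
            if sources is None:
                continue        # this header imposes nothing on the directive
            wildcard = [k for k in map(classify_source, sources) if k]
            if not wildcard:
                kinds = []      # one strict header closes the hole for the combination
                break
            kinds.append("any-host" if "any-host" in wildcard else "any-subdomain")
        if not kinds:
            continue            # strict, or not governed by any header (a different finding)
        severity = "high" if all(k == "any-host" for k in kinds) else "medium"
        findings.append((directive, severity))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES: Dict[str, List[str]] = {
    "weak":      ["default-src *; script-src * 'unsafe-inline'; object-src *"],
    "fallback":  ["default-src *"],        # no script-src, so scripts inherit the wildcard
    "subdomain": ["default-src 'self'; script-src https://*.cdn.example.com"],
    "combined":  ["script-src *",           # first header is permissive ...
                  "script-src 'self' https://static.example.com"],  # ... second one restricts
    "hardened":  ["default-src 'self'; script-src 'self' https://static.example.com; "
                  "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:10s} -> {audit_policies(headers) or 'no wildcard findings'}")
```

Two details of the semantics matter for accuracy. First, a bare `*` in CSP3 matches only network schemes (http, https, ws, wss) and the page's own scheme, so it does not by itself permit data: or blob: URLs; the example therefore treats `*` as "any host", not "anything". Second, the "combined" sample shows why multiple headers must be evaluated together: flagging the first header alone would be a false positive, because the second header restricts script-src to 'self' and one exact host and the browser enforces both.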