Http Missing Object Src Attribute
Description
Detects when a web application's Content Security Policy (CSP) header is present but does not set the object-src directive, which controls the sources from which embedded plugin content (<object>, <embed>, and the obsolete <applet> element) may be loaded. Per the CSP specification, a missing object-src falls back to default-src; when neither is set, plugin content may be loaded from any origin, and an attacker who can inject HTML into the page can embed plugin content that runs code outside the restrictions placed on scripts by script-src. The usual fix is to add object-src 'none' unless the application genuinely needs plugins.
Weakness:
043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Inspects HTTP response headers for Content-Security-Policy headers
• Checks if the CSP header is present but missing the object-src directive
• Reports a vulnerability if object-src is not specified, since without it (and without a restrictive default-src to fall back on) plugin content can be loaded from any source
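The following is an added example of the detection strategy above written as a small Python check; it is not Fluid Attacks' scanner code. It parses the CSP header into directives, resolves the effective object-src (applying the spec's fallback to default-src, which the strategy as written does not do; pass strict=True to flag any policy that omits object-src) and reports a finding. The sample response headers are constructed for illustration.

```python
"""Check an HTTP response's Content-Security-Policy for a missing object-src.

Added illustration of the detection strategy; not Fluid Attacks' own code.
The SAMPLE_RESPONSES below are constructed, not captured from a real site.
"""
from typing import Dict, List, Optional

CSP_HEADER = "content-security-policy"


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';', tokens by ASCII whitespace, and
    directive names are case-insensitive. Browsers honour only the first
    occurrence of a repeated directive, so later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header_value.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_object_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the source list that governs plugin content.

    object-src wins when present; otherwise CSP falls back to default-src.
    None means no directive applies, i.e. plugin content is unrestricted.
    """
    if "object-src" in policy:
        return policy["object-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def check_object_src(headers: Dict[str, str], strict: bool = False) -> Optional[str]:
    """Return a finding message, or None when no issue is detected.

    Header names are matched case-insensitively. A response without any
    CSP header is out of scope for this particular check (a separate
    finding would cover an absent CSP altogether).
    """
    csp_value = next(
        (v for k, v in headers.items() if k.lower() == CSP_HEADER), None
    )
    if csp_value is None:
        return None
    policy = parse_csp(csp_value)
    if "object-src" in policy:
        return None
    if strict:
        return "CSP is present but does not set object-src"
    if effective_object_src(policy) is None:
        return (
            "CSP is present but sets neither object-src nor default-src: "
            "plugin content (<object>, <embed>, <applet>) can load from any source"
        )
    return None  # object-src is absent but default-src restricts plugin content


# Constructed sample responses (not captured from a real application).
SAMPLE_RESPONSES = {
    "unrestricted": {"Content-Security-Policy": "script-src 'self'; img-src *"},
    "fallback": {"content-security-policy": "default-src 'self'; script-src 'self'"},
    "hardened": {"Content-Security-Policy": "default-src 'self'; object-src 'none'"},
    "no_csp": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:>13}: {check_object_src(hdrs) or 'ok'}")
```

The "fallback" sample shows why the spec's fallback rule matters for triage: object-src is absent, but default-src 'self' already forbids plugin content from other origins, so it is a weaker finding than the "unrestricted" case, where nothing at all governs plugins.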