Kotlin CSP Unsafe Inline
Description
Detects insecure Content Security Policy (CSP) configurations that allow inline scripts in Kotlin applications. Placing 'unsafe-inline' in the script-src directive (or in default-src, which script-src falls back to) largely defeats the header's protection against Cross-Site Scripting (XSS): any inline script an attacker manages to inject into the page body is permitted to execute, so the policy no longer limits the impact of an injection flaw.
Weakness:
043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Identifies response.setHeader method calls in Kotlin code
• Verifies if the header being set is 'Content-Security-Policy'
• Checks whether the value passed for that header contains the 'unsafe-inline' source expression (a keyword source inside a directive such as script-src or default-src, not a directive of its own)
• Reports a vulnerability when the CSP is configured to allow inline scripts to execute
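The detection strategy above as a runnable, directive-aware check. This is an added example written in Python for this page; it is not Fluid Attacks' own detector, and the Kotlin lines it scans are constructed for the demonstration. It goes a little beyond the bullet list: it resolves which directive governs scripts (script-src, otherwise default-src) so that 'unsafe-inline' under style-src alone is not reported, and it treats 'unsafe-inline' next to a 'nonce-...' or 'sha256-...' source as the CSP Level 2/3 backward-compatibility pattern, which nonce-aware browsers ignore rather than honour.

```python
from __future__ import annotations
import re

# Matches response.setHeader("Content-Security-Policy", "<policy>") (or addHeader) on one line.
# Only string literals are resolved; a value assembled at runtime from variables is not followed.
SET_HEADER_RE = re.compile(
    r'\.(?:set|add)Header\(\s*"Content-Security-Policy"\s*,\s*"([^"]*)"\s*\)',
    re.IGNORECASE,
)

# Constructed sample input: Kotlin handlers that set (or do not set) a CSP header.
SAMPLE_KOTLIN = """\
import javax.servlet.http.HttpServletResponse
fun a(r: HttpServletResponse) { r.setHeader("Content-Security-Policy", "script-src 'self' 'unsafe-inline'") }
fun b(r: HttpServletResponse) { r.setHeader("Content-Security-Policy", "default-src 'unsafe-inline'") }
fun c(r: HttpServletResponse) { r.setHeader("Content-Security-Policy", "script-src 'nonce-abc123' 'unsafe-inline'") }
fun d(r: HttpServletResponse) { r.setHeader("Content-Security-Policy", "script-src 'self'; style-src 'unsafe-inline'") }
fun e(r: HttpServletResponse) { r.setHeader("X-Frame-Options", "DENY") }
"""


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive name: [source expressions]}; names are lower-cased."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_script_sources(directives: dict[str, list[str]]) -> list[str]:
    """script-src governs script execution; when it is absent, browsers fall back to default-src."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def unsafe_inline_scripts(policy: str) -> bool:
    """True when this policy lets inline scripts execute.

    CSP Level 2/3 rule: if the governing directive also carries a 'nonce-...' or
    'sha256/384/512-...' source, nonce-aware browsers ignore 'unsafe-inline' in it
    (the documented backward-compatibility pattern), so that pairing is not reported here.
    """
    sources = [s.strip("'").lower() for s in effective_script_sources(parse_csp(policy))]
    if "unsafe-inline" not in sources:
        return False
    has_nonce_or_hash = any(
        s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in sources
    )
    return not has_nonce_or_hash


def scan_kotlin(source: str) -> list[tuple[int, str]]:
    """Return (line number, policy) for every literal CSP header that allows inline scripts."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SET_HEADER_RE.finditer(line):
            policy = match.group(1)
            if unsafe_inline_scripts(policy):
                findings.append((lineno, policy))
    return findings


if __name__ == "__main__":
    for lineno, policy in scan_kotlin(SAMPLE_KOTLIN):
        print(f"line {lineno}: inline scripts allowed by CSP {policy!r}")
```

Run against the sample it reports only handlers a and b (lines 2 and 3). Two limits to keep in mind: browsers that predate nonce support still honour 'unsafe-inline' in handler c, so a team that must support them may want that pairing reported at a lower severity; and the regex only sees string literals, so a policy built from variables or a configuration file has to be checked where the value is actually assembled.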
Vulnerable code example
import javax.servlet.http.HttpServletResponse
fun setInsecureCSP(response: HttpServletResponse) {
// Vulnerable: 'unsafe-inline' allows execution of inline scripts, bypassing CSP protections
response.setHeader("Content-Security-Policy", "script-src 'self' 'unsafe-inline'")
}
✅ Secure code example
import javax.servlet.http.HttpServletResponse
import java.security.SecureRandom
import java.util.Base64
fun setSecureCSP(response: HttpServletResponse): String {
// Generate a cryptographically secure nonce, fresh for every response, for script execution
val nonce = generateNonce()
// Secure: nonce and 'strict-dynamic' instead of 'unsafe-inline'; only <script nonce="..."> tags carrying this value run
response.setHeader("Content-Security-Policy", "script-src 'nonce-$nonce' 'strict-dynamic'; object-src 'none'")
return nonce // the template must put this same value on every trusted <script nonce="..."> tag
}
fun generateNonce(): String {
// 128 random bits from SecureRandom, Base64-encoded so the value is valid in the header and the attribute
return Base64.getEncoder().encodeToString(ByteArray(16).also { SecureRandom().nextBytes(it) })
}