CSP report proxy: retrofitting web applications with a CSP-injection proxy
CONTI, MIRKO
2015/2016
Abstract
Content Security Policy (CSP) is a content-restriction mechanism used by web applications to mitigate cross-site scripting (XSS), one of the most widespread classes of vulnerabilities. Many other techniques have been devised to defeat XSS vulnerabilities, but, because of the complexity of encoding and validation, they are often bypassed. Although CSP is an innovative and promising approach, it is currently used by only 1.2% of the Alexa Top 1 Million websites. As recent studies have shown, because of the complexity of its usage, most of the policies found in the wild are too permissive and thus easily bypassable. Our study focuses on the analysis of the issues of CSP deployment and proposes an approach, called CSP Report Proxy (CSPRP), to retrofit existing web applications with CSP support, automatically generating and deploying CSP policies without resorting to unsafe and easily bypassable directives (e.g., 'unsafe-eval') and without changing the source code. Because many techniques exist to bypass most CSP policies, we have designed the approach to extend the protection of CSP by creating, in real time, specific dynamic policies for each page. We have implemented a prototype of CSPRP and carried out an overall evaluation on the Alexa Top 100 websites to test whether CSPRP preserves the original functionality of the web application, which it does for 81.5% of them. We conducted an extensive evaluation on the Alexa Top 10 websites to test whether CSPRP can properly generate CSP policies for websites with strongly dynamic behaviour, achieving a success rate of 60%. Finally, we created seven CSP-bypass scenarios to test against CSPRP; CSPRP covers six of them, showing that it can actually be used to generate more secure CSP policies.

File | Description | Size | Format
---|---|---|---
2017_04_Conti.pdf (accessible online only to authorised users) | Thesis final version | 1.09 MB | Adobe PDF
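As an added illustration of the retrofitting idea described in the abstract (example code written for this page, not the CSPRP prototype), the following Python function shows one way a proxy could rewrite a single HTML response on its way to the browser: inline scripts receive a per-response nonce and the origins of external scripts are collected, so the generated `Content-Security-Policy` header needs neither 'unsafe-inline' nor 'unsafe-eval' and the application source is left untouched. The sample HTML, the function name and the regex-based rewriting are assumptions made for this example.

```python
import re
import secrets
from urllib.parse import urlsplit

# Constructed sample response body, standing in for a page served by an
# application that sets no CSP header of its own.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/lib.js"></script>
<script src="/static/app.js"></script>
<script>init({"user": "alice"});</script>
</head><body><p>hello</p></body></html>"""

# Simplified matching of opening <script> tags; a production proxy would
# use a real HTML parser and handle styles, images, frames, etc. the same way.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def retrofit_csp(html, nonce=None):
    """Return (rewritten_html, csp_header) for one response.

    External scripts are allowed by origin; inline scripts get a fresh
    per-response nonce instead of 'unsafe-inline', so markup injected by
    an attacker, who cannot know the nonce, is not executed.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    script_origins = set()

    def rewrite(match):
        attrs = match.group(1)
        src = SRC_RE.search(attrs)
        if src:
            parts = urlsplit(src.group(1))
            if parts.scheme and parts.netloc:
                script_origins.add(f"{parts.scheme}://{parts.netloc}")
            # Relative URLs are already covered by 'self'.
            return match.group(0)
        # Inline script: attach the nonce so the policy can allow it.
        return f'<script nonce="{nonce}"{attrs}>'

    rewritten = SCRIPT_RE.sub(rewrite, html)
    script_src = ["'self'", f"'nonce-{nonce}'"] + sorted(script_origins)
    csp = (
        "default-src 'self'; "
        f"script-src {' '.join(script_src)}; "
        "object-src 'none'; base-uri 'none'"
    )
    return rewritten, csp
```

The proxy would call this once per response with a fresh nonce and emit the returned header alongside the rewritten body; deploying it first as `Content-Security-Policy-Report-Only` lets violations from dynamically loaded resources be observed before enforcement.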
Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/10589/133901