Skip to content

Injection: CSP Bypass via Input Injection

Identifier: improper_input_csp_bypass

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner ASM Scanner

Description

Content Security Policy bypass via input injection occurs when user-supplied data is reflected in the page or response headers without adequate sanitization, allowing attackers to inject a weakened CSP policy via meta tags or overwrite existing CSP headers.

How we test: We inject CSP bypass payloads into available form inputs on the active page state, then inspect the response HTML for injected meta CSP tags and monitor response headers via network listeners for weakened or overwritten Content-Security-Policy values.

References:

Configuration

Example

Example configuration:

---
security_tests:
  improper_input_csp_bypass:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.