CSP Parameter script-src includes unsafe-inline

Disclosed by
Shivxtar
  • Engagement Asana
  • Disclosed date over 4 years ago
  • Priority P5 Bugcrowd's VRT priority rating
  • Status Informational This vulnerability is seen as an accepted business risk
Summary by Shivxtar

I found a vulnerability in which the site was using the unsafe-inline parameter in its CSP headers.
This vulnerability can lead to XSS because it lets client-side scripts execute.

Report details
  • Submitted

  • Target Location

    asana.com
  • Target category

    Web App

  • VRT

    Server Security Misconfiguration > Lack of Security Headers > X-Webkit-CSP
  • Priority

    P5
  • Bug URL
    https://asana.com/
  • Description

    Hello,
    I found a script-src parameter which includes unsafe-inline in the Content-Security-Policy.
    This can be misused by attackers to perform an XSS attack, basically allowing injection of user-passed values.

    Reproduction steps:

    1. Send a curl request to the website.
    2. Go to the Content-Security-Policy header.
    3. Search for the script-src parameter; it will have unsafe-inline and unsafe-eval.

    Reference (Request received by me):

    Connection: keep-alive
    Content-Length: 62623
    Content-Type: text/html; charset=utf-8
    X-Powered-By: Next.js
    ETag: "52de5-GnCMoLVzNPFB+E9pPC/voYCZLlY"
    Cache-Control: s-maxage=1800, stale-while-revalidate
    Content-Encoding: gzip
    Accept-Ranges: bytes
    Date: Sun, 25 Apr 2021 02:07:11 GMT
    Via: 1.1 varnish
    Age: 1514
    X-Served-By: cache-ewr18131-EWR
    X-Cache: HIT
    X-Cache-Hits: 2
    X-Timer: S1619316431.086045,VS0,VE0
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: DENY
    Content-Security-Policy: worker-src blob:; frame-ancestors https://www.surveymonkey.com https://google.com https://app.asana.com https://blog.asana.com https://academy.asana.com; report-uri https://app.asana.com/-/csp_report; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://static.ads-twitter.com https://ajax.aspnetcdn.com https://bat.bing.com https://sjs.bizographics.com https://ct.capterra.com https://reveal.clearbit.com https://googleads.g.doubleclick.net https://ethn.io https://connect.facebook.net https://tracking.g2crowd.com https://www.google-analytics.com https://apis.google.com https://www.googleadservices.com https://*.googleapis.com https://tpc.googlesyndication.com https://www.googletagmanager.com https://ssl.gstatic.com https://script.hotjar.com https://static.hotjar.com https://cdn.jotfor.ms https://form.jotform.us https://snap.licdn.com https://px.ads.linkedin.com https://www.linkedin.com https://accounts.livechatinc.com https://cdn.livechatinc.com https://secure.livechatinc.com https://luna1.co https://js.recurly.com https://search-api.swiftype.com https://s.swiftypecdn.com https://analytics.twitter.com https://platform.twitter.com https://fast.wistia.com https://fast.wistia.net https://www.youtube.com https://s.ytimg.com https://*.marketo.com https://*.marketo.net https://js.driftt.com https://www.googleoptimize.com https://cdnjs.cloudflare.com https://api.ipify.org https://cdn.pdst.fm https://*.vimeocdn.com https://js.driftt.com https://widget.drift.com https://resources.asana.com https://w58858w0sjxx.statuspage.io https://optimize.google.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://*.logs.datadoghq.com https://www.datadoghq-browser-agent.com https://tagmanager.google.com/debug https://t.contentsquare.net/uxa/bfee6356fc77e.js
    X-Content-Type-Options: nosniff
    Set-Cookie: user_geo=US; Max-Age=2592000; path=/; Secure
    

    Site used for API testing: reqbin.com/curl
    I sent a curl request and went to the headers tab; here we can see all the headers.


    Best regards,
    Shivansh Malik
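To turn the manual check in the reproduction steps into something a defender can run against a captured header, here is an added example (not code from the report, the researcher, or Asana) that parses a Content-Security-Policy header and audits the effective script-src directive. SAMPLE_CSP is a constructed, shortened copy of the header quoted above; HARDENED_CSP is an assumed nonce-based replacement policy, not one the page says is deployed. The audit also covers the caveat that matters when triaging reports like this one: 'unsafe-inline' is ignored by CSP Level 2+ browsers when a nonce or hash source is present, so its presence alone does not always mean inline scripts will run.

```python
"""Audit the script-src directive of a Content-Security-Policy header.

Added example, not code from the report or from Asana. SAMPLE_CSP is a
constructed, shortened copy of the header quoted in the report; HARDENED_CSP
is an assumed replacement policy, not one the page states is deployed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: same structure as the reported header, fewer hosts.
SAMPLE_CSP = (
    "worker-src blob:; "
    "frame-ancestors https://app.asana.com https://blog.asana.com; "
    "report-uri https://app.asana.com/-/csp_report; "
    "script-src 'self' 'unsafe-eval' 'unsafe-inline' "
    "https://www.google.com/recaptcha/ https://*.googleapis.com "
    "https://cdnjs.cloudflare.com"
)

# Assumed hardened policy (nonce value is constructed): 'unsafe-inline' and
# https: remain only as fallbacks and are ignored by browsers that understand
# nonces and 'strict-dynamic'.
HARDENED_CSP = (
    "script-src 'nonce-c0nstructedN0nce' 'strict-dynamic' 'unsafe-inline' https:; "
    "object-src 'none'; base-uri 'self'"
)

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored by the browser: the first one wins.
        policy.setdefault(name, tokens[1:])
    return policy


@dataclass(frozen=True)
class Finding:
    directive: str
    issue: str
    detail: str


def audit_script_src(policy: dict[str, list[str]]) -> list[Finding]:
    """Return findings for the directive that governs script execution."""
    if "script-src" in policy:
        directive = "script-src"
    elif "default-src" in policy:
        directive = "default-src"  # script-src falls back to default-src
    else:
        return [Finding("script-src", "missing",
                        "no script-src or default-src: any script source is allowed")]
    sources = [s.lower() for s in policy[directive]]
    nonced = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    strict_dynamic = "'strict-dynamic'" in sources
    findings: list[Finding] = []
    if "'unsafe-inline'" in sources:
        if nonced:
            findings.append(Finding(directive, "unsafe-inline-fallback",
                                    "ignored by CSP Level 2+ browsers because a nonce/hash is present"))
        else:
            findings.append(Finding(directive, "unsafe-inline",
                                    "inline scripts and event handlers run, so HTML injection becomes XSS"))
    if "'unsafe-eval'" in sources:
        findings.append(Finding(directive, "unsafe-eval",
                                "eval() and new Function() are permitted"))
    for s in sources:
        # Host sources are ignored when 'strict-dynamic' is honoured, so only
        # flag wildcards on policies that actually rely on the allow-list.
        if (s in ("*", "https:", "http:") or s.startswith("https://*.")) and not strict_dynamic:
            findings.append(Finding(directive, "wildcard-host",
                                    f"{s} admits any script served from matching hosts"))
    return findings


def issue_names(header: str) -> set[str]:
    """Convenience wrapper: the set of issue labels for a raw header value."""
    return {f.issue for f in audit_script_src(parse_csp(header))}


if __name__ == "__main__":
    for label, header in (("reported", SAMPLE_CSP), ("hardened", HARDENED_CSP)):
        print(f"== {label} ==")
        for f in audit_script_src(parse_csp(header)):
            print(f"  [{f.issue}] {f.directive}: {f.detail}")
```

Running it prints three findings for the reported-style policy (unsafe-inline, unsafe-eval, wildcard-host) and only the neutralised fallback for the hardened one, which is the distinction a triager needs before rating a report like this one above Informational.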

  • HTTP request (the same response headers as quoted under Description above)