Mind the Gap - The Case for Strong Content Security Policy

February 11th, 2020

Strong Content Security Policy

Recent revelations of a significant vulnerability in WhatsApp’s Content Security Policy underline the importance of getting CSP right, says Tala’s Surabhi Sinha.

Security researchers recently disclosed an alarming gap in WhatsApp’s Content Security Policy. The high-severity gap could have enabled malicious code injection and remote code execution, opening the way for an attacker to reach local information held by the client. Malware, phishing or ransomware attacks could be launched via seemingly innocuous notifications to the platform’s 1.5 billion active users, and a single click from the user was all the full attack chain needed.

The vulnerability has since been fixed, but the lesson is clear: the urgency of implementing a content security policy, and of implementing it correctly, cannot be over-emphasised.

Getting CSP right, every time

Tala’s technologies are built on years of developing full coverage for client-side attacks. Here’s why it’s so important to get CSP right:

  1. Directives: Most companies set the ‘script-src’ directive, which controls the valid sources for JavaScript, but attackers increasingly exploit gaps in the other directives, such as ‘object-src’ in the WhatsApp case. A 2016 Google study (“CSP Is Dead, Long Live CSP!”) of policies deployed across more than a billion hostnames found that roughly 95% of the CSP policies that try to restrict script were ineffective against XSS, chiefly because of ‘unsafe-inline’, wildcard sources, and allowlisted hosts that expose JSONP endpoints or script gadgets. Because the policy is sent in a response header, an attacker can read your CSP directly, evaluate every directive, and aim injected content or remote code at whichever gap is left open.
  2. Noncing: A nonce-based CSP allows only scripts carrying the correct nonce attribute to execute. The nonce is a fresh random value generated for each response, so an attacker who injects markup cannot know it, and reflected or persistent XSS that relies on injected script tags is blocked. The nonce must be unpredictable, never reused across responses and never reflected into attacker-controlled content; it also does not by itself cover injection into existing scripts or eval-style sinks, so ‘unsafe-eval’ should stay out of the policy and ‘object-src’ and ‘base-uri’ should be locked down alongside it.
  3. Scale: Large organizations also struggle to implement CSP across hundreds of web assets. Implementation at scale requires several engineer-weeks of studying each web application in order to craft and fine-tune its policy.
  4. Reporting: Implementing a robust CSP policy is a great first step, but the larger challenge lies in continuously updating and monitoring it. On a large estate, millions of violation reports can arrive daily, and separating legitimate sources from noise is difficult. This is where Tala’s policy automation and AI-driven analytics can play a leading role and ease the burden with minimal involvement from your side.

Standards-based security at the heart of CSP

As application functionality has grown, so too has the attack surface. Attackers look for exactly that combination, more functionality and less security, because the gap between the two is what they exploit. Tala, uniquely, leverages browser-native controls and standards such as CSP to close that gap without impacting site performance.

Standards-based security, which is at the core of our solution, is arguably the most efficient and elegant way to safeguard your website from client-side data breaches. Act fast and defend your website now.