A sophisticated new technique has been discovered that bypasses Content Security Policy (CSP) protections using HTML injection and cache manipulation. It specifically targets the back/forward cache (bfcache) and the disk cache used by many popular web browsers. The research demonstrates how attackers can circumvent one of the web's most important security mechanisms, potentially exposing countless web applications to Cross-Site Scripting attacks that were previously thought to be well protected.
The attack methodology centers on the reuse of CSP nonce values across different browser caching mechanisms. The multi-stage approach begins with CSS injection to leak the secret nonce from the target web application: CSS attribute selectors extract the nonce from a meta tag that carries the CSP policy. The research team found that while the nonce attribute on script tags is protected, the same value remains accessible in the meta tag, which allows attackers to leak the nonce systematically using CSS injection techniques that generate multiple background requests.
The method exploits the interaction between nonce-based CSP implementations and modern browser caching mechanisms.
The attack also leverages a Cross-Site Request Forgery vulnerability to update the injected payload while keeping the leaked nonce usable. Because the login endpoint lacks CSRF protection, attackers can modify the stored malicious payload. The breakthrough lies in manipulating browser cache partitioning and the interaction between the bfcache and the disk cache: when the bfcache conditions fail, the browser falls back to the disk cache, which preserves the original page. The known nonce is thus preserved while the attacker-controlled content can still be updated dynamically.
This research reveals significant implications for web application security, as many applications rely on nonce-based CSP.
This technique works across modern browsers and requires only two preconditions to succeed. Security professionals must now account for cache behavior when implementing CSP protections on their web applications, which may require additional safeguards such as cache-control headers and improved nonce generation strategies. This vulnerability serves as a call to reassess how effectively security investments surface such latent risks.
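The following added example (not code from the researchers or from any project the article describes) shows the defensive checks a practitioner would run against a nonce-based CSP deployment in light of the three weaknesses above: a policy delivered in a meta tag (whose content attribute is readable by CSS attribute selectors, unlike a script tag's nonce attribute), a nonce that repeats across responses, and a nonce-bearing page that is cacheable. It also shows the hardened pattern (a fresh random nonce per response, the policy in the HTTP header, and Cache-Control: no-store). The `Response` class, the two constructed weak responses and the `abc123` nonce are assumptions made for the example, not values from the page.

```python
"""Added example: audit HTTP responses for the nonce-reuse and caching
weaknesses the article describes. Not the researchers' code; the responses
below are constructed for illustration."""
import re
import secrets
from dataclasses import dataclass
from html.parser import HTMLParser

# Matches 'nonce-<value>' source expressions inside a CSP string.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not a real fetch)."""
    headers: dict
    body: str


class MetaCspFinder(HTMLParser):
    """Collects policies delivered via <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.meta_policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.meta_policies.append(a.get("content") or "")


def policy_nonces(policy):
    """Return the set of nonce values declared in one CSP string."""
    return set(NONCE_RE.findall(policy))


def audit(responses):
    """Return a list of findings over several responses for the same page.

    Flags: a policy carried in a <meta> tag (its content attribute is readable
    by CSS attribute selectors, unlike a script's nonce attribute), a nonce
    that repeats across responses, and a response without Cache-Control:
    no-store, which lets the nonce-bearing page be stored in the disk cache.
    """
    findings = []
    seen = {}  # nonce -> index of the first response that used it
    for i, r in enumerate(responses):
        hdrs = {k.lower(): v for k, v in r.headers.items()}
        finder = MetaCspFinder()
        finder.feed(r.body)
        if finder.meta_policies:
            findings.append(f"response {i}: CSP delivered in <meta>")
        policies = [hdrs.get("content-security-policy", "")] + finder.meta_policies
        nonces = set().union(*(policy_nonces(p) for p in policies))
        if not nonces:
            findings.append(f"response {i}: no nonce in CSP")
        if "no-store" not in hdrs.get("cache-control", "").lower():
            findings.append(f"response {i}: Cache-Control lacks no-store")
        for n in sorted(nonces):
            if n in seen:
                findings.append(f"response {i}: nonce reused from response {seen[n]}")
            else:
                seen[n] = i
    return findings


def render_hardened(page_html="<p>hello</p>"):
    """Hardened pattern: fresh random nonce per response, policy in the HTTP
    header rather than in markup, and the page marked uncacheable."""
    nonce = secrets.token_urlsafe(16)
    return Response(
        headers={
            "Content-Security-Policy": f"script-src 'nonce-{nonce}'; object-src 'none'",
            "Cache-Control": "no-store",
        },
        body=f"<html><body>{page_html}<script nonce=\"{nonce}\"></script></body></html>",
    )


# Constructed weak pair: the same nonce on both responses, the policy in a
# <meta> tag, and a cacheable page.
WEAK_BODY = ('<html><head><meta http-equiv="Content-Security-Policy" '
             'content="script-src \'nonce-abc123\'"></head>'
             '<body><script nonce="abc123"></script></body></html>')
WEAK = [
    Response({"Cache-Control": "public, max-age=600"}, WEAK_BODY),
    Response({"Cache-Control": "public, max-age=600"}, WEAK_BODY),
]

if __name__ == "__main__":
    for line in audit(WEAK):
        print("weak:", line)
    print("hardened findings:", audit([render_hardened(), render_hardened()]))
```

Run against the constructed weak pair, `audit` reports the meta-delivered policy and the missing `no-store` on both responses and the nonce reuse on the second; run against two `render_hardened()` responses it reports nothing. In a real deployment the same function can be fed consecutive captures of a page to confirm that the nonce changes on every response and that the page is never stored by the disk cache.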
Reference: