New Sophisticated Attack Bypasses Content Security Policy Using HTML-Injection Technique

A sophisticated technique to bypass Content Security Policy (CSP) protections using a combination of HTML injection and browser cache manipulation. 

The method exploits the interaction between nonce-based CSP implementations and browser caching mechanisms, specifically targeting the back/forward cache (bfcache) and disk cache systems. 

Key Takeaways
1. Researchers exploit browser caching to bypass Content Security Policy protections.
2. CSS techniques extract CSP nonce values from meta tags via background requests.
3. Browser cache manipulation reuses pages with known nonces for malicious payloads.
4. Vulnerability affects fundamental web security against Cross-Site Scripting attacks.

This research demonstrates how attackers can circumvent one of the web’s most important security mechanisms by leveraging the inherent caching behavior of modern browsers, potentially exposing countless web applications to Cross-Site Scripting (XSS) attacks that were previously thought to be protected.

CSS Injection with Cache Exploitation

According to the Jorian Woltjer Report, the attack methodology centers on exploiting the reuse of CSP nonce values through browser caching mechanisms. 

The multi-stage approach begins with CSS injection to leak nonce values from the target application. 

The technique utilizes CSS attribute selectors to extract nonce values from meta tags containing CSP headers, as demonstrated in the proof-of-concept code:

The research team discovered that while nonce attributes in script tags are protected from CSS selectors for security reasons, the same values reflected in meta tag content attributes remain accessible. 

This allows attackers to systematically leak nonce values using CSS injection techniques that generate multiple background requests, effectively reconstructing the complete nonce through overlapping character sequences.

The attack leverages Cross-Site Request Forgery (CSRF) vulnerabilities to update the injected payload while maintaining access to the previously leaked nonce. 

By exploiting the login endpoint’s lack of CSRF protection, attackers can modify the stored payload through form submissions:

The breakthrough lies in manipulating browser cache partitioning and the interaction between bfcache and disk cache. 

When bfcache conditions fail, such as maintaining window references, the browser falls back to disk cache, which preserves the original page with the known nonce while allowing dynamic content updates. 

The researchers identified that cache entries are keyed using Network Isolation Keys, comprising both the top-level site and current-frame site, enabling selective cache manipulation.

The exploit requires precise timing and cache management, utilizing different URL parameters to create distinct cache entries. 

The technique involves loading the target page with a unique parameter (/dashboard?xss), leaking the nonce, updating the payload via CSRF, loading the same endpoint without parameters to update the profile cache, and finally navigating back to trigger the cached page with the new payload.

This research reveals significant implications for web application security, as many applications rely on nonce-based CSP as a primary defense against XSS attacks. 

The technique works across modern browsers and requires only two preconditions: the ability to leak nonce values through HTML injection and separate payload delivery mechanisms. 

Security professionals must now consider cache behavior when implementing CSP protections, potentially requiring additional safeguards such as cache-control headers and improved nonce generation strategies that account for browser caching mechanisms.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now