Researchers Defeat Content Security Policy Protections via HTML Injection

Researchers Defeat Content Security Policy Protections via HTML Injection

In a breakthrough that challenges the perceived safety of nonce-based Content Security Policy (CSP), security researchers have demonstrated a practical method to bypass these protections by combining HTML injection, CSS-based nonce leakage, and browser cache manipulation.

The Setup: A Realistic XSS Challenge

The research centers on a minimal web application featuring a login form and a dashboard.

The dashboard is protected by a nonce-based CSP, which is widely considered a robust defense against cross-site scripting (XSS).

Each page load generates a unique nonce, embedded in both the CSP and the 

However, the application contains a subtle vulnerability: user input is inserted into the page using .innerHTML without proper sanitization.

While the CSP should block any injected scripts, the researchers found a way to circumvent this protection.

Step 1: Leaking the Nonce via CSS Injection

The first hurdle is obtaining the nonce value, which is required for any injected script to execute. The researchers exploited the fact that the CSP did not restrict 

By injecting carefully crafted CSS selectors, they were able to leak the nonce from the page’s  tag, which contains the CSP policy.

DevTools showing CSS is applied, but no request in Network tab

This technique, inspired by previous CTF challenges, involves using attribute selectors and background image requests to exfiltrate the nonce in small chunks, which are then reassembled server-side.

Step 2: Exploiting Browser Caching (bfcache and Disk Cache)

With the nonce in hand, the next challenge is to inject a payload that will be executed with the correct nonce.

With display: block, the content and the background is requested
With display: block, the content and the background is requested

Here, the researchers leveraged browser caching mechanisms—specifically, the back/forward cache (bfcache) and disk cache.

By manipulating navigation history and cache keys (using query parameters), they forced the browser to serve an old version of the dashboard page (with the known nonce) from disk cache, while simultaneously updating the user’s profile data with a new XSS payload via a CSRF attack.

This separation of the HTML (with the old nonce) and the dynamic data (with the new payload) allowed the injected script to execute successfully, bypassing the nonce-based CSP.

Step 3: Real-World Implications

This attack demonstrates that even well-configured nonce-based CSPs can be defeated if:

  • The nonce can be leaked through HTML or CSS injection.
  • The attacker can manipulate browser cache behavior to reuse a known nonce.
  • The application allows dynamic content updates (e.g., via fetch or AJAX) that are not tightly coupled to the nonce lifecycle.

The research highlights the importance of holistic web security. CSP nonces are a powerful tool, but they are not a silver bullet.

Developers must ensure that nonces cannot be leaked, that user input is properly sanitized, and that browser caching behaviors are understood and accounted for in their threat models.

This finding serves as a reminder: security is only as strong as its weakest link, and attackers will continue to find creative ways to exploit overlooked interactions between web technologies.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free


Source link