The application's Content Security Policy (CSP) is misconfigured. The 'object-src' directive is missing, allowing injection of plugins that can execute malicious JavaScript. The 'script-src' directive is also missing, leaving the application vulnerable to script injection attacks.
Location
Web Application Header
Impact
Attackers could exploit the CSP misconfiguration to perform script injection attacks, leading to unauthorized actions or data theft.
Recommendation
Implement a strict Content Security Policy that includes the following directives:
Set 'object-src' to 'none'
Properly configure 'script-src' to mitigate JavaScript injection risks
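The following is an added example, not part of the report, showing how the two gaps above can be checked programmatically: it parses a Content-Security-Policy header value (assumed to have been read from the application's response) and flags a missing or non-'none' object-src and a missing or weak script-src. It also accounts for the fact that both directives fall back to default-src when absent, which the report does not mention. Header values and the nonce are constructed sample data.

```python
# Added example (not from the report): audit a CSP header for the gaps this
# finding describes. Assumes the header value is already available as a string.

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source values]}.
    The first occurrence of a directive wins; browsers ignore later duplicates."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy

# Source expressions that make script-src ineffective against injection.
WEAK_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}

def audit_csp(header: str) -> list:
    """Return findings for object-src and script-src (empty list = no findings)."""
    policy = parse_csp(header)
    findings = []
    # object-src and script-src inherit default-src when they are not set.
    default = policy.get("default-src")
    obj = policy.get("object-src", default)
    if obj is None:
        findings.append("object-src missing (no default-src): plugins allowed from any origin")
    elif obj != ["'none'"]:
        findings.append("object-src should be 'none', got: " + " ".join(obj))
    script = policy.get("script-src", default)
    if script is None:
        findings.append("script-src missing (no default-src): scripts allowed from any origin")
    else:
        weak = sorted(s for s in script if s in WEAK_SCRIPT_SOURCES)
        if weak:
            findings.append("script-src contains weak sources: " + " ".join(weak))
    return findings

# Constructed sample headers: the misconfigured shape from the finding, and a hardened one.
WEAK_HEADER = "frame-ancestors 'self'; img-src 'self' data:"
STRICT_HEADER = ("default-src 'self'; object-src 'none'; "
                 "script-src 'self' 'nonce-r4nd0m'; base-uri 'self'")  # nonce: fresh per response

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("strict", STRICT_HEADER)):
        print(label, audit_csp(hdr) or ["no findings"])
```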