CWE-330

,

ISO27001-A.14.2.5

,

OWASP 2013-A5

,

OWASP 2017-A6

,

WASC-16

,

Weak Nonce Detected in Content Security Policy (CSP) Declaration

Severity:

Information

Summary

Invicti detected that a weak nonce value used in CSP declaration.

Impact

An attacker can carry out a successful Cross-site Scripting attack by predicting a valid nonce by exploiting this weakness.

Remediation

The application must generate a fresh value for the nonce-value directive at random and independently each time it transmits a policy. The value should be at least 128 bits long and should be generated using a cryptographically secure random number generator.

Required Skills for Successful Exploitation

Actions To Take

Classifications

,

ISO27001-A.14.2.5

,

,

,

,

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Select Vulnerability

Related Vulnerabilities

Version Disclosure (B2evolution)

Version Disclosure (Xoops)

Version Disclosure (Hiawatha)

Spring Boot Misconfiguration: H2 console enabled

PHP allow_url_include Is Enabled

Featured resources

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

View all resources

Build your resistance to threats. And save hundreds of hours each month.