Unpkg Hyperscript Content-Security-Policy Bypass Scanner
This scanner detects the use of Unpkg Hyperscript in digital assets. It identifies vulnerabilities related to Content-Security-Policy bypass, potentially exposing systems to cross-site scripting (XSS) attacks by malicious actors. Ensuring secure implementation can help protect against these threats.
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 1 hour
Scan only one: URL
Unpkg Hyperscript refers to the hyperscript.org frontend scripting library as delivered through the Unpkg CDN. Developers use it in web development projects to add dynamic client-side scripting features to web applications, enhancing interactivity with scripts that run in the browser.
The vulnerability that this scanner detects is a bypass of Content-Security-Policy (CSP) controls when Unpkg Hyperscript is implemented incorrectly. A bypassed CSP can allow attackers to perform Cross-Site Scripting (XSS) attacks. Such attacks enable malicious scripts to execute in browsers, potentially leading to unauthorized data access or site manipulation.
Technically, this vulnerability centers on the improper inclusion and handling of hyperscript.org scripts from the unpkg.com CDN without adequate CSP restrictions. When the CSP rules are unbounded, so that `<script>` HTML tags may load from unpkg.com, adversaries can execute arbitrary JavaScript payloads. The key element is that permitting scripts from unpkg.com inadvertently relaxes a security posture meant to block untrusted scripts.
The exploitation of this vulnerability can lead to several adverse effects, primarily involving unauthorized script execution. By exploiting CSP deficiencies, attackers could hijack user sessions, deface websites, or exfiltrate sensitive information. Moreover, the lack of proper CSP controls could expose web applications to further injection-based vulnerabilities that threaten both data integrity and confidentiality.
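As an added example (not the scanner's own code), the following Python audits a Content-Security-Policy header value for script sources that permit loading from unpkg.com, the condition described above. The function names and the sample policies are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

CDN_HOST = "unpkg.com"  # CDN host named on this page

def parse_csp(header):
    """Map directive name -> source list; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def cdn_match(source):
    """Return 'any-path', 'path-scoped' or None for one source expression."""
    s = source.lower()
    if s in ("*", "https:", "http:"):
        return "any-path"                  # wildcard or bare scheme covers every host
    if s.startswith("'") or s.endswith(":"):
        return None                        # keyword, nonce, hash or non-network scheme
    parts = urlsplit(s if "://" in s else "//" + s)
    host = parts.hostname or ""
    if host.startswith("*."):
        hit = CDN_HOST.endswith(host[1:])  # "*.com" covers unpkg.com, "*.unpkg.com" does not
    else:
        hit = host == CDN_HOST
    if not hit:
        return None
    return "any-path" if parts.path in ("", "/") else "path-scoped"

def audit_csp(header):
    """List (directive, source, kind) entries that let scripts load from CDN_HOST."""
    policy = parse_csp(header)
    order = ("script-src-elem", "script-src", "default-src")
    name = next((d for d in order if d in policy), None)
    if name is None:
        return [("(none)", "*", "any-path")]  # no directive governs script loads
    sources = policy[name]
    if "'strict-dynamic'" in (s.lower() for s in sources):
        return []                          # CSP3 browsers ignore host/scheme sources here
    return [(name, s, cdn_match(s)) for s in sources if cdn_match(s)]

if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    for csp in ("script-src 'self' https://unpkg.com",
                "script-src 'self' https://unpkg.com/example-lib@1.0.0/",
                "script-src 'nonce-r4nd0m' 'strict-dynamic' https://unpkg.com"):
        print(csp, "->", audit_csp(csp))
```

An "any-path" result means every package published on the CDN is loadable as a script under that policy; a nonce or hash elsewhere in the same directive does not narrow a host source.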