# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|web application|compliancecow|OWASP|To ensure that the Content Security Policy (CSP) implemented on a website or web application is configured correctly and adheres to best practices|

```
RecommendedEvidenceName: CSPVulnerabilityReport
```

# Step 2: Define the System Specific Data

In [None]:
```json
{
    "InvalidDirectives": [],
    "UnsafeDirectives": [
        {
            "script-src": [
                "unsafe-inline",
                "unsafe-eval"
            ]
        }
    ],
    "DeprecatedDirectives": [
        "report-uri"
    ],
    "CSPHeaderPresent": "true",
    "InvalidDirectivesPresent": "false",
    "UnsafeDirectivesPresent": "true",
    "DeprecatedDirectivesPresent": "true"
}
```

# Step 3: Define the Standard Schema

In [None]:
```jsonc
{
    // Meta
    "System": "web application",
    "Source": "compliancecow",

    // Resource info
    "ResourceID": "https://www.google.com/recaptcha/enterprise/anchor?ar=1&k=6LcOdtsZAAAAAM6nliHfnrGYhvRBtuxIhaeFA6YC&co=aHR0cHM6Ly93d3cubmV0ZmxpeC5jb206NDQz&hl=en&v=DH3nyJMamEclyfe-nztbfV8S&size=invisible&cb=33b3wzowdtwc",
    "ResourceName": "www.google.com",
    "ResourceType": "http transaction",
    "ResourceTags": {},

    // Data
    "InvalidDirectives": [],
    "UnsafeDirectives": [
        {
            "script-src": [
                "unsafe-inline",
                "unsafe-eval"
            ]
        }
    ],
    "DeprecatedDirectives": [
        "report-uri"
    ],
    "CSPHeaderPresent": "true",
    "InvalidDirectivesPresent": "false",
    "UnsafeDirectivesPresent": "true",
    "DeprecatedDirectivesPresent": "true",

    // Compliance details
    "ValidationStatusCode": "IN_CSP_HED_CF",
    "ValidationStatusNotes": "Configured CSP header has deprecated and unsafe directives",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "The missing Content-Security-Policy header leaves the web page vulnerable to cross-site scripting (XSS) attacks, as there are no restrictions on the resources that can be loaded.",
    "EvaluatedTime": "2024-06-24T08:19:50.304403Z",

    // User editable data
    "UserAction": "",

    // Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

|System|Source|ResourceID|ResourceName|ResourceType|ResourceTags|InvalidDirectives|UnsafeDirectives|DeprecatedDirectives|CSPHeaderPresent|InvalidDirectivesPresent|UnsafeDirectivesPresent|DeprecatedDirectivesPresent|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|anthem|compliancecow|https://www.google.com/recaptcha/enterprise/anchor?ar=1&k=6LcOdtsZAAAAAM6nliHfnrGYhvRBtuxIhaeFA6YC&co=aHR0cHM6Ly93d3cubmV0ZmxpeC5jb206NDQz&hl=en&v=DH3nyJMamEclyfe-nztbfV8S&size=invisible&cb=33b3wzowdtwc|www.google.com|http transaction|{}|[]|[{'script-src': ['unsafe-inline', 'unsafe-eval']}]|['report-uri']|true|false|true|true|IN_CSP_HED_CF|Configured csp header has deprecated and unsafe directives|NON_COMPLIANT|The missing Content-Security-Policy header leaves the web page vulnerable to cross-site scripting (XSS) attacks, as there are no restrictions on the resources that can be loaded.|2024-06-24T08:19:50.304403Z||||

# Step 4: Describe the Compliance Taxonomy

| CSPHeaderPresent | InvalidDirectivesPresent | UnsafeDirectivesPresent | DeprecatedDirectivesPresent | ValidationStatusCode | ValidationStatusNotes | ComplianceStatus | ComplianceStatusReason |
|------------------|--------------------------|-------------------------|-----------------------------|----------------------|----------------------|------------------|------------------|
| false            | NA                       | NA                      | NA                          | CH_NP                | CSP header not present | NON_COMPLIANT    | The absence of CSP (Content-Security-Policy) is non-compliant as it exposes the web application to potential security risks, lacking essential protection against various web-based attacks like XSS (Cross-Site Scripting). |
| true             | false                    | false                   | false                       | CH_P_ID_NP_UD_NP_DD_NP | CSP header present. Invalid directive Not Present. Unsafe directive Not Present. Deprecated directive Not Present. | COMPLIANT         | The Content-Security-Policy header is present and correctly configured without invalid, unsafe, or deprecated directives, ensuring the website adheres to current security best practices and mitigates risks associated with unauthorized resource loading and deprecated security policies. |
| true             | false                    | false                   | true                        | CH_P_ID_NP_UD_NP_DD_P   | CSP header present. Invalid directive Not Present. Unsafe directive Not Present. Deprecated directive Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, and while it does not contain invalid or unsafe directives, the presence of deprecated directives indicates an outdated security configuration. Compliance standards recommend avoiding deprecated directives to maintain robust security practices and reduce risks associated with outdated security policies. Therefore, this configuration is marked as non-compliant due to the use of deprecated directives. |
| true             | false                    | true                    | false                       | CH_P_ID_NP_UD_P_DD_NP   | CSP header present. Invalid directive Not Present. Unsafe directive Present. Deprecated directive Not Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, and while it does not contain invalid directives, the presence of unsafe directives poses a security risk. Compliance standards emphasize the exclusion of unsafe directives to mitigate vulnerabilities such as cross-site scripting (XSS) attacks. Therefore, this configuration is marked as non-compliant due to the presence of unsafe directives. |
| true             | false                    | true                    | true                        | CH_P_ID_NP_UD_P_DD_P    | CSP header present. Invalid directive Not Present. Unsafe directive Present. Deprecated directive Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, but it contains both unsafe and deprecated directives. This configuration is considered non-compliant because using unsafe directives can lead to security vulnerabilities, and employing deprecated directives is discouraged as they may not offer effective protection against modern threats. Compliance standards recommend removing unsafe and deprecated directives to maintain a secure web environment. Therefore, this configuration is marked as non-compliant due to the presence of unsafe and deprecated directives simultaneously. |
| true             | true                     | false                   | false                       | CH_P_ID_P_UD_NP_DD_NP   | CSP header present. Invalid directive Present. Unsafe directive Not Present. Deprecated directive Not Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, but it contains invalid directives. Invalid directives indicate that the CSP is not correctly configured according to the CSP specification, potentially allowing unintended resource loading or execution, which can lead to security vulnerabilities such as XSS (Cross-Site Scripting) attacks. Compliance standards require removing invalid directives to ensure the CSP effectively mitigates these risks. Therefore, this configuration is marked as non-compliant due to the presence of invalid directives. |
| true             | true                     | false                   | true                        | CH_P_ID_P_UD_NP_DD_P    | CSP header present. Invalid directive Present. Unsafe directive Not Present. Deprecated directive Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, but it contains both invalid and deprecated directives. Invalid directives indicate that the CSP is not correctly configured according to the CSP specification, potentially allowing unintended resource loading or execution, which can lead to security vulnerabilities such as XSS (Cross-Site Scripting) attacks. Additionally, using deprecated directives is discouraged as they may not offer effective protection against modern threats. Compliance standards require removing invalid and deprecated directives to ensure the CSP effectively mitigates these risks. Therefore, this configuration is marked as non-compliant due to the presence of both invalid and deprecated directives simultaneously. |
| true             | true                     | true                    | false                       | CH_P_ID_P_UD_P_DD_NP    | CSP header present. Invalid directive Present. Unsafe directive Present. Deprecated directive Not Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, but it contains both invalid and unsafe directives. Invalid directives indicate that the CSP is not correctly configured according to the CSP specification, potentially allowing unintended resource loading or execution, which can lead to security vulnerabilities such as XSS (Cross-Site Scripting) attacks. Additionally, the presence of unsafe directives poses a direct security risk by allowing potentially harmful scripts or resources to be loaded. Compliance standards require removing invalid and unsafe directives to ensure the CSP effectively mitigates these risks. Therefore, this configuration is marked as non-compliant due to the presence of both invalid and unsafe directives simultaneously. |
| true             | true                     | true                    | true                        | CH_P_ID_P_UD_P_DD_P     | CSP header present. Invalid directive Present. Unsafe directive Present. Deprecated directive Present. | NON_COMPLIANT     | The Content-Security-Policy header is present, but it contains invalid, unsafe, and deprecated directives simultaneously. Invalid directives indicate that the CSP is not correctly configured according to the CSP specification, potentially allowing unintended resource loading or execution, which can lead to security vulnerabilities such as XSS (Cross-Site Scripting) attacks. Additionally, the presence of unsafe directives poses a direct security risk by allowing potentially harmful scripts or resources to be loaded. Using deprecated directives is discouraged as they may not offer effective protection against modern threats. Compliance standards require removing invalid, unsafe, and deprecated directives to ensure the CSP effectively mitigates these risks. Therefore, this configuration is marked as non-compliant due to the presence of invalid, unsafe, and deprecated directives together. |


# Step 5: Calculation for Compliance Percentage and Status



In [None]:
```
# Calculation of Compliance Percentage
CompliancePCT = 100 - (Count of 'NON_COMPLIANT' records * 100) / Total records

# Compliance Status
COMPLIANT      - CompliancePCT = 100%
NON_COMPLIANT  - 0% <= CompliancePCT < 100%
NOT_DETERMINED - no records are found in the account
```

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

Follow the remediation steps below to bring the CSP (Content Security Policy) status into compliance:

**Verify CSP Presence:** Confirm that the Content-Security-Policy header is present in the response to ensure a CSP is being enforced.

**Remove Unsafe and Invalid Directives:** Eliminate any unsafe directives (e.g., unsafe-inline, unsafe-eval) found in script-src or other relevant CSP directives, and remove any invalid directives that do not conform to the CSP specification, to strengthen security.

**Update Deprecated Directives:** Replace deprecated directives (e.g., report-uri) with current standards (e.g., report-to) to maintain compliance with modern CSP practices.

**Test Changes:** Verify that the CSP changes do not disrupt the website’s functionality and conduct security tests to ensure the policy effectively mitigates risks.

**Document and Communicate:** Update internal documentation to reflect the changes and inform relevant stakeholders about the CSP adjustments and their implications.
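The classification that Steps 2 to 5 describe, carried through in one place: analyse a header value into the Step 2 fields, derive the Step 4 status code, compute the Step 5 percentage, and compare a weak header with its Step 6 remediation. This is an added Python example, not ComplianceCow's or the privacybisonconnector's own code; the KNOWN/DEPRECATED/UNSAFE directive sets, the function names and the two sample headers are assumptions.

```python
# Added example, not ComplianceCow's own code. The directive sets are assumptions
# drawn from the CSP spec; the page's schema serialises the boolean flags as strings.
KNOWN = {"default-src", "script-src", "style-src", "img-src", "connect-src", "font-src",
         "object-src", "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
         "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
         "upgrade-insecure-requests", "require-trusted-types-for", "trusted-types"}
DEPRECATED = {"report-uri"}                     # superseded by report-to (Step 6)
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}   # source expressions flagged in Step 2


def analyse_csp(header):
    """Step 2 fields for one Content-Security-Policy value (None = header absent)."""
    r = {"InvalidDirectives": [], "UnsafeDirectives": [], "DeprecatedDirectives": [],
         "CSPHeaderPresent": header is not None}
    for clause in (header or "").split(";"):
        tokens = clause.split()
        if not tokens:                          # empty clause, e.g. a trailing ';'
            continue
        name, values = tokens[0].lower(), tokens[1:]
        if name not in KNOWN:                   # unknown names are ignored by browsers
            r["InvalidDirectives"].append(name)
            continue
        if name in DEPRECATED:
            r["DeprecatedDirectives"].append(name)
        unsafe = [v.strip("'") for v in values if v.lower() in UNSAFE]
        if unsafe:
            r["UnsafeDirectives"].append({name: unsafe})
    for key in ("Invalid", "Unsafe", "Deprecated"):
        r[key + "DirectivesPresent"] = bool(r[key + "Directives"])
    return r

def classify(r):
    """Step 4: ValidationStatusCode and ComplianceStatus for an analyse_csp() result."""
    if not r["CSPHeaderPresent"]:
        return "CH_NP", "NON_COMPLIANT"
    p = lambda flag: "P" if flag else "NP"
    flags = [p(r[k + "DirectivesPresent"]) for k in ("Invalid", "Unsafe", "Deprecated")]
    code = "CH_P_ID_%s_UD_%s_DD_%s" % tuple(flags)
    return code, ("COMPLIANT" if code == "CH_P_ID_NP_UD_NP_DD_NP" else "NON_COMPLIANT")

def compliance_pct(statuses):
    """Step 5: overall percentage and status from the per-record ComplianceStatus values."""
    if not statuses:
        return None, "NOT_DETERMINED"
    pct = 100 - statuses.count("NON_COMPLIANT") * 100 / len(statuses)
    return pct, ("COMPLIANT" if pct == 100 else "NON_COMPLIANT")

# Constructed sample headers: the Step 2 finding beside its Step 6 remediation.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; report-uri /csp"
FIXED = "default-src 'self'; script-src 'self' 'nonce-abc123'; report-to csp-endpoint"
```

`analyse_csp(WEAK)` reproduces the Step 2 record (unsafe script-src sources plus the deprecated report-uri), while `analyse_csp(FIXED)` classifies as CH_P_ID_NP_UD_NP_DD_NP and COMPLIANT.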

# Step 7: Control Setup Details

| Control Details               |                                  |
|-------------------------------|----------------------------------|
| **RuleName**                  | PrivacyBisonCSPVulnerabilityCheck|
| **PreRequisiteRuleNames**     |             N/A                  |
| **ExtendedSchemaRuleNames**   |             N/A                  |
| **ApplicationClassName**      |privacybisonconnector             |
