Description
Describe the bug
Some sites set a Content-Security-Policy header to
Content-Security-Policy: default-src 'self';
In order to use the HUD the documentation
https://www.zaproxy.org/docs/desktop/addons/hud/options/#remove-csp-from-target-pages
suggests to turn on the Remove CSP from target pages.
Unfortunately this checkbox doesn't seem to change the state of the Content-Security-Policy header served to the browser.
Steps to reproduce the behavior
- Create a website with a Content-Security-Policy: default-src 'self'; header
- Start up ZAP
- Open Options
- HUD
- Turn on "Remove CSP from target pages"
- Go to manual explore
- Make sure the HUD checkbox is ticked
- Choose Chrome from the browser drop down
- Press the Launch Browser Button
- Observe that the HUD shows the Unhappy Document icon in the place that the HUD would have been
- Open the browser developer tools CTRL+Shift+i
- Click on the errors denoted by the x in a red circle
- Observe that the Content-Security-Policy is doing its job by blocking HUD as a Frame when there is no frame-src set.
Expected behavior
Expected ZAP to disable the Content-Security-Policy header in line in order to use the HUD to scan the website when the "Remove CSP from target pages" is enabled.
Software versions
OWASP ZAP
Version: D-2022-04-05
Installed Add-ons: [[id=accessControl, version=8.0.0],
[id=alertFilters, version=14.0.0], [id=amf, version=3.0.0],
[id=ascanrules, version=47.0.0], [id=ascanrulesAlpha,
version=37.0.0], [id=ascanrulesBeta, version=41.0.0],
[id=attacksurfacedetector, version=1.1.4], [id=authstats,
version=2.0.0], [id=automation, version=0.14.0],
[id=browserView, version=5.0.0], [id=bruteforce,
version=12.0.0], [id=callgraph, version=5.0.0],
[id=callhome, version=0.4.0], [id=commonlib,
version=1.10.0], [id=coreLang, version=16.0.0],
[id=custompayloads, version=0.11.0], [id=diff,
version=12.0.0], [id=directorylistv1, version=6.0.0],
[id=directorylistv2_3, version=4.0.0],
[id=directorylistv2_3_lc, version=4.0.0], [id=domxss,
version=13.0.0], [id=encoder, version=0.7.0], [id=exim,
version=0.2.0], [id=fileupload, version=1.1.0],
[id=formhandler, version=5.0.0], [id=fuzz, version=13.7.0],
[id=fuzzdb, version=8.0.0], [id=gettingStarted,
version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql,
version=0.9.0], [id=help, version=15.0.0], [id=hud,
version=0.14.0], [id=imagelocationscanner, version=3.0.0],
[id=importurls, version=9.0.0], [id=invoke, version=12.0.0],
[id=jsonview, version=2.0.0], [id=jwt, version=1.0.2],
[id=network, version=0.2.0], [id=oast, version=0.11.0],
[id=onlineMenu, version=10.0.0], [id=openapi,
version=28.0.0], [id=plugnhack, version=13.0.0],
[id=portscan, version=10.0.0], [id=pscanrules,
version=40.0.0], [id=pscanrulesAlpha, version=35.0.0],
[id=pscanrulesBeta, version=29.0.0], [id=quickstart,
version=34.0.0], [id=reflect, version=0.0.11],
[id=regextester, version=2.0.0], [id=replacer,
version=10.0.0], [id=reports, version=0.13.0],
[id=requester, version=5.0.0], [id=retest, version=0.3.0],
[id=retire, version=0.11.0], [id=reveal, version=5.0.0],
[id=revisit, version=4.0.0], [id=saml, version=9.0.0],
[id=scripts, version=31.0.0], [id=selenium, version=15.9.0],
[id=sequence, version=7.0.0], [id=soap, version=14.0.0],
[id=spiderAjax, version=23.8.0], [id=sqliplugin,
version=15.0.0], [id=tips, version=10.0.0], [id=tokengen,
version=15.0.0], [id=treetools, version=8.0.0],
[id=viewstate, version=3.0.0], [id=wappalyzer,
version=21.9.0], [id=webdriverlinux, version=37.0.0],
[id=webdrivermacos, version=38.0.0], [id=webdriverwindows,
version=37.0.0], [id=websocket, version=26.0.0], [id=zest,
version=36.0.0]]
Operating System: Windows 10
Java Version: BellSoft 11.0.13
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
ZAP Home Directory: C:\Users\$USER\OWASP ZAP_D\
ZAP Installation Directory: C:\Users\$USER\LocalPrograms\ZAPWeekly\ZAP_D-2022-04-05\.\
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)
Screenshots
Errors from the zap.log file
2022-04-11 09:33:08,942 [ZAP-IO-EventExecutor-3-4] WARN HudAPI - Failed to access script libraries/vue.js via the script extension
2022-04-11 09:33:08,950 [ZAP-IO-EventExecutor-3-3] WARN HudAPI - Failed to access script libraries/vue-i18n.js via the script extension
2022-04-11 09:33:08,950 [ZAP-IO-EventExecutor-3-4] ERROR HudAPI - No such file C:\Users\$USER\OWASP ZAP_D\hud\libraries\vue.js
java.io.FileNotFoundException: libraries/vue.js
at org.zaproxy.zap.extension.hud.HudAPI.getFile(HudAPI.java:429) ~[?:?]
at org.zaproxy.zap.extension.hud.HudFileProxy.handleCallBack(HudFileProxy.java:117) ~[?:?]
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:380) ~[zap-D-2022-04-05.jar:D-2022-04-05]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleApiRequest(ZapApiHandler.java:93) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.ZapApiHandler.handleRequest(ZapApiHandler.java:67) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.HttpRequestHandler.handleMessage0(HttpRequestHandler.java:32) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.handlers.HttpIncludedMessageHandler.handleMessage(HttpIncludedMessageHandler.java:32) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.notifyMessageHandlers(MainServerHandler.java:118) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.processMessage(MainServerHandler.java:100) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.LocalServerHandler.processMessage(LocalServerHandler.java:63) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.process(MainServerHandler.java:83) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.channelRead0(MainServerHandler.java:72) ~[?:?]
at org.zaproxy.addon.network.internal.server.http.MainServerHandler.channelRead0(MainServerHandler.java:37) ~[?:?]
at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:61) ~[?:?]
at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:370) ~[?:?]
at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) ~[?:?]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[?:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
Additional context
none
Would you like to help fix this issue?
- Yes
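The CSP behaviour the report relies on, as an added example (this is not ZAP's or the HUD add-on's code): in CSP, frame-src falls back to child-src and then to default-src, so a header of only default-src 'self' blocks any frame from another origin, which is why the HUD frame fails until a frame-src is added or the header is removed. The matcher below handles only the common source expressions ('none', 'self', *, scheme-only, host with optional wildcard and port); nonces, hashes and paths are an assumed simplification, and the HUD origin https://hud.example.invalid is a constructed placeholder, not the real callback origin. strip_csp models what an option documented as "remove CSP from target pages" would have to do to the response headers.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Fallback chain for frames, most specific first (CSP3 semantics).
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")
CSP_HEADERS = {"content-security-policy", "content-security-policy-report-only"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Duplicate directives are ignored after the first, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_frame_src(directives: Dict[str, List[str]]) -> Tuple[Optional[str], List[str]]:
    """Return the directive (and its sources) that actually governs frames."""
    for name in FRAME_FALLBACK:
        if name in directives:
            return name, directives[name]
    return None, []  # nothing governs frames: allowed


def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source: str, frame_url: str, page_url: str) -> bool:
    """Simplified CSP source-expression match (assumption: common forms only)."""
    src = source.lower()
    frame = urlsplit(frame_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(frame_url) == origin_of(page_url)
    if src == "*":
        return frame.scheme in ("http", "https", "ws", "wss")
    if src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
        return frame.scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    scheme, sep, rest = src.partition("://")
    hostport = rest if sep else src
    if sep and frame.scheme != scheme:
        return False
    host, _, port = hostport.split("/")[0].partition(":")
    fhost = frame.hostname or ""
    if host.startswith("*."):
        if not fhost.endswith(host[1:]):
            return False
    elif host != fhost:
        return False
    if port and port != "*":
        fport = frame.port or (443 if frame.scheme == "https" else 80)
        if str(fport) != port:
            return False
    return True


def frame_allowed(csp_header: Optional[str], frame_url: str, page_url: str) -> Tuple[bool, str]:
    """Would the page's CSP let frame_url be embedded in page_url?"""
    if csp_header is None:
        return True, "no CSP header"
    name, sources = effective_frame_src(parse_csp(csp_header))
    if name is None:
        return True, "no frame-governing directive"
    allowed = any(source_matches(s, frame_url, page_url) for s in sources)
    return allowed, f"governed by {name} {' '.join(sources)}"


def strip_csp(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop CSP headers from a response, the effect a 'remove CSP' option must have."""
    return [(k, v) for k, v in headers if k.lower() not in CSP_HEADERS]


if __name__ == "__main__":
    page = "https://example.com/"                 # constructed target page
    hud = "https://hud.example.invalid/frame"     # constructed HUD frame origin
    for csp in ["default-src 'self';",
                "default-src 'self'; frame-src https://hud.example.invalid",
                "default-src 'self'; child-src 'none'; frame-src *"]:
        print(csp, "->", frame_allowed(csp, hud, page))
    print(strip_csp([("Content-Type", "text/html"),
                     ("Content-Security-Policy", "default-src 'self';")]))
```

Running it shows the report's situation directly: default-src 'self' alone yields (False, "governed by default-src 'self'"), while adding a frame-src for the HUD origin yields True. After strip_csp only the Content-Type header remains, which is the state the browser must see for the option to have worked.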