Do Not Trust the Clouds Easily: The Insecurity of Content Security Policy Based on Object Storage

Yangzixing Lv, Wei Shi, Weiyong Zhang, Hui Lu, Zhihong Tian

IEEE Internet of Things Journal (2023)

Abstract
The content security policy (CSP) is a World Wide Web Consortium (W3C) standard designed to prevent and mitigate security vulnerabilities on websites, such as cross-site scripting (XSS) attacks, data injection attacks, and clickjacking attacks. In this article, we present a newly discovered front-end Web attack that exploits a vulnerability in the object storage services currently offered by cloud vendors to bypass CSP. We selected the object storage services of the two cloud vendors with the most users, i.e., Google and Amazon, for a systematic, large-scale study and analysis. Three cyberspace search engines were used to retrieve data, from which we analyze the consequences and the extent of damage of this security breach. We focus on four key aspects of this security breach: 1) how object storage services can be used to bypass CSP; 2) an analysis of the presence of this vulnerability in real-world websites; 3) an analysis of the existing security vulnerabilities in current object storage services; and 4) a new strategy for object storage services that we propose to eliminate the discovered security threat.
Keywords
content insecurity policy, insecurity policy, object storage