A sophisticated technique bypasses Content Security Policy (CSP) protections by combining HTML injection with browser cache manipulation. The research shows how an attacker can circumvent one of the web's most important security mechanisms by leveraging the inherent caching behavior of modern browsers, potentially exposing many web applications to Cross-Site Scripting (XSS) attacks that were previously thought to be protected.

According to the Jorian Woltjer report, the attack methodology centers on the reuse of CSP nonce values through browser caching mechanisms: a cached page that still carries a known nonce can be reused to deliver a malicious payload. The nonce itself is leaked with CSS injection techniques that generate multiple background requests; the results are combined to reconstruct the complete nonce from overlapping character sequences.

The researchers identified that cache entries are keyed using Network Isolation Keys, which comprise both the top-level site and the current-frame site, enabling selective cache manipulation. When the conditions for the back/forward cache (bfcache) fail, for example when a window reference is maintained, the browser falls back to the disk cache, which preserves the original page with the known nonce while allowing dynamic content updates.

The technique involves loading the target page with a unique parameter (/dashboard?xss), leaking the nonce, updating the payload via CSRF, loading the same endpoint without parameters to update the profile cache, and finally navigating back to trigger the cached page with the new payload.
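The core of the issue above is a nonce-carrying page that the browser is allowed to store and replay. The following audit helper is an added example written for this summary, not code from the report or from cybersecuritynews.com; it scans a constructed set of HTTP response headers, extracts every CSP nonce, and flags nonce pages that are cacheable or whose nonce value repeats across responses. The response sample, the header names and the severity labels are assumptions made for illustration.

```python
import re

# Constructed sample: (url, headers) pairs as a server might emit them.
# The first two share a nonce and permit caching; the third is fine.
SAMPLE_RESPONSES = [
    ("/dashboard?xss", {
        "content-security-policy": "script-src 'nonce-abc123' 'strict-dynamic'",
        "cache-control": "max-age=300",
    }),
    ("/dashboard", {
        "content-security-policy": "script-src 'nonce-abc123' 'strict-dynamic'",
        "cache-control": "max-age=300",
    }),
    ("/settings", {
        "content-security-policy": "script-src 'nonce-z9y8x7'",
        "cache-control": "no-store",
    }),
]

# Matches every 'nonce-<value>' token in a CSP header, whichever directive it sits in.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")


def extract_nonces(csp: str) -> list:
    """Return all nonce values declared in a Content-Security-Policy header."""
    return NONCE_RE.findall(csp)


def is_cacheable(cache_control: str) -> bool:
    """A nonce page is treated as cacheable unless Cache-Control says no-store.

    An absent header counts as cacheable: the browser may apply heuristic caching.
    """
    directives = {d.strip().lower() for d in cache_control.split(",")}
    return "no-store" not in directives


def audit(responses) -> list:
    """Flag (url, issue) pairs: cacheable nonce pages and nonces reused across responses."""
    findings, first_seen = [], {}
    for url, headers in responses:
        nonces = extract_nonces(headers.get("content-security-policy", ""))
        if not nonces:
            continue  # no nonce-based policy, nothing to replay
        if is_cacheable(headers.get("cache-control", "")):
            findings.append((url, "cacheable"))
        for nonce in nonces:
            if nonce in first_seen:
                findings.append((url, f"nonce '{nonce}' reused from {first_seen[nonce]}"))
            else:
                first_seen[nonce] = url
    return findings


if __name__ == "__main__":
    for url, issue in audit(SAMPLE_RESPONSES):
        print(f"{url}: {issue}")
```

Run against real traffic by feeding it the headers recorded for one authenticated session; a single `reused` finding means the same nonce would still be valid if the page were served from cache.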
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Jul 2025 09:30:18 +0000