Content Security Policy (CSP) is an effective security mechanism that prevents the exploitation of Cross-Site Scripting (XSS) vulnerabilities on websites by specifying the sources from which their web pages may load resources, such as scripts and styles. CSP nonces enable websites to allow the execution of specific inline scripts and styles without relying on a whitelist. In this study, we measure and analyze the use of CSP nonces in the wild, specifically looking for nonce reuse, short nonces, and invalid nonces. We find that, of the 2271 sites that deploy a nonce-based policy, 598 reuse the same nonce value in more than one response, potentially enabling attackers to bypass the protection offered by the CSP against XSS attacks. We analyze the causes of the nonce reuse to identify whether it is introduced by the server-side code or whether the nonces are being cached by web caches. Moreover, we investigate whether nonces are reused only within the same session or across different sessions, as this impacts the effectiveness of CSP in preventing XSS attacks. Finally, we discuss the possibilities for attackers to bypass the CSP and achieve XSS in the different nonce reuse scenarios.
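The three defects the abstract looks for (nonce reuse, short nonces, invalid nonces) can be checked mechanically from the `Content-Security-Policy` headers a site returns, and the reuse can be split into the same-session and cross-session cases the study distinguishes. The following Python audit is an added example, not code from the paper or its authors: the response headers and session identifiers are constructed sample data, and the 128-bit minimum nonce length is an assumption taken from the CSP specification's recommendation rather than a threshold stated by the page.

```python
import base64
import binascii
import re
from collections import defaultdict

# A CSP nonce source expression has the form 'nonce-<base64-value>'.
NONCE_RE = re.compile(r"'nonce-([^']*)'")

# Minimum nonce length, in decoded bytes. 16 bytes = 128 bits of entropy,
# the minimum recommended by the CSP specification (assumed threshold, not from the page).
MIN_NONCE_BYTES = 16

# Constructed sample responses: (site, session id, Content-Security-Policy header).
# The nonce values were generated for this example and are not real observations.
SAMPLE_RESPONSES = [
    # Fresh 16-byte nonce on every response: the intended deployment.
    ("good.example", "s1", "script-src 'nonce-MDEyMzQ1Njc4OWFiY2RlZg==' 'strict-dynamic'"),
    ("good.example", "s1", "script-src 'nonce-ZmVkY2JhOTg3NjU0MzIxMA==' 'strict-dynamic'"),
    # Same nonce on two responses within one session (e.g. a nonce generated once per session).
    ("static-nonce.example", "s1", "script-src 'nonce-Zml4ZWQtbm9uY2UtMDAwMQ=='"),
    ("static-nonce.example", "s1", "script-src 'nonce-Zml4ZWQtbm9uY2UtMDAwMQ=='"),
    # Same nonce served to two different sessions (the pattern a shared web cache produces).
    ("cached.example", "s1", "script-src 'nonce-Zml4ZWQtbm9uY2UtMDAwMQ==' 'self'"),
    ("cached.example", "s2", "script-src 'nonce-Zml4ZWQtbm9uY2UtMDAwMQ==' 'self'"),
    # A 3-byte nonce and a value that is not base64 at all.
    ("weak.example", "s1", "script-src 'nonce-YWJj'"),
    ("weak.example", "s1", "style-src 'nonce-not base64!'"),
]


def extract_nonces(policy):
    """Return every nonce value that appears in a CSP header string."""
    return NONCE_RE.findall(policy)


def decode_nonce(nonce):
    """Decode a base64 or base64url nonce; return None if it is not valid base64."""
    if not nonce or not re.fullmatch(r"[A-Za-z0-9+/\-_]+=*", nonce):
        return None
    # Accept the URL-safe alphabet and unpadded values, both of which browsers accept.
    standard = nonce.replace("-", "+").replace("_", "/")
    padded = standard + "=" * (-len(standard) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_nonce(nonce):
    """Classify a single nonce value as 'invalid', 'short' or 'ok'."""
    raw = decode_nonce(nonce)
    if raw is None:
        return "invalid"
    if len(raw) < MIN_NONCE_BYTES:
        return "short"
    return "ok"


def audit_responses(responses):
    """Audit (site, session, header) triples and report per-site nonce defects.

    A nonce seen in more than one response of a site counts as reused; it is
    'reused_cross_session' if those responses belong to different sessions and
    'reused_same_session' otherwise.
    """
    sessions_by_nonce = defaultdict(lambda: defaultdict(set))  # site -> nonce -> sessions
    uses_by_nonce = defaultdict(lambda: defaultdict(int))      # site -> nonce -> response count
    report = {}
    for site, session, header in responses:
        findings = report.setdefault(site, {
            "invalid": set(), "short": set(),
            "reused_same_session": set(), "reused_cross_session": set(),
        })
        for nonce in extract_nonces(header):
            kind = classify_nonce(nonce)
            if kind != "ok":
                findings[kind].add(nonce)
            sessions_by_nonce[site][nonce].add(session)
            uses_by_nonce[site][nonce] += 1
    for site, counts in uses_by_nonce.items():
        for nonce, uses in counts.items():
            if uses > 1:
                key = ("reused_cross_session" if len(sessions_by_nonce[site][nonce]) > 1
                       else "reused_same_session")
                report[site][key].add(nonce)
    return report


if __name__ == "__main__":
    for site, findings in audit_responses(SAMPLE_RESPONSES).items():
        problems = {k: sorted(v) for k, v in findings.items() if v}
        print(f"{site}: {problems or 'no nonce defects found'}")
```

Cross-session reuse is the case to treat as most serious: if two unrelated clients receive the same nonce, the value is effectively static and the nonce no longer adds anything over an allow-list, which is why the audit keeps that bucket separate from reuse confined to one session.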