CSP Reporter - tool to analyse CSP logs

Posted on 07 December 2013 in misc

Two things facilitate the implementation of Content Security Policy (CSP). The first is a special directive called report-uri, which specifies a URI to which the browser sends reports (in JSON format) about policy violations. The second is a special mode, Report-Only, in which the browser only sends violation reports to the URI specified in the policy instead of blocking the evil script. So in the first steps of implementing CSP you can switch it on in this mode:

Content-Security-Policy-Report-Only: default-src 'self'; ...; report-uri /csp-report

Here is an example of a violation report from the CSP W3C Candidate Recommendation document:

      {
        "csp-report": {
          "document-uri": "http://example.org/page.html",
          "referrer": "http://evil.example.com/haxor.html",
          "blocked-uri": "http://evil.example.com/image.png",
          "violated-directive": "default-src 'self'",
          "original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
        }
      }

Once the logs have been collected you can of course use well-known tools like cat, grep, awk and so on. They are good. Really! But if you have really big logs it is better to use a more complex tool.

Let me announce the first release of CSP Reporter. In a nutshell, it is a parser for CSP reports. Its main purpose is to create an easy-to-read and understandable report from big logs. It is written in Python and has a plug-in architecture, so it is easy to extend for your specific cases. There are three types of plugins:

  1. preprocessors - to prepare log lines for further analysis
  2. processors - main modules that do all the magic stuff
  3. output - for output in different formats
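To show what such a parser does at its core, here is an added example (not the CSP Reporter code itself): it reads one JSON report per log line, skips lines that are not valid reports, and aggregates violations by directive and blocked URI. The log lines and hosts are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample log: one JSON-encoded CSP report per line, as a
# report-uri endpoint might append them. The last line is deliberately garbage.
SAMPLE_LOG = """\
{"csp-report": {"document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'"}}
{"csp-report": {"document-uri": "http://example.org/page.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'"}}
{"csp-report": {"document-uri": "http://example.org/other.html", "blocked-uri": "http://cdn.example.com/lib.js", "violated-directive": "script-src 'self'"}}
not json at all
"""


def parse_reports(lines):
    # Preprocessing step: return the csp-report objects found in the lines and
    # the number of lines skipped because they were blank, not JSON, or had no
    # csp-report key. A single bad line must not abort the whole analysis.
    reports, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        report = obj.get("csp-report") if isinstance(obj, dict) else None
        if not isinstance(report, dict):
            skipped += 1
            continue
        reports.append(report)
    return reports, skipped


def summarize(reports):
    # Processing step: count violations per (violated-directive, blocked-uri)
    # pair, so the most frequent blocked resources surface first.
    return Counter((r.get("violated-directive", "?"), r.get("blocked-uri", "?"))
                   for r in reports)


def main():
    # Output step: plain-text table sorted by frequency.
    reports, skipped = parse_reports(SAMPLE_LOG.splitlines())
    for (directive, uri), n in summarize(reports).most_common():
        print("{:5d}  {:<20}  {}".format(n, directive, uri))
    print("skipped {} unparsable line(s)".format(skipped))


if __name__ == "__main__":
    main()
```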

It requires Python 3 and the docutils module installed. You can run it with:

$ python3.3 ./csp-reporter.py -c config.ini -f sample-report.log 

If you specify HTML as the output, the result will look like the screenshot below.

Source code is available on GitHub: https://github.com/oxdef/csp-reporter. The license is GPLv2. Pull requests are welcome! :-)