Logging CSP violations to Exceptionless with NWebsec

Anyone that creates web applications should use Content-Security-Policy (CSP) to protect their applications against injection attacks by specifying where content in the web pages can be loaded from.

If you’re unfamiliar with CSP you should read An Introduction to Content Security Policy by Mike West, one of the Chrome developers. You’ll also find information about CSP on the Mozilla Developer Network.

In this article we will look at how simple it is to log CSP violations with NWebsec and Exceptionless in order to find the correct policy settings for your application.

NWebsec is a very nice security library by Andre Klingsheim that lets you configure CSP in web.config or in code. Exceptionless is a real-time error, feature and log reporting service for all kinds of applications; it can be hosted on-site or used as SaaS provided by Exceptionless.

Source code is available at https://github.com/jonnybee/CSPLogging

I start out by creating a new ASP.NET MVC project and add the following NuGet packages:

– NWebsec.Mvc
– Exceptionless.Mvc

Assuming you already have your own web application running, we will use Content-Security-Policy-Report-Only to report CSP violations without making the browser enforce the CSP. When your baseline is set it is just a matter of changing the header name in config to Content-Security-Policy, and browsers will then start to enforce the policies.

You may use both Content-Security-Policy and Content-Security-Policy-Report-Only in parallel, but only Content-Security-Policy will make browsers enforce policies.

Note: Each violation in the user's browser is sent as a separate call back to your website (the report-uri), so a busy site with a broad policy can generate a lot of traffic.

Configure NWebsec

Add this configuration section in web.config to configure Content-Security-Policy-Report-Only.
Note that the configuration also sets the report-uri option to enable the built-in handler, which receives the violation reports browsers POST back.

<securityHttpHeaders>
  <content-Security-Policy-Report-Only enabled="true">
    <default-src self="true"/>
    <script-src self="true">
      <add source="nwebsec.codeplex.com" />
      <add source="scripts.nwebsec.com" />
    </script-src>
    <style-src unsafeInline="false" self="true" />
    <img-src self="true">
      <add source="images.nwebsec.com"/>
    </img-src>
    <object-src none="true" />
    <media-src none="true" />
    <frame-src none="true" />
    <font-src none="true" />
    <connect-src none="true" />
    <frame-ancestors none="true" />
    <report-uri enableBuiltinHandler="true"/>
  </content-Security-Policy-Report-Only>
</securityHttpHeaders>

Configure Exceptionless

If you do not have an account on Exceptionless already head on to Exceptionless and create a free account and add a “Project”.

Follow the instructions and select your project type (ASP.NET MVC), and make sure to update the
exceptionless apiKey="API_KEY_HERE" section in the project's web.config with your Exceptionless API key.

Add logging to Exceptionless

So we now have CSP configured along with Exceptionless and a corresponding "project" in Exceptionless.
To complete the logging part in code we need to add this handler to Global.asax.cs:

using System.Linq;
using Exceptionless;
using NWebsec.Csp;   // CspViolationReportEventArgs and the report types

// ASP.NET wires this up by name (ModuleName_EventName) when it is declared in Global.asax.cs;
// NWebsecHttpHeaderSecurityModule raises CspViolationReported for every report it receives.
protected void NWebsecHttpHeaderSecurityModule_CspViolationReported(object sender, CspViolationReportEventArgs e)
{
    var report = e.ViolationReport;
    // "violated-directive" carries the whole directive, e.g. "script-src 'self'";
    // keep only the directive name so Exceptionless can group the log messages by it.
    var directive = report.Details.ViolatedDirective.Split(' ').FirstOrDefault();

    ExceptionlessClient.Default.CreateLog($"ContentSecurityPolicy:{directive}",
            $"Violation:{report.Details.BlockedUri}", Exceptionless.Logging.LogLevel.Warn)
        .AddObject(report.Details)   // attach the full report (document-uri, original-policy, ...) as extended data
        .Submit();
}

Run your application, open Exceptionless in a new tab, log in and view the "Log messages" folder.
Exceptionless Log Messages

and when you use the detailed view you get the entire post details:
Exceptionless log detail view

Now we can start adding the necessary sources to the config, rerun the application and verify that the violations are gone. This is a great way to learn what is actually being loaded by your application, as well as a very efficient security practice that stops e.g. spyware/adware in the user's browser from injecting content into your application on the client side.

For this sample MVC app the required configuration is:

<securityHttpHeaders>
  <content-Security-Policy-Report-Only enabled="true">
    <default-src none="true"/>
    <script-src self="true">
      <add source="ajax.googleapis.com"/>
      <add source="ajax.aspnetcdn.com"/>
      <add source="cdn.rawgit.com"/>
    </script-src>
    <style-src unsafeInline="true" self="true" />
    <img-src self="true"/>
    <object-src none="true" />
    <media-src none="true" />
    <frame-src none="true" />
    <font-src self="true" />
    <form-action self="true"/>
    <connect-src self="true" />
    <frame-ancestors none="true" />
    <report-uri enableBuiltinHandler="true"/>
  </content-Security-Policy-Report-Only>
</securityHttpHeaders>

This post has a good intro to CSP and MVC:
An introduction to Content Security Policy – Mike West

You may still see a violation from the Visual Studio Browser Link, as it injects a script from localhost on an arbitrary port number during development.
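The triage step above, going from a pile of violation reports to the sources that need adding per directive, can be automated. The following Python script is an added example written for this post; it is not part of the NWebsec or Exceptionless projects. It parses report bodies in the browser's csp-report JSON shape (the same reports the built-in handler receives), counts (directive, source) pairs, maps keyword values such as "inline" to the matching source expression, treats a blocked host equal to the document host as 'self', and filters out the localhost Browser Link noise mentioned above. All hosts, paths and ports in the sample reports are constructed.

```python
"""Aggregate CSP violation reports into a suggested allow-list per directive."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports in the "csp-report" JSON shape browsers POST to
# report-uri. Hosts, paths and ports are made up for illustration; they are
# not reports captured from the article's project.
_SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://app.example/",
                    "violated-directive": "script-src 'self'",
                    "effective-directive": "script-src",
                    "blocked-uri": "https://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"}},
    {"csp-report": {"document-uri": "https://app.example/Home/About",
                    "violated-directive": "script-src 'self'",
                    "effective-directive": "script-src",
                    "blocked-uri": "https://ajax.googleapis.com/ajax/libs/jquery-ui/ui.min.js"}},
    {"csp-report": {"document-uri": "https://app.example/",
                    "violated-directive": "style-src 'self'",
                    "effective-directive": "style-src",
                    "blocked-uri": "inline"}},
    # Fallback to default-src 'none': the violated directive is default-src,
    # but effective-directive names the fetch directive that needs a source.
    {"csp-report": {"document-uri": "https://app.example/",
                    "violated-directive": "default-src 'none'",
                    "effective-directive": "font-src",
                    "blocked-uri": "https://app.example/fonts/glyphs.woff"}},
    # Visual Studio Browser Link injecting a script from an arbitrary localhost port.
    {"csp-report": {"document-uri": "https://app.example/",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "http://localhost:64321/browserLink"}},
]
SAMPLE_BODIES = [json.dumps(r) for r in _SAMPLE_REPORTS]

# blocked-uri values that are keywords rather than URLs, and the CSP source
# expression that would permit them.
_KEYWORD_SOURCES = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'",
                    "data": "data:", "blob": "blob:", "self": "'self'"}
_DEV_HOSTS = {"localhost", "127.0.0.1", "::1"}


def directive_of(details):
    """Directive to configure: prefer effective-directive, else the first
    token of violated-directive (the same split the Global.asax handler does)."""
    effective = details.get("effective-directive")
    if effective:
        return effective
    return details.get("violated-directive", "").split(" ")[0]


def source_for(blocked_uri, document_uri):
    """Map a blocked-uri to the source expression that would allow it."""
    if blocked_uri in _KEYWORD_SOURCES:
        return _KEYWORD_SOURCES[blocked_uri]
    blocked, document = urlsplit(blocked_uri), urlsplit(document_uri)
    if not blocked.netloc:          # empty or an unexpected token
        return blocked_uri or "(empty)"
    if blocked.netloc == document.netloc:
        return "'self'"
    return blocked.netloc           # host, or host:port for a non-default port


def is_dev_noise(blocked_uri):
    """Reports caused by local tooling (Browser Link) rather than by the app."""
    return urlsplit(blocked_uri).hostname in _DEV_HOSTS


def summarize(bodies, ignore_dev=True):
    """Count (directive, source) pairs across raw JSON report bodies."""
    counts = Counter()
    for body in bodies:
        details = json.loads(body).get("csp-report", {})
        blocked = details.get("blocked-uri", "")
        if ignore_dev and is_dev_noise(blocked):
            continue
        source = source_for(blocked, details.get("document-uri", ""))
        counts[(directive_of(details), source)] += 1
    return counts


def suggested_allowlist(bodies, ignore_dev=True):
    """Directive -> list of sources to add, most frequently reported first."""
    per_directive = {}
    for (directive, source), _n in summarize(bodies, ignore_dev).most_common():
        per_directive.setdefault(directive, []).append(source)
    return per_directive


if __name__ == "__main__":
    for directive, sources in suggested_allowlist(SAMPLE_BODIES).items():
        print(f"{directive}: {' '.join(sources)}")
```

Run it over the bodies you export from the Exceptionless log messages (or from any other report-uri sink) and the output reads like the config above: one line per directive with the sources to add. Keep ignore_dev=True while developing so Browser Link does not end up in the allow-list; review the 'unsafe-inline' suggestions by hand, since moving inline styles or scripts into files is usually the better fix than allowing them.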

I hope this inspired you to start using Exceptionless for logging purposes. We use it when introducing CSP and setting the baseline for our web application and found it very useful. After the baseline was set we also get to see how much adware/spyware there is out there.

There is a lot more you can do with NWebsec to strengthen the security of your website, so if you are not using it already I recommend taking a deeper look at this library.

Reference links:

– Exceptionless
– NWebsec docs – Configuring CSP
– NWebsec Demo
– An introduction to Content Security Policy – Mike West
– CSP – Mozilla Developer Network
– Content Security Policy (CSP) for ASP.NET MVC – Muhammad Rehan Saeed
