(c) 2019 Fred Morris Tacoma WA USA. Apache Licence
This is a very simple Proof of Concept demonstrating how to use a Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to silently audit all assets loaded by a web page. I'm not saying you should do this, just that you can. Given that we're talking about the internet, somebody probably is doing it. Think of it as an illustration of unintended consequences.
- You're using the Apache web server.
- The Apache icons directory is served from
icons/on the server. - Apache directive
*.conffiles can be installed in/etc/apache2/vhosts.d/. - You are installing under
/srv/www/. -
- CGI will be installed in
/srv/www/csp/.
- CGI will be installed in
-
- Data (log) directory will be created as
/srv/www/data/.
- Data (log) directory will be created as
- Uses the fully qualified domain name
does-not-exist.m3047as a domain name which should not exist! - You have
rootaccess. python3is located at/usr/bin/python3.bashis/bin/bash(needed to run the installation script).- This is a throwaway Apache context. (Use a throwaway VM.)
The following Python3 modules are installed:
wsgirefjsonflask
Edit the file install.sh and note the symbols defined at the beginning. Change any that
need changing, in particular note:
WWW_USERCGI_DIRECTORYDATA_DIRECTORY
This POC was originally developed on SuSE Leap 15.0. For Debian:
- You may need to create the
/srv/wwwdirectory. - You may need to run
a2enmod cgito enable CGI.
NOTE: if you change DATA_DIRECTORY you will need to edit csp.py and if you change CGI_DIRECTORY
you will need to edit csp.conf.
Run ./install.sh as root. Now restart Apache, e.g. systemctl restart apache2.
You should now be able to hit /csp/ (note the trailing slash) on the server
and the IMG load should be logged to $DATA_DIRECTORY/log.json.