Skip to content

Instantly share code, notes, and snippets.

@oreoshake

oreoshake/gist:f27e3678ddca4d4a8fa9

Last active November 10, 2021 22:15
Show Gist options
  • Save oreoshake/f27e3678ddca4d4a8fa9 to your computer and use it in GitHub Desktop.
Save oreoshake/f27e3678ddca4d4a8fa9 to your computer and use it in GitHub Desktop.
Download ZIP
Splunk query for mixed content in CSP reports
Raw
gistfile1.txt
A csp report looks like
{
"csp-report": {
"document-uri": "http://example.org/page.html",
"referrer": "http://evil.example.com/haxor.html",
"blocked-uri": "http://evil.example.com/image.png",
"violated-directive": "default-src 'self'",
"original-policy": "default-src 'self'; report-uri http://example.org/csp-report.cgi"
}
}
Throw away the outer "csp-report". Setup a splunk input, set type to json. Run query.
"document-uri"=https* "blocked-uri"=http://* | rex field="blocked-uri" "https?://(?<blocked_host>.*)" | top blocked_host
Fix mixed content.
@kumar303
Copy link

I figured out how to parse the payload into JSON. This queries csp-report POSTs, uses rex to isolate the JSON, uses spath to access some interesting JSON values, and puts it in a table...

index=* http_method="POST" "/csp-report*string-for-the-report-I-want"
| rex field=payload "csp-report=(?<raw_csp_report>.+)"
| spath input=raw_csp_report output=document_uri extra-fields.document-uri.host
| spath input=raw_csp_report output=user_agent client_info.user_agent
| spath input=raw_csp_report output=effective_directive csp-report.effective-directive
| table document_uri, effective_directive, user_agent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment