Content Security Policy as malware detector

Content Security Policy not only protects websites that use it, but also to some extent helps in detecting malware and adware programs installed on client computers. A while ago I have built CspBuilder.info website that collect CSP report sent from websites that use it. The main purpose was to automate debugging and fine-tuning of CSP on production websites, but soon it became apparent that the reports are getting clogged with rejected content that never appeared on the original website.

The explanation for that is that end user browsers are frequently equipped with a wide range of 3^rd software that perform various HTTP requests to 3^rd sites when their users browse legitimate websites — and these 3^rd requests are reported by CSP.

• Browser add-ons. Adware and spyware add-ons will attempt to inject HTML content into currently viewed website's HTML content. If the website is using CSP, the browser will reject 3^rd party content loaded this way. Examples: LuckyLeap, ShopperPro, PC Gizmos, Ciuvo.
• Wireless access points, hot-spots and other paid Internet gateways. When not paid, they typically capture HTTP requests and redirect them to operator's gateway for registration and payment. If the user runs a browser with previously opened websites, they might attempt to refresh some of the dynamic content. As these requests will be redirected to 3^rd URLs, CSP will block them. Examples: a433.com. </ul> Here's a sample of what I have seen and identified so far:

  Type	Domains
  Wifi injected	http://a433.com http://1.1.1.1
  Spyware/Adware	http://static.luckyleap.net http://54.221.210.134 (ShopperPro) www.pc-gizmos-ssl.com p.txtsrving.info Ciuvo http://anchorfree.net https://api.jollywallet.com
  Browser plugins	safari-extension://com.wotservicesoy.wot-ff6ww26hl3 safari-extension://com.evernote.safari.clipper-q79wdw8yh9 chromeinvoke://a098026cb201305a98195dde02da3806 </table> If you have some malware infected clients, you can experiment with CSP detection by pointing them to CspBuilder.info and then reviewing the resulting reports at this page.