Content Security Policy as malware detector

Content Security Policy not only protects the websites that use it but also, to some extent, helps detect malware and adware installed on client computers.

A while ago I built the CspBuilder.info website, which collects CSP reports sent from websites that use it. The main purpose was to automate debugging and fine-tuning of CSP on production websites, but it soon became apparent that the reports were getting clogged with rejected content that never appeared on the original website.

The explanation is that end-user browsers are frequently equipped with a wide range of third-party software that performs various HTTP requests to third-party sites while users browse legitimate websites, and these third-party requests are reported by CSP.

  • Browser add-ons. Adware and spyware add-ons will attempt to inject HTML content into the currently viewed website's HTML. If the website is using CSP, the browser will reject third-party content loaded this way. Examples: LuckyLeap, ShopperPro, PC Gizmos, Ciuvo.
  • Wireless access points, hot-spots and other paid Internet gateways. When access has not been paid for, they typically capture HTTP requests and redirect them to the operator's gateway for registration and payment. If the user runs a browser with previously opened websites, those pages might attempt to refresh some of their dynamic content. As these requests will be redirected to third-party URLs, CSP will block them. Examples: a433.com.

Here's a sample of what I have seen and identified so far:

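| Type | Domains |
|---|---|
| Wifi injected | http://a433.com |
| Wifi injected | http://1.1.1.1 |
| Spyware/Adware | http://static.luckyleap.net |
| Spyware/Adware | http://54.221.210.134 (ShopperPro) |
| Spyware/Adware | www.pc-gizmos-ssl.com |
| Spyware/Adware | p.txtsrving.info |
| Spyware/Adware | Ciuvo |
| Spyware/Adware | http://anchorfree.net |
| Spyware/Adware | https://api.jollywallet.com |
| Browser plugins | safari-extension://com.wotservicesoy.wot-ff6ww26hl3 |
| Browser plugins | safari-extension://com.evernote.safari.clipper-q79wdw8yh9 |
| Browser plugins | chromeinvoke://a098026cb201305a98195dde02da3806 |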
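
An added example, not code from CspBuilder.info: a collector-side triage pass that labels each CSP report by its `blocked-uri` using the entries in the table above, so reports caused by client-side software can be separated from violations that need policy tuning. The label names, the `site-policy` fallback and the sample reports (including the `shop.example` site) are assumptions made for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Seed lists copied from the table above; extend them from your own reports.
EXTENSION_SCHEMES = {"safari-extension", "chromeinvoke"}
GATEWAY_HOSTS = {"a433.com", "1.1.1.1"}
ADWARE_HOSTS = {"static.luckyleap.net", "54.221.210.134", "www.pc-gizmos-ssl.com",
                "p.txtsrving.info", "anchorfree.net", "api.jollywallet.com"}

def classify(report):
    """Label one parsed CSP violation report by the origin of its blocked-uri."""
    body = report.get("csp-report") if isinstance(report, dict) else None
    if not isinstance(body, dict):
        return "malformed"
    blocked = str(body.get("blocked-uri", ""))
    try:
        # Bare hosts such as "p.txtsrving.info" need "//" to parse as a netloc.
        parts = urlsplit(blocked if "://" in blocked else "//" + blocked)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "malformed"
    if parts.scheme in EXTENSION_SCHEMES:
        return "browser-plugin"
    if host in GATEWAY_HOSTS:
        return "wifi-injected"
    if host in ADWARE_HOSTS:
        return "spyware-adware"
    return "site-policy"  # assumed label: left for normal CSP tuning

def triage(raw_bodies):
    """Count labels over raw JSON report bodies as a collector receives them."""
    counts = Counter()
    for raw in raw_bodies:
        try:
            counts[classify(json.loads(raw))] += 1
        except json.JSONDecodeError:
            counts["malformed"] += 1
    return counts

# Constructed sample reports; shop.example is a placeholder site.
SAMPLE = [
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "script-src", "blocked-uri": "http://static.luckyleap.net"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "script-src", "blocked-uri": "safari-extension://com.evernote.safari.clipper-q79wdw8yh9"}}',
    '{"csp-report": {"document-uri": "https://shop.example/cart", "violated-directive": "img-src", "blocked-uri": "http://a433.com"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "frame-src", "blocked-uri": "p.txtsrving.info"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "style-src", "blocked-uri": "https://cdn.shop.example"}}',
    'not a json body',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
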

If you have some malware-infected clients, you can experiment with CSP detection by pointing them to CspBuilder.info and then reviewing the resulting reports at this page.