Skip to content
Copyright Johan Kronberg 2009-2024 Latest posts RSS feed X: johankronberg LinkedIn Profile GitHub: krompaco
Solving problems
and sharing knowledge
on computer stuff. Hopefully helping out by blogging. Since 2009.

Using SQL to identify embedded resources for your CMS site's CSP

It's good practice these days to add a Content Security Policy and couple it with the consent dialog. Both should include all third parties a site might have embedded.

But especially if being too relaxed in the past and allowing for example a generic HTML block or similar; it's hard to overview and easy to miss external embedded resources that might reside in the content database.

Putting together a CSP and activating it in content-security-policy-report-only mode is a good way to start but I thought it also valuable to try to extract possible embeddings from CMS content.

To work in a more direct fashion I figured that using SQL queries would be nice.

This probably might have some holes but I thought that looking for src="// and src="http in LongString-based properties should give decent coverage.

A Stack Overflow answer from Darka had a smart function to involve so after downloading the production database from the self-service portal I added that function to my local copy.

I only needed to do a small modification to the extraction pattern to look for // only.

CREATE FUNCTION dbo.getLinksFromText (@Tekstas NVARCHAR(MAX))
RETURNS @Data TABLE(TheLink NVARCHAR(500))
AS
BEGIN
    DECLARE @FirstIndexOfChar INT,
            @LastIndexOfChar INT,
            @LengthOfStringBetweenChars INT,
            @String VARCHAR(MAX)

    SET @FirstIndexOfChar = CHARINDEX('//', @Tekstas, 0)

    WHILE @FirstIndexOfChar > 0
    BEGIN

        SET @String = ''
        SET @LastIndexOfChar = CHARINDEX('/', @Tekstas,@FirstIndexOfChar+7)
        SET @LengthOfStringBetweenChars = @LastIndexOfChar - @FirstIndexOfChar + 1

        SET @String = SUBSTRING(@Tekstas, @FirstIndexOfChar, @LengthOfStringBetweenChars)
        INSERT INTO @Data (TheLink) VALUES (@String);

        SET @Tekstas = SUBSTRING(@Tekstas, @LastIndexOfChar, LEN(@Tekstas))
        SET @FirstIndexOfChar = CHARINDEX('//', @Tekstas, 0)
    END

    RETURN
END

All results query

SELECT fkContentID, LongString, Extracted.*
FROM tblContentProperty
OUTER APPLY dbo.getLinksFromText(LongString) as Extracted
WHERE LongString LIKE '%src="http%'
OR LongString LIKE '%src="//%'
OR LongString LIKE '%src=http%'
OR LongString LIKE '%src=//%'
ORDER BY fkContentID

This gave me a good amount of rows with the property value included.

All results example

fkContentID LongString TheLink
202732 <iframe src="https://www.youtube-nocookie.com/embed/qda .. //www.youtube-nocookie.com/

Distinct results query

I also complemented the full report with a listing of the distinct host names.

SELECT DISTINCT TheLink FROM (
    SELECT fkContentID, Extracted.*
    FROM tblContentProperty
    OUTER APPLY dbo.getLinksFromText(LongString) as Extracted
    WHERE LongString LIKE '%src="http%'
    OR LongString LIKE '%src="//%'
    OR LongString LIKE '%src=http%'
    OR LongString LIKE '%src=//%'
) AS tbl
ORDER BY TheLink

Distinct results example

TheLink
//www.facebook.com/
//www.youtube-nocookie.com/

Comments?

Published and tagged with these categories: Optimizely, CMS, Microsoft SQL Server