Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Application Insights security and spoofing

Tags:

This may be a silly question but is client side application insights safe from spoofing? Microsoft ask you to add a bit of JavaScript to your HTML page that needs recording and part of this contains a hard coded instrumentation key (not a real key below!):

instrumentationKey: "3D486E8C-BDEF-43AB-B27A-9D3F9D42EC14"

There doesn't seem to be any other relationship between Url and key or any mechanism to prevent spoofing of this key client side (i.e. randomly generating the key with different numbers and submitting the page).

This wouldn't cause any damage, but it would be annoying to the receiver of the incorrect monitoring data, which may well be all someone wants to do "because they can".

Have I missed something fundamental as to why this is not possible?

like image 381
GrahamB Avatar asked Jan 07 '15 09:01

GrahamB


People also ask

What does application Insight do?

Application Insights is an extension of Azure Monitor and provides Application Performance Monitoring (also known as “APM”) features. APM tools are useful to monitor applications from development, through test, and into production in the following ways: Proactively understand how an application is performing.

Does application Insights use log analytics?

Data ingestion and retention for workspace-based Application Insights resources are billed through the Log Analytics workspace where the data is located. To learn more about billing for workspace-based Application Insights resources, see Azure Monitor Logs pricing details.

How do I see exceptions in application Insights?

Open the Application Insights Search telemetry window in Visual Studio. While debugging, select the Application Insights dropdown box. Select an exception report to show its stack trace. To open the relevant code file, select a line reference in the stack trace.

Is app Insights connection string a secret?

Is the connection string a secret? The connection string contains an ikey, which is a unique identifier used by the ingestion service to associate telemetry to a specific Application Insights resource. It's not considered a security token or key.


2 Answers

This is absolutely correct that anyone can log misleading or garbage data to anyone’s AI account if they know the instrumentation key. This is also correct for most web other analytics systems: the request to log information is sent unauthenticated and anyone with sufficient skill can emulate a valid user data. The fact that AI has instrumentation key embedded on the page does not make it easier because anyone using web traffic monitor tool like Fiddler can still intercept and emulate the requests, even if instrumentation key was not embedded on the page. If you suspect that a malicious user will purposefully log misleading data using your AI key, you should use caution and validate if the data makes sense before making your business decisions, for example from how many users was the data obtained and over what period of time, and whether your client-side page view data matches the server-side requests data.

like image 111
Alex Bulankou Avatar answered Sep 20 '22 03:09

Alex Bulankou


While not exactly a duplicate, i believe the answer is pretty much the same as this one:

How does Google Analytics prevent traffic spoofing

AI doesn't know how or where you're using your key, so how would they know which traffic is legitimate and which is not?

like image 43
John Gardner Avatar answered Sep 20 '22 03:09

John Gardner