Most of our detection algorithms are implemented in a JavaScript plugin system, which runs seamlessly on all supported platforms. A plugin method is called when a specific checkpoint is triggered in the agent, e.g. SQL query, directory listing, file read/write/remove/include, file upload, WebDAV, XML loading, OGNL execution, command execution, deserialization, HTTP request.
A plugin should be placed in the following directory:
Java / Scala / Kotlin / Clojure / JS / TS agents: <app_home>/rasp/plugins
PHP / .NET / Python agents: <rasp_rootdir>/rasp/plugins
The Java agent monitors the plugin directory, so a plugin is loaded/unloaded immediately when you add/remove it. Only files with the .js extension are accepted.
A minimal plugin looks like the following ('use strict' has to be the first statement of the file, otherwise the directive has no effect):

    'use strict'

    // Plugin metadata: version string and plugin name
    const plugin_version = '2018-1000-1000'
    const plugin_name = 'test-plugin'

    var plugin = new RASP(plugin_name)

    // Default verdict: let the request through without logging it
    const clean = {
        action: 'ignore',
        message: 'Looks fine to me',
        confidence: 0
    }

    // Called by the agent every time an SQL query is about to be executed
    plugin.register('sql', function (params, context) {
        plugin.log('SQL query: ' + params.query)
        return clean
    })

    plugin.log('plugin-demo: plugin loaded')
In the example above,
- We registered a callback with plugin.register. The agent passes in two parameters:
  - params: checkpoint parameters (the complete SQL query, the filename to read, ...)
  - context: the current HTTP request (parameters, headers, URL, ...)
- We logged the SQL query to rasp/logs/plugin.log
- We didn't block the request in the callback. Supported actions are:
  - block: block and redirect the request
  - log: log the request and let it go
  - ignore: ignore the request and don't log it
Available checkpoints and parameters
SQL query

    type = sql
    params = {
        "server": "mysql / oracle / pgsql / mssql / sqlite",
        "query": "select * from users"
    }

Reading directory contents

    type = directory
    params = {
        "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/",
        "realpath": "/etc/",
        "stack": [
            "java.lang.ProcessBuilder.start",
            "sun.reflect.NativeMethodAccessorImpl.invoke0",
            "sun.reflect.NativeMethodAccessorImpl.invoke",
            "sun.reflect.DelegatingMethodAccessorImpl.invoke",
            ...
        ]
    }

Reading files

    type = readFile
    params = {
        "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/hosts",
        "realpath": "/etc/hosts"
    }

Writing files

    type = writeFile
    params = {
        "path": "abc.jsp",
        "realpath": "/home/tomcat/webapps/ROOT/abc.jsp",
        "stack": [ ... ]
    }

Including files

    # Java include
    type = include
    params = {
        url: "file:///etc/passwd",
        function: "jstl_import",
        realpath: "/etc/passwd"
    }

    # PHP include
    type = include
    params = {
        url: "/home/webroot/footer/../../../../../../../../../etc/passwd",
        function: "require_once",
        realpath: "/etc/passwd"
    }

WebDAV requests (Java only)

    type = webdav
    params = {
        "source": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.txt",
        "dest": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.jsp"
    }

File uploading

    type = fileUpload
    params = {
        "name": "file",
        "filename": "a.jsp",
        "content": "<% ... %>"
    }

Renaming files

    type = rename
    params = {
        "source": "/var/www/html/uploads/hello.txt",
        "dest": "/var/www/html/uploads/hello.php"
    }
Command execution

    type = command
    params = {
        "stack": [
            "java.lang.ProcessBuilder.start",
            "sun.reflect.NativeMethodAccessorImpl.invoke0",
            "sun.reflect.NativeMethodAccessorImpl.invoke",
            "sun.reflect.DelegatingMethodAccessorImpl.invoke",
            ...
        ],
        "command": "/bin/sh -c 'whoami; ls; '"
    }
Loading XML entities

    type = xxe
    params = {
        "entity": "file:///etc/passwd"
    }

OGNL execution

    type = ognl
    params = {
        "expression": "_memberAccess"
    }

Deserialization

    type = deserialization
    params = {
        "clazz": "InvokerTransformer"
    }
HTTP request

    type = ssrf
    params = {
        "url": "http://0x7f.0x0.0x0.0x1:8080/v1/api/get",
        "hostname": "0x7f.0x0.0x0.0x1",
        "ip": ["1.1.1.1", "2.2.2.2"],
        "port": "8080",
        "function": "commons_http_client"
    }
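A fuller plugin that puts the checkpoint parameters above to work, written here as an added example and not code from the original page or the project: it registers callbacks for readFile, directory, fileUpload and ssrf and returns either a block verdict or the clean verdict from the minimal plugin. The RASP class at the top is a stand-in for the agent's global object (assumed to expose register() and log() exactly as the minimal plugin uses them) so the file also runs under plain Node.js; dispatch(), runSamples(), the sample parameters, the sensitive-path list and the plugin name/version are constructed for this example.

```javascript
'use strict'

// Stand-in for the agent's global RASP object so the plugin runs offline.
// Assumption: the real agent supplies RASP with register() and log(); this shim
// only records callbacks and log lines, and dispatch() is a test helper.
class RASP {
  constructor (name) { this.name = name; this.handlers = {}; this.logs = [] }
  register (type, fn) { this.handlers[type] = fn }
  log (msg) { this.logs.push(msg) }
  dispatch (type, params, context) {
    const fn = this.handlers[type]
    return fn ? fn(params, context || {}) : clean
  }
}

const plugin_version = '2021-0000-0001'              // hypothetical version
const plugin_name = 'traversal-upload-ssrf-demo'     // hypothetical name
const plugin = new RASP(plugin_name)

const clean = { action: 'ignore', message: 'Looks fine to me', confidence: 0 }
const block = (message, confidence) => ({ action: 'block', message, confidence })

// readFile / directory: compare the raw path with the resolved realpath. A path
// that climbs with several '..' segments and resolves into a sensitive tree
// outside the web root is treated as traversal. Prefix list is an assumption.
const SENSITIVE = ['/etc/', '/proc/', '/root/']
function checkTraversal (params, context) {
  const raw = params.path || ''
  const real = params.realpath || ''
  const climbs = raw.split(/[\\/]+/).filter(s => s === '..').length
  if (climbs >= 2 && SENSITIVE.some(p => real.startsWith(p))) {
    plugin.log('traversal ' + raw + ' -> ' + real + ' url=' + (context.url || '-'))
    return block('Path traversal to ' + real, 90)
  }
  return clean
}
plugin.register('readFile', checkTraversal)
plugin.register('directory', checkTraversal)

// fileUpload: block server-side script extensions regardless of declared type.
const SCRIPT_EXT = /\.(jspx?|php\d?|phtml|aspx?|ashx)$/i
plugin.register('fileUpload', function (params, context) {
  if (SCRIPT_EXT.test(params.filename || '')) {
    return block('Upload of server script ' + params.filename, 85)
  }
  return clean
})

// ssrf: the agent passes the hostname as written plus the resolved IPs. Parse
// dotted numeric hosts in decimal, 0x hex or leading-0 octal form so that
// 0x7f.0x0.0x0.0x1 and 0177.0.0.1 both normalise to 127.0.0.1 first.
function parseNumericIPv4 (host) {
  const parts = String(host).split('.')
  if (parts.length > 4) return null
  const nums = []
  for (const p of parts) {
    if (/^0x[0-9a-f]+$/i.test(p)) nums.push(parseInt(p, 16))
    else if (/^0[0-7]+$/.test(p)) nums.push(parseInt(p, 8))
    else if (/^[0-9]+$/.test(p)) nums.push(parseInt(p, 10))
    else return null
  }
  let value = 0
  for (let i = 0; i < nums.length - 1; i++) {
    if (nums[i] > 255) return null
    value = value * 256 + nums[i]
  }
  const tailBytes = 4 - (nums.length - 1)          // last part may span bytes
  const last = nums[nums.length - 1]
  if (last >= Math.pow(256, tailBytes)) return null
  value = value * Math.pow(256, tailBytes) + last
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255]
}
function isInternal (o) {
  return o[0] === 127 || o[0] === 10 || o[0] === 0 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254)
}
plugin.register('ssrf', function (params, context) {
  const candidates = [params.hostname].concat(params.ip || [])
    .map(parseNumericIPv4).filter(Boolean)
  const hit = candidates.find(isInternal)
  if (hit) return block('SSRF to internal address ' + hit.join('.') + ' via ' + params.url, 80)
  return clean
})

plugin.log('plugin-demo: plugin loaded')

// Constructed sample checkpoint parameters, shaped like the documented ones,
// so the callbacks can be exercised without an agent.
function runSamples () {
  const ctx = { url: '/mywar/view?file=../../../../../../../../../etc/hosts' }
  return {
    readFile: plugin.dispatch('readFile', {
      path: '/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/hosts',
      realpath: '/etc/hosts' }, ctx),
    readFileOk: plugin.dispatch('readFile', {
      path: '/home/servers/tomcat/webapps/mywar/WEB-INF/web.xml',
      realpath: '/home/servers/tomcat/webapps/mywar/WEB-INF/web.xml' }, ctx),
    upload: plugin.dispatch('fileUpload', { name: 'file', filename: 'a.jsp', content: '<% %>' }, ctx),
    ssrfHex: plugin.dispatch('ssrf', { url: 'http://0x7f.0x0.0x0.0x1:8080/v1/api/get',
      hostname: '0x7f.0x0.0x0.0x1', ip: ['1.1.1.1', '2.2.2.2'], port: '8080',
      function: 'commons_http_client' }, ctx),
    ssrfPublic: plugin.dispatch('ssrf', { url: 'https://example.com/',
      hostname: 'example.com', ip: ['93.184.216.34'], port: '443' }, ctx)
  }
}
```

To deploy the file under the agent, delete the RASP shim class (the agent defines that global itself) and the runSamples() harness, then drop the .js file into the plugin directory listed above; the verdict objects and the register()/log() calls are the only parts the agent needs. Note that the traversal check relies on the agent's realpath, not on the raw path alone, which is what defeats encoding tricks in the path segments.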
COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.