Cover Scene Description

1. Database: SQL injection

Covering the scene:

SQL injection from GET, POST, Header, JSON, Multipart and other parameters
Other types of SQL injection, such as secondary injection, RPC interface SQL injection

Coverage type:

Blind injection, UNION injection, time difference injection, error injection, multi-statement injection
SQL exception monitoring: such as syntax errors, password errors

2. Database: slow query (moved to APM)

Explanation: When obtaining data in SQL, it is more difficult to obtain SQL statements at the same time. At present, this detection point has been abandoned. In addition, we cannot distinguish between network time and SQL execution time, and it is difficult to confirm whether slow queries are really slow queries. This feature was moved to APM module

Expect to cover the scene

SELECT statement takes longer than N seconds
SELECT statement reads more than N data at a time (easy to false positive, such as data export)

3. Arbitrary file upload

Overlay scene

Upload script files by HTTP PUT, such as CVE-2017-12615
HTTP PUT + MOVE method, upload ordinary file first, and then rename it to script file
Upload script files using standard multipart
- Supports Java struts, spring, common.io and other frameworks
- Support PHP$_FILESway
- Support .NET

4. Download sensitive files, read arbitrary files

Overlay scene

Using any file download vulnerability, try to jump out of the web directory to download system files, eg/download.jsp?path=/../././//./.././/../../etc/hosts
Sensitive files such as .tar / .sql / .log / ... exist under PHP webroot (only baseline detection, no interception)
Executable files (Linux, Windows or Mac)

5. File directory listing

Overlay scene

Using PHP WebShell to view the file directory of the server
Enableddirectory indexso that users can directly see files in a directory (this check is not enabled by default)
Use../won other variations out of the current directory, view other contents of the directory
Enable directoryBrowse enabled="true" in Web.Config (.NET)

6. Scanner detection behavior

Explanation: In most cases, the discovery of scanner behavior does not indicate a vulnerability. This feature is not in line with the original intention of RASP, so we turn off this feature by default., but you can configure to enable it

Overlay scene

Use well-known scanners to detect website vulnerabilities, such as SQLMap, WVS, and more

7. CSRF

Description

IAST is able to detect CSRF. Even RASP can protect from CRSF, such vulnerabilities should be completed by the development framework. RASP can be implemented by inserting JS, that is, monitoring form creation in JS, inserting csrf token, and performing token verification on the server.

Overlay scene

Useimg/video/frame/.., etc., trigger type GET CSRF
Form automatic submission
XHR submission form

Overlay scene

Modify cookies to gain administrator rights

9. CRLF

Explanation: Most of the HTTP header CRLF injection vulnerabilities have been fixed at the API level; however, it still exists in some non-HTTP protocols, such as the recently released Java/Scala/Kotlin/Clojure FTP protocol CRLF injection.

Overlay scene

When setting the HTTP header or processing other TCP streams (such as the FTP protocol), insert newlines

10. XXE

Explanation: PHP cannot hook xml detection points, it is only supported in JAVA/Scala/Kotlin/Clojure, Node.js and .NET

Overlay scene

Byorg.apache.xercesreference to an external entity
- Accessftp/dict/gopher/expect/..and other less common protocol to implement OOB attack
- Usefileprotocol to read sensitive documents

11. Deserialization Vulnerability

Overlay scene

Java/Scala/Kotlin/Clojure
- fastjson
- transformer
- xstream (such as S2-052)
- ... (Other unknown types, see the detection plugin command_reflect algorithm for details)
PHP
- To be sorted
.NET
- Not vulnerable

12. Struts OGNL code execution

Overlay scene

Struts OGNL Series All Code Execution Vulnerability
OGNL statement injection attack

13. WebShell behavior

Overlay scene

Accessing the database using SQL Manager
Download sensitive files using file manager
Use a Chinese kitchen knife to execute commands
... Other unknown types, see the detection plugin webshell_reflect algorithm for details)

14. Remote command execution

Overlay scene

UseRuntime.exec()the class command execution
Usesystem/passthru/shell_exec/proc_open/pcntl_exec/..other functions execute command
Execute commands through deserialization, etc.

15. Command injection

Overlay scene

Use&,|,;and other symbols cut, splice command
$(xxx)Inject commands using, backticks, etc.
Syntax error during command injection attack

16. XSS: Reflected

Overlay scene

Output GPC directly using PHP echo function
User input content with HTML tags and output directly to the page

17. XSS: Stored

Overlay scene

Backstage Blind

18. LDAP injection [commercial version only]

Overlay scene

Modify LDAP query logic by injection

19. DOS: Regex Group Attack

Overlay scene

Common Regex DoS attacks, eg(a+)+,(a|aa)+

20. Printing sensitive log information

Overlay scene

Use log4j, java.util.logging or Log4Net to print sensitive information such as ID cards, bank cards, credit cards, etc.
HTTP response (html / json / xml / etc.) returned uncoded sensitive information

21. File contains

Overlay scene

PHP useinclude|include_once|require|require_onceand other ways, including log, pictures, text files, etc.
Java uses jstl to include files
ASP/ASP.NET include

22. NTLM Information Disclosure Attack

Overwrite scene (Windows only)

MySQL DNS way off
Use302 redirection
file/smb/scp
leak NTLM key

23. SSRF

Overlay scene

Bypass
- Use10.10.10.10.xip.io / *.vcap.meand other network resources within a known domain names
- Use 302 redirection to access resources in the file: /// domain
- Try to obfuscate the destination address of the visit, and it is the internal IP, eghttp://0x7f001, http://0x7f.0x0.0x0.0x1
- Access reserved address, eghttp://0/
Common scenarios
- Try to access aws metadata, eghttp://169.254.169.254/latest/meta-data/
- Try to access a known echo service, eg*.burpcollaborator.net, requestb.in
- Try to usegopher://,dictetc. uncommon protocols
- (Java) Use JSTL import to access intranet resources

24. Asset weakness identification

Overlay scene

Collect composer / pom / Web.Config information
Using a 3rd-party library with known vulnerabilities

25. Background Blasting Identification

Overlay scene

Background explosion without verification code

1. Database: SQL injection

2. Database: slow query (moved to APM)

3. Arbitrary file upload

4. Download sensitive files, read arbitrary files

5. File directory listing

6. Scanner detection behavior

7. CSRF

8. Cookie tampering

9. CRLF

10. XXE

11. Deserialization Vulnerability

12. Struts OGNL code execution

13. WebShell behavior

14. Remote command execution

15. Command injection

16. XSS: Reflected

17. XSS: Stored

18. LDAP injection [commercial version only]

19. DOS: Regex Group Attack

20. Printing sensitive log information

21. File contains

22. NTLM Information Disclosure Attack

23. SSRF

24. Asset weakness identification

25. Background Blasting Identification