Active Scan
When the application server starts, a security configuration baseline check is performed. If security.enforce_policy is set to true and the configuration is found to be unsafe, a SecurityException is thrown and the application server is prevented from starting.
Alarms are printed in a fixed format; refer to the Security baseline check log section below for the log fields.
3001 - Session cookie httpOnly check
3002 - Process startup account check
3003 - Admin console weak password check
3004 - Unsafe default application check
3005 - Directory Listing check
3006 - Database connection account audit
3007 - JBoss HTMLAdaptor authentication check
3009 - Sensitive files in the web root directory
4001 - allow_url_include configuration audit
4002 - expose_php configuration audit
4003 - display_errors configuration audit
4004 - yaml.decode_php configuration audit
3001 - Session cookie httpOnly check
Supported servers
tomcat
Strategy description
Under the Tomcat server, check whether the httpOnly flag is enabled for the JSESSIONID cookie.
Once enabled, it gives some protection against XSS attacks and avoids some of the resulting problems.
Repair method
For Tomcat versions below 7, open $CATALINA_HOME/conf/context.xml, change useHttpOnly to true, and restart the application server.
3002 - Process startup account check
Supported servers
tomcat, jetty, jboss, resin, springboot and all other Java servers
Strategy description
Check the account the application server was started with. Starting with one of the following accounts is considered non-compliant with the security policy:
Linux: the root account
Windows: the Administrator or SYSTEM account
When the application server has a security vulnerability, running it under a high-privilege account brings greater risk; for example, an uploaded webshell obtains the highest privileges, or a Struts vulnerability directly yields root.
Repair method
Start the application server as a low-privilege user.
3003 - Admin console weak password check
Supported servers
tomcat
Strategy description
In Tomcat, check the users configured in $CATALINA_HOME/conf/tomcat-users.xml. A user that holds any of the admin, manager, admin-gui or manager-gui roles is considered an administrator. The password strength of every administrator user is then checked.
The current strategy is very simple: when the username and password are one of the following values, the password is considered weak:
both
tomcat
admin
123456
Repair method
Use strong passwords, eg more than 10 characters that include numbers, letters and special symbols.
3004 - Unsafe default application check
Supported servers
tomcat
Strategy description
In Tomcat, check whether the four default webapps ROOT, manager, host-manager and docs have been deleted.
The default applications leak sensitive information to some degree, or risk exposing the management console externally.
Repair method
Delete all four.
3005 - Directory Listing check
Supported servers
tomcat
Strategy description
In Tomcat, detect whether $CATALINA_HOME/conf/web.xml globally enables Directory Listing on the default servlet.
Enabling Directory Listing reveals the directory structure of the project and the version information of the server. The dangerous configuration is as follows:
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <!-- default servlet Directory Listing -->
        <param-name>listings</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
Repair method
Open $CATALINA_HOME/conf/web.xml and delete the init-param whose param-name is listings, or change its param-value to false.
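The three Tomcat file checks above (3001 on context.xml, 3003 on tomcat-users.xml and 3005 on web.xml) re-implemented as an added Python example; this is not the product's own code. It treats a missing useHttpOnly attribute as unsafe and a match of either the username or the password against the weak list as weak (both assumptions about the page's wording), and the XML inputs are constructed samples.

```python
import xml.etree.ElementTree as ET
# Administrator roles and weak values for policy 3003, as listed on this page.
ADMIN_ROLES = {"admin", "manager", "admin-gui", "manager-gui"}
WEAK_VALUES = {"both", "tomcat", "admin", "123456"}

def _local(el):
    return el.tag.split("}")[-1]  # drop the default namespace Tomcat's XML files declare
def _text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c) == name), "")

def check_3001(context_xml):
    """3001: Context must set useHttpOnly="true"; a missing attribute is assumed unsafe."""
    return ET.fromstring(context_xml).get("useHttpOnly", "").lower() == "true"

def check_3003(users_xml):
    """3003: administrator users whose username or password is a weak value."""
    weak = []
    for user in (e for e in ET.fromstring(users_xml).iter() if _local(e) == "user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        values = {user.get("username", "").lower(), user.get("password", "").lower()}
        if roles & ADMIN_ROLES and values & WEAK_VALUES:
            weak.append(user.get("username"))
    return weak

def check_3005(web_xml):
    """3005: True if the default servlet carries init-param listings=true."""
    for servlet in (e for e in ET.fromstring(web_xml).iter() if _local(e) == "servlet"):
        if _text(servlet, "servlet-name") != "default":
            continue
        for param in (c for c in servlet if _local(c) == "init-param"):
            if _text(param, "param-name") == "listings" and _text(param, "param-value").lower() == "true":
                return True
    return False

# Constructed sample configuration (not real server files) that trips all three checks.
CONTEXT_XML = '<Context useHttpOnly="false"/>'
USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="ops" password="Xk9#v2mQ!pL4z" roles="manager-gui"/>
  <user username="guest" password="123456" roles="tomcat"/>
</tomcat-users>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""

def run_baseline():
    failed = {"3001": not check_3001(CONTEXT_XML), "3003": bool(check_3003(USERS_XML)),
              "3005": check_3005(WEB_XML)}
    return sorted(pid for pid, bad in failed.items() if bad)
```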
3006 - Database connection account audit
Supported servers
All servers using JDBC, PHP servers
Strategy description
Check whether the database connection uses a high-privilege account: root (MySQL), sa (MSSQL) or sys (Oracle).
When there is a SQL injection vulnerability, connecting to the database with a high-privilege account brings greater risk and leaks more data; when the server is compromised, a high-privilege account may also lead to the database server being taken over.
If the security.enforce_policy option is set to true, the connection is intercepted and an alarm generated regardless of whether it succeeds; if set to false (the default), only successful connections raise an alarm, and for each JDBC URL the same alarm is printed only once a day.
Repair method
Create a new account and grant it the minimum permissions; different server clusters should use different database accounts to connect.
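An added Python example (not the product's own code) of the 3006 decision logic described above: it derives the database type from the JDBC sub-protocol, flags the root/sa/sys accounts, and reproduces the enforce_policy behaviour including the once-per-URL-per-day alarm suppression. The sub-protocol names and the user= URL property fallback are assumptions about how the connection details are obtained.

```python
from datetime import date

# High-privilege accounts per database type, as listed for policy 3006.
PRIVILEGED = {"mysql": "root", "sqlserver": "sa", "oracle": "sys"}

def db_type(jdbc_url):
    """JDBC sub-protocol, eg 'mysql' for jdbc:mysql://host/db or 'oracle' for jdbc:oracle:thin:@host."""
    if not jdbc_url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %r" % jdbc_url)
    return jdbc_url[5:].split(":", 1)[0].lower()

def connection_user(jdbc_url, username=None):
    """Explicit username wins; otherwise use a user= property embedded in the URL, if any."""
    if username:
        return username
    query = jdbc_url.split("?", 1)[1] if "?" in jdbc_url else ""
    props = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return props.get("user", "")

def is_privileged(jdbc_url, username=None):
    """3006: True when the connecting account is the privileged one for that database type."""
    return PRIVILEGED.get(db_type(jdbc_url)) == connection_user(jdbc_url, username).lower()

class PolicyAlarmDedup:
    """Alarm decision following the page: with enforce_policy=true every attempt alarms;
    otherwise only successful connections alarm, once per JDBC URL per day."""
    def __init__(self, enforce=False):
        self.enforce = enforce
        self.seen = set()  # (jdbc_url, YYYY-MM-DD) pairs already alarmed

    def on_connect(self, jdbc_url, username=None, connected=True, today=None):
        """Return True if an alarm should be emitted for this connection attempt."""
        if not is_privileged(jdbc_url, username):
            return False
        if self.enforce:
            return True
        if not connected:
            return False
        key = (jdbc_url, today or date.today().isoformat())
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

def alarm_decisions(attempts, enforce=False):
    """Run a sequence of (jdbc_url, username, connected, day) through one dedup instance."""
    dedup = PolicyAlarmDedup(enforce)
    return [dedup.on_connect(url, user, ok, day) for url, user, ok, day in attempts]
```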
3007 - JBoss HTMLAdaptor authentication check
Supported servers
JBoss 4-6
Strategy description
Check whether authentication is enabled for /jmx-console/HTMLAdaptor.
Repair method
Edit $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml and enable the security-constraint configuration.
Edit $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml and enable the security-domain configuration.
3009 - Sensitive files in the web root directory
Supported servers
PHP
Strategy description
Periodically scan the web root and check for files whose extension is sql, tar, rar, ...
Repair method
Delete these files.
Filter these extensions at the nginx and Apache level so they cannot be downloaded from the outside.
4001 - allow_url_include configuration audit
Supported servers
PHP server
Strategy description
Check whether allow_url_include is enabled. When enabled, remote files may be included, eg
include("http://xxxxx")
When the application has a file inclusion, arbitrary file read or similar vulnerability, enabling this option makes it far easier to compromise.
Repair method
In the ini configuration, set allow_url_include to Off.
4002 - expose_php configuration audit
Supported servers
PHP server
Strategy description
Check whether expose_php is enabled. If enabled, the full PHP version number can be seen in the response to a request.
Repair method
In the ini configuration, set expose_php to Off.
4003 - display_errors configuration audit
Supported servers
PHP server
Strategy description
Check whether display_errors is enabled. When this option is on, users can see the error messages from inside the PHP program on the front end, eg
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\post\includes\pm_send.php on line 12
When the application has vulnerabilities, an attacker can combine these error messages to obtain the application's path, perform error-based SQL injection, etc.
Repair method
In the ini configuration, set display_errors to Off.
4004 - yaml.decode_php configuration audit
Supported servers
PHP server
Strategy description
Check whether yaml.decode_php is enabled. When this option is on, loading a YAML file allows PHP objects to be deserialized, which may execute arbitrary code. Note that if the yaml extension is not installed, no alarm is raised even if yaml.decode_php=On is configured.
Repair method
In the ini configuration, set yaml.decode_php to Off.
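An added Python example, not the product's own code, covering the four PHP ini audits 4001 to 4004: a minimal php.ini reader, the spellings PHP accepts as true, the yaml-extension caveat from 4004, and the repair step of setting each directive to Off. The php.ini text is a constructed sample.

```python
# php.ini directives audited by policies 4001-4004, mapped to the policy id raised.
AUDITED = {"allow_url_include": "4001", "expose_php": "4002",
           "display_errors": "4003", "yaml.decode_php": "4004"}

# Spellings PHP reads as true for boolean ini values; Off, 0, no, false, "" and
# special values such as display_errors=stderr fall outside this set.
TRUTHY = {"1", "on", "yes", "true"}

def parse_ini(text):
    """Minimal php.ini reader: drops ; comments and [sections], strips quotes, last assignment wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key.lower()] = value.strip('"').lower()
    return directives

def audit(ini_text, loaded_extensions):
    """Policy ids triggered by ini_text; 4004 is skipped when the yaml extension is not loaded."""
    directives = parse_ini(ini_text)
    alarms = []
    for name, policy in AUDITED.items():
        if directives.get(name, "") not in TRUTHY:
            continue
        if name == "yaml.decode_php" and "yaml" not in loaded_extensions:
            continue  # per the page: no alarm without the yaml extension, even with decode_php=On
        alarms.append(policy)
    return alarms

def harden(ini_text):
    """Repair method from the page: rewrite every audited directive to Off, keeping other lines."""
    out = []
    for line in ini_text.splitlines():
        key = ""
        if "=" in line and not line.lstrip().startswith(";"):
            key = line.split("=", 1)[0].strip().lower()
        out.append("%s = Off" % key if key in AUDITED else line)
    return "\n".join(out) + "\n"

# Constructed sample, not a real php.ini; three of the four audited directives are unsafe.
SAMPLE_INI = """; constructed sample
[PHP]
allow_url_include = On
expose_php = "Off"
display_errors = 1        ; php.ini-development default
yaml.decode_php = On
"""
```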
Log description
Storage path
Dynamic Reviewer enables file logging by default; the storage paths are as follows:
Java version: <app_home>/rasp/logs/alarm/*.log
PHP version: <rasp_rootdir>/logs/alarm/*.log
Note that in the Java version the current alarm file has no date suffix; a date is appended only after rotation, eg
/tomcat/rasp/logs/alarm/alarm.log
/tomcat/rasp/logs/alarm/alarm.log.2018-12-04
...
For the PHP version, the alarm log always carries a date, eg
/opt/rasp/logs/alarm/alarm.log.2018-12-16
However, due to limitations of PHP itself, some logs are still written to the PHP error log, such as INI configuration errors.
Log type
Dynamic Reviewer writes four types of logs:
File name                            Content
plugin/plugin-DATE.log               Detection plug-in log, eg plug-in exceptions and plug-in debugging output
rasp/rasp-DATE.log                   RASP agent debug log
alarm/alarm-DATE.log                 Attack alarm log, JSON format, one record per line
policy_alarm/policy_alarm-DATE.log   Security baseline check alarm log, JSON format, one record per line
Log format
Attack log format
When an attack occurs, Dynamic Reviewer records the following information:
Field              Explanation
rasp_id            RASP agent id
app_id             Application ID
event_type         Log type, fixed to the word attack
event_time         Event time
request_id         Current request ID
request_method     Request method
intercept_state    Interception status
attack_source      Attack source IP (request source)
target             Attacked domain name
server_hostname    Host name of the attacked server
server_ip          Target IP
server_type        Application server type
server_version     Application server version
path               Current URL, without parameters
url                Current URL, including the full GET parameters
attack_type        Attack type
attack_params      Attack parameters
client_ip          Real client IP address; see the additional configuration options for how to configure it
plugin_name        Name of the plug-in that reported the attack
plugin_confidence  Confidence of the detection result, as returned by the plug-in
plugin_message     Detection result message
plugin_algorithm   Plug-in detection algorithm
header             Request header information
stack_trace        Current call stack
body               Body of the current request, if any
A complete JSON log sample is as follows:
{
    "attack_type": "xss_userinput",
    "request_method": "get",
    "server_version": "7.0.78.0",
    "path": "/vulns/017-xss.jsp",
    "event_type": "attack",
    "attack_params": {
        "name": "input",
        "value": "<script>alert(1)</script>"
    },
    "server_ip": "127.0.0.1",
    "client_ip": "",
    "attack_source": "127.0.0.1",
    "app_id": "1e46d1ae2cec7966343c1c1455cdb9ea3c356662",
    "server_nic": [
        {
            "name": "eth0",
            "ip": "172.24.172.168"
        }
    ],
    "intercept_state": "log",
    "plugin_confidence": 100,
    "plugin_algorithm": "xss_userinput",
    "plugin_name": "java_builtin_plugin",
    "server_hostname": "devnull",
    "url": "http://127.0.0.1:8080/vulns/017-xss.jsp?input=<script>alert(1)<%2Fscript>",
    "target": "127.0.0.1",
    "header": {
        "referer": "http://127.0.0.1:8080/vulns/017-xss.jsp",
        "accept-language": "en-US,en;q=0.9,fr;q=0.8,zh-CN;q=0.7,zh;q=0.6,zh-TW;q=0.5,hr;q=0.4,ja;q=0.3,pt;q=0.2,la;q=0.1",
        "cookie": "JSESSIONID=E51A4982D9E62B1C49F1B522404C6AA7; 89facc616a91c8542b4120d0985ae97c=r7f62uq42ihucmdt4j53kufepj",
        "host": "127.0.0.1:8080",
        "upgrade-insecure-requests": "1",
        "connection": "keep-alive",
        "cache-control": "no-cache",
        "pragma": "no-cache",
        "accept-encoding": "gzip, deflate, br",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.1453.93 Safari/537.36",
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
    },
    "stack_trace": "org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java)\norg.apache.catalina.connector.Response.finishResponse(Response.java:537)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:483)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748)",
    "rasp_id": "18619d5f553f0fc31a4e4f0eb96b2564",
    "request_id": "3ff7d8cae4d3441e927433a1161be89c",
    "source_code": [
        "",
        "this.outputBuffer.close();",
        "",
        "this.adapter.service(this.request, this.response);",
        "",
        "state = this.this$0.handler.process(this.socket, this.status);",
        "runnable.run();",
        "this.this$0.runWorker(this);",
        "this.wrappedRunnable.run();",
        "this.target.run();"
    ],
    "event_time": "2019-05-27T14:36:42+0800",
    "plugin_message": "Reflected XSS attack detected, parameter name: input",
    "server_type": "tomcat"
}
Security baseline check log format
When a configuration that does not comply with the security policy is detected, Dynamic Reviewer records the following information:
Field            Explanation
event_type       Log type, fixed to the word security_policy
event_time       Event time
server_hostname  Server host name
server_nic       Server network interfaces and IPs
server_type      Application server type
server_version   Application server version
policy_id        Matched policy id
policy_params    Additional baseline alarm parameters, such as the PID
message          Description of the non-compliant configuration
stack_trace      Current call stack, may be empty in some cases
A complete JSON log sample is as follows:
{
    "event_type": "security_policy",
    "event_time": "2017-04-01T08:00:00Z",
    "policy_id": "3002",
    "server_hostname": "my-bloodly-hostname",
    "server_nic": [
        {
            "name": "eth0",
            "ip": "10.10.1.131"
        },
        {
            "name": "eth0",
            "ip": "192.168.1.150"
        }
    ],
    "server_type": "Tomcat",
    "stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n",
    "server_version": "7.0.15",
    "message": "Tomcat message",
    "policy_params": {
        "pid": 1023
    }
}
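An added Python example (not the product's own code) that consumes alarm and policy_alarm log lines in the two JSON formats above and normalizes them into one flat record; it falls back to attack_source when client_ip is empty, as in the attack sample, and skips an unparsable line instead of aborting. The log lines are constructed from the page's samples.

```python
import json

def source_ip(event):
    """client_ip is only filled when the real-IP option is configured (it is "" in the
    page's sample), so fall back to attack_source, the connecting address."""
    return event.get("client_ip") or event.get("attack_source") or ""

def summarize(line):
    """Normalize one JSON log line (event_type attack or security_policy) into a flat record."""
    event = json.loads(line)
    kind = event.get("event_type")
    record = {"time": event.get("event_time"), "host": event.get("server_hostname"),
              "server": "%s %s" % (event.get("server_type"), event.get("server_version"))}
    if kind == "attack":
        record.update(kind="attack", key=event.get("attack_type"), source=source_ip(event),
                      state=event.get("intercept_state"), detail=event.get("plugin_message"))
    elif kind == "security_policy":
        record.update(kind="policy", key=str(event.get("policy_id")), source=None,
                      state=None, detail=event.get("message"))
    else:
        raise ValueError("unknown event_type: %r" % kind)
    return record

def read_alarm_log(text):
    """Parse a one-record-per-line log, skipping blank or unparsable lines instead of aborting."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(summarize(line))
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            skipped += 1
    return records, skipped

# Constructed log lines abbreviated from the two samples on this page, plus a cut-off line.
SAMPLE_LOG = "\n".join([
    json.dumps({"event_type": "attack", "event_time": "2019-05-27T14:36:42+0800",
                "attack_type": "xss_userinput", "client_ip": "", "attack_source": "127.0.0.1",
                "intercept_state": "log", "server_hostname": "devnull", "server_type": "tomcat",
                "server_version": "7.0.78.0", "plugin_message": "Reflected XSS attack detected"}),
    json.dumps({"event_type": "security_policy", "event_time": "2017-04-01T08:00:00Z",
                "policy_id": "3002", "server_hostname": "my-bloodly-hostname",
                "server_type": "Tomcat", "server_version": "7.0.15", "message": "Tomcat message",
                "policy_params": {"pid": 1023}}),
    '{"event_type": "attack", "event_time": ',
])
```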
COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.