Active Scan

When the application server starts, a security configuration specification check is performed. If security.enforce_policy set true, the configuration found to be unsafe, it will throw SecurityException and deny the application service starts.

Alarm will only print a specific reference format Security Configuration check alarm logs related documents

  • 3001-Whether the key cookie is on httpOnly

  • 3002-Process start account check

  • 3003-Background weak password check

  • 3004-Unsafe default application check

  • 3005-Directory Listing check

  • 3006-Database connection account audit

  • 3007-JBoss HTMLAdaptor certification check

  • 3009-There are sensitive files in the web root directory

  • 4001-allow_url_include configuration audit

  • 4002-expose_php configuration audit

  • 4003-display_errors configuration audit

  • 4004-yaml.decode_php configuration audit

Supported servers

tomcat

Strategy description

Under the tomcat server, check whether the httpOnly switch is enabled in JSESSIONID

After opening, it will have a certain ability to prevent XSS attacks, which can avoid some problems

Repair method

If tomcat 7 the following versions, open CATALINA_HOME/conf/context.xml, will useHttpOnlybe changed true, you can restart the application server

3002-Process start account check

Supported servers

tomcat, jetty, jboss, resin, springboot and all other java servers

Strategy description

Check the startup account of the application server. When starting with the following account, it is considered that it does not comply with the safety regulations:

  • Linux system rootaccounts

  • Windows system Administratoror systemaccount

When the application server has a security vulnerability, starting with a high-privilege account will bring greater security risks. For example, uploading the webshell to obtain the highest permission, and using the struts vulnerability to directly obtain root permissions

Repair method

Use a low-privilege user to start the application server

3003-Background weak password check

Supported servers

tomcat

Strategy description

In tomcat, check $CATALINA_HOME/conf/tomcat-users.xmlthe following configuration of the user, if you have admin,manager,admin-gui,manager-guione authority, that is considered to be an administrator. Then for all administrator users, check the robustness of the password.

The current strategy is very simple, when the username and password are one of the following, it is considered a weak password

1 2 3 4 both tomcat admin 123456

Repair method

Use strong passwords, eg use passwords with more than 10 digits, and include numbers, letters, and special symbols

3004-Unsafe default application check

Supported servers

tomcat

Strategy description

In tomcat, check ROOT、manager、host-manager、docsfour webapps whether to delete

The default application will more or less leak sensitive information or cause the risk of external exposure of the management background

Repair method

delete all

3005-Directory Listing check

Supported servers

tomcat

Strategy description

In tomcat detect $CATALINA_HOME/conf/web.xmlwhether a global function opens the Directory Listing of default servlet

Opening the Directory Listing function will reveal the directory structure of the project and the version information of the server. The dangerous configuration is as follows:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <!-- default servlet Directory Listing --> <param-name>listings</param-name> <param-value>true</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet>

Repair method

Open $CATALINA_HOME/conf/web.xmlthe xml configuration as the name for the listing of the init-param delete, or change the param-value to false

3006-Database connection account audit

Supported servers

All servers using JDBC, PHP server

Strategy description

Check whether root (mysql)sa (mssql)sys (oracle)high-privilege account database connection

When there is a SQL injection vulnerability, using a high-privilege account to connect to the database will bring greater risks and leak more data; when the server is hacked, using a high-privilege account may also cause the database server to fall

If the security.enforce_policyoption is set true, regardless of the database connection is successful or not, we will intercept and generate an alarm; if set false(默认值), only the successful connection will alarm, and for each JDBC URL, the same alarm is printed only once a day.

Repair method

Create a new account and grant minimum permissions; different server clusters use different database accounts to connect

3007-JBoss HTMLAdaptor certification check

Supported servers

JBoss 4-6

Strategy description

Checking /jmx-console/HTMLAdaptoris turned on certification

Repair method

  1. Editor $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml, open the security-constraintconfiguration

  2. Editor $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml, open the security-domainconfiguration

3009-There are sensitive files in the web root directory

Supported servers

PHP

Strategy description

Regular scans webroot, check if the suffix is present sql、tar、rar、...in the file

Repair method

  1. Delete these files

  2. Filter these extensions from the nginx and apache levels to prevent them from being downloaded by the outside world

4001-allow_url_include configuration audit

Supported servers

PHP server

Strategy description

Checking allow_url_includeis turned on. After opening, will allow the inclusion of remote files, eg

1 include("http://xxxxx")

When the application contains file inclusion, arbitrary file reading and other vulnerabilities, enabling this configuration will make the application more vulnerable to intrusion.

Repair method

Ini configuration modification, the allow_url_includesetOff

4002-expose_php configuration audit

Supported servers

PHP server

Strategy description

Checking expose_phpis turned on. If enabled, the full version number of PHP can be seen in the request response, eg

1 X-Powered-By: PHP/5.1.2-1

Repair method

Ini configuration modification, the expose_phpsetOff

4003-display_errors configuration audit

Supported servers

PHP server

Strategy description

Checking display_errorsis turned on. When this option is turned on, users can see the error message inside the PHP program on the front end, eg

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\post\includes\pm_send.php on line 12

When the application has vulnerabilities, combined with these error messages, the attacker can obtain the path of the application, perform SQL error injection attacks, etc.

Repair method

Ini configuration modification, the display_errorssetOff

4004-yaml.decode_php configuration audit

Supported servers

PHP server

Strategy description

Checking yaml.decode_phpis turned on. When this option is turned on, when loading the yaml file, it will allow the deserialization of PHP objects, possibly executing arbitrary code. In addition, if the yaml extension is not installed, it will not alarm even if yaml.decode_php=On is configured.

Repair method

Ini configuration modification, the yaml.decode_phpsetOff

Log description
Storage path
Log type
Log format

  1. Attack log format

  2. Security baseline check log
    Storage path
    Dynamic Reviewer will open the file log by default, and the storage path is as follows:

Java version: <app_home>/rasp/logs/alarm/.log
PHP version: <rasp_rootdir>/logs/alarm/*.log
It is worth noting that the current alarms in the Java version do not have a date, and there will be a date only after rotate

/tomcat/rasp/logs/alarm/alarm.log
/tomcat/rasp/logs/alarm/alarm.log.2018-12-04
...
For the PHP version, the alarm log will always have a date, eg

/opt/rasp/logs/alarm/alarm.log.2018-12-16
However, due to the limitations of PHP itself, some logs will still be printed to the PHP error log, such as INI configuration errors.

Log type
Dynamic Reviewer contains four types of logs,

file name document content
plugin/plugin-DATE.log Check the plug-in log, eg plug-in exception, plug-in debugging output
rasp/rasp-DATE.log rasp agent debug log
alarm/alarm-DATE.log Attack alarm log, JSON format, one per line
policy_alarm/policy_alarm-DATE.log Security baseline check alarm log, JSON format, one per line
Log format

  1. Attack log format
    When an attack occurs, Dynamic Reviewer will record the following information,

Field Explanation
rasp_id RASP agent id
app_id Application ID
event_type Log type, fixed attackwords
event_time Event time
request_id Current request ID
request_method Request method
intercept_state Interception status
attack_source Attack source IP
target Attacked domain name
server_hostname The host name of the attacked server
server_ip Target IP
server_type Application server type
server_version Application server version
path Current URL, without parameters
url Current URL, including full GET parameters
attack_type Attack type
attack_params Attack parameters
attack_source Request source
client_ip The client real IP address, please refer to the additional configuration options to configure
plugin_name Report attack plug-in name
plugin_confidence Reliability of test results, plug-in returns
plugin_message Test result information
plugin_algorithm Plug-in detection algorithm
header Request header information
stack_trace Current call stack
body The body of the current request, if any
A complete JSON log sample is as follows:

{
"attack_type": "xss_userinput",
"request_method": "get",
"server_version": "7.0.78.0",
"path": "/vulns/017-xss.jsp",
"event_type": "attack",
"attack_params": {
"name": "input",
"value": "<script>alert(1)</script>"
},
"server_ip": "127.0.0.1",
"client_ip": "",
"attack_source": "127.0.0.1",
"app_id": "1e46d1ae2cec7966343c1c1455cdb9ea3c356662",
"server_nic": [
{
"name": "eth0",
"ip": "172.24.172.168"
}
],
"intercept_state": "log",
"plugin_confidence": 100,
"plugin_algorithm": "xss_userinput",
"plugin_name": "java_builtin_plugin",
"server_hostname": "devnull",
"url": "http://127.0.0.1:8080/vulns/017-xss.jsp?input=<script>alert(1)<%2Fscript>",
"target": "127.0.0.1",
"header": {
"referer": "http://127.0.0.1:8080/vulns/017-xss.jsp",
"accept-language": "en-US,en;q=0.9,fr;q=0.8,zh-CN;q=0.7,zh;q=0.6,zh-TW;q=0.5,hr;q=0.4,ja;q=0.3,pt;q=0.2,la;q=0.1",
"cookie": "JSESSIONID=E51A4982D9E62B1C49F1B522404C6AA7; 89facc616a91c8542b4120d0985ae97c=r7f62uq42ihucmdt4j53kufepj",
"host": "127.0.0.1:8080",
"upgrade-insecure-requests": "1",
"connection": "keep-alive",
"cache-control": "no-cache",
"pragma": "no-cache",
"accept-encoding": "gzip, deflate, br",
"user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.1453.93 Safari/537.36",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3"
},
"stack_trace": "org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java)\norg.apache.catalina.connector.Response.finishResponse(Response.java:537)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:483)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748)",
"rasp_id": "18619d5f553f0fc31a4e4f0eb96b2564",
"request_id": "3ff7d8cae4d3441e927433a1161be89c",
"source_code": [
"",
"this.outputBuffer.close();",
"",
"this.adapter.service(this.request, this.response);",
"",
"state = this.this$0.handler.process(this.socket, this.status);",
"runnable.run();",
"this.this$0.runWorker(this);",
"this.wrappedRunnable.run();",
"this.target.run();"
],
"event_time": "2019-05-27T14:36:42+0800",
"plugin_message": "Reflected XSS attack detected, parameter name: input",
"server_type": "tomcat"
}
2. Security baseline check log
When a configuration that does not comply with security specifications is detected, Dynamic Reviewer will log the following information:

Field Explanation
event_type Log type, fixed security_policywords
event_time Event time
server_hostname Server host name
server_nic Server IP
server_type Application server type
server_version Application server version
policy_id Matching strategy number
policy_params Baseline alarm additional parameters, such as PID
message Non-compliant configuration instructions
stack_trace Current call stack, may be empty in some cases
A complete JSON log sample is as follows:

{
"event_type": "security_policy",
"event_time" : "2017-04-01T08:00:00Z",
"policy_id": "3002",
"server_hostname": "my-bloodly-hostname",
"server_nic": {
{
"name": "eth0",
"ip": "10.10.1.131"
},
{
"name": "eth0",
"ip": "192.168.1.150"
}
},
"server_type": "Tomcat",
"stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n"
"server_version": "7.0.15",
"message": "Tomcat message",
"policy_params": {
"pid": 1023
}
}

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.