JavaScript plugin system

Most of our detection algorithm are implemented in JavaScript plugin system, and it runs seamlessly on all supported platforms. A plugin method is called when a specific checkpoint is triggered in the agent, e.g SQL query, Directory discovery, File read/write/remove,/include File Upload, WebDAV, Load XML, OGNL execution, Command execution, Deserialization, HTTP Request.

A plugin should be placed in the following directory:

  • Java / Scala / Kotlin / Clojure / JS / TS agents: <app_home>/rasp/plugins

  • PHP / .NET / Python agents: <rasp_rootdir>/rasp/plugins

Since directory monitoring in Java agent, we will load/unload the plugin immediately when you add/remove a plugin. Also, only files with .js extension is accepted.

A minimized plugin looks like the following:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 const plugin_version = '2018-1000-1000' const plugin_name = 'test-plugin' 'use strict' var plugin = new RASP(plugin_name) const clean = { action: 'ignore', message: 'Looks fine to me', confidence: 0 } plugin.register('sql', function (params, context) { plugin.log('SQL query: ' + params.query) return clean }) plugin.log('plugin-demo: plugin loaded')

In the example above,

  1. We've register a callback with plugin.register. The agent will pass in two parameters:

    • params: checkpoint parameters, complete SQL query, filename to read, ...

    • context: current HTTP request parameters, headers, url, ...

  2. We logged the SQL query to rasp/logs/plugin.log

  3. We didn't block the request in the callback. Supported actions are:

    • block: block and redirect the request

    • log: log the request and let it go

    • ignore: ignore the request and don't log it

Available checkpoints and parameters

SQL query

1 2 3 4 5 type = sql params = { "server": "mysql / oracle / pgsql / mssql / sqlite", "query": "select * from users", }

Reading directory contents

1 2 3 4 5 6 7 8 9 10 11 12 type = directory params = { "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/", "realpath": "/etc/", "stack": [ "java.lang.ProcessBuilder.start", "sun.reflect.NativeMethodAccessorImpl.invoke0", "sun.reflect.NativeMethodAccessorImpl.invoke", "sun.reflect.DelegatingMethodAccessorImpl.invoke", ... ] }

Reading files

1 2 3 4 5 type = readFile params = { "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/hosts", "realpath": "/etc/hosts" }

Writing files

1 2 3 4 5 6 7 8 type = writeFile params = { "path": "abc.jsp", "realpath": "/home/tomcat/webapps/ROOT/abc.jsp", "stack": [ ... ] }

Including files

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 # Java include type = include, params = { url: "file:///etc/passwd", function: "jstl_import", realpath: "/etc/passwd" } # PHP include type = include, params = { url: "/home/webroot/footer/../../../../../../../../../etc/passwd", function: "require_once", realpath: "/etc/passwd" }

WebDAV requests (Java only)

1 2 3 4 5 type = webdav, params = { "source": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.txt", "dest": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.jsp" }

File uploading

1 2 3 4 5 6 type = fileUpload params = { "name": "file", "filename": "a.jsp", "content": "<% ... %>" }

Renaming files

1 2 3 4 5 type = rename, params = { "source": "/var/www/html/uploads/hello.txt", "dest": "/var/www/html/uploads/hello.php" }

Command execution

1 2 3 4 5 6 7 8 9 10 11 type = command, params = { "stack": [ "java.lang.ProcessBuilder.start", "sun.reflect.NativeMethodAccessorImpl.invoke0", "sun.reflect.NativeMethodAccessorImpl.invoke", "sun.reflect.DelegatingMethodAccessorImpl.invoke", ... ] "command": "/bin/sh -c 'whoami; ls; '" }

Loading XML entities

1 2 3 4 type = xxe params = { "entity": "file:///etc/passwd" }

OGNL execution

1 2 3 4 type = ognl params = { "expression": "_memberAccess" }

Deserialization

1 2 3 4 type = deserialization params = { "clazz": "InvokerTransformer" }

HTTP request

1 2 3 4 5 6 7 8 type = ssrf params = { "url": "http://0x7f.0x0.0x0.0x1:8080/v1/api/get", "hostname": "0x7f.0x0.0x0.0x1" "ip": ["1.1.1.1", "2.2.2.2"] "port": "8080", "function": "commons_http_client" }

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.