JavaScript plugin system

Most of our detection algorithms are implemented in the JavaScript plugin system, which runs seamlessly on all supported platforms. A plugin method is called when a specific checkpoint is triggered in the agent, e.g. SQL query, directory discovery, file read/write/remove/include, file upload, WebDAV, load XML, OGNL execution, command execution, deserialization, HTTP request.

A plugin should be placed in the following directory:

  • Java / Scala / Kotlin / Clojure / JS / TS agents: <app_home>/rasp/plugins

  • PHP / .NET / Python agents: <rasp_rootdir>/rasp/plugins

Because the Java agent monitors the plugin directory, a plugin is loaded or unloaded immediately when you add or remove it. Only files with the .js extension are accepted.

A minimal plugin looks like the following:

  'use strict'
  const plugin_version = '2018-1000-1000'
  const plugin_name = 'test-plugin'

  var plugin = new RASP(plugin_name)

  // Default verdict: let the request through without logging it
  const clean = {
    action: 'ignore',
    message: 'Looks fine to me',
    confidence: 0
  }

  // Called by the agent each time the SQL query checkpoint fires
  plugin.register('sql', function (params, context) {
    plugin.log('SQL query: ' + params.query)
    return clean
  })

  plugin.log('plugin-demo: plugin loaded')

In the example above,

  1. We registered a callback with plugin.register. The agent passes in two parameters:

    • params: checkpoint parameters, e.g. the complete SQL query, the filename to read, ...

    • context: the current HTTP request's parameters, headers, URL, ...

  2. We logged the SQL query to rasp/logs/plugin.log.

  3. We didn't block the request in the callback. Supported actions are:

    • block: block and redirect the request

    • log: log the request and let it go

    • ignore: ignore the request and don't log it

Available checkpoints and parameters

SQL query

  type = sql
  params = {
    "server": "mysql / oracle / pgsql / mssql / sqlite",
    "query": "select * from users"
  }

Reading directory contents

  type = directory
  params = {
    "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/",
    "realpath": "/etc/",
    "stack": [
      "java.lang.ProcessBuilder.start",
      "sun.reflect.NativeMethodAccessorImpl.invoke0",
      "sun.reflect.NativeMethodAccessorImpl.invoke",
      "sun.reflect.DelegatingMethodAccessorImpl.invoke",
      ...
    ]
  }
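A plugin that acts on the two checkpoints documented so far (sql and directory), as an added example that is not part of this page or the agent's own code. It assumes a minimal stand-in for the RASP global (with a hypothetical check() dispatcher so it runs in plain Node) and that context.appBasePath holds the application's web root.

```javascript
'use strict'

// Stand-in for the RASP global the agent normally supplies (an assumption so
// the plugin runs in plain Node); check() is a hypothetical helper that
// dispatches a checkpoint the way the agent would.
class RASP {
  constructor (name) { this.name = name; this.handlers = {} }
  register (type, fn) { this.handlers[type] = fn }
  log (msg) { console.log('[' + this.name + '] ' + msg) }
  check (type, params, context) { return this.handlers[type](params, context) }
}

const plugin_version = '2024-0000-0001' // constructed value
const plugin_name = 'traversal-demo'
var plugin = new RASP(plugin_name)

const clean = { action: 'ignore', message: 'Looks fine to me', confidence: 0 }

// Directory checkpoint: compare the resolved realpath against the web root
// (context.appBasePath is assumed to hold it). Escaping the root is blocked;
// a "../" in the raw path that still resolves inside the root is only logged.
plugin.register('directory', function (params, context) {
  const root = context.appBasePath || '/'
  const rootDir = root.endsWith('/') ? root : root + '/'
  const inside = params.realpath === root || params.realpath.startsWith(rootDir)
  if (!inside) {
    return { action: 'block', message: 'Directory listing outside web root: ' + params.realpath, confidence: 90 }
  }
  if (params.path.indexOf('../') !== -1) {
    return { action: 'log', message: 'Traversal segment in path: ' + params.path, confidence: 30 }
  }
  return clean
})

// SQL checkpoint: a second statement after ";" is blocked; an inline comment
// sequence that could truncate the rest of the query is logged for review.
plugin.register('sql', function (params, context) {
  const q = params.query
  if (/;\s*(select|insert|update|delete|drop|alter)\b/i.test(q)) {
    return { action: 'block', message: 'Stacked query on ' + params.server, confidence: 80 }
  }
  if (/(--|#|\/\*)/.test(q)) {
    return { action: 'log', message: 'Comment sequence in query', confidence: 40 }
  }
  return clean
})

plugin.log('traversal-demo: plugin loaded')
```

The confidence values are illustrative; a real plugin would tune them per checkpoint and application.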

Reading files

Writing files

Including files

WebDAV requests (Java only)

File uploading

Renaming files

Command execution

Loading XML entities

OGNL execution

Deserialization

HTTP request

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.
