Coverage Scenario Description
1. Database: SQL injection
Covered scenarios:
- SQL injection via GET, POST, header, JSON, multipart and other request parameters
- Other forms of SQL injection, such as second-order injection and SQL injection through RPC interfaces
Covered injection types:
- Blind injection, UNION injection, time-based injection, error-based injection, stacked (multi-statement) injection
- SQL exception monitoring, e.g. syntax errors and authentication (password) errors
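The detection idea behind the types listed above is that a request parameter which lands inside a single string or number token of the final SQL is harmless, while one that spans several tokens and brings its own keyword or comment has changed the statement's structure. The block below is an added, simplified illustration of that token-boundary check written for this page; it is not the product's detection-plugin code. The statements, parameter values and keyword list are constructed, and the same idea carries over to the command injection scenarios further down (a shell tokenizer instead of a SQL one).

```javascript
// Added example, not the page's or the RASP product's own detection-plugin code.
// Idea: user input that does not change the SQL's token structure is harmless;
// input that spans several tokens and brings its own keyword or comment is an
// injection. Sample statements, parameters and the keyword list are constructed.

const KEYWORDS = new Set([
  'select', 'union', 'or', 'and', 'from', 'where', 'sleep', 'benchmark',
  'updatexml', 'extractvalue', 'insert', 'update', 'delete', 'drop', 'load_file',
]);

// strings, comments, numbers, identifiers, then any other single character
const TOKEN_RE = /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|--[^\n]*|#[^\n]*|\/\*[\s\S]*?\*\/|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|\S/g;

function classify(text) {
  const c = text[0];
  if (c === "'" || c === '"') return 'string';
  if (text.startsWith('--') || c === '#' || text.startsWith('/*')) return 'comment';
  if (c >= '0' && c <= '9') return 'number';
  if (/[A-Za-z_]/.test(c)) return KEYWORDS.has(text.toLowerCase()) ? 'keyword' : 'ident';
  return 'punct';
}

// Tokenize the whole statement, remembering where each token starts and ends.
function tokenizeSql(sql) {
  const tokens = [];
  let m;
  TOKEN_RE.lastIndex = 0;
  while ((m = TOKEN_RE.exec(sql)) !== null) {
    tokens.push({ text: m[0], kind: classify(m[0]), start: m.index, end: m.index + m[0].length });
  }
  return tokens;
}

// Returns null when the parameter is harmless, or { tokens, reason } when it
// opens a comment, or spans >= minTokens tokens one of which is a SQL keyword.
function checkSqlParam(sql, value, minTokens = 3) {
  if (value.length < 3) return null; // too short to reason about, and too noisy
  const tokens = tokenizeSql(sql);
  let from = 0;
  let idx;
  while ((idx = sql.indexOf(value, from)) !== -1) { // every place the value lands in the SQL
    const end = idx + value.length;
    const hit = tokens.filter((t) => t.start < end && t.end > idx);
    const kinds = new Set(hit.map((t) => t.kind));
    if (kinds.has('comment')) return { tokens: hit.length, reason: 'comment' };
    if (hit.length >= minTokens && kinds.has('keyword')) return { tokens: hit.length, reason: 'keyword' };
    from = idx + 1;
  }
  return null;
}

// Constructed samples: values that sit inside one string token, and two injections.
const SAMPLES = [
  ["SELECT id FROM users WHERE name = 'alice' AND age > 30", 'alice'],
  ["SELECT id FROM words WHERE word = 'union'", 'union'], // keyword as data, not flagged
  ["SELECT id FROM users WHERE name = '1' OR '1'='1'", "1' OR '1'='1"],
  ["SELECT id FROM users WHERE name = 'admin'-- ' AND pass = 'x'", "admin'-- "],
];

function runSamples() {
  return SAMPLES.map(([sql, value]) => checkSqlParam(sql, value));
}

for (const r of runSamples()) {
  console.log(r === null ? 'ok' : `injection: ${r.reason}, ${r.tokens} tokens`);
}
```

Note that tokenizing only the parameter value would miss the second injection, because `' OR '` reads as one string literal on its own; the check has to run on the statement the database will actually see, with the parameter located inside it.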
2. Database: slow query (moved to APM)
Explanation: When collecting SQL data it is difficult to capture the SQL statement at the same time, so this detection point has been abandoned for now. In addition, network time cannot be separated from SQL execution time, which makes it hard to confirm whether a slow query is genuinely slow. This feature was moved to the APM module.
Expected scenarios:
- SELECT statement takes longer than N seconds
- SELECT statement reads more than N rows at a time (prone to false positives, e.g. data export)
3. Arbitrary file upload
Covered scenarios:
- Upload of script files via HTTP PUT, e.g. CVE-2017-12615
- HTTP PUT + MOVE: upload an ordinary file first, then rename it to a script file
- Upload of script files via standard multipart requests
  - Java: Struts, Spring, commons.io and other frameworks are supported
  - PHP: the $_FILES mechanism is supported
  - .NET is supported
4. Sensitive file download, arbitrary file read
Covered scenarios:
- Exploiting an arbitrary file download vulnerability to escape the web directory and download system files, e.g.
  /download.jsp?path=/../././//./.././/../../etc/hosts
- Sensitive files such as .tar / .sql / .log / ... present under the PHP webroot (baseline detection only, no blocking)
- Executable files (Linux, Windows or Mac)
5. Directory listing
Covered scenarios:
- Using a PHP WebShell to browse the server's file directory
- Directory index enabled, so that users can see the files in a directory directly (this check is not enabled by default)
- Using ../ and other variations to leave the current directory and view the contents of other directories
- Enabling directoryBrowse enabled="true" in Web.Config (.NET)
6. Scanner behavior detection
Explanation: In most cases, detecting scanner behavior does not indicate a vulnerability. This feature does not fit the original intent of RASP, so it is turned off by default, but it can be enabled through configuration.
Covered scenarios:
- Well-known scanners, such as SQLMap, WVS and others, probing the website for vulnerabilities
7. CSRF
Description: IAST is able to detect CSRF. Even though RASP can protect against CSRF, such protection should be completed by the development framework. A RASP implementation would inject JS that monitors form creation, inserts a CSRF token, and verifies the token on the server side.
Covered scenarios:
- GET-type CSRF triggered through img/video/frame/.. and similar tags
- Automatic form submission
- XHR form submission
8. Cookie tampering
Covered scenarios:
- Modifying cookies to gain administrator privileges
9. CRLF
Explanation: Most HTTP header CRLF injection vulnerabilities have been fixed at the API level; however, the problem still exists in some non-HTTP protocols, such as the recently disclosed FTP protocol CRLF injection in Java/Scala/Kotlin/Clojure.
Covered scenarios:
- Newline characters injected when setting HTTP headers or when handling other TCP streams (such as the FTP protocol)
10. XXE
Explanation: PHP cannot hook XML detection points; this check is only supported for Java/Scala/Kotlin/Clojure, Node.js and .NET.
Covered scenarios:
- Referencing an external entity through org.apache.xerces
- Using ftp/dict/gopher/expect/.. and other less common protocols to carry out an out-of-band (OOB) attack
- Using the file protocol to read sensitive documents
11. Deserialization vulnerabilities
Covered scenarios:
- Java/Scala/Kotlin/Clojure
  - fastjson
  - transformer
  - xstream (such as S2-052)
  - ... (other unknown types; see the command_reflect algorithm in the detection plugin for details)
- PHP
  - To be sorted out
- .NET
  - Not vulnerable
12. Struts OGNL code execution
Covered scenarios:
- All code execution vulnerabilities in the Struts OGNL series
- OGNL expression injection attacks
13. WebShell behavior
Covered scenarios:
- Accessing the database through a SQL manager
- Downloading sensitive files through a file manager
- Executing commands with China Chopper
- ... (other unknown types; see the webshell_reflect algorithm in the detection plugin for details)
14. Remote command execution
Covered scenarios:
- Executing commands through the Runtime.exec() class and similar
- Executing commands through system/passthru/shell_exec/proc_open/pcntl_exec/.. and other functions
- Executing commands through deserialization, etc.
15. Command injection
Covered scenarios:
- Using &, |, ; and other symbols to cut and splice commands
- Injecting commands using $(xxx), backticks, etc.
- Syntax errors occurring during a command injection attack
16. XSS: reflected
Covered scenarios:
- Outputting GPC (GET/POST/COOKIE) values directly with the PHP echo function
- User input containing HTML tags output directly to the page
17. XSS: stored
Covered scenarios:
- Blind XSS against the admin backend
18. LDAP injection [commercial version only]
Covered scenarios:
- Modifying LDAP query logic through injection
19. DoS: regex group attack
Covered scenarios:
- Common regex DoS (ReDoS) patterns, e.g. (a+)+, (a|aa)+
20. Printing sensitive log information
Covered scenarios:
- Using log4j, java.util.logging or Log4Net to log sensitive information such as ID card numbers, bank card numbers, credit card numbers, etc.
- HTTP responses (html / json / xml / etc.) returning sensitive information in unmasked form
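The practical difficulty with this detection point is false positives: order numbers, timestamps and other long digit runs look like card numbers. Both kinds of number the page names carry a checksum (Luhn for bank and credit cards, ISO 7064 MOD 11-2 for 18-digit Chinese ID card numbers), so a detector can validate before reporting. The block below is an added example written for this page and is not the product's own code; the log line is constructed, 4111111111111111 is a standard test card number, and the masking format (keep 6 leading and 4 trailing characters) is an arbitrary choice.

```javascript
// Added example, not the page's or the RASP product's own code. Card and ID
// numbers are confirmed with their checksums (Luhn for bank/credit cards,
// ISO 7064 MOD 11-2 for 18-digit Chinese ID cards) so that order numbers and
// other long digit runs are not reported. The log line is constructed;
// 4111111111111111 is a standard test card number.

// Luhn: from the right, double every second digit, subtract 9 if > 9, sum % 10 == 0.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// ISO 7064 MOD 11-2 as used by 18-digit Chinese ID numbers.
const ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2];
const ID_CHECK = '10X98765432';

function cnIdValid(id) {
  if (!/^\d{17}[\dXx]$/.test(id)) return false;
  let sum = 0;
  for (let i = 0; i < 17; i++) sum += (id.charCodeAt(i) - 48) * ID_WEIGHTS[i];
  return ID_CHECK[sum % 11] === id[17].toUpperCase();
}

// Keep the head and tail, star the middle (format is an arbitrary choice).
function mask(s, head = 6, tail = 4) {
  return s.slice(0, head) + '*'.repeat(Math.max(0, s.length - head - tail)) + s.slice(-tail);
}

// Scan a log line or response body; return the redacted text and what was found.
// Candidates: 18-char ID numbers, or 13-19 digit runs; each must pass its checksum.
function redactSensitive(text) {
  const findings = [];
  const out = text.replace(/\b\d{17}[\dXx]\b|\b\d{13,19}\b/g, (tok) => {
    if (tok.length === 18 && cnIdValid(tok)) {
      findings.push({ kind: 'id-card', value: mask(tok) });
      return mask(tok);
    }
    if (/^\d+$/.test(tok) && luhnValid(tok)) {
      findings.push({ kind: 'bank-card', value: mask(tok) });
      return mask(tok);
    }
    return tok; // checksum failed: an order id or similar, leave it alone
  });
  return { text: out, findings };
}

// Constructed log line: a real-looking card, an order number that fails Luhn,
// and a sample ID number that passes the MOD 11-2 check.
const SAMPLE_LOG =
  'user alice paid with card 4111111111111111 for order 1234567890123456, id 11010519491231002X';

function runSample() {
  return redactSensitive(SAMPLE_LOG);
}

console.log(runSample().text);
```

The same `redactSensitive` pass applies to the second scenario (response bodies): run it over the html/json/xml body before it is written to the client and report, or mask, whatever it finds.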
21. File inclusion
Covered scenarios:
- PHP: using include|include_once|require|require_once and similar to include log files, images, text files, etc.
- Java: using JSTL to include files
- ASP/ASP.NET include
22. NTLM information disclosure attack
Covered scenarios (Windows only):
- MySQL DNS-based leakage
- Using 302 redirection to file/smb/scp to leak the NTLM hash
23. SSRF
Covered scenarios:
Bypass techniques:
- Using 10.10.10.10.xip.io / *.vcap.me and other network resources under well-known domain names
- Using 302 redirection to access resources in the file:/// domain
- Obfuscating the destination address when it is an internal IP, e.g. http://0x7f001, http://0x7f.0x0.0x0.0x1
- Accessing reserved addresses, e.g. http://0/
Common scenarios:
- Attempting to access AWS metadata, e.g. http://169.254.169.254/latest/meta-data/
- Attempting to access a known echo service, e.g. *.burpcollaborator.net, requestb.in
- Attempting to use gopher://, dict and other uncommon protocols
- (Java) Using JSTL import to access intranet resources
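Every bypass in the list above works by giving the URL parser a destination that does not look like an internal address until it is canonicalized: hex and short numeric forms, a wildcard DNS name with the address embedded, a callback domain, or a scheme the application never meant to speak. The block below is an added example written for this page, not the product's own code. It canonicalizes the destination of an outbound request and classifies it; the sample URLs are constructed from the forms the page lists. It assumes that vcap.me is a wildcard resolving to 127.0.0.1, it does not handle IPv6 literals, and any real hostname is handed back as `resolve` so the caller can re-run the check on the resolved address (and again on every 302 hop).

```javascript
// Added example, not the page's or the RASP product's own code. Canonicalizes
// the destination of an outbound request so the bypasses the page lists
// (hex/octal/short numeric addresses, wildcard DNS names embedding an address,
// callback services, uncommon schemes) are judged on what they really reach.
// Assumptions: vcap.me wildcards resolve to 127.0.0.1; IPv6 literals are not
// handled; real hostnames come back as 'resolve' for a check after DNS.

const CALLBACK_DOMAINS = ['burpcollaborator.net', 'requestb.in'];
const UNCOMMON_SCHEMES = new Set(['gopher', 'dict', 'file']);

// inet_aton-style parsing: 1-4 parts, decimal / octal (leading 0) / hex (0x),
// the last part filling the remaining bytes. Returns 4 bytes or null.
function parseNumericIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    if (!/^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i.test(p)) return null;
    nums.push(/^0x/i.test(p) ? parseInt(p, 16) : p.length > 1 && p[0] === '0' ? parseInt(p, 8) : parseInt(p, 10));
  }
  const last = nums.pop();
  const lastBytes = 4 - nums.length;
  if (last >= 256 ** lastBytes || nums.some((n) => n > 255)) return null;
  const bytes = nums.slice();
  for (let i = lastBytes - 1; i >= 0; i--) bytes.push(Math.floor(last / 256 ** i) % 256);
  return bytes;
}

// Ranges an outbound request from a web application should not reach.
function isReservedIpv4([a, b]) {
  if (a === 0) return 'this host (0.0.0.0/8)';
  if (a === 10) return 'private (10.0.0.0/8)';
  if (a === 127) return 'loopback (127.0.0.0/8)';
  if (a === 169 && b === 254) return 'link-local / cloud metadata (169.254.0.0/16)';
  if (a === 172 && b >= 16 && b <= 31) return 'private (172.16.0.0/12)';
  if (a === 192 && b === 168) return 'private (192.168.0.0/16)';
  return null;
}

// Verdicts: 'block' (with reason), 'allow' (public literal address),
// 'resolve' (a real hostname: re-run on the resolved address), 'unparsed'.
function assessUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(url);
  if (!m) return { verdict: 'unparsed', reason: 'no scheme://authority' };
  const scheme = m[1].toLowerCase();
  if (UNCOMMON_SCHEMES.has(scheme)) return { verdict: 'block', reason: `uncommon scheme ${scheme}://` };
  let host = m[2].toLowerCase();
  if (host.includes('@')) host = host.slice(host.lastIndexOf('@') + 1); // drop userinfo
  host = host.replace(/:\d+$/, '');                                      // drop port
  if (host.startsWith('[')) return { verdict: 'resolve', reason: 'IPv6 literal not handled here' };
  if (CALLBACK_DOMAINS.some((d) => host === d || host.endsWith('.' + d))) {
    return { verdict: 'block', reason: `known callback service ${host}` };
  }
  // wildcard DNS services that map a name straight to an address
  if (host.endsWith('.xip.io')) host = host.slice(0, -'.xip.io'.length).split('.').slice(-4).join('.');
  else if (host.endsWith('.vcap.me')) host = '127.0.0.1'; // ASSUMPTION: wildcard to loopback
  const ip = parseNumericIpv4(host);
  if (!ip) return { verdict: 'resolve', reason: `hostname ${host} must be resolved and re-checked` };
  const range = isReservedIpv4(ip);
  if (range) return { verdict: 'block', reason: `${ip.join('.')} is ${range}` };
  return { verdict: 'allow', reason: `${ip.join('.')} is a public address` };
}

// Constructed sample destinations, including the forms the page lists.
const SAMPLE_URLS = [
  'http://0x7f.0x0.0x0.0x1/',
  'http://0/',
  'http://169.254.169.254/latest/meta-data/',
  'http://10.10.10.10.xip.io/',
  'http://test.burpcollaborator.net/',
  'gopher://127.0.0.1:6379/',
  'http://8.8.8.8/',
  'http://example.com/',
];

for (const u of SAMPLE_URLS) {
  const v = assessUrl(u);
  console.log(`${v.verdict.padEnd(8)} ${u}  (${v.reason})`);
}
```

Two points the sample list makes: `http://0/` is a single numeric part and becomes 0.0.0.0, which the host treats as itself, and the `resolve` verdict is not an allow; the decision for a hostname can only be made after DNS, and it must be made again for each redirect target, which is how the 302-to-file:/// case in the list is caught.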
24. Asset weakness identification
Covered scenarios:
- Collecting composer / pom / Web.Config information
- Using third-party libraries with known vulnerabilities
25. Backend brute-force identification
Covered scenarios:
- Brute-force login attempts against a backend that has no verification code (captcha)
COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.