Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ASM][ATO] Collect session id at all times #6623

Merged
merged 13 commits into from
Feb 20, 2025
Merged

[ASM][ATO] Collect session id at all times #6623

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
73f324d
Add session id in the main `RunWaf` method and a function to not over…
anna-git Feb 13, 2025
003d3bb
Take session id into account when used with sdk
anna-git Feb 13, 2025
b4b2d55
Collect the actual SessionId
anna-git Feb 13, 2025
8e7ae22
Scrub session fingerprint when no authentication
anna-git Feb 13, 2025
bef3d69
Adapt Rasp snapshots
anna-git Feb 13, 2025
9a5b174
Adapt rasp iast snapshots
anna-git Feb 13, 2025
4ff5982
Adapt security snapshots
anna-git Feb 13, 2025
061a364
Answer to comment on confusing methods signatures and add documentation
anna-git Feb 19, 2025
c9a71ab
Answer to comment on If userRecord.HasValue is false, could we just r…
anna-git Feb 19, 2025
af317c5
Change comment erroneous about tfm
anna-git Feb 19, 2025
6fd2f47
remove old comment
anna-git Feb 19, 2025
1c80b17
Reuse ISessionFeature as we're testing its existence
anna-git Feb 19, 2025
97afde5
Answer to comment on falling back on false instead of testing for act…
anna-git Feb 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Adapt Rasp snapshots
  • Loading branch information
@anna-git
anna-git committed Feb 13, 2025
commit bef3d6938ec5b135d7010122a835155c8fc66d22
2 changes: 1 addition & 1 deletion ...Command-file=-bin-rebootCommand&argumentLine=-f&fromShell=false_exploit=CmdI.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
_dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-110","name":"OS command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"cmdi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/bin/rebootCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
_dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
_dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...shots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
_dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
span.kind: server,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...Command-file=-bin-rebootCommand&argumentLine=-f&fromShell=false_exploit=CmdI.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
_dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-110","name":"OS command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"cmdi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/bin/rebootCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
_dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...pNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@
_dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...asp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@
_dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...NetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
_dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
_dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...Command-file=-bin-rebootCommand&argumentLine=-f&fromShell=false_exploit=CmdI.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
_dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-110","name":"OS command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"cmdi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/bin/rebootCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
_dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell command injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...tMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
_dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ....AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
_dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...Mvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@
_dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-,
_dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
2 changes: 1 addition & 1 deletion ...-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
_dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03,
_dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down
4 changes: 2 additions & 2 deletions ...able.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@
_dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
_dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down Expand Up @@ -176,7 +176,7 @@
_dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
_dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
_dd.appsec.fp.http.network: net-1-1000000000,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-,
_dd.appsec.fp.session: ssn--bd9bce81-d0fff5a7-<SessionFp>,
_dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
_dd.origin: appsec,
_dd.runtime_family: dotnet
Expand Down