From 355c559a4066ecc7a2efd3fe747075523739e68c Mon Sep 17 00:00:00 2001
From: Valentin Zakharov
Date: Mon, 16 Sep 2024 22:59:32 +0200
Subject: [PATCH 1/2] Removed hardcoded WAF addresses
---
 .../datadog/appsec/powerwaf/PowerWAFModule.java | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
index b3a5d8fc2b3..c60e6072dba 100644
--- a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
+++ b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/powerwaf/PowerWAFModule.java
@@ -389,22 +389,6 @@ private static Collection> getUsedAddresses(PowerwafContext ctx) {
 addressList.add(address);
 }
 }
-
- // TODO: get addresses dynamically when will it be implemented in waf
- addressList.add(KnownAddresses.WAF_CONTEXT_PROCESSOR);
- addressList.add(KnownAddresses.HEADERS_NO_COOKIES);
- addressList.add(KnownAddresses.REQUEST_QUERY);
- addressList.add(KnownAddresses.REQUEST_PATH_PARAMS);
- addressList.add(KnownAddresses.REQUEST_COOKIES);
- addressList.add(KnownAddresses.REQUEST_BODY_RAW);
- addressList.add(KnownAddresses.RESPONSE_HEADERS_NO_COOKIES);
- addressList.add(KnownAddresses.RESPONSE_BODY_OBJECT);
- addressList.add(KnownAddresses.GRAPHQL_SERVER_ALL_RESOLVERS);
- addressList.add(KnownAddresses.DB_TYPE);
- addressList.add(KnownAddresses.DB_SQL_QUERY);
- addressList.add(KnownAddresses.IO_NET_URL);
- addressList.add(KnownAddresses.IO_FS_FILE);
-
 return addressList;
 }
From 848e0a8a37011dd8681049d716f46fce05eb4da0 Mon Sep 17 00:00:00 2001
From: Valentin Zakharov
Date: Fri, 20 Sep 2024 17:00:03 +0200
Subject: [PATCH 2/2] Missing test
---
 .../PowerWAFModuleSpecification.groovy | 16 ++
 .../src/test/resources/small_config.json | 181 ++++++++++++++++++
 2 files changed, 197 insertions(+)
 create mode 100644 dd-java-agent/appsec/src/test/resources/small_config.json
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy
index 39b6dbe0219..aa272e505d8 100644
--- a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy
+++ b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/powerwaf/PowerWAFModuleSpecification.groovy
@@ -1533,6 +1533,22 @@ class PowerWAFModuleSpecification extends DDSpecification {
 ctx.derivativeKeys.contains('_dd.appsec.fp.session')
 }
+ void 'retrieve used addresses'() {
+ when:
+ setupWithStubConfigService('small_config.json')
+ def ctx0 = pwafModule.ctxAndAddresses.get().ctx
+ def addresses = pwafModule.getUsedAddresses(ctx0)
+
+ then:
+ addresses.size() == 6
+ addresses.contains(KnownAddresses.REQUEST_INFERRED_CLIENT_IP)
+ addresses.contains(KnownAddresses.REQUEST_QUERY)
+ addresses.contains(KnownAddresses.REQUEST_PATH_PARAMS)
+ addresses.contains(KnownAddresses.HEADERS_NO_COOKIES)
+ addresses.contains(KnownAddresses.REQUEST_URI_RAW)
+ addresses.contains(KnownAddresses.REQUEST_BODY_OBJECT)
+ }
+
 private Map getDefaultConfig() {
 def service = new StubAppSecConfigService()
 service.init()
diff --git a/dd-java-agent/appsec/src/test/resources/small_config.json b/dd-java-agent/appsec/src/test/resources/small_config.json
new file mode 100644
index 00000000000..d57ed8c2406
--- /dev/null
+++ b/dd-java-agent/appsec/src/test/resources/small_config.json
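Review bot: The added 'retrieve used addresses' test pins only addresses that appear as rule inputs in small_config.json, so it says nothing about the addresses PATCH 1/2 stopped adding unconditionally, such as `KnownAddresses.WAF_CONTEXT_PROCESSOR`, `KnownAddresses.DB_SQL_QUERY`, `KnownAddresses.IO_NET_URL` and `KnownAddresses.IO_FS_FILE`. If the WAF context does not report one of those for a ruleset that actually uses it, the module would presumably stop subscribing to that data and the corresponding detections would go silent with no error, which is a coverage regression worth guarding against. A second case that loads a fixture containing such a rule or processor and asserts, for example, `addresses.contains(KnownAddresses.DB_SQL_QUERY)` would document that the dynamic lookup really replaces the old list. The body of getUsedAddresses lies mostly outside the visible hunks, so how it collects addresses from the context is inferred here.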
@@ -0,0 +1,181 @@
+{
+ "version": "2.1",
+ "metadata": {
+ "rules_version": "0.42.0"
+ },
+ "actions": [
+ {
+ "id": "block",
+ "type": "block_request",
+ "parameters": {
+ "status_code": 418,
+ "type": "html"
+ }
+ }
+ ],
+ "rules": [
+ {
+ "id": "ip_match_rule",
+ "name": "rule1",
+ "tags": {
+ "type": "flow1",
+ "category": "category1"
+ },
+ "conditions": [
+ {
+ "operator": "ip_match",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "http.client_ip"
+ }
+ ],
+ "data": "ip_data"
+ }
+ }
+ ],
+ "on_match": ["block"]
+ },
+ {
+ "id": "crs-913-110",
+ "name": "Found request header associated with Acunetix security scanner",
+ "tags": {
+ "type": "security_scanner",
+ "crs_id": "913110",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "list": [
+ "acunetix-product",
+ "(acunetix web vulnerability scanner",
+ "acunetix-scanning-agreement",
+ "acunetix-user-agreement"
+ ]
+ },
+ "operator": "phrase_match"
+ }
+ ],
+ "transformers": [
+ "lowercase"
+ ]
+ },
+ {
+ "id": "crs-913-120",
+ "name": "Found request filename/argument associated with security scanner",
+ "tags": {
+ "type": "security_scanner",
+ "crs_id": "913120",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.query"
+ },
+ {
+ "address": "server.request.body"
+ },
+ {
+ "address": "server.request.path_params"
+ }
+ ],
+ "list": [
+ "/.adsensepostnottherenonobook",
+ "/hello.html",
+ "/actsensepostnottherenonotive",
+ "/acunetix-wvs-test-for-some-inexistent-file",
+ "/antidisestablishmentarianism",
+ "/appscan_fingerprint/mac_address",
+ "/arachni-",
+ "/cybercop",
+ "/nessus_is_probing_you_",
+ "/nessustest",
+ "/netsparker-",
+ "/rfiinc.txt",
+ "/thereisnowaythat-you-canbethere",
+ "/w3af/remotefileinclude.html",
+ "appscan_fingerprint",
+ "w00tw00t.at.isc.sans.dfind",
+ "w00tw00t.at.blackhats.romanian.anti-sec"
+ ]
+ },
+ "operator": "phrase_match"
+ }
+ ],
+ "transformers": [
+ "lowercase"
+ ]
+ },
+ {
+ "id": "crs-920-260",
+ "name": "Unicode Full/Half Width Abuse Attack Attempt",
+ "tags": {
+ "type": "http_protocol_violation",
+ "crs_id": "920260",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.uri.raw"
+ }
+ ],
+ "regex": "\\%u[fF]{2}[0-9a-fA-F]{2}",
+ "options": {
+ "case_sensitive": true,
+ "min_length": 6
+ }
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
+ },
+ {
+ "id": "crs-921-110",
+ "name": "HTTP Request Smuggling Attack",
+ "tags": {
+ "type": "http_protocol_violation",
+ "crs_id": "921110",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.query"
+ },
+ {
+ "address": "server.request.body"
+ },
+ {
+ "address": "server.request.path_params"
+ }
+ ],
+ "regex": "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\\s+[^\\s]+\\s+http/\\d",
+ "options": {
+ "case_sensitive": true,
+ "min_length": 12
+ }
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": [
+ "lowercase"
+ ]
+ }
+ ]
+}