Rasp command injection tests #3524

Open
wants to merge 15 commits into
base: main
2 changes: 1 addition & 1 deletion manifests/cpp.yml
Expand Up @@ -54,8 +54,8 @@ tests/:
test_path_parameter.py: irrelevant (ASM is not implemented in C++)
test_uri.py: irrelevant (ASM is not implemented in C++)
rasp/:
test_cmdi.py: irrelevant (ASM is not implemented in C++)
test_lfi.py: irrelevant (ASM is not implemented in C++)
test_libddwaf.py: irrelevant (ASM is not implemented in C++)
test_shi.py: irrelevant (ASM is not implemented in C++)
test_sqli.py: irrelevant (ASM is not implemented in C++)
test_ssrf.py: irrelevant (ASM is not implemented in C++)
20 changes: 18 additions & 2 deletions manifests/dotnet.yml
Expand Up @@ -148,6 +148,19 @@ tests/:
test_uri.py:
TestURI: irrelevant
rasp/:
test_cmdi.py:
Test_Cmdi_BodyJson: missing_feature
Test_Cmdi_BodyUrlEncoded: missing_feature
Test_Cmdi_BodyXml: missing_feature
Test_Cmdi_Capability: missing_feature
Test_Cmdi_Mandatory_SpanTags: missing_feature
Test_Cmdi_Optional_SpanTags: missing_feature
Test_Cmdi_Rules_Version: missing_feature
Test_Cmdi_StackTrace: missing_feature
Test_Cmdi_Telemetry: missing_feature
Test_Cmdi_Telemetry_Variant_Tag: missing_feature
Test_Cmdi_UrlQuery: missing_feature
Test_Cmdi_Waf_Version: missing_feature
test_lfi.py:
Test_Lfi_BodyJson: v2.51.0
Test_Lfi_BodyUrlEncoded: v2.51.0
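Review bot: Test_Cmdi_Waf_Version is marked missing_feature while every other *_Waf_Version class in this manifest is v3.4.1, the value carried over from the removed Test_Libddwaf_Version. If the class only asserts the reported libddwaf version, it should be v3.4.1 as well; if it first needs a cmdi match on this tracer, a short inline comment saying so would keep the next reader from "fixing" it.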
Expand All @@ -160,8 +173,7 @@ tests/:
Test_Lfi_StackTrace: v2.51.0
Test_Lfi_Telemetry: v2.51.0
Test_Lfi_UrlQuery: v2.51.0
test_libddwaf.py:
Test_Libddwaf_Version: v3.4.1
Test_Lfi_Waf_Version: v3.4.1
test_shi.py:
Test_Shi_BodyJson: v3.2.0
Test_Shi_BodyUrlEncoded: v3.2.0
Expand All @@ -172,7 +184,9 @@ tests/:
Test_Shi_Rules_Version: v3.5.0
Test_Shi_StackTrace: v3.2.0
Test_Shi_Telemetry: v3.3.0
Test_Shi_Telemetry_Variant_Tag: missing_feature
Test_Shi_UrlQuery: v3.2.0
Test_Shi_Waf_Version: v3.4.1
test_sqli.py:
Test_Sqli_BodyJson: v2.54.0
Test_Sqli_BodyUrlEncoded: v2.54.0
Expand All @@ -184,6 +198,7 @@ tests/:
Test_Sqli_StackTrace: v2.54.0
Test_Sqli_Telemetry: v2.54.0
Test_Sqli_UrlQuery: v2.54.0
Test_Sqli_Waf_Version: v3.4.1
test_ssrf.py:
Test_Ssrf_BodyJson: v2.51.0
Test_Ssrf_BodyUrlEncoded: v2.51.0
Expand All @@ -195,6 +210,7 @@ tests/:
Test_Ssrf_StackTrace: v2.51.0
Test_Ssrf_Telemetry: v2.51.0
Test_Ssrf_UrlQuery: v2.51.0
Test_Ssrf_Waf_Version: v3.4.1
waf/:
test_addresses.py:
Test_BodyJson: v2.8.0
4 changes: 3 additions & 1 deletion manifests/golang.yml
Expand Up @@ -156,8 +156,8 @@ tests/:
test_uri.py:
TestURI: missing_feature
rasp/:
test_cmdi.py: missing_feature
test_lfi.py: missing_feature
test_libddwaf.py: missing_feature
test_shi.py: irrelevant (there is no equivalent to system(3) in go)
test_sqli.py:
Test_Sqli_BodyJson: v1.66.0
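Review bot: test_shi.py keeps its justification ("there is no equivalent to system(3) in go") but the new test_cmdi.py line is a bare missing_feature. Since the shell and command-injection sinks differ per runtime, a note in the same style saying which Go sink the cmdi tests are expected to cover would document why this one is missing rather than irrelevant.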
Expand All @@ -170,6 +170,7 @@ tests/:
Test_Sqli_StackTrace: v1.66.0
Test_Sqli_Telemetry: missing_feature
Test_Sqli_UrlQuery: v1.66.0
Test_Sqli_Waf_Version: missing_feature
test_ssrf.py:
Test_Ssrf_BodyJson: v1.65.1
Test_Ssrf_BodyUrlEncoded: v1.65.1
Expand All @@ -181,6 +182,7 @@ tests/:
Test_Ssrf_StackTrace: v1.65.1
Test_Ssrf_Telemetry: missing_feature
Test_Ssrf_UrlQuery: v1.65.1
Test_Ssrf_Waf_Version: missing_feature
waf/:
test_addresses.py:
Test_BodyJson: v1.37.0
10 changes: 8 additions & 2 deletions manifests/java.yml
Expand Up @@ -563,6 +563,7 @@ tests/:
vertx3: missing_feature
vertx4: missing_feature
rasp/:
test_cmdi.py: missing_feature
test_lfi.py:
Test_Lfi_BodyJson:
'*': v1.40.0
Expand Down Expand Up @@ -605,8 +606,7 @@ tests/:
'*': v1.40.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
spring-boot-payara: missing_feature (APPSEC-54966)
test_libddwaf.py:
Test_Libddwaf_Version:
Test_Lfi_Waf_Version:
'*': v1.40.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
test_shi.py: irrelevant (Not support in Java)
Expand Down Expand Up @@ -664,6 +664,9 @@ tests/:
spring-boot-payara: missing_feature (APPSEC-54966)
vertx3: v1.40.0 # issue in context propagation in 1.39.0
vertx4: v1.40.0 # issue in context propagation in 1.39.0
Test_Sqli_Waf_Version:
'*': v1.40.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
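Review bot: Test_Sqli_Waf_Version lists only '*' and spring-boot-3-native, while the neighbouring Sqli classes also carry spring-boot-payara: missing_feature (APPSEC-54966) and the vertx3/vertx4 context-propagation notes. If the test has to trigger a sqli match before it can read the WAF version, payara will fail here for the same reason; either add the same exclusion or state why it is not needed.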
test_ssrf.py:
Test_Ssrf_BodyJson:
'*': v1.39.0
Expand Down Expand Up @@ -716,6 +719,9 @@ tests/:
spring-boot-payara: missing_feature (APPSEC-54966)
vertx3: missing_feature (APPSEC-55781)
vertx4: missing_feature (APPSEC-55781)
Test_Ssrf_Waf_Version:
'*': v1.40.0
spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
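Review bot: Same question for Test_Ssrf_Waf_Version: the other Ssrf classes exclude spring-boot-payara (APPSEC-54966) and vertx3/vertx4 (APPSEC-55781), but this entry has neither. If the version assertion depends on an ssrf match, those variants need the same missing_feature entries.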
waf/:
test_addresses.py:
Test_BodyJson:
8 changes: 6 additions & 2 deletions manifests/nodejs.yml
Expand Up @@ -273,6 +273,7 @@ tests/:
test_uri.py:
TestURI: missing_feature
rasp/:
test_cmdi.py: missing_feature
test_lfi.py:
Test_Lfi_BodyJson:
'*': *ref_5_24_0
Expand All @@ -297,8 +298,7 @@ tests/:
Test_Lfi_UrlQuery:
'*': *ref_5_24_0
nextjs: missing_feature
test_libddwaf.py:
Test_Libddwaf_Version: *ref_5_25_0
Test_Lfi_Waf_Version: *ref_5_25_0
test_shi.py:
Test_Shi_BodyJson:
'*': *ref_5_25_0
Expand All @@ -317,9 +317,11 @@ tests/:
Test_Shi_Telemetry:
'*': *ref_5_25_0
nextjs: missing_feature
Test_Shi_Telemetry_Variant_Tag: missing_feature
Test_Shi_UrlQuery:
'*': *ref_5_25_0
nextjs: missing_feature
Test_Shi_Waf_Version: *ref_5_25_0
test_sqli.py:
Test_Sqli_BodyJson:
'*': *ref_5_23_0
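Review bot: Test_Shi_Waf_Version: *ref_5_25_0 has no nextjs: missing_feature entry, although every other Test_Shi_* class in this block excludes nextjs. The removed Test_Libddwaf_Version had no nextjs entry either, so this may be deliberate, but please confirm the nextjs weblog passes it; the same applies to the Test_Sqli_Waf_Version and Test_Ssrf_Waf_Version entries added further down in this file.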
Expand All @@ -341,6 +343,7 @@ tests/:
Test_Sqli_UrlQuery:
'*': *ref_5_23_0
nextjs: missing_feature
Test_Sqli_Waf_Version: *ref_5_25_0
test_ssrf.py:
Test_Ssrf_BodyJson:
'*': *ref_5_20_0
Expand All @@ -362,6 +365,7 @@ tests/:
Test_Ssrf_UrlQuery:
'*': *ref_5_20_0
nextjs: missing_feature
Test_Ssrf_Waf_Version: *ref_5_25_0
waf/:
test_addresses.py:
Test_BodyJson:
2 changes: 1 addition & 1 deletion manifests/php.yml
Expand Up @@ -147,8 +147,8 @@ tests/:
test_uri.py:
TestURI: missing_feature
rasp/:
test_cmdi.py: missing_feature
test_lfi.py: missing_feature
test_libddwaf.py: missing_feature
test_shi.py: missing_feature
test_sqli.py: missing_feature
test_ssrf.py: missing_feature
8 changes: 6 additions & 2 deletions manifests/python.yml
Expand Up @@ -236,6 +236,7 @@ tests/:
test_uri.py:
TestURI: missing_feature
rasp/:
test_cmdi.py: missing_feature
test_lfi.py:
Test_Lfi_BodyJson: v2.10.0
Test_Lfi_BodyUrlEncoded: v2.10.0
Expand All @@ -248,8 +249,7 @@ tests/:
Test_Lfi_StackTrace: v2.10.0
Test_Lfi_Telemetry: v2.10.0
Test_Lfi_UrlQuery: v2.10.0
test_libddwaf.py:
Test_Libddwaf_Version: v2.15.0
Test_Lfi_Waf_Version: v2.15.0
test_shi.py:
Test_Shi_BodyJson: v2.11.0-rc2
Test_Shi_BodyUrlEncoded: v2.11.0-rc2
Expand All @@ -260,7 +260,9 @@ tests/:
Test_Shi_Rules_Version: v2.15.0
Test_Shi_StackTrace: v2.11.0-rc2
Test_Shi_Telemetry: v2.11.0-rc2
Test_Shi_Telemetry_Variant_Tag: missing_feature
Test_Shi_UrlQuery: v2.11.0-rc2
Test_Shi_Waf_Version: v2.15.0
test_sqli.py:
Test_Sqli_BodyJson: v2.10.0
Test_Sqli_BodyUrlEncoded: v2.10.0
Expand All @@ -272,6 +274,7 @@ tests/:
Test_Sqli_StackTrace: v2.10.0
Test_Sqli_Telemetry: v2.10.0
Test_Sqli_UrlQuery: v2.10.0
Test_Sqli_Waf_Version: v2.15.0
test_ssrf.py:
Test_Ssrf_BodyJson: v2.10.0
Test_Ssrf_BodyUrlEncoded: v2.10.0
Expand All @@ -283,6 +286,7 @@ tests/:
Test_Ssrf_StackTrace: v2.10.0
Test_Ssrf_Telemetry: v2.10.0
Test_Ssrf_UrlQuery: v2.10.0
Test_Ssrf_Waf_Version: v2.15.0
waf/:
test_addresses.py:
Test_BodyJson:
2 changes: 1 addition & 1 deletion manifests/ruby.yml
Expand Up @@ -148,8 +148,8 @@ tests/:
test_uri.py:
TestURI: missing_feature
rasp/:
test_cmdi.py: missing_feature
test_lfi.py: missing_feature
test_libddwaf.py: missing_feature
test_shi.py: missing_feature
test_sqli.py: missing_feature
test_ssrf.py: missing_feature
51 changes: 50 additions & 1 deletion tests/appsec/rasp/rasp_ruleset.json
Expand Up @@ -228,6 +228,55 @@
"on_match": [
"stack_trace", "block"
]
}
},
{
"id": "rasp-932-110",
"name": "OS command injection exploit",
"enabled": true,
"tags": {
"type": "command_injection",
"category": "vulnerability_trigger",
"cwe": "77",
"capec": "1000/152/248/88",
"confidence": "0",
"module": "rasp"
},
"conditions": [
{
"parameters": {
"resource": [
{
"address": "server.sys.exec.cmd"
}
],
"params": [
{
"address": "server.request.query"
},
{
"address": "server.request.body"
},
{
"address": "server.request.path_params"
},
{
"address": "grpc.server.request.message"
},
{
"address": "graphql.server.all_resolvers"
},
{
"address": "graphql.server.resolver"
}
]
},
"operator": "cmdi_detector"
}
],
"transformers": [],
"on_match": [
"stack_trace", "block"
]
}
]
}
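Review bot: The new rasp-932-110 rule introduces the cmdi_detector operator into tests/appsec/rasp/rasp_ruleset.json, which is the ruleset loaded by every tracer under test, while the manifests still pin tracers whose lfi/sqli/ssrf tests pass on older libddwaf builds (v3.4.1, v2.15.0). Please confirm how a libddwaf build without cmdi_detector treats this rule (ideally it is reported as a per-rule diagnostics error and the remaining rasp rules still load), so that adding the cmdi tests does not silently break the existing lfi, sqli and ssrf runs on those tracers.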