JavaScript plugin development
Aaron Lewis edited this page Jun 9, 2019 · 6 revisions
Most of our detection algorithms are implemented in the JavaScript plugin system, which runs seamlessly on all supported platforms. A plugin method is called when a specific checkpoint is triggered in the agent, e.g. an SQL query or a file read or write.
A plugin should be placed in the following directory:
- Java agents: <app_home>/rasp/plugins
- PHP agents: <openrasp_rootdir>/rasp/plugins
Because the Java agent monitors the plugin directory, a plugin is loaded/unloaded immediately when you add/remove it. Also, only files with the `.js` extension are accepted.
A minimized plugin looks like the following:
```javascript
const plugin_version = '2018-1000-1000'
const plugin_name = 'test-plugin'
'use strict'

// RASP is a global provided by the agent; the plugin name is used in log output
var plugin = new RASP(plugin_name)

// Result object returned from a checkpoint callback: 'ignore' lets the request through
const clean = {
  action: 'ignore',
  message: 'Looks fine to me',
  confidence: 0
}

// Called by the agent every time the 'sql' checkpoint is triggered
plugin.register('sql', function (params, context) {
  plugin.log('SQL query: ' + params.query)
  return clean
})

plugin.log('plugin-demo: plugin loaded')
```
In the example above,

- We've registered a callback with `plugin.register`. The agent will pass in two parameters:
  - `params`: checkpoint parameters, e.g. the complete SQL query, the filename to read, ...
  - `context`: current HTTP request parameters, headers, URL, ...
- We logged the SQL query to `rasp/logs/plugin.log`
- We didn't block the request in the callback
The checkpoint types, and the `params` object each one passes to the callback, are listed below.

SQL query

```
type = sql
params = {
  "server": "mysql / oracle / pgsql / mssql / sqlite",
  "query": "select * from users"
}
```

Reading directory contents

```
type = directory
params = {
  "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/",
  "realpath": "/etc/",
  "stack": [
    "java.lang.ProcessBuilder.start",
    "sun.reflect.NativeMethodAccessorImpl.invoke0",
    "sun.reflect.NativeMethodAccessorImpl.invoke",
    "sun.reflect.DelegatingMethodAccessorImpl.invoke",
    ...
  ]
}
```

Reading files

```
type = readFile
params = {
  "path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/hosts",
  "realpath": "/etc/hosts"
}
```

Writing files

```
type = writeFile
params = {
  "path": "abc.jsp",
  "realpath": "/home/tomcat/webapps/ROOT/abc.jsp",
  "stack": [
    ...
  ]
}
```

Including files

```
# Java example
type = include
params = {
  url: "file:///etc/passwd",
  function: "jstl_import",
  realpath: "/etc/passwd"
}

# PHP example
type = include
params = {
  url: "/home/webroot/footer/../../../../../../../../../etc/passwd",
  function: "require_once",
  realpath: "/etc/passwd"
}
```

WebDAV requests (Java only)

```
type = webdav
params = {
  "source": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.txt",
  "dest": "/home/rsync/apache-tomcat-7.0.78/webapps/webdav/1.jsp"
}
```

File uploading

```
type = fileUpload
params = {
  "name": "file",
  "filename": "a.jsp",
  "content": "<% ... %>"
}
```

Renaming files

```
type = rename
params = {
  "source": "/var/www/html/uploads/hello.txt",
  "dest": "/var/www/html/uploads/hello.php"
}
```

Command execution

```
type = command
params = {
  "stack": [
    "java.lang.ProcessBuilder.start",
    "sun.reflect.NativeMethodAccessorImpl.invoke0",
    "sun.reflect.NativeMethodAccessorImpl.invoke",
    "sun.reflect.DelegatingMethodAccessorImpl.invoke",
    ...
  ],
  "command": "/bin/sh -c 'whoami; ls; '"
}
```

Loading XML entities

```
type = xxe
params = {
  "entity": "file:///etc/passwd"
}
```

OGNL execution

```
type = ognl
params = {
  "expression": "_memberAccess"
}
```

Deserialization

```
type = deserialization
params = {
  "clazz": "InvokerTransformer"
}
```

HTTP request

```
type = ssrf
params = {
  "url": "http://0x7f.0x0.0x0.0x1:8080/v1/api/get",
  "hostname": "0x7f.0x0.0x0.0x1",
  "ip": ["1.1.1.1", "2.2.2.2"],
  "port": "8080",
  "function": "commons_http_client"
}
```
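The following is an added example, not code from the OpenRASP wiki or project. It shows a plugin built on the `plugin.register` / result-object pattern of the minimized plugin above, with detection logic for two of the checkpoints listed here: `readFile` and `directory` (path traversal, using the `path` / `realpath` pair the agent passes) and `ssrf` (obfuscated IP literals and hostnames that resolve to internal addresses, using `hostname` and `ip`). It assumes that `'block'` is accepted as an `action` value alongside `'ignore'`, and the `RASP` class, its `check` method, the `sensitive_roots` list and all sample inputs are constructed stand-ins so the file runs outside the agent, which supplies its own `RASP` global at runtime.

```javascript
'use strict'

const plugin_version = '2019-01-01-example'   // constructed version string
const plugin_name = 'traversal-ssrf-demo'

// Constructed stand-in for the agent's RASP global. It only records the
// registered callbacks so they can be invoked directly; the real agent
// provides its own implementation and writes log() output to rasp/logs/plugin.log.
class RASP {
  constructor (name) { this.name = name; this.checks = {} }
  register (type, fn) { this.checks[type] = fn }
  log (msg) { /* no-op outside the agent */ }
  // Runs a checkpoint the way the agent would (constructed helper, not agent API)
  check (type, params, context) { return this.checks[type](params, context || {}) }
}

const clean = { action: 'ignore', message: 'Looks fine to me', confidence: 0 }

// Assumption: 'block' is accepted as an action value in addition to 'ignore'
function block (message, confidence) {
  return { action: 'block', message: message, confidence: confidence }
}

// Directories a web application has no business reaching through a traversed path
// (constructed list; tune per deployment)
const sensitive_roots = ['/etc/', '/proc/', '/root/', '/home/']

// Path traversal: the raw path climbs with ".." segments AND the agent's
// resolved realpath lands under a sensitive root, as in the readFile example.
function check_traversal (params) {
  const climbs = /(^|[\\/])\.\.([\\/]|$)/.test(params.path || '')
  const real = params.realpath || ''
  const sensitive = sensitive_roots.some(root => real.startsWith(root))
  if (climbs && sensitive) {
    return block('Path traversal: ' + params.path + ' resolves to ' + real, 90)
  }
  return clean
}

// Hostnames written as hex or octal octets (0x7f.0x0.0x0.0x1, 0177.0.0.1) or as a
// single decimal number are non-standard IP spellings that evade naive allow-lists.
function obfuscated_ip (hostname) {
  const parts = hostname.split('.')
  if (parts.length === 1 && /^\d+$/.test(hostname)) return true
  return parts.some(p => /^0x[0-9a-f]+$/i.test(p) || /^0\d+$/.test(p))
}

// Loopback, RFC 1918 and link-local IPv4 ranges the application should not fetch from
function internal_ip (ip) {
  const o = ip.split('.').map(Number)
  if (o.length !== 4 || o.some(isNaN)) return false
  return o[0] === 127 || o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254)
}

// SSRF: flag an obfuscated literal first, then any resolved address that is internal
function check_ssrf (params) {
  const host = params.hostname || ''
  if (obfuscated_ip(host)) {
    return block('SSRF: obfuscated IP literal ' + host, 80)
  }
  const hit = (params.ip || []).find(internal_ip)
  if (hit) {
    return block('SSRF: ' + host + ' resolves to internal address ' + hit, 80)
  }
  return clean
}

var plugin = new RASP(plugin_name)
plugin.register('readFile', check_traversal)
plugin.register('directory', check_traversal)
plugin.register('ssrf', check_ssrf)
plugin.log(plugin_name + ' ' + plugin_version + ' loaded')
```

The traversal check deliberately requires both signals: a `..` segment alone is common in legitimate relative paths, and a `realpath` under `/home/` alone would match the application's own webapp directory, so only the combination is reported. The SSRF check inspects the `ip` array rather than the hostname string because a benign-looking name can still resolve to a loopback or metadata address; the obfuscated-literal test catches the `0x7f.0x0.0x0.0x1` form shown in the checkpoint listing even when the agent reports no resolved addresses.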