JavaScript plugin development
Aaron Lewis edited this page Jun 9, 2019
·
6 revisions
Most of our detection algorithms are implemented in our JavaScript plugin system, which runs seamlessly on all supported platforms. A plugin method is called when a specific checkpoint is triggered in the agent, e.g. a SQL query or a file read or write.
A minimal plugin looks like the following:
// Plugin metadata, kept as the first statements of the file as in the original listing.
const plugin_version = '2018-1000-1000';
const plugin_name = 'test-plugin';

// NOTE(review): a 'use strict' string only acts as a directive when it is the
// first statement of a script or function body. Placed after the declarations
// above it is a plain expression statement, so confirm how the agent loads
// plugins before relying on strict-mode semantics here.
'use strict';

// RASP is not defined in this file; presumably the agent's plugin runtime
// provides it as a global -- verify against the agent.
var plugin = new RASP(plugin_name);

// Result object handed back when a checkpoint has nothing to report.
const clean = {
  action: 'ignore',
  message: 'Looks fine to me',
  confidence: 0,
};

// Handler for the 'sql' checkpoint. This skeleton only logs the statement and
// always returns `clean`, so on its own it detects nothing.
// NOTE(review): params.query is the raw SQL text and may carry credentials or
// personal data; consider truncating or redacting it before logging outside a demo.
plugin.register('sql', (params, context) => {
  const logLine = 'SQL query: ' + params.query;
  plugin.log(logLine);
  return clean;
});

plugin.log('plugin-demo: plugin loaded');
SQL query
type = sql
params = {
"server": "mysql / oracle / pgsql / mssql / sqlite",
"query": "select * from users"
}
Reading directory contents
type = directory
params = {
"path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/",
"realpath": "/etc/",
"stack": [
"java.lang.ProcessBuilder.start",
"sun.reflect.NativeMethodAccessorImpl.invoke0",
"sun.reflect.NativeMethodAccessorImpl.invoke",
"sun.reflect.DelegatingMethodAccessorImpl.invoke",
...
]
}
Reading files
type = readFile
params = {
"path": "/home/servers/tomcat/webapps/mywar/../../../../../../../../../etc/hosts",
"realpath": "/etc/hosts"
}
Writing files
type = writeFile
params = {
"path": "abc.jsp",
"realpath": "/home/tomcat/webapps/ROOT/abc.jsp",
"stack": [
...
]
}