A Brief Look at IAST

[Figure: OpenRASP-IAST scanner architecture diagram]
The scanner side consists of three modules: the preprocessor (Preprocessor), the scanner (Scanner) and the monitor (Monitor).
The preprocessor is the HTTPServer part of the architecture diagram; it receives the HTTP requests sent by the agent plugin, then processes, stores and distributes the request information.
The scanner module runs the scan plugins, which carry out the actual vulnerability-scanning logic.
The monitor module periodically collects runtime information from the other modules, adjusts parameters, and serves the HTTP interface of the console.

An example of the hook report that the OpenRASP agent sends to the HTTPServer; here a directory-traversal read of /etc/passwd through the `file` parameter of a JSP page (hook_type readFile):
{
  "web_server": {
    "host": "192.168.242.155",
    "port": 8080
  },
  "context": {
    "body": "",
    "nic": [
      {
        "ip": "192.168.242.155",
        "name": "ens33"
      }
    ],
    "header": {
      "referer": "http://192.168.242.155:8080/vulns/002-file-read.jsp",
      "accept-language": "zh-CN,zh;q=0.9",
      "cookie": "JSESSIONID=FE0AE7BF17FBF3325D2F8CECD960CCB0; RASP_AUTH_ID=4fc15c2f1e1187173227ae9591dc2662",
      "host": "192.168.242.155:8080",
      "upgrade-insecure-requests": "1",
      "connection": "keep-alive",
      "accept-encoding": "gzip, deflate",
      "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36",
      "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
    },
    "parameter": {
      "file": [
        "../../../../../../../../../../../../../../../etc/passwd"
      ]
    },
    "server": {
      "server": "tomcat",
      "language": "java",
      "os": "Linux",
      "version": "8.5.47.0",
      "extra": ""
    },
    "json": { },
    "clientIp": "",
    "target": "192.168.242.155",
    "source": "192.168.242.1",
    "hostname": "localhost.localdomain",
    "raspId": "1d98a46921df6d1cffdd200c2f7b7e42",
    "appId": "8559e338fa9d4cfce379d42f719876d919b155c0",
    "requestId": "4ff1a4289ed847a8a6e4f8122c1177c4",
    "appBasePath": "/work/apache-tomcat-8.5.47/webapps/vulns/",
    "remoteAddr": "192.168.242.1",
    "protocol": "http/1.1",
    "querystring": "file=../../../../../../../../../../../../../../../etc/passwd",
    "url": "http://192.168.242.155:8080/vulns/002-file-read.jsp",
    "method": "get",
    "path": "/vulns/002-file-read.jsp"
  },
  "hook_info": [
    {
      "path": "/work/apache-tomcat-8.5.47/webapps/vulns/reports/../../../../../../../../../../../../../../../etc/passwd",
      "realpath": "/etc/passwd",
      "stack": [
        "java.io.FileInputStream.<init>",
        "java.io.FileInputStream.<init>",
        "org.apache.jsp._002_002dfile_002dread_jsp._jspService",
        "org.apache.jasper.runtime.HttpJspBase.service",
        "javax.servlet.http.HttpServlet.service",
        "org.apache.jasper.servlet.JspServletWrapper.service",
        "org.apache.jasper.servlet.JspServlet.serviceJspFile",
        "org.apache.jasper.servlet.JspServlet.service",
        "javax.servlet.http.HttpServlet.service",
        "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter",
        "org.apache.catalina.core.ApplicationFilterChain.doFilter",
        "org.apache.tomcat.websocket.server.WsFilter.doFilter",
        "org.apache.catalina.core.ApplicationFilterChain.internalDoFilter",
        "org.apache.catalina.core.ApplicationFilterChain.doFilter",
        "org.apache.catalina.core.StandardWrapperValve.invoke",
        "org.apache.catalina.core.StandardContextValve.invoke",
        "org.apache.catalina.authenticator.AuthenticatorBase.invoke",
        "org.apache.catalina.core.StandardHostValve.invoke",
        "org.apache.catalina.valves.ErrorReportValve.invoke",
        "org.apache.catalina.valves.AbstractAccessLogValve.invoke",
        "org.apache.catalina.core.StandardEngineValve.invoke",
        "org.apache.catalina.connector.CoyoteAdapter.service",
        "org.apache.coyote.http11.Http11Processor.service",
        "org.apache.coyote.AbstractProcessorLight.process",
        "org.apache.coyote.AbstractProtocol$ConnectionHandler.process",
        "org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun",
        "org.apache.tomcat.util.net.SocketProcessorBase.run",
        "java.util.concurrent.ThreadPoolExecutor.runWorker",
        "java.util.concurrent.ThreadPoolExecutor$Worker.run",
        "org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run",
        "java.lang.Thread.run"
      ],
      "hook_type": "readFile"
    }
  ],
  "plugin_version": "2019-1010-1640"
}

Baidu's official workflow

A typical scan flow, taking SQL injection scanning as the example:
1. Start the scanner side and initialise all modules.
2. A tester sends an HTTP request to the web server; the request and its corresponding HOOK information are captured by the OpenRASP plugin and sent to http_server.
3. http_server sees that the request was not sent by the scanner, deduplicates it and writes it to the database.
4. The scan module fetches one piece of HOOK information from the database and hands it to all scan plugins.
5. The SQL injection scan plugin analyses the HOOK information, finds that a user-input parameter was concatenated into the SQL query, and runs the corresponding scan logic.
6. The scan plugin generates a scan request, replacing the input parameter of the original request that entered the query with a single quote.
7. The scan plugin adds a scan_request_id header that identifies the request as a scan request, and sends the scan request to the web server.
8. The web server handles the request and returns the result; the scan plugin receives the HTTP response, while the OpenRASP plugin captures the request's hook information and sends it to http_server.
9. http_server sees that the request was sent by the scanner and writes it to the rasp_result_queue.
10. The scan module reads the rasp_result_queue and passes the rasp_result to the corresponding scan plugin.
11. The scan plugin checks the hook information it received, finds that the query logic has been changed, concludes that SQL injection exists, and writes the vulnerability information to the database.


Analysis of the core detection code

def mutant(self, rasp_result_ins):
    """
    Test-vector generation (from the SSRF scan plugin; a method of a class derived from ScanPluginBase)
    """
    # Only scan when the hook info contains an "ssrf" hook
    if not rasp_result_ins.has_hook_type("ssrf"):
        return

    # (payload, feature): the payload is what we inject, the feature is the hostname
    # we expect to show up in the ssrf hook if the payload reached the sink
    payload_list = [("http://127.1.2.3/", "127.1.2.3")]

    # Collect all parameters that are candidates for testing
    request_data_ins = self.new_request_data(rasp_result_ins)
    # The default parameter types are also "get", "post", "json", "headers", "cookies"
    test_params = self.mutant_helper.get_params_list(
        request_data_ins, ["get", "post", "json", "headers", "cookies"])
    # Only test parameters whose value was concatenated into the ssrf hook
    for param in test_params:
        if not request_data_ins.is_param_concat_in_hook("ssrf", param["value"]):
            continue
        payload_seq = self.gen_payload_seq()
        for payload in payload_list:
            # Build a test request that records the feature used to tell whether the payload landed
            # (a separate variable, so the request used for the concat check above is not overwritten)
            test_request = self.new_request_data(
                rasp_result_ins, payload_seq, payload[1])
            # Replace the target parameter with the payload we want to inject
            test_request.set_param(
                param["type"], param["name"], payload[0])
            request_data_list = [test_request]
            # Each iteration yields a list of RequestData instances; every instance in the
            # list is sent in turn as a test request
            yield request_data_list
def check(self, request_data_list):
    """
    Check the result of a test request
    """
    request_data_ins = request_data_list[0]
    # feature is the value we expect the payload to produce (the hostname 127.1.2.3 set in mutant)
    feature = request_data_ins.get_payload_info()["feature"]
    # rasp_result_ins holds the hook info the agent reported for this test request
    rasp_result_ins = request_data_ins.get_rasp_result()
    if rasp_result_ins is None:
        return None
    # Hand over to the vulnerability checker
    if self.checker.check_concat_in_hook(rasp_result_ins, "ssrf", feature):
        return "The host of the requested URL can be controlled by user input"
    else:
        return None

There are several check modes; let us follow the ssrf check mode.

It only requires the strings to be equal: that is, the hostname in the hook must equal the one we expected.
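The two comparison modes seen on this page, the substring test that flags the `file` parameter in the readFile hook report shown earlier and the hostname-equality test that the SSRF check uses, as one stand-alone Python function over the agent's JSON. This is an added example, not OpenRASP-IAST's own checker: the abbreviated reports are constructed from the JSON above, the `hostname` field of the ssrf hook and the minimum taint length are assumptions, and here the expected hostname is derived from the parameter value instead of being carried as a payload feature.

```python
import json
from urllib.parse import urlsplit

# Constructed, abbreviated copy of the readFile hook report shown earlier on this page.
READFILE_REPORT = json.loads("""
{
  "context": {
    "parameter": {"file": ["../../../../../../../../../../../../../../../etc/passwd"]},
    "header": {"host": "192.168.242.155:8080",
               "cookie": "JSESSIONID=FE0AE7BF17FBF3325D2F8CECD960CCB0"},
    "json": {}
  },
  "hook_info": [
    {"hook_type": "readFile",
     "path": "/work/apache-tomcat-8.5.47/webapps/vulns/reports/../../../../../../../../../../../../../../../etc/passwd",
     "realpath": "/etc/passwd"}
  ]
}
""")

# Constructed report for the SSRF case: the scan payload from mutant() reached the sink.
# The "hostname" field of the ssrf hook is an assumption about the agent's report format.
SSRF_REPORT = json.loads("""
{
  "context": {
    "parameter": {"url": ["http://127.1.2.3/"]},
    "header": {"host": "192.168.242.155:8080"},
    "json": {}
  },
  "hook_info": [
    {"hook_type": "ssrf", "url": "http://127.1.2.3/", "hostname": "127.1.2.3"}
  ]
}
""")

# Assumed threshold: values shorter than this ("1", "a") would match almost any sink string.
MIN_TAINT_LEN = 4


def iter_params(context):
    """Yield (param_type, name, value) for every user-controlled input in the request context.
    The agent keeps query and form fields together under "parameter"; cookies are split
    out of the Cookie header so each one can be tested on its own."""
    for name, values in context.get("parameter", {}).items():
        for v in values:
            yield ("param", name, v)
    for name, v in context.get("header", {}).items():
        yield ("headers", name, v)
        if name.lower() == "cookie":
            for part in v.split(";"):
                if "=" in part:
                    cname, cval = part.strip().split("=", 1)
                    yield ("cookies", cname, cval)
    for name, v in context.get("json", {}).items():
        if isinstance(v, str):
            yield ("json", name, v)


def concat_in_hook(hook, value):
    """readFile-style check: the raw input is a substring of the string the sink received.
    Compare against "path", not "realpath": realpath has already collapsed the traversal."""
    return len(value) >= MIN_TAINT_LEN and value in hook.get("path", "")


def host_equals_feature(hook, feature):
    """ssrf-style check: plain string equality between the hostname the sink will connect to
    and the hostname we expected, exactly as the check mode on this page does."""
    return hook.get("hostname") == feature


def find_tainted_params(report):
    """Return [(hook_type, param_type, param_name)] for every input that reaches a hooked sink."""
    findings = []
    context = report["context"]
    for hook in report["hook_info"]:
        for ptype, name, value in iter_params(context):
            if hook["hook_type"] == "readFile" and concat_in_hook(hook, value):
                findings.append(("readFile", ptype, name))
            elif hook["hook_type"] == "ssrf":
                expected = urlsplit(value).hostname if "://" in value else value
                if expected and host_equals_feature(hook, expected):
                    findings.append(("ssrf", ptype, name))
    return findings


if __name__ == "__main__":
    print(find_tainted_params(READFILE_REPORT))  # [('readFile', 'param', 'file')]
    print(find_tainted_params(SSRF_REPORT))      # [('ssrf', 'param', 'url')]
```

The substring mode is the weaker of the two: it proves that the input reached the sink verbatim but says nothing about whether it changed the sink's behaviour, which is why the SSRF plugin injects its own host and then asks for equality on the hostname rather than looking for the payload anywhere in the URL.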

Author: Screw
Link: http://screwsec.com/2019/11/16/%E6%B5%85%E6%9E%90IAST/
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit Screw's blog when reposting.