
feat: Support to generate HTTP Response Security Event #260
87 changes: 71 additions & 16 deletions lib/instrumentation-security/hooks/http/nr-http.js
Expand Up @@ -22,6 +22,7 @@
const securityMetaData = require('../../core/security-metadata');
const { EVENT_TYPE, EVENT_CATEGORY } = require('../../core/event-constants');
const hc = require('../../../nr-security-agent/lib/core/health-check');
const LinkingMetaData = require('../../../nr-security-agent/lib/core/LinkingMetadata');

const NRCSECTRACINGDATA = 'NR-CSEC-TRACING-DATA';
const SELFTEST = 'self-test';
Expand Down Expand Up @@ -454,28 +455,79 @@
}

responseBodyCompute(response, arguments);
if (NRAgent && NRAgent.config.security.detection.rxss.enabled && NRAgent.config.security.scan_controllers.report_http_response_body) {
const construct = API.checkForReflectedXSS(request, response.res.body, response.getHeaders());
const policy = API.getPolicy();
const dynamicScanningFlag = policy.data ? (policy.data.vulnerabilityScan?.enabled && policy.data.vulnerabilityScan.iastScan.enabled) : false;
const type = response.getHeader(CONTENT_TYPE);
let isUnsupportedType = isUnsupportedContentType(type, response);

if (request && (construct || dynamicScanningFlag) && !isUnsupportedType) {
const args = [];
args.push(construct);
args.push(response.res.body);
const traceObject = secUtils.getTraceObject(shim);
const secMetadata = securityMetaData.getSecurityMetaData(request, args, traceObject, secUtils.getExecutionId(), EVENT_TYPE.REFLECTED_XSS, EVENT_CATEGORY.REFLECTED_XSS)
const secEvent = API.generateSecEvent(secMetadata);
secEvent.httpResponse = {};
secEvent.httpResponse.contentType = response.getHeader(CONTENT_TYPE);
API.sendEvent(secEvent);
}
}

const construct = API.checkForReflectedXSS(request, response.res.body, response.getHeaders());
const policy = API.getPolicy();
const dynamicScanningFlag = policy.data ? (policy.data.vulnerabilityScan?.enabled && policy.data.vulnerabilityScan.iastScan.enabled) : false;
const type = response.getHeader(CONTENT_TYPE);
let isUnsupportedType = isUnsupportedContentType(type, response);

if (request && (construct || dynamicScanningFlag) && !isUnsupportedType) {
const args = [];
args.push(construct);
args.push(response.res.body);
const traceObject = secUtils.getTraceObject(shim);
const secMetadata = securityMetaData.getSecurityMetaData(request, args, traceObject, secUtils.getExecutionId(), EVENT_TYPE.REFLECTED_XSS, EVENT_CATEGORY.REFLECTED_XSS)
const secEvent = API.generateSecEvent(secMetadata);
secEvent.httpResponse = {};
secEvent.httpResponse.contentType = response.getHeader(CONTENT_TYPE);
API.sendEvent(secEvent);

if (request && API && API.getSecAgent() && NRAgent.config.security.scan_controllers && NRAgent.config.security.scan_controllers.report_http_response_body) {
const fuzzHeader = request.headers[NR_CSEC_FUZZ_REQUEST_ID];
if (fuzzHeader && fuzzHeader.includes('VULNERABLE'))
generateTransactionEvent(request, response);
}


return fn.apply(this, arguments);
}
})
}

/**
* Generate transactionEvent
*/
function generateTransactionEvent(request, response) {
let transactionEvent = {};
let applicationInfo = API.getSecAgent().applicationInfo;
transactionEvent.jsonVersion = applicationInfo.jsonVersion;
transactionEvent.pid = applicationInfo.pid ? applicationInfo.pid : null;
transactionEvent.jsonName = 'sec_http_response';
transactionEvent.eventType = transactionEvent.jsonName;
if (NRAgent) {
transactionEvent.appEntityGuid = NRAgent.config.entity_guid;
transactionEvent.appAccountId = NRAgent.config.account_id;
transactionEvent.linkingMetadata = LinkingMetaData.getLinkingMetadata();
transactionEvent.traceId = transactionEvent.linkingMetadata['trace.id'];
}
transactionEvent.applicationUUID = applicationInfo.applicationUUID;
transactionEvent.policyVersion = applicationInfo.policyVersion;
transactionEvent.collectorVersion = applicationInfo.collectorVersion ? applicationInfo.collectorVersion : null;
transactionEvent.buildNumber = applicationInfo.buildNumber ? applicationInfo.buildNumber : null;
transactionEvent.timestamp = Date.now();
transactionEvent.httpRequest = request;
transactionEvent.httpResponse = {};
let responseBody = response.res.body;
try {
const contentLength = Buffer.byteLength(responseBody, 'utf8');
let bodyLimit = 500000;
if (contentLength && contentLength > bodyLimit) {
responseBody = truncateStringToBytes(responseBody, bodyLimit);
}
} catch (error) {
logger.error("Error while truncating response body", error);
}
transactionEvent.httpResponse.body = responseBody;
transactionEvent.httpResponse.statusCode = response.statusCode;
transactionEvent.httpResponse.headers = response.getHeaders();
transactionEvent.httpResponse.contentType = response.getHeader(CONTENT_TYPE);
logger.debug("Response event is:", JSON.stringify(transactionEvent))
API.sendEvent(transactionEvent);
}
/**
* Utility to check unsupported content types
* @param {*} conType
Expand Down Expand Up @@ -535,6 +587,9 @@
}

function responseBodyCompute(response, args) {
if(NRAgent && !NRAgent.config.security.scan_controllers.report_http_response_body){
return;
}
let encoding = UTF8;
const type = response.getHeader(CONTENT_TYPE);
let isUnsupportedType = isUnsupportedContentType(type, response);
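Review bot: The new condition `if (request && API && API.getSecAgent() && NRAgent.config.security.scan_controllers && ...)` dereferences `NRAgent.config` without the `NRAgent &&` guard the old condition had (and that `generateTransactionEvent` itself re-checks at `if (NRAgent)`), so a missing agent throws inside the response hook; `if (request && NRAgent && API && API.getSecAgent() && NRAgent.config.security.scan_controllers?.report_http_response_body) {` keeps the guard. The rewritten RXSS block also dropped the `NRAgent.config.security.detection.rxss.enabled` gate, so reflected-XSS events are now generated even when that detection category is disabled — confirm this is intended, since `responseBodyCompute` returning early only empties the body and `dynamicScanningFlag` can still be true. In `generateTransactionEvent`, `logger.debug("Response event is:", JSON.stringify(transactionEvent))` writes the full response headers and up to 500000 bytes of body to the log, and will throw if `request` is a raw IncomingMessage with circular references; logging only `transactionEvent.eventType` and the body length is safer. Note that `truncateStringToBytes` is referenced but not defined or required within this hunk, and the enclosing response hook starts outside the hunk.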
2 changes: 2 additions & 0 deletions lib/nr-security-api/index.js
Expand Up @@ -23,6 +23,7 @@ function getNRAgent() {
NRAgent.config.security.scan_controllers = {};
NRAgent.config.security.scan_controllers.iast_scan_request_rate_limit = 3600;
NRAgent.config.security.scan_controllers.scan_instance_count = 0;
NRAgent.config.security.scan_controllers.report_http_response_body = true;
}
if (NRAgent && NRAgent.config && !NRAgent.config.security.exclude_from_iast_scan) {
NRAgent.config.security.exclude_from_iast_scan = {};
Expand All @@ -43,6 +44,7 @@ function getNRAgent() {
NRAgent.config.security.exclude_from_iast_scan.iast_detection_category.ssrf = false;
NRAgent.config.security.exclude_from_iast_scan.iast_detection_category.rxss = false;
}

return NRAgent;
}

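Review bot: `NRAgent.config.security.scan_controllers.report_http_response_body = true;` turns on response-body capture for every deployment that has not set the key, and the captured body is sent out as a `sec_http_response` event, so this default deserves an explicit comment; something like `// Default on: response bodies (up to 500000 bytes) are attached to sec_http_response events unless the user disables this.` would make the data-exposure implication visible to whoever tunes these defaults. Whether an opt-in (`false`) default is the safer choice for bodies that may carry PII is a product decision worth recording in the PR description.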