Merge pull request #734 from AikidoSec/report-stored-ssrf

Report stored SSRF as attack event

Author: hansott

library/agent/Agent.ts

@@ -199,13 +199,29 @@ export class Agent {
     operation: string;
     kind: Kind;
     blocked: boolean;
-    source: Source;
-    request: Context;
+    source: Source | undefined;
+    request: Context | undefined;
     stack: string;
     paths: string[];
     metadata: Record<string, string>;
     payload: unknown;
   }) {
+    const attackRequest: DetectedAttack["request"] = request
+      ? {
+          method: request.method,
+          url: request.url,
+          ipAddress: request.remoteAddress,
+          userAgent:
+            typeof request.headers["user-agent"] === "string"
+              ? request.headers["user-agent"]
+              : undefined,
+          body: convertRequestBodyToString(request.body),
+          headers: filterEmptyRequestHeaders(request.headers),
+          source: request.source,
+          route: request.route,
+        }
+      : undefined;
+
     const attack: DetectedAttack = {
       type: "detected_attack",
       time: Date.now(),
@@ -218,22 +234,13 @@ export class Agent {
         source: source,
         metadata: limitLengthMetadata(metadata, 4096),
         kind: kind,
-        payload: JSON.stringify(payload).substring(0, 4096),
-        user: request.user,
-      },
-      request: {
-        method: request.method,
-        url: request.url,
-        ipAddress: request.remoteAddress,
-        userAgent:
-          typeof request.headers["user-agent"] === "string"
-            ? request.headers["user-agent"]
+        payload:
+          payload !== undefined
+            ? JSON.stringify(payload).substring(0, 4096)
             : undefined,
-        body: convertRequestBodyToString(request.body),
-        headers: filterEmptyRequestHeaders(request.headers),
-        source: request.source,
-        route: request.route,
+        user: request?.user,
       },
+      request: attackRequest,
       agent: this.getAgentInfo(),
     };
 

library/agent/Attack.ts

@@ -4,6 +4,7 @@ export type Kind =
   | "shell_injection"
   | "path_traversal"
   | "ssrf"
+  | "stored_ssrf"
   | "code_injection";
 
 export function attackKindHumanName(kind: Kind) {
@@ -18,6 +19,8 @@ export function attackKindHumanName(kind: Kind) {
       return "a path traversal attack";
     case "ssrf":
       return "a server-side request forgery";
+    case "stored_ssrf":
+      return "a stored server-side request forgery";
     case "code_injection":
       return "a JavaScript injection";
   }

library/agent/AttackLogger.ts

@@ -28,7 +28,7 @@ export class AttackLogger {
     this.logCount++; // Increment the log counter
 
     const { blocked, kind, operation, source, path } = event.attack;
-    const { ipAddress } = event.request;
+    const ipAddress = event.request?.ipAddress;
 
     const message = `Zen has ${blocked ? "blocked" : "detected"} ${attackKindHumanName(kind)}: kind="${escapeLog(kind)}" operation="${escapeLog(operation)}(...)" source="${escapeLog(source)}${escapeLog(path)}" ip="${escapeLog(ipAddress)}"`;
 

library/agent/api/Event.ts

@@ -39,25 +39,27 @@ export type User = {
 
 export type DetectedAttack = {
   type: "detected_attack";
-  request: {
-    method: string | undefined;
-    ipAddress: string | undefined;
-    userAgent: string | undefined;
-    url: string | undefined;
-    headers: Record<string, string | string[]>;
-    body: string | undefined;
-    source: string;
-    route: string | undefined;
-  };
+  request:
+    | {
+        method: string | undefined;
+        ipAddress: string | undefined;
+        userAgent: string | undefined;
+        url: string | undefined;
+        headers: Record<string, string | string[]>;
+        body: string | undefined;
+        source: string;
+        route: string | undefined;
+      }
+    | undefined;
   attack: {
     kind: Kind;
     operation: string;
     module: string;
     blocked: boolean;
-    source: Source;
+    source: Source | undefined;
     path: string;
     stack: string;
-    payload: string;
+    payload: string | undefined;
     metadata: Record<string, string>;
     user: User | undefined;
   };

library/vulnerabilities/ssrf/inspectDNSLookupCalls.test.ts

@@ -370,7 +370,7 @@ t.test("Blocks IMDS SSRF with untrusted domain", async (t) => {
         if (err instanceof Error) {
           t.same(
             err.message,
-            "Zen has blocked a server-side request forgery: operation(...) originating from unknown source"
+            "Zen has blocked a stored server-side request forgery: operation(...) originating from unknown source"
           );
         }
         t.same(address, undefined);
@@ -384,7 +384,7 @@ t.test("Blocks IMDS SSRF with untrusted domain", async (t) => {
           if (err instanceof Error) {
             t.same(
               err.message,
-              "Zen has blocked a server-side request forgery: operation(...) originating from unknown source"
+              "Zen has blocked a stored server-side request forgery: operation(...) originating from unknown source"
             );
           }
           t.same(address, undefined);
@@ -524,3 +524,205 @@ t.test("it ignores when the argument is an IP address", async (t) => {
     }),
   ]);
 });
+
+t.test("Reports stored SSRF without context", async (t) => {
+  const api = new ReportingAPIForTesting();
+  const agent = createTestAgent({
+    token: new Token("123"),
+    api,
+  });
+  agent.start([]);
+
+  const wrappedLookup = inspectDNSLookupCalls(
+    imdsMockLookup,
+    agent,
+    "http",
+    "request"
+  );
+
+  await new Promise<void>((resolve) => {
+    wrappedLookup("imds.test.com", { family: 4 }, (err, address) => {
+      t.same(err instanceof Error, true);
+      if (err instanceof Error) {
+        t.same(
+          err.message,
+          "Zen has blocked a stored server-side request forgery: request(...) originating from unknown source"
+        );
+      }
+      t.same(address, undefined);
+      resolve();
+    });
+  });
+
+  t.match(api.getEvents(), [
+    {
+      type: "started",
+    },
+    {
+      type: "detected_attack",
+      attack: {
+        kind: "stored_ssrf",
+        operation: "request",
+        module: "http",
+        blocked: true,
+        source: undefined,
+        path: "",
+        payload: undefined,
+        metadata: {
+          hostname: "imds.test.com",
+          privateIP: "169.254.169.254",
+        },
+        user: undefined,
+      },
+      request: undefined,
+    },
+  ]);
+});
+
+t.test("Reports stored SSRF with context set", async (t) => {
+  const api = new ReportingAPIForTesting();
+  const agent = createTestAgent({
+    token: new Token("123"),
+    api,
+  });
+  agent.start([]);
+
+  await runWithContext(
+    {
+      remoteAddress: "::1",
+      method: "POST",
+      url: "http://app.example.com:4000",
+      query: {},
+      headers: {},
+      body: {
+        image: "test.png",
+      },
+      cookies: {},
+      routeParams: {},
+      source: "express",
+      route: "/posts/:id",
+    },
+    async () => {
+      const wrappedLookup = inspectDNSLookupCalls(
+        imdsMockLookup,
+        agent,
+        "http",
+        "request"
+      );
+
+      await new Promise<void>((resolve) => {
+        wrappedLookup("imds.test.com", { family: 4 }, (err, address) => {
+          t.same(err instanceof Error, true);
+          if (err instanceof Error) {
+            t.same(
+              err.message,
+              "Zen has blocked a stored server-side request forgery: request(...) originating from unknown source"
+            );
+          }
+          t.same(address, undefined);
+          resolve();
+        });
+      });
+    }
+  );
+
+  t.match(api.getEvents(), [
+    {
+      type: "started",
+    },
+    {
+      type: "detected_attack",
+      attack: {
+        kind: "stored_ssrf",
+        operation: "request",
+        module: "http",
+        blocked: true,
+        source: undefined,
+        path: "",
+        payload: undefined,
+        metadata: {
+          hostname: "imds.test.com",
+          privateIP: "169.254.169.254",
+        },
+        user: undefined,
+      },
+      request: undefined,
+    },
+  ]);
+});
+
+t.test("Reports IDMS SSRF from current request context", async (t) => {
+  const api = new ReportingAPIForTesting();
+  const agent = createTestAgent({
+    token: new Token("123"),
+    api,
+  });
+  agent.start([]);
+
+  await runWithContext(
+    {
+      remoteAddress: "::1",
+      method: "POST",
+      url: "http://app.example.com:4000",
+      query: {},
+      headers: {},
+      body: {
+        image: "https://imds.test.com",
+      },
+      cookies: {},
+      routeParams: {},
+      source: "express",
+      route: "/posts/:id",
+    },
+    async () => {
+      const wrappedLookup = inspectDNSLookupCalls(
+        imdsMockLookup,
+        agent,
+        "http",
+        "request"
+      );
+
+      await new Promise<void>((resolve) => {
+        wrappedLookup("imds.test.com", { family: 4 }, (err, address) => {
+          t.same(err instanceof Error, true);
+          if (err instanceof Error) {
+            t.same(
+              err.message,
+              "Zen has blocked a server-side request forgery: request(...) originating from body.image"
+            );
+          }
+          t.same(address, undefined);
+          resolve();
+        });
+      });
+    }
+  );
+
+  t.match(api.getEvents(), [
+    {
+      type: "started",
+    },
+    {
+      type: "detected_attack",
+      attack: {
+        kind: "ssrf",
+        operation: "request",
+        module: "http",
+        blocked: true,
+        source: "body",
+        path: ".image",
+        payload: "https://imds.test.com",
+        metadata: {
+          hostname: "imds.test.com",
+          privateIP: "169.254.169.254",
+        },
+        user: undefined,
+      },
+      request: {
+        method: "POST",
+        ipAddress: "::1",
+        url: "http://app.example.com:4000",
+      },
+    },
+  ]);
+});