Merge pull request #827 from AikidoSec/attack-wave-samples

Collect samples for attack wave detection

Author: hansott

library/agent/Agent.test.ts

@@ -1,7 +1,6 @@
 import * as FakeTimers from "@sinonjs/fake-timers";
 import { hostname, platform, release } from "os";
 import * as t from "tap";
-import * as fetch from "../helpers/fetch";
 import { getSemverNodeVersion } from "../helpers/getNodeVersion";
 import { ip } from "../helpers/ipAddress";
 import { wrap } from "../helpers/wrap";
@@ -1265,17 +1264,14 @@ t.test("attack wave detected event", async (t) => {
       route: "/posts/:id",
       routeParams: {},
     },
-    metadata: {
-      x: "test",
-    },
   });
 
   t.match(api.getEvents(), [
     {
       type: "detected_attack_wave",
       attack: {
         metadata: {
-          x: "test",
+          samples: "[]",
         },
       },
       request: {

library/agent/Agent.ts

@@ -647,18 +647,27 @@ export class Agent {
   /**
    * This function gets called when an attack wave is detected, it reports this attack wave to the API
    */
-  onDetectedAttackWave({
-    request,
-    metadata,
-  }: {
-    request: Context;
-    metadata: Record<string, string>;
-  }) {
+  onDetectedAttackWave({ request }: { request: Context }) {
+    if (!request.remoteAddress) {
+      // Cannot report attack wave without IP address
+      // Should not happen since AttackWaveDetector checks for remoteAddress
+      return;
+    }
+
+    const samples = this.attackWaveDetector.getSamplesForIP(
+      request.remoteAddress
+    );
+
     const attack: DetectedAttackWave = {
       type: "detected_attack_wave",
       time: Date.now(),
       attack: {
-        metadata: limitLengthMetadata(metadata, 4096),
+        metadata: limitLengthMetadata(
+          {
+            samples: JSON.stringify(samples),
+          },
+          4096
+        ),
         user: request.user,
       },
       request: {

library/agent/api/Event.ts

@@ -158,7 +158,7 @@ type Heartbeat = {
 export type DetectedAttackWave = {
   type: "detected_attack_wave";
   request: {
-    ipAddress: string | undefined;
+    ipAddress: string;
     userAgent: string | undefined;
     source: string;
   };

library/agent/api/ReportingAPIRateLimitedClientSide.test.ts

@@ -62,7 +62,7 @@ function generateAttackWaveEvent(): Event {
     type: "detected_attack_wave",
     time: Date.now(),
     request: {
-      ipAddress: undefined,
+      ipAddress: "::1",
       userAgent: undefined,
       source: "express",
     },

library/sources/FunctionsFramework.test.ts

@@ -299,7 +299,6 @@ t.test("it waits for attack events to be sent before returning", async (t) => {
 
     agent.onDetectedAttackWave({
       request: getContext()!,
-      metadata: {},
     });
 
     res.sendStatus(200);

library/sources/HTTPServer.test.ts

@@ -1103,7 +1103,34 @@ t.test("it reports attack waves", async (t) => {
         {
           type: "detected_attack_wave",
           attack: {
-            metadata: {},
+            metadata: {
+              samples: JSON.stringify([
+                {
+                  method: "GET",
+                  url: "/../package.json",
+                },
+                {
+                  method: "GET",
+                  url: "/.env",
+                },
+                {
+                  method: "GET",
+                  url: "/wp-config.php",
+                },
+                {
+                  method: "GET",
+                  url: "/etc/passwd",
+                },
+                {
+                  method: "GET",
+                  url: "/.git/config",
+                },
+                {
+                  method: "GET",
+                  url: "/%systemroot%/system32/cmd.exe",
+                },
+              ]),
+            },
             user: undefined,
           },
           request: {

library/sources/Lambda.test.ts

@@ -558,7 +558,6 @@ t.test("it waits for attack events to be sent before returning", async (t) => {
 
     agent.onDetectedAttackWave({
       request: getContext()!,
-      metadata: {},
     });
 
     return { statusCode: 200 };

library/sources/http-server/createRequestListener.ts

@@ -118,7 +118,9 @@ function onFinishRequestHandler(
       !agent.getConfig().isBypassedIP(context.remoteAddress) &&
       agent.getAttackWaveDetector().check(context)
     ) {
-      agent.onDetectedAttackWave({ request: context, metadata: {} });
+      agent.onDetectedAttackWave({
+        request: context,
+      });
       agent.getInspectionStatistics().onAttackWaveDetected();
     }
   }

library/sources/http-server/http2/createStreamListener.ts

@@ -81,7 +81,9 @@ function discoverRouteFromStream(
         !agent.getConfig().isBypassedIP(context.remoteAddress) &&
         agent.getAttackWaveDetector().check(context)
       ) {
-        agent.onDetectedAttackWave({ request: context, metadata: {} });
+        agent.onDetectedAttackWave({
+          request: context,
+        });
         agent.getInspectionStatistics().onAttackWaveDetected();
       }
     }

library/vulnerabilities/attack-wave-detection/AttackWaveDetector.test.ts

@@ -30,6 +30,7 @@ function newAttackWaveDetector() {
     attackWaveTimeFrame: 60 * 1000,
     minTimeBetweenEvents: 60 * 60 * 1000,
     maxLRUEntries: 10_000,
+    maxSamplesPerIP: 5,
   });
 }
 
@@ -150,3 +151,55 @@ t.test("a slow web scanner that triggers in the third interval", async (t) => {
 
   clock.uninstall();
 });
+
+t.test("it collects samples correctly", async (t) => {
+  const detector = newAttackWaveDetector();
+  const ip = "::1";
+  detector.check(getTestContext(ip, "/wp-config.php", "GET"));
+  detector.check(getTestContext(ip, "/wp-config.php.bak", "GET"));
+  detector.check(getTestContext(ip, "/.git/config", "GET"));
+  detector.check(getTestContext(ip, "/.env", "GET"));
+  detector.check(getTestContext(ip, "/.htaccess", "GET"));
+
+  detector.check(getTestContext(ip, "/.htaccess", "GET")); // Duplicate
+  detector.check(getTestContext("::2", "/test/.env", "GET")); // Different IP
+
+  const samples = detector.getSamplesForIP(ip);
+  t.equal(samples.length, 5, "should have collected 5 samples");
+
+  t.same(
+    samples,
+    [
+      { method: "GET", url: "http://localhost:4000/wp-config.php" },
+      { method: "GET", url: "http://localhost:4000/wp-config.php.bak" },
+      { method: "GET", url: "http://localhost:4000/.git/config" },
+      { method: "GET", url: "http://localhost:4000/.env" },
+      { method: "GET", url: "http://localhost:4000/.htaccess" },
+    ],
+    "should have collected the correct samples"
+  );
+});
+
+t.test("it limits samples correctly", async (t) => {
+  const detector = newAttackWaveDetector();
+  const ip = "::1";
+
+  for (let i = 0; i < 10; i++) {
+    detector.check(getTestContext(ip, `/${i}/.env`, "GET"));
+  }
+
+  const samples = detector.getSamplesForIP(ip);
+  t.equal(samples.length, 5, "should have collected maximum 5 samples");
+
+  t.same(
+    samples,
+    [
+      { method: "GET", url: "http://localhost:4000/0/.env" },
+      { method: "GET", url: "http://localhost:4000/1/.env" },
+      { method: "GET", url: "http://localhost:4000/2/.env" },
+      { method: "GET", url: "http://localhost:4000/3/.env" },
+      { method: "GET", url: "http://localhost:4000/4/.env" },
+    ],
+    "should have collected the correct samples"
+  );
+});