2025-03-30 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
Today I will walk through how IAST works and how it fits into an SDL. Many people know little about it, so I have summarized the following; I hope you find something useful in it.
1. Why analyze IAST
Recently, while implementing an SDL project, I wanted to improve our automated scanning to raise its accuracy. Since fairly mature IAST products already exist, I wanted to analyze how IAST works. There are many articles online analyzing RASP, but very few on the principles of IAST. Previously we scanned in black-box mode through a proxy, for example with the commonly used AWVS. As everyone knows, the false-positive rate of black-box scanning is very high, and while implementing SDL we had to invest a lot of manpower to verify the reported vulnerabilities. The advantage of IAST is that it scans with zero false positives. To analyze IAST it is necessary to analyze the principle of RASP as well; since there are already many articles on RASP, I will cover it briefly in a separate article for the sake of coherence.
2. IAST scanning results
Two normal URLs were scanned here with both IAST and AWVS; you can try other scans yourself.
http://10.57.131.36:8080/vulns/005-file-write.jsp?filename=123.txt&filedata=some-report-data
AWVS did not identify the vulnerability.
IAST identified an arbitrary file write vulnerability.
http://10.57.131.36:8080/vulns/004-command-1.jsp?cmd="openraspcmd"
AWVS reported many false positives.
IAST identified a command execution vulnerability.
A brief explanation of why the results differ so much: a black-box scanner decides whether something is a vulnerability by constructing payload requests and analyzing the responses. For a blind command injection, the response to a normal request looks the same as the response to a request carrying the payload, so the black-box scanner cannot tell whether the vulnerability exists. So how does IAST decide? Read on.
3. Analysis of how IAST works
IAST architecture diagram: (image not reproduced here)
The scanner consists of three modules: the preprocessing module (Preprocessor), the scanning module (Scanner) and the monitoring module (Monitor).
The preprocessing module is the HTTPServer part of the diagram. It receives HTTP requests from the agent plug-in and processes, stores and distributes the HTTP request information.
The scanning module runs the scan plug-ins and executes the vulnerability scanning logic.
The monitoring module periodically collects runtime information from the other modules, adjusts parameters, and provides the HTTP service for the console.
The IAST plug-in must be installed on the RASP agent, and the IAST scanner is used together with that plug-in.
Like every program, IAST has an entry point: run, which then calls the start function. We begin at the entry point and step down from there.
At startup the configuration file is read.
Some initialization checks follow, such as checking that the Python version is above 3.7 and initializing the database tables.
Then it tests whether the cloud control (management console) can be reached.
Then it checks by PID whether an IAST process is already running.
Here we can see that the Preprocessor, the Monitor and n scanner modules are about to be started.
The preprocessor and monitor modules are started first.
The startup of every module depends on the base module: the BaseModule base class, from which all modules inherit.
Stepping into the preprocessor module with a breakpoint:
Tornado is a Python framework used here to handle HTTP requests.
The HTTP server is started to receive HTTP requests from the agent plug-in and to process, store and distribute the request information.
Next the monitor module is loaded; it watches the preprocessor, each scanner module and the monitor itself.
The monitor console is started on port 18664.
This is the monitoring back end of IAST scanning.
The monitor loops, checking whether each module is still alive; if any module has died, it stops itself and all the other modules.
Next the scanner modules are loaded.
The scanner initializes all scan plug-ins.
All scan plug-ins are loaded by traversing the plug-in directory and importing each module dynamically with plugin_module = __import__(plugin_import_path, fromlist=[plugin_name]).
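To make the plug-in loading step concrete, here is an added example (not OpenRASP IAST's own code) that builds a throwaway plug-in package in a temporary directory and imports each plug-in with the same __import__(path, fromlist=[name]) call quoted above. The package name iast_plugins, the one-module-per-plug-in layout and the Plugin class with a hook_type attribute are assumptions made for this example.

```python
"""Dynamic plug-in loading of the kind the scan module does with
__import__(plugin_import_path, fromlist=[plugin_name]).

Added example, not OpenRASP IAST's own code. Package name, file layout and
the Plugin/hook_type convention are assumptions made for the example."""
import importlib
import os
import sys
import tempfile
import textwrap

# constructed plug-in sources; a real scanner ships these as files in its package
PLUGIN_SOURCES = {
    "xxe": '''
        class Plugin:
            hook_type = "xxe"
            def payloads(self):
                return ['<!DOCTYPE a [<!ENTITY x SYSTEM "http://iast.invalid/m">]><a>&x;</a>']
    ''',
    "command": '''
        class Plugin:
            hook_type = "command"
            def payloads(self):
                return ["openraspcmd"]
    ''',
}


def write_plugin_package(root, package_name="iast_plugins", sources=PLUGIN_SOURCES):
    """Write one module per plug-in into <root>/<package_name>/ and return that dir."""
    pkg_dir = os.path.join(root, package_name)
    os.makedirs(pkg_dir, exist_ok=True)
    with open(os.path.join(pkg_dir, "__init__.py"), "w", encoding="utf-8") as f:
        f.write("")
    for name, src in sources.items():
        with open(os.path.join(pkg_dir, name + ".py"), "w", encoding="utf-8") as f:
            f.write(textwrap.dedent(src))
    return pkg_dir


def load_plugins(pkg_dir):
    """Import every module in pkg_dir and return {plugin_name: Plugin class}.

    Module names come from listing the scanner's own directory, never from
    anything the agent or a request supplies, so only shipped code is imported."""
    root, package_name = os.path.split(os.path.abspath(pkg_dir))
    if root not in sys.path:
        sys.path.insert(0, root)
    importlib.invalidate_caches()
    plugins = {}
    for filename in sorted(os.listdir(pkg_dir)):
        if not filename.endswith(".py") or filename == "__init__.py":
            continue
        plugin_name = filename[:-3]
        plugin_import_path = "%s.%s" % (package_name, plugin_name)
        # the same call the article quotes from the scanner's loader;
        # a non-empty fromlist makes __import__ return the submodule itself
        plugin_module = __import__(plugin_import_path, fromlist=[plugin_name])
        plugin_cls = getattr(plugin_module, "Plugin", None)
        if plugin_cls is None or not hasattr(plugin_cls, "hook_type"):
            continue  # not a scan plug-in: skip it rather than crash the scanner
        plugins[plugin_name] = plugin_cls
    return plugins


def demo():
    """Build the temporary package, load it, and map plug-in name -> hook_type."""
    pkg_dir = write_plugin_package(tempfile.mkdtemp(prefix="iast-"))
    return {name: cls.hook_type for name, cls in load_plugins(pkg_dir).items()}


if __name__ == "__main__":
    print(demo())
```

Each loaded class is keyed by its module name, which is how the scanner can later pick the plug-in whose hook_type matches the hook information the agent returns.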
After each module is loaded, the scanner waits for scan requests. When a normal request is sent to the application, the HTTP server receives the original request forwarded by the RASP agent.
This is a normal XML request:
http://10.57.131.36:8080/vulns/007-xxe.jsp?data=<XML note document; the markup was stripped during extraction and only the text content remains: TovdeJani ReminderDon't forget me this weekend!>
Here the original request sent by RASP to IAST is received. Its hook_info is empty, because a normal request has not triggered the hooked function.
The log analysis shows the same flow (the steps marked in red in the screenshot):
1. The user sends a normal request to the server on which the RASP agent is installed.
2. The HTTP layer of RASP hooks the traffic and forwards it to IAST.
3. IAST adds a malicious payload and replays the request to RASP.
4. The IAST plug-in on RASP returns the hook information to IAST, and IAST decides whether there is a vulnerability.
The scanner iterates over all parameters of the HTTP request (header, body and GET parameters) and inserts the payload into each.
Another difference from black-box scanning is that you do not need many payloads. A single payload is enough, because the verdict comes from whether the returned information contains hook_info, not from the content of the response.
Each payload is sent in its own request.
Then the scanner checks whether the vulnerability was triggered.
A vulnerability is confirmed by checking that the hook_type of the returned hook information is xxe and that the entity it reports is the payload IAST sent.
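The following added example (not OpenRASP IAST's or OpenRASP's own code) simulates the whole loop in Python: a stand-in agent that reports an xxe hook whenever the XML it parses declares an external entity, a scanner that replays the original request once per parameter with an XXE payload carrying a unique marker in the entity, and the check on hook_type and entity. A black-box comparison on the same request is included to show why the response alone gives no signal. The agent, the vulnerable handler path, the payload format and the marker domain iast.invalid are assumptions; the original request is constructed after the XML request above.

```python
"""Simulated IAST scan loop: replay a request with a payload per parameter and
decide from the agent's hook information, not from the HTTP response.

Added example, not OpenRASP IAST's own code. The agent, the vulnerable
handler and the payload format are stand-ins (assumptions) that mimic the
data flow described above: original request -> scanner -> replay with
payload -> hook_info back from the agent."""
import re
import uuid
from urllib.parse import urlsplit, parse_qsl, urlencode

ENTITY_RE = re.compile(r'<!ENTITY\s+\w+\s+SYSTEM\s+"([^"]+)"')


def fake_agent(method, url, headers, body):
    """Stand-in for the RASP agent plus the application (assumption).

    The application 'parses' XML taken from the ``data`` query parameter. The
    hook on the XML parser records every external entity it sees, the way the
    IAST plug-in reports a hook of type ``xxe``. The HTTP response is the same
    whether or not an entity was declared, i.e. the vulnerability is blind."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    hook_info = []
    if parts.path.endswith("/007-xxe.jsp"):
        for entity in ENTITY_RE.findall(params.get("data", "")):
            hook_info.append({"hook_type": "xxe", "entity": entity})
    response = {"status": 200, "body": "ok"}  # no observable difference
    return response, hook_info


def xxe_payload(marker):
    # constructed payload: the SYSTEM id carries a unique marker so the scanner
    # can tell its own entity apart from any entity the app normally uses
    return ('<?xml version="1.0"?><!DOCTYPE a [<!ENTITY x SYSTEM "%s">]>'
            '<a>&x;</a>' % marker)


def scan_xxe(request, send=fake_agent):
    """Replay ``request`` once per parameter (query, header, body) with an
    XXE payload in that parameter; report a finding only when the agent's
    hook_info contains an xxe hook whose entity equals our marker."""
    method, url, headers, body = request
    parts = urlsplit(url)
    locations = {"query": dict(parse_qsl(parts.query)),
                 "header": dict(headers),
                 "body": dict(parse_qsl(body))}
    findings = []
    for location, params in locations.items():
        for name in list(params):
            marker = "http://iast.invalid/%s" % uuid.uuid4().hex
            mutated = dict(params)
            mutated[name] = xxe_payload(marker)
            if location == "query":
                new_url = parts._replace(query=urlencode(mutated)).geturl()
                new_headers, new_body = headers, body
            elif location == "header":
                new_url, new_headers, new_body = url, mutated, body
            else:
                new_url, new_headers, new_body = url, headers, urlencode(mutated)
            _, hook_info = send(method, new_url, new_headers, new_body)
            hit = any(h["hook_type"] == "xxe" and h["entity"] == marker
                      for h in hook_info)
            if hit:
                findings.append({"location": location, "param": name,
                                 "hook_type": "xxe"})
    return findings


def blackbox_differs(request, send=fake_agent):
    """What a black-box scanner has to work with: compare the response to the
    original request with the response to the payload request."""
    method, url, headers, body = request
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    base, _ = send(method, url, headers, body)
    query["data"] = xxe_payload("http://iast.invalid/bb")
    after, _ = send(method, parts._replace(query=urlencode(query)).geturl(),
                    headers, body)
    return base != after


# constructed original request, modelled on the normal XML request above
ORIGINAL = ("GET",
            "http://10.57.131.36:8080/vulns/007-xxe.jsp?data=%3Cnote%3Ehi%3C%2Fnote%3E",
            {"User-Agent": "iast-demo"},
            "")

if __name__ == "__main__":
    print(scan_xxe(ORIGINAL))          # one finding: query parameter "data"
    print(blackbox_differs(ORIGINAL))  # False: responses are identical
```

Because the marker is unique per replayed request, a hit can only come from the scanner's own payload reaching the hooked parser, which is why one payload per parameter is enough and no response diffing is needed; the black-box comparison on the same request returns False because the blind sink never changes the response.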
4. The application of IAST in SDL
An SDL has roughly these stages: requirements review, development, testing, release and go-live. The important security activities at each stage are threat modeling, code scanning, automated security testing, CI/CD release gating, and identification of vulnerable dependencies in production together with threat intelligence collection.
In my experience implementing SDL, the main deliverable of the requirements review stage is a security requirements document. It is purely advisory, there is no automated check behind it, and it easily becomes a formality. Code scanning is used in the development phase, and the biggest problem of SAST is that both false positives and false negatives are prominent. If a system has 5 vulnerabilities, a SAST scan may report 100, of which 2 are real and 98 are false positives, which takes a lot of manpower to triage. Automated scanning is usually used in the testing phase, and as the comparison between IAST and black-box scanning at the beginning of the article shows, black-box scanning has a high false-positive rate and needs a lot of manpower to verify vulnerabilities. With IAST deployed, the IAST system produces a security report automatically while QA carries out its normal functional testing, and it also keeps the security results accurate, which greatly reduces labor costs. I think IAST is a big addition to SDL.
Having read the above, do you have a better understanding of how IAST works and how it is applied in SDL?