From 61c0df69f40ce1fad9b78c8ac80628d2f27b2f79 Mon Sep 17 00:00:00 2001
From: Alexandre Rulleau
Date: Mon, 18 Nov 2024 15:42:03 +0100
Subject: [PATCH] test(integration): add integration test for fingerprints

Signed-off-by: Alexandre Rulleau
---
 .../appsec/php/integration/CommonTests.groovy | 1 +
 .../integration/src/test/waf/recommended.json | 271 ++++++++++++++----
 2 files changed, 222 insertions(+), 50 deletions(-)

diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
index 84ca54e07a9..3001685afb4 100644
--- a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
+++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
@@ -66,6 +66,7 @@ trait CommonTests {
 assert span.meta."appsec.events.users.login.failure.email" == 'jean.example@example.com'
 assert span.meta."appsec.events.users.login.failure.session_id" == '987654321'
 assert span.meta."appsec.events.users.login.failure.role" == 'admin'
+ assert span.meta."_dd.appsec.fp.http.endpoint".matches("http-get-[A-Za-z0-9]{8}-[A-Za-z0-9]{8}-([A-Za-z0-9]{8})?")
 }
 
 
diff --git a/appsec/tests/integration/src/test/waf/recommended.json b/appsec/tests/integration/src/test/waf/recommended.json
index 0fbc7b4c015..17add7f0d73 100644
--- a/appsec/tests/integration/src/test/waf/recommended.json
+++ b/appsec/tests/integration/src/test/waf/recommended.json
@@ -6754,15 +6754,15 @@
 "parameters": {
 "inputs": [
 {
- "address": "server.request.body",
- "key_path": [
- "message"
- ]
+ "address": "server.request.body",
+ "key_path": [
+ "message"
+ ]
 },
 {
 "address": "server.response.body",
 "key_path": [
- "message"
+ "message"
 ]
 }
 ],
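Review bot: The pattern added in CommonTests.groovy is looser than the value it guards: `[A-Za-z0-9]{8}` accepts any alphanumeric run, and only the last group is optional, so the assertion fixes one particular combination of present and absent fragments without saying why. If the generator emits lowercase hex digests, which the 8-character groups suggest but the patch does not show, `[0-9a-f]{8}` would reject a malformed or unhashed fragment that the current class lets through. A one-line comment above the assert, for example `// method, then one 8-char hash per request part; the last part is absent in this request`, would make the optional group reviewable. The enclosing test method starts outside the hunk.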
@@ -6777,24 +6777,24 @@
 "id": "poison-in-json-block",
 "name": "poison-in-json-block",
 "tags": {
- "type": "security_scanner",
- "category": "attack_attempt"
+ "type": "security_scanner",
+ "category": "attack_attempt"
 },
 "conditions": [
- {
- "parameters": {
- "inputs": [
- {
- "address": "server.response.body",
- "key_path": [
- "message"
- ]
- }
- ],
- "regex": "(?i)block_this"
- },
- "operator": "match_regex"
- }
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.response.body",
+ "key_path": [
+ "message"
+ ]
+ }
+ ],
+ "regex": "(?i)block_this"
+ },
+ "operator": "match_regex"
+ }
 ],
 "transformers": [],
 "on_match": [
@@ -6802,35 +6802,35 @@
 ]
 },
 {
- "id": "poison-in-xml",
- "name": "poison-in-xml",
- "tags": {
- "type": "security_scanner",
- "category": "attack_attempt"
- },
- "conditions": [
- {
- "parameters": {
- "inputs": [
- {
- "address": "server.request.body",
- "key_path": [
- "note"
- ]
- },
- {
- "address": "server.response.body",
- "key_path": [
- "note"
- ]
- }
- ],
- "regex": "(?i).*poison.*"
- },
- "operator": "match_regex"
- }
- ],
- "transformers": []
+ "id": "poison-in-xml",
+ "name": "poison-in-xml",
+ "tags": {
+ "type": "security_scanner",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.body",
+ "key_path": [
+ "note"
+ ]
+ },
+ {
+ "address": "server.response.body",
+ "key_path": [
+ "note"
+ ]
+ }
+ ],
+ "regex": "(?i).*poison.*"
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
 }
 ],
 "rules_data": [
@@ -6884,5 +6884,176 @@
 "location": "https://datadoghq.com"
 }
 }
+ ],
+ "processors": [
+ {
+ "id": "http-endpoint-fingerprint",
+ "generator": "http_endpoint_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "method": [
+ {
+ "address": "server.request.method"
+ }
+ ],
+ "uri_raw": [
+ {
+ "address": "server.request.uri.raw"
+ }
+ ],
+ "body": [
+ {
+ "address": "server.request.body"
+ }
+ ],
+ "query": [
+ {
+ "address": "server.request.query"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.endpoint"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "http-header-fingerprint",
+ "generator": "http_header_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "headers": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.header"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "http-network-fingerprint",
+ "generator": "http_network_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "headers": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.network"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "session-fingerprint",
+ "generator": "session_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "cookies": [
+ {
+ "address": "server.request.cookies"
+ }
+ ],
+ "session_id": [
+ {
+ "address": "usr.session_id"
+ }
+ ],
+ "user_id": [
+ {
+ "address": "usr.id"
+ }
+ ],
+ "output": "_dd.appsec.fp.session"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ }
 ]
 }
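Review bot: Three of the four processors added in this hunk, `http-header-fingerprint`, `http-network-fingerprint` and `session-fingerprint`, have no matching assertion in this patch; only `_dd.appsec.fp.http.endpoint` is checked in CommonTests.groovy. The session processor is the one most worth covering, because it reads `server.request.cookies`, `usr.session_id` and `usr.id` and is emitted with `"output": true`. A companion check such as `assert span.meta."_dd.appsec.fp.session" != null`, plus one asserting the value does not contain the raw session or user identifier, would catch a regression that puts those values on the span unhashed; whether the login-failure request in that test populates `usr.session_id` is not visible here and should be confirmed. The four `conditions` blocks are identical, so a later change to the trigger addresses has to be made in four places.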