From 5e0cb00762eb28d0e08f8bfd051ceba56b1eb6fb Mon Sep 17 00:00:00 2001
From: Alexandre Rulleau
Date: Mon, 18 Nov 2024 15:42:03 +0100
Subject: [PATCH] test(integration): add integration test for fingerprints

Signed-off-by: Alexandre Rulleau
---
 .../appsec/php/integration/CommonTests.groovy | 5 +
 .../integration/src/test/waf/recommended.json | 271 ++++++++++++++----
 2 files changed, 226 insertions(+), 50 deletions(-)

diff --git a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
index 84ca54e07a..70b4587714 100644
--- a/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
+++ b/appsec/tests/integration/src/test/groovy/com/datadog/appsec/php/integration/CommonTests.groovy
@@ -222,6 +222,7 @@ trait CommonTests {
 assert span.metrics."_dd.appsec.enabled" == 1.0d
 assert span.metrics."_dd.appsec.waf.duration" > 0.0d
 assert span.meta."_dd.appsec.event_rules.version" != ''
+ assert span.meta."_dd.appsec.fp.http.endpoint" != ''
 }
 
 @Test
@@ -236,6 +237,7 @@ trait CommonTests {
 assert span.metrics."_dd.appsec.enabled" == 1.0d
 assert span.metrics."_dd.appsec.waf.duration" > 0.0d
 assert span.meta."_dd.appsec.event_rules.version" != ''
+ assert span.meta."_dd.appsec.fp.http.endpoint" != ''
 }
 
 @Test
@@ -249,6 +251,7 @@ trait CommonTests {
 assert span.metrics."_dd.appsec.enabled" == 1.0d
 assert span.metrics."_dd.appsec.waf.duration" > 0.0d
 assert span.meta."_dd.appsec.event_rules.version" != ''
+ assert span.meta."_dd.appsec.fp.http.endpoint" != ''
 }
 
 @Test
@@ -262,6 +265,7 @@ trait CommonTests {
 assert span.metrics."_dd.appsec.enabled" == 1.0d
 assert span.metrics."_dd.appsec.waf.duration" > 0.0d
 assert span.meta."_dd.appsec.event_rules.version" != ''
+ assert span.meta."_dd.appsec.fp.http.endpoint" != ''
 }
 
 @Test
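Review bot: The added `assert span.meta."_dd.appsec.fp.http.endpoint" != ''` does not fail when the tag is missing: if `span.meta` is a plain map (its type is not visible here), an absent key reads as `null`, and `null != ''` is true. The same line is added in the hunks at 236, 249, 262 and 278, so all five checks would still pass with the fingerprint processor silently not running. Assert on Groovy truth instead, `assert span.meta."_dd.appsec.fp.http.endpoint"`, which rejects both `null` and the empty string. The test methods begin above each hunk, so which request each one sends is not visible from here.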
@@ -278,6 +282,7 @@ trait CommonTests {
 assert span.metrics."_dd.appsec.waf.duration" > 0.0d
 assert span.meta."_dd.appsec.event_rules.version" != ''
 assert span.meta."appsec.blocked" == "true"
+ assert span.meta."_dd.appsec.fp.http.endpoint" != ''
 }
 
 @Test
diff --git a/appsec/tests/integration/src/test/waf/recommended.json b/appsec/tests/integration/src/test/waf/recommended.json
index 0fbc7b4c01..17add7f0d7 100644
--- a/appsec/tests/integration/src/test/waf/recommended.json
+++ b/appsec/tests/integration/src/test/waf/recommended.json
@@ -6754,15 +6754,15 @@
 "parameters": {
 "inputs": [
 {
- "address": "server.request.body",
- "key_path": [
- "message"
- ]
+ "address": "server.request.body",
+ "key_path": [
+ "message"
+ ]
 },
 {
 "address": "server.response.body",
 "key_path": [
- "message"
+ "message"
 ]
 }
 ],
@@ -6777,24 +6777,24 @@
 "id": "poison-in-json-block",
 "name": "poison-in-json-block",
 "tags": {
- "type": "security_scanner",
- "category": "attack_attempt"
+ "type": "security_scanner",
+ "category": "attack_attempt"
 },
 "conditions": [
- {
- "parameters": {
- "inputs": [
- {
- "address": "server.response.body",
- "key_path": [
- "message"
- ]
- }
- ],
- "regex": "(?i)block_this"
- },
- "operator": "match_regex"
- }
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.response.body",
+ "key_path": [
+ "message"
+ ]
+ }
+ ],
+ "regex": "(?i)block_this"
+ },
+ "operator": "match_regex"
+ }
 ],
 "transformers": [],
 "on_match": [
@@ -6802,35 +6802,35 @@
 ]
 },
 {
- "id": "poison-in-xml",
- "name": "poison-in-xml",
- "tags": {
- "type": "security_scanner",
- "category": "attack_attempt"
- },
- "conditions": [
- {
- "parameters": {
- "inputs": [
- {
- "address": "server.request.body",
- "key_path": [
- "note"
- ]
- },
- {
- "address": "server.response.body",
- "key_path": [
- "note"
- ]
- }
- ],
- "regex": "(?i).*poison.*"
- },
- "operator": "match_regex"
- }
- ],
- "transformers": []
+ "id": "poison-in-xml",
+ "name": "poison-in-xml",
+ "tags": {
+ "type": "security_scanner",
+ "category": "attack_attempt"
+ },
+ "conditions": [
+ {
+ "parameters": {
+ "inputs": [
+ {
+ "address": "server.request.body",
+ "key_path": [
+ "note"
+ ]
+ },
+ {
+ "address": "server.response.body",
+ "key_path": [
+ "note"
+ ]
+ }
+ ],
+ "regex": "(?i).*poison.*"
+ },
+ "operator": "match_regex"
+ }
+ ],
+ "transformers": []
 }
 ],
 "rules_data": [
@@ -6884,5 +6884,176 @@
 "location": "https://datadoghq.com"
 }
 }
+ ],
+ "processors": [
+ {
+ "id": "http-endpoint-fingerprint",
+ "generator": "http_endpoint_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "method": [
+ {
+ "address": "server.request.method"
+ }
+ ],
+ "uri_raw": [
+ {
+ "address": "server.request.uri.raw"
+ }
+ ],
+ "body": [
+ {
+ "address": "server.request.body"
+ }
+ ],
+ "query": [
+ {
+ "address": "server.request.query"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.endpoint"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "http-header-fingerprint",
+ "generator": "http_header_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "headers": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.header"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "http-network-fingerprint",
+ "generator": "http_network_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "headers": [
+ {
+ "address": "server.request.headers.no_cookies"
+ }
+ ],
+ "output": "_dd.appsec.fp.http.network"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ },
+ {
+ "id": "session-fingerprint",
+ "generator": "session_fingerprint",
+ "conditions": [
+ {
+ "operator": "exists",
+ "parameters": {
+ "inputs": [
+ {
+ "address": "waf.context.event"
+ },
+ {
+ "address": "server.business_logic.users.login.failure"
+ },
+ {
+ "address": "server.business_logic.users.login.success"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "mappings": [
+ {
+ "cookies": [
+ {
+ "address": "server.request.cookies"
+ }
+ ],
+ "session_id": [
+ {
+ "address": "usr.session_id"
+ }
+ ],
+ "user_id": [
+ {
+ "address": "usr.id"
+ }
+ ],
+ "output": "_dd.appsec.fp.session"
+ }
+ ]
+ },
+ "evaluate": false,
+ "output": true
+ }
 ]
 }
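Review bot: Three of the four processors added here (`http-header-fingerprint`, `http-network-fingerprint`, `session-fingerprint`) are not covered by any assertion in this patch, since CommonTests.groovy only checks `_dd.appsec.fp.http.endpoint`; a typo in a generator name or an input address in those entries would go unnoticed. Add `assert span.meta."_dd.appsec.fp.http.header"` and `assert span.meta."_dd.appsec.fp.http.network"` next to the endpoint check. The session processor reads `server.request.cookies`, `usr.session_id` and `usr.id`, so it presumably needs a test request that carries a cookie or an identified user. That test should also confirm that `_dd.appsec.fp.session` holds a derived value rather than the raw cookie, session id or user id, because the tag ends up in span metadata.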