HTTP Header, HTTP Network and Session Fingerprints #320

Merged
merged 36 commits into from
Jul 18, 2024

@Anilm3 Anilm3 commented Jul 15, 2024

This PR introduces the HTTP header, HTTP network and session fingerprint processors, taking advantage of functionality introduced in #318. To include these processors, one must add the following configuration:

```yaml
id: http-header-fingerprint
generator: http_header_fingerprint
conditions:
  - operator: exists
    parameters:
      inputs:
        - address: waf.context.event
parameters:
  mappings:
    - headers:
        - address: server.request.headers.no_cookies
      output: _dd.appsec.fp.http.header
evaluate: false
output: true
```

```yaml
id: http-network-fingerprint
generator: http_network_fingerprint
conditions:
  - operator: exists
    parameters:
      inputs:
        - address: waf.context.event
parameters:
  mappings:
    - headers:
        - address: server.request.headers.no_cookies
      output: _dd.appsec.fp.http.network
evaluate: false
output: true
```

```yaml
id: session-fingerprint
generator: session_fingerprint
conditions:
  - operator: exists
    parameters:
      inputs:
        - address: waf.context.event
parameters:
  mappings:
    - cookies:
        - address: server.request.cookies
      session_id:
        - address: usr.session_id
      user_id:
        - address: usr.id
      output: _dd.appsec.fp.session
evaluate: false
output: true
```

These fragments are specifically aimed at providing information regarding the headers used to access the application:

  • The header fingerprint gives us a fingerprint of the headers used, highlighting known headers, as well as the user agent.
  • The network fingerprint for now is quite limited, focusing only on XFF headers and their precedence in IP resolution.
  • The session fingerprint provides us information about authenticated and / or tracked users through cookies and session IDs.

Finally, note that both the network and header processors currently evaluate the same set of headers. Unfortunately, due to the nature of processors, it's not possible to evaluate all headers only once; however, I'm evaluating options...

Related Jiras:
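
The following Python sketch is an added illustration, not part of the PR and not libddwaf's implementation: it shows the kind of value a header fingerprint and a network fingerprint can carry when both are computed from the same cookie-free header map. The two header lists, the 8-character hash truncation and the `hdr-`/`net-` output layout are assumptions made for the example.

```python
import hashlib

# Assumed lists for illustration; the PR text does not enumerate them.
KNOWN_HEADERS = ["referer", "connection", "accept-encoding", "content-encoding",
                 "cache-control", "te", "accept-charset", "content-type",
                 "accept", "accept-language"]
# Assumed precedence of client-IP headers: earlier entries win in IP resolution.
IP_HEADERS = ["x-forwarded-for", "x-real-ip", "true-client-ip", "x-client-ip",
              "forwarded-for", "x-cluster-client-ip"]

# Constructed sample requests, cookies already stripped (headers.no_cookies).
REQ_A = {"User-Agent": "curl/8.5.0", "Accept": "*/*",
         "X-Forwarded-For": "203.0.113.7, 10.0.0.2", "X-Trace": "1"}
REQ_B = {"x-trace": "9", "x-forwarded-for": "198.51.100.4, 10.0.0.9",
         "accept": "text/html", "user-agent": "curl/8.5.0"}


def _short_hash(text):
    """First 8 hex characters of SHA-256: enough to group, not to identify."""
    return hashlib.sha256(text.encode()).hexdigest()[:8]


def _normalise(headers):
    """Lower-case header names so case and ordering do not affect the result."""
    return {name.lower(): value for name, value in headers.items()}


def header_fingerprint(headers):
    """Known-header bitmask, user-agent hash, then count and hash of the rest."""
    h = _normalise(headers)
    known = "".join("1" if name in h else "0" for name in KNOWN_HEADERS)
    agent = _short_hash(h.get("user-agent", ""))
    other = sorted(n for n in h if n not in KNOWN_HEADERS and n != "user-agent")
    return f"hdr-{known}-{agent}-{len(other)}-{_short_hash(','.join(other))}"


def network_fingerprint(headers):
    """Address count in the winning IP header, then a presence bitmask."""
    h = _normalise(headers)
    present = "".join("1" if name in h else "0" for name in IP_HEADERS)
    chosen = next((h[n] for n in IP_HEADERS if n in h), "")
    hops = sum(1 for ip in chosen.split(",") if ip.strip())
    return f"net-{hops}-{present}"


if __name__ == "__main__":
    for request in (REQ_A, REQ_B):
        print(header_fingerprint(request), network_fingerprint(request))
```

`REQ_A` and `REQ_B` differ in header order, case and values but share header names and user agent, so both fingerprints come out identical for the two requests.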

codecov-commenter commented Jul 15, 2024

Codecov Report

Attention: Patch coverage is 83.76963% with 31 lines in your changes missing coverage. Please review.

Project coverage is 84.52%. Comparing base (a217ab2) to head (0a2d5e8).

| Files | Patch % | Lines |
|---|---|---|
| src/processor/fingerprint.cpp | 82.53% | 20 Missing and 9 partials ⚠️ |
| src/condition/exists.hpp | 50.00% | 1 Missing and 1 partial ⚠️ |

@@            Coverage Diff             @@
##           master     #320      +/-   ##
==========================================
+ Coverage   84.30%   84.52%   +0.22%     
==========================================
  Files         144      144              
  Lines        6746     6941     +195     
  Branches     3102     3179      +77     
==========================================
+ Hits         5687     5867     +180     
- Misses        389      400      +11     
- Partials      670      674       +4     

| Flag | Coverage Δ |
|---|---|
| waf_test | 84.52% <83.76%> (+0.22%) ⬆️ |


pr-commenter bot commented Jul 15, 2024

Benchmarks

Benchmark execution time: 2024-07-18 14:02:51

Comparing candidate commit 1162a90 in PR branch anilm3/remaining-fingerprints with baseline commit a217ab2 in branch master.

Found 8 performance improvements and 1 performance regression! Performance is the same for 10 metrics, 0 unstable metrics.

scenario:bool_equals_matcher.random

  • 🟩 execution_time [-46.011µs; -42.858µs] or [-3.865%; -3.600%]

scenario:float_equals_matcher.random

  • 🟩 execution_time [-54.013µs; -53.119µs] or [-4.534%; -4.459%]

scenario:ip_match_matcher.random

  • 🟩 execution_time [-51.490µs; -50.356µs] or [-3.147%; -3.078%]

scenario:is_xss_matcher.random

  • 🟥 execution_time [+7.307ms; +7.321ms] or [+9.027%; +9.044%]

scenario:regex_match_matcher.case_insensitive_flag.random

  • 🟩 execution_time [-819.482µs; -816.793µs] or [-14.054%; -14.008%]

scenario:regex_match_matcher.case_insensitive_option.random

  • 🟩 execution_time [-817.228µs; -814.694µs] or [-14.016%; -13.973%]

scenario:regex_match_matcher.lowercase_transformer.random

  • 🟩 execution_time [-682.002µs; -679.118µs] or [-9.385%; -9.346%]

scenario:signed_equals_matcher.random

  • 🟩 execution_time [-45.144µs; -42.216µs] or [-3.788%; -3.542%]

scenario:unsigned_equals_matcher.random

  • 🟩 execution_time [-46.300µs; -43.656µs] or [-3.886%; -3.664%]

@Anilm3 Anilm3 changed the base branch from master to anilm3/endpoint-fingerprint July 15, 2024 15:46
@Anilm3 Anilm3 changed the base branch from anilm3/endpoint-fingerprint to master July 15, 2024 15:46
@Anilm3 Anilm3 changed the base branch from master to anilm3/endpoint-fingerprint July 15, 2024 19:19
@Anilm3 Anilm3 force-pushed the anilm3/remaining-fingerprints branch from 23ee838 to 2ab351c Compare July 15, 2024 19:21
Base automatically changed from anilm3/endpoint-fingerprint to master July 16, 2024 14:25
@Anilm3 Anilm3 marked this pull request as ready for review July 16, 2024 15:50
@Anilm3 Anilm3 requested a review from a team as a code owner July 16, 2024 15:50
@Anilm3 Anilm3 mentioned this pull request Jul 17, 2024
@Anilm3 Anilm3 changed the title HTTP Header and Network Fingerprints HTTP Header, HTTP Network and Session Fingerprints Jul 17, 2024
@Anilm3 Anilm3 mentioned this pull request Jul 17, 2024
@Anilm3 Anilm3 merged commit 4bedd53 into master Jul 18, 2024
49 of 50 checks passed
@Anilm3 Anilm3 deleted the anilm3/remaining-fingerprints branch July 18, 2024 16:08