Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AI PRP: Apache airflow default credential tester #526

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

AI PRP: Apache airflow default credential tester #526

wants to merge 3 commits into from
+330 −0

Conversation

joernNNN
Copy link

@joernNNN joernNNN commented Aug 14, 2024
edited
Loading

According to #521
the testbed:
google/security-testbeds#81

@google-cla Google CLA
Copy link

google-cla bot commented Aug 14, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@leonardo-doyensec
Copy link
Collaborator

Hello @joernNNN. Can you please link the testbed?

@joernNNN
Copy link
Author

@leonardo-doyensec i updated the first comment to contain the testbeds.

@leonardo-doyensec
Copy link
Collaborator

Hello @joernNNN. Thank you for your contribution. I'm noticing that the plugin is not working correctly. When i try to run the plugin on my side it's not running at all. Can you please check it on your side?

Feel free to reach out
~ Leonardo (Doyensec)

@leonardo-doyensec
Copy link
Collaborator

Friendly ping @joernNNN

@joernNNN
Copy link
Author

@leonardo-doyensec, Thanks for the ping, I totally missed your comment. I'm going to solve this issue today.

@joernNNN
Copy link
Author

joernNNN commented Oct 18, 2024
edited
Loading

@leonardo-doyensec the plugin is working fine.

You must also use the google/fingerprinters/web plugin when you want to run the Tsunami CLI, I think.

because we are checking whether the service is airflow, we need to do the fingerprinting step before running the weak credential tester plugin.

  @Override
  public boolean canAccept(NetworkService networkService) {
    return NetworkServiceUtils.getWebServiceName(networkService).equals(AIRFLOW_SERVICE);
  }

the command line switches I use and the version of the Tsunami CLI can be seen in the following:

java -cp "tsunami-main-0.0.24-SNAPSHOT-cli.jar:/home/joern/tsunami/myPlugins/*"   -Dtsunami-config.location=/home/joern/tsunami/tsunami_tcs.yaml   com.google.tsunami.main.cli.TsunamiCli   --uri-target=http://localhost:8080/    --http-client-trust-all-certificates --scan-results-local-output-format=JSON   --scan-results-local-output-filename=/tmp/tsunami-output.json

@tooryx tooryx added the Contributor main The main issue a contributor is working on (top of the contribution queue). label Oct 22, 2024
@tooryx tooryx linked an issue Oct 23, 2024 that may be closed by this pull request
AI PRP: Apache airflow default credential tester #521
Open
leonardo-doyensec
leonardo-doyensec reviewed Dec 3, 2024
View reviewed changes
Copy link
Collaborator

@leonardo-doyensec leonardo-doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @joernNNN
i've noticed that the plugin is working correctly right now. There is just one problem. The plugin tries to bruteforce all the credentials even if the ones from the fingerprint phase are valid. Can you find a way to stop the plugin if those are correct? This will reduce the noise performed by the scan.
Moreover you can find some minor stylistic issue to address.

~ Feel free to reach out
Leonardo (Doyensec)

...ctors/credentials/genericweakcredentialdetector/testers/airflow/AirflowCredentialTester.java Show resolved Hide resolved
...ctors/credentials/genericweakcredentialdetector/testers/airflow/AirflowCredentialTester.java Outdated Show resolved Hide resolved
...s/credentials/genericweakcredentialdetector/testers/airflow/AirflowCredentialTesterTest.java Show resolved Hide resolved
@joernNNN
Copy link
Author

joernNNN commented Dec 3, 2024

Hello @leonardo-doyensec
I noticed the number of credentials for brute-forcing too. I tried to find an immediate solution like finding a method in TestCredential or CredentialTester classes but there is not anything helpful.

@tooryx I would like to know if we can have only the default credentials for a weak credential plugin to brute-force not all other default credentials or top username and password lists.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leonardo-doyensec leonardo-doyensec leonardo-doyensec left review comments

Assignees

@joernNNN joernNNN

Labels
Contributor main The main issue a contributor is working on (top of the contribution queue).
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AI PRP: Apache airflow default credential tester
3 participants
@joernNNN @leonardo-doyensec @tooryx