[ASM] Update ruleset to version 1.13.1 and WAF to version 1.20.0 (#6129)

## Summary of changes

The default ruleset has been updated to [version
1.13.1](https://github.com/DataDog/appsec-event-rules/blob/main/build/recommended.json)

The WAF version has been updated to 1.20.0

Since the new ruleset includes fingerprint, tests using them have
started generating fingerprints, so snapshots need to be updated. Also,
the newest WAF version corrects some errors in the FP generation and
generates FPs if only some optional parameters are sent, so some new
values have been added/modified.

A small update has been done in the code to send FPs if the WAF returns
them even if there is no match event, which could potentially happen.

## Reason for change

We need to update both the WAF and the ruleset to support the newest FP
and RASP features.

## Implementation details

## Test coverage

## Other details
<!-- Fixes #{issue} -->

<!-- ⚠️ Note: where possible, please obtain 2 approvals prior to
merging. Unless CODEOWNERS specifies otherwise, for external teams it is
typically best to have one review from a team member, and one review
from apm-dotnet. Trivial changes do not require 2 reviews. -->

tracer/build/_build/Build.Steps.cs

@@ -62,7 +62,7 @@ partial class Build
 
     AbsolutePath NativeBuildDirectory => RootDirectory / "obj";
 
-    const string LibDdwafVersion = "1.19.1";
+    const string LibDdwafVersion = "1.20.0";
 
     string[] OlderLibDdwafVersions = { "1.3.0", "1.10.0", "1.14.0", "1.16.0" };
 

tracer/build/smoke_test_snapshots/smoke_test_snapshots.json

@@ -38,7 +38,7 @@
       "parent_id": 1,
       "type": "web",
       "meta": {
-        "_dd.appsec.waf.version": "1.19.1",
+        "_dd.appsec.waf.version": "1.20.0",
         "_dd.runtime_family": "dotnet",
         "_dd.appsec.s.req.params": "H4sIAAAAAAAAA4uuVkrOzyspys/JSS1Ssoq2iNVRSkwuyczPA3NqYwH+CR9jIQAAAA==",
         "_dd.appsec.s.res.body": "H4sIAAAAAAAAA4u2iAUA8YntnQMAAAA=",
@@ -61,7 +61,7 @@
       "metrics": {
         "_dd.appsec.enabled": 1.0,
         "_dd.appsec.event_rules.error_count": 0.0,
-        "_dd.appsec.event_rules.loaded": 153.0,
+        "_dd.appsec.event_rules.loaded": 158.0,
         "_dd.top_level": 1.0,
         "_dd.tracer_kr": 0.0,
         "_sampling_priority_v1": 2.0,

tracer/build/smoke_test_snapshots/smoke_test_snapshots_2_1.json

@@ -38,7 +38,7 @@
       "parent_id": 1,
       "type": "web",
       "meta": {
-        "_dd.appsec.waf.version": "1.19.1",
+        "_dd.appsec.waf.version": "1.20.0",
         "_dd.runtime_family": "dotnet",
         "_dd.appsec.s.res.body": "H4sIAAAAAAAAA4u2iAUA8YntnQMAAAA=",
         "_dd.appsec.s.req.headers": "H4sIAAAAAAAAA4WOMQrAIBDA/uKsQ7fiVw6Ho4oVrIp3Q4v491JcLc4JJNAEVzwcMbITGgB2Y2QT0SWht27kwAWrSzzlt7LIaLNXjJ4WCuFVYkhelRpyDfws/NFVwa7S3+SfdmaarXfzAg6PMlH9AAAA",
@@ -59,7 +59,7 @@
       "metrics": {
         "_dd.appsec.enabled": 1.0,
         "_dd.appsec.event_rules.error_count": 0.0,
-        "_dd.appsec.event_rules.loaded": 153.0,
+        "_dd.appsec.event_rules.loaded": 158.0,
         "_dd.top_level": 1.0,
         "_dd.tracer_kr": 0.0,
         "_sampling_priority_v1": 2.0,

tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Reporter.cs

@@ -114,6 +114,8 @@ internal void TryReport(IResult result, bool blocked, int? status = null)
             _httpTransport.ReportedExternalWafsRequestHeaders = true;
         }
 
+        AttackerFingerprintHelper.AddSpanTags(_localRootSpan, result);
+
         if (result.ShouldReportSecurityResult)
         {
             _localRootSpan.SetTag(Tags.AppSecEvent, "true");
@@ -132,8 +134,6 @@ internal void TryReport(IResult result, bool blocked, int? status = null)
                 traceContext.AppSecRequestContext.AddWafSecurityEvents(result.Data);
             }
 
-            AttackerFingerprintHelper.AddSpanTags(_localRootSpan, result);
-
             var clientIp = _localRootSpan.GetTag(Tags.HttpClientIp);
             if (!string.IsNullOrEmpty(clientIp))
             {

tracer/test/Datadog.Trace.Security.Unit.Tests/Fingerprint/FingerprintTests.cs

@@ -40,7 +40,6 @@ public class FingerprintTests : WafLibraryRequiredTest
                     { "server.response.status", "200" },
                     { "server.request.uri.raw", "/Iast/GetFileContent?file=/nonexisting.txt" },
                     { "http.client_ip", "::1" },
-                    { "server.request.body", new Dictionary<string, string>() },
                     { "server.request.query", new Dictionary<string, string[]> { { "file", new[] { "/nonexisting.txt" } } } },
                     {
                         "server.request.headers.no_cookies", new Dictionary<string, string[]>
@@ -114,8 +113,8 @@ public class FingerprintTests : WafLibraryRequiredTest
 
     [Theory]
     [InlineData(0, 4)]
-    [InlineData(1, 3)]
-    [InlineData(2, 3)]
+    [InlineData(1, 4)]
+    [InlineData(2, 4)]
     public void GivenAFingerprintRequest_WhenRunWAF_FingerprintIsGenerated(int testIndex, int resultingHeaders)
     {
         var ruleFile = "rasp-rule-set.json";

tracer/test/Datadog.Trace.Security.Unit.Tests/WafErrorsTests.cs

@@ -40,7 +40,7 @@ public void HasNoError()
             waf.Should().NotBeNull();
             initResult.Success.Should().BeTrue();
             initResult.FailedToLoadRules.Should().Be(0);
-            initResult.LoadedRules.Should().Be(153);
+            initResult.LoadedRules.Should().Be(158);
             initResult.Errors.Should().BeEmpty();
             initResult.HasErrors.Should().BeFalse();
             initResult.ErrorMessage.Should().BeNullOrEmpty();

tracer/test/snapshots/AspNetCore5.SecurityEnabled.MetaStruct._.verified.txt

@@ -1,4 +1,4 @@
-[
+[
   {
     TraceId: Id_1,
     SpanId: Id_2,
@@ -25,6 +25,7 @@
       network.client.ip: 127.0.0.1,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-,
       _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]},

tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -46,6 +46,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -46,6 +46,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -46,6 +46,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -47,6 +47,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -47,6 +47,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -47,6 +47,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -23,8 +23,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -46,8 +46,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -46,8 +46,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -23,8 +23,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt

@@ -27,6 +27,7 @@
       _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -24,8 +24,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -47,8 +47,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -47,8 +47,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -24,8 +24,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt

@@ -28,6 +28,7 @@
       _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.origin: appsec,
       _dd.runtime_family: dotnet

tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -46,6 +46,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -46,6 +46,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -46,6 +46,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -47,6 +47,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt

@@ -47,6 +47,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt

@@ -47,6 +47,7 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]},

tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt

@@ -23,8 +23,10 @@
       language: dotnet,
       runtime-id: Guid_1,
       span.kind: server,
+      _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-,
       _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a,
       _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn----,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]},
       _dd.iast.enabled: 1,
       _dd.iast.json: