From 0bf704ba04f46310cae963c99e92a1fdf07c9fe4 Mon Sep 17 00:00:00 2001 From: Anna Date: Fri, 11 Oct 2024 21:43:21 +0200 Subject: [PATCH 1/7] Refactoring and hardening of security coordinator (#6143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary of changes Security coordinator should NEVER be able to be instantiated if http context is null ## Reason for change Refering to several errors at customers with NullReferenceException or waf additive contexts disposed ## Implementation details ## Test coverage ## Other details --------- Co-authored-by: Andrew Lock --- tracer/missing-nullability-files.csv | 1 - .../AttackerFingerprintHelper.cs | 9 ++++++-- .../ControllerContextExtensions.Framework.cs | 3 ++- .../AppSec/Coordinator/HttpTransportBase.cs | 1 + .../Coordinator/SecurityCoordinator.Core.cs | 22 +++++++++++++++--- .../SecurityCoordinator.Framework.cs | 21 +++++++++++++++-- .../AppSec/Coordinator/SecurityCoordinator.cs | 20 +++++----------- .../SecurityCoordinatorHelpers.Core.cs | 13 ++++++----- .../AppSec/CoreHttpContextStore.cs | 19 ++++++++++++--- .../Datadog.Trace/AppSec/Rasp/RaspModule.cs | 11 +++++---- .../Datadog.Trace/AspNet/TracingHttpModule.cs | 4 ++-- ...rActionInvoker_InvokeAction_Integration.cs | 2 +- ...tionDescriptor_ExecuteAsync_Integration.cs | 2 +- .../AspNetCore/BlockingMiddleware.cs | 4 ++-- .../AspNetCoreDiagnosticObserver.cs | 2 +- .../AspNetCoreHttpRequestHandler.cs | 2 +- .../Datadog.Trace/SpanExtensions.Framework.cs | 8 +++++-- .../SecurityCoordinatorTests.cs | 23 +++++++++++++++++++ .../Util/RequestDataHelperTests.cs | 5 ++-- .../Asm/AppSecBodyBenchmark.cs | 4 ++-- 20 files changed, 124 insertions(+), 52 deletions(-) create mode 100644 tracer/test/Datadog.Trace.Security.Unit.Tests/SecurityCoordinatorTests.cs diff --git a/tracer/missing-nullability-files.csv b/tracer/missing-nullability-files.csv index f65cc13d46b1..bb24ee0f582b 100644 --- a/tracer/missing-nullability-files.csv 
+++ b/tracer/missing-nullability-files.csv @@ -60,7 +60,6 @@ src/Datadog.Trace/Agent/TracesTransportType.cs src/Datadog.Trace/AppSec/AddressesConstants.cs src/Datadog.Trace/AppSec/AppSecRateLimiter.cs src/Datadog.Trace/AppSec/BlockingAction.cs -src/Datadog.Trace/AppSec/CoreHttpContextStore.cs src/Datadog.Trace/AppSec/EventTrackingSdk.cs src/Datadog.Trace/AppSec/IDatadogSecurity.cs src/Datadog.Trace/AppSec/IEvent.cs diff --git a/tracer/src/Datadog.Trace/AppSec/AttackerFingerprint/AttackerFingerprintHelper.cs b/tracer/src/Datadog.Trace/AppSec/AttackerFingerprint/AttackerFingerprintHelper.cs index ee644fc7bbc9..81967ea6c6dc 100644 --- a/tracer/src/Datadog.Trace/AppSec/AttackerFingerprint/AttackerFingerprintHelper.cs +++ b/tracer/src/Datadog.Trace/AppSec/AttackerFingerprint/AttackerFingerprintHelper.cs @@ -24,10 +24,15 @@ public static void AddSpanTags(Span span, IResult result) return; } - var securityCoordinator = new SecurityCoordinator(Security.Instance, span); + var securityCoordinator = SecurityCoordinator.TryGet(Security.Instance, span); + + if (securityCoordinator is null) + { + return; + } // We need a context - if (!securityCoordinator.HasContext() || securityCoordinator.IsAdditiveContextDisposed()) + if (securityCoordinator.Value.IsAdditiveContextDisposed()) { return; } diff --git a/tracer/src/Datadog.Trace/AppSec/ControllerContextExtensions.Framework.cs b/tracer/src/Datadog.Trace/AppSec/ControllerContextExtensions.Framework.cs index a96383e2a4bf..982a1543006b 100644 --- a/tracer/src/Datadog.Trace/AppSec/ControllerContextExtensions.Framework.cs +++ b/tracer/src/Datadog.Trace/AppSec/ControllerContextExtensions.Framework.cs @@ -9,6 +9,7 @@ using System.Collections.Generic; using System.Linq; using System.Web; +using Datadog.Trace.AppSec.Coordinator; using Datadog.Trace.AspNet; using Datadog.Trace.ClrProfiler.AutoInstrumentation.AspNet; using Datadog.Trace.Iast; 
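Review bot: In AttackerFingerprintHelper.AddSpanTags the retained comment `// We need a context` now sits above a check that only tests `IsAdditiveContextDisposed()`, while the actual context check is the `securityCoordinator is null` return added just above it. I would move the comment up to the null check, or reword it to `// The WAF additive context must still be alive`. `TryGet` also logs at Warning level each time it returns null, so this early `return` is not silent in the logs. The body of AddSpanTags continues outside the hunk.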
@@ -78,7 +79,7 @@ internal static void MonitorBodyAndPathParams(this IControllerContext controller if (security.Enabled) { - var securityTransport = new Coordinator.SecurityCoordinator(security, scope.Span!); + var securityTransport = SecurityCoordinator.Get(security, scope.Span!, context); if (!securityTransport.IsBlocked) { var inputData = new Dictionary(); diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs index a09391a0991f..d03f8b4cb351 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs @@ -4,6 +4,7 @@ // #nullable enable +using System; using System.Collections.Generic; using Datadog.Trace.AppSec.Waf; using Datadog.Trace.Headers; diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs index 8bb22b08be8d..cab8b08e820f 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs 
@@ -20,15 +20,31 @@ namespace Datadog.Trace.AppSec.Coordinator; internal readonly partial struct SecurityCoordinator { - internal SecurityCoordinator(Security security, Span span, HttpTransport? transport = null) + private SecurityCoordinator(Security security, Span span, HttpTransport transport) { _security = security; _localRootSpan = TryGetRoot(span); - _httpTransport = transport ?? new HttpTransport(CoreHttpContextStore.Instance.Get()); + _httpTransport = transport; } private static bool CanAccessHeaders => true; + internal static SecurityCoordinator? TryGet(Security security, Span span) + { + var context = CoreHttpContextStore.Instance.Get(); + if (context is null) + { + Log.Warning("Can't instantiate SecurityCoordinator.Core as no transport has been provided and CoreHttpContextStore.Instance.Get() returned null, make sure HttpContext is available"); + return null; + } + + return new SecurityCoordinator(security, span, new(context)); + } + + internal static SecurityCoordinator Get(Security security, Span span, HttpContext context) => new(security, span, new HttpTransport(context)); + + internal static SecurityCoordinator Get(Security security, Span span, HttpTransport transport) => new(security, span, transport); + public static Dictionary ExtractHeadersFromRequest(IHeaderDictionary headers) { var headersDic = new Dictionary(headers.Keys.Count); @@ -162,7 +178,7 @@ internal override bool IsBlocked { if (Context.Items.TryGetValue(BlockingAction.BlockDefaultActionName, out var value)) { - return value is bool boolValue && boolValue; + return value is true; } return false; diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs index 0245c5604e84..561479433f5d 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs 
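Review bot: The invariant from the commit summary is enforced only in `TryGet`; both `Get` overloads hand their argument straight to the private constructor, and because `SecurityCoordinator` is a struct, `default(SecurityCoordinator)` still yields an instance whose `_httpTransport` is null. Since the `HasContext()` guard is removed from `RunWaf` in SecurityCoordinator.cs in this same patch, a null reaching either path would presumably surface as a NullReferenceException during request handling rather than as a skipped scan. A guard in the overload, e.g. `new(security, span, new HttpTransport(context ?? throw new ArgumentNullException(nameof(context))))`, or at minimum an XML doc line on `Get` stating that the caller must already hold a non-null context, would make the contract explicit. The same applies to the matching `Get` overloads in SecurityCoordinator.Framework.cs, where ControllerActionInvoker_InvokeAction_Integration passes `HttpContext.Current` directly.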
@@ -45,15 +45,32 @@ static SecurityCoordinator() } } - internal SecurityCoordinator(Security security, Span span, HttpTransport? transport = null) + private SecurityCoordinator(Security security, Span span, HttpTransport transport) { _security = security; _localRootSpan = TryGetRoot(span); - _httpTransport = transport ?? new HttpTransport(HttpContext.Current); + _httpTransport = transport; } private bool CanAccessHeaders => UsingIntegratedPipeline is true or null; + internal static SecurityCoordinator? TryGet(Security security, Span span) + { + if (HttpContext.Current is not { } current) + { + Log.Warning("Can't instantiate SecurityCoordinator.Framework as no transport has been provided and HttpContext.Current null, make sure HttpContext is available"); + return null; + } + + var transport = new HttpTransport(current); + + return new SecurityCoordinator(security, span, transport); + } + + internal static SecurityCoordinator Get(Security security, Span span, HttpContext context) => new(security, span, new HttpTransport(context)); + + internal static SecurityCoordinator Get(Security security, Span span, HttpTransport transport) => new(security, span, transport); + private static Action? CreateThrowHttpResponseExceptionDynMeth() { try diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs index d6b99284f91d..d7432c4cfdc8 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs 
@@ -67,23 +67,10 @@ private static void LogMatchesIfDebugEnabled(IReadOnlyCollection? result return RunWaf(args, lastTime); } - public bool HasContext() - { - return _httpTransport.Context is not null; - } - - public bool IsAdditiveContextDisposed() - { - return _httpTransport.IsAdditiveContextDisposed(); - } + public bool IsAdditiveContextDisposed() => _httpTransport.IsAdditiveContextDisposed(); public IResult? RunWaf(Dictionary args, bool lastWafCall = false, bool runWithEphemeral = false, bool isRasp = false) { - if (!HasContext()) - { - return null; - } - LogAddressIfDebugEnabled(args); IResult? result = null; try @@ -99,6 +86,11 @@ public bool IsAdditiveContextDisposed() _httpTransport.SetAdditiveContext(additiveContext); } } + else if (_httpTransport.IsAdditiveContextDisposed()) + { + Log.Warning("Waf could not run as waf additive context is disposed"); + return null; + } _security.ApiSecurity.ShouldAnalyzeSchema(lastWafCall, _localRootSpan, args, _httpTransport.StatusCode.ToString(), _httpTransport.RouteData); diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinatorHelpers.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinatorHelpers.Core.cs index 208b11282608..563035099f56 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinatorHelpers.Core.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinatorHelpers.Core.cs @@ -25,7 +25,7 @@ internal static void CheckAndBlock(this Security security, HttpContext context, var transport = new SecurityCoordinator.HttpTransport(context); if (!transport.IsBlocked) { - var securityCoordinator = new SecurityCoordinator(security, span, transport); + var securityCoordinator = SecurityCoordinator.Get(security, span, context); var result = securityCoordinator.Scan(); securityCoordinator.BlockAndReport(result); } 
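Review bot: The new `else if (_httpTransport.IsAdditiveContextDisposed())` branch in RunWaf fails open: the request carries on unscanned and the only trace is a Warning log line, which callers cannot tell apart from a clean `null` result. If this condition is frequent enough to have caused the customer errors mentioned in the description, a per-request warning may also be noisy. I would add a comment such as `// Fail open: the request continues without WAF evaluation when the additive context is already disposed` and consider recording the skip somewhere more queryable than the log. The check is made once here while the context is used further down, outside the hunk, so it is worth confirming whether disposal can still happen in between.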
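Review bot: In CheckAndBlock the coordinator is built with `SecurityCoordinator.Get(security, span, context)`, which wraps the context in a second `HttpTransport` even though `transport` was created two lines earlier for the `IsBlocked` check. The other helpers changed in this file (CheckReturnedHeaders, CheckPathParams, CheckUser, CheckPathParamsFromAction) pass the existing instance, so I would use `var securityCoordinator = SecurityCoordinator.Get(security, span, transport);` here too.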
@@ -41,7 +41,8 @@ internal static void CheckReturnedHeaders(this Security security, Span span, IHe var transport = new SecurityCoordinator.HttpTransport(httpContext); if (!transport.IsBlocked) { - var securityCoordinator = new SecurityCoordinator(security, span, transport); + var securityCoordinator = SecurityCoordinator.Get(security, span, transport); + var args = new Dictionary { { @@ -73,7 +74,7 @@ internal static void CheckPathParams(this Security security, HttpContext context var transport = new SecurityCoordinator.HttpTransport(context); if (!transport.IsBlocked) { - var securityCoordinator = new SecurityCoordinator(security, span, transport); + var securityCoordinator = SecurityCoordinator.Get(security, span, transport); var args = new Dictionary { { AddressesConstants.RequestPathParams, pathParams } }; var result = securityCoordinator.RunWaf(args); securityCoordinator.BlockAndReport(result); @@ -88,7 +89,7 @@ internal static void CheckUser(this Security security, HttpContext context, Span var transport = new SecurityCoordinator.HttpTransport(context); if (!transport.IsBlocked) { - var securityCoordinator = new SecurityCoordinator(security, span, transport); + var securityCoordinator = SecurityCoordinator.Get(security, span, transport); var args = new Dictionary { { AddressesConstants.UserId, userId } }; var result = securityCoordinator.RunWaf(args); securityCoordinator.BlockAndReport(result); @@ -103,7 +104,7 @@ internal static void CheckPathParamsFromAction(this Security security, HttpConte var transport = new SecurityCoordinator.HttpTransport(context); if (!transport.IsBlocked) { - var securityCoordinator = new SecurityCoordinator(security, span, transport); + var securityCoordinator = SecurityCoordinator.Get(security, span, transport); var pathParams = new Dictionary(actionPathParams.Count); for (var i = 0; i < actionPathParams.Count; i++) { 
@@ -131,7 +132,7 @@ internal static void CheckPathParamsFromAction(this Security security, HttpConte var transport = new SecurityCoordinator.HttpTransport(context); if (!transport.IsBlocked) { - var securityCoordinator = new SecurityCoordinator(security, span, transport); + var securityCoordinator = SecurityCoordinator.Get(security, span, transport); var keysAndValues = ObjectExtractor.Extract(body); if (keysAndValues is not null) diff --git a/tracer/src/Datadog.Trace/AppSec/CoreHttpContextStore.cs b/tracer/src/Datadog.Trace/AppSec/CoreHttpContextStore.cs index d5b1b090707b..4f670ab0e692 100644 --- a/tracer/src/Datadog.Trace/AppSec/CoreHttpContextStore.cs +++ b/tracer/src/Datadog.Trace/AppSec/CoreHttpContextStore.cs @@ -2,6 +2,7 @@ // Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License. // This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc. // +#nullable enable #if !NETFRAMEWORK using System; @@ -10,19 +11,31 @@ using System.Text; using System.Threading; using System.Threading.Tasks; +using Datadog.Trace.AppSec.Coordinator; +using Datadog.Trace.Logging; using Microsoft.AspNetCore.Http; namespace Datadog.Trace.AppSec { internal class CoreHttpContextStore { + private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(); + public static readonly CoreHttpContextStore Instance = new(); - private AsyncLocal localStore = new(); + private readonly AsyncLocal _localStore = new(); + + public HttpContext? Get() + { + if (_localStore.Value is null) + { + Log.Debug("CoreHttpContextStore.Get called but returning null for HttpContext"); + } - public HttpContext Get() => localStore.Value; + return _localStore.Value; + } - public void Set(HttpContext context) => localStore.Value = context; + public void Set(HttpContext context) => _localStore.Value = context; } } 
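Review bot: `Get()` in CoreHttpContextStore reads `_localStore.Value` twice, once for the null check and once for the return; reading it once with `var context = _localStore.Value;` and then testing and returning `context` is clearer and avoids the second AsyncLocal lookup. With `#nullable enable` now on, `Set(HttpContext context)` declares a non-nullable parameter, so if any caller clears the store by passing null (not visible here) the signature should be `HttpContext? context`. The added `using Datadog.Trace.AppSec.Coordinator;` does not appear to be used by anything in this hunk.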
diff --git a/tracer/src/Datadog.Trace/AppSec/Rasp/RaspModule.cs b/tracer/src/Datadog.Trace/AppSec/Rasp/RaspModule.cs index da15c0dcdeed..6cad1d4f7fa9 100644 --- a/tracer/src/Datadog.Trace/AppSec/Rasp/RaspModule.cs +++ b/tracer/src/Datadog.Trace/AppSec/Rasp/RaspModule.cs @@ -107,15 +107,16 @@ private static void RecordRaspTelemetry(string address, bool isMatch, bool timeO private static void RunWafRasp(Dictionary arguments, Span rootSpan, string address) { - var securityCoordinator = new SecurityCoordinator(Security.Instance, rootSpan); + var securityCoordinator = SecurityCoordinator.TryGet(Security.Instance, rootSpan); // We need a context for RASP - if (!securityCoordinator.HasContext() || securityCoordinator.IsAdditiveContextDisposed()) + if (securityCoordinator is null) { + Log.Warning("Tried to run Rasp but security coordinator couldn't be instantiated, probably because of httpcontext missing"); return; } - var result = securityCoordinator.RunWaf(arguments, runWithEphemeral: true, isRasp: true); + var result = securityCoordinator.Value.RunWaf(arguments, runWithEphemeral: true, isRasp: true); if (result is not null) { @@ -139,7 +140,7 @@ private static void RunWafRasp(Dictionary arguments, Span rootSp } } } - catch (System.Exception ex) + catch (Exception ex) { Log.Error(ex, "RASP: Error while sending stack."); } @@ -148,7 +149,7 @@ private static void RunWafRasp(Dictionary arguments, Span rootSp // we want to report first because if we are inside a try{} catch(Exception ex){} block, we will not report // the blockings, so we report first and then block - securityCoordinator.ReportAndBlock(result); + securityCoordinator.Value.ReportAndBlock(result); } private static void AddSpanId(IResult? result) diff --git a/tracer/src/Datadog.Trace/AspNet/TracingHttpModule.cs b/tracer/src/Datadog.Trace/AspNet/TracingHttpModule.cs index 73e53884362f..0f59d94e4b83 100644 --- a/tracer/src/Datadog.Trace/AspNet/TracingHttpModule.cs 
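Review bot: When no HttpContext is available, RunWafRasp now produces two Warning entries per call: one from `SecurityCoordinator.TryGet` and a second from the `securityCoordinator is null` branch added here. RASP checks may well run on code paths outside a request (background work, startup), so this could flood the log; I would keep one of them at Warning and lower this one, e.g. `Log.Debug(...)` with the same text. The previous early return on `IsAdditiveContextDisposed()` is also gone from this method and is now handled only inside `RunWaf`, which deserves a short remark next to `// We need a context for RASP`.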
+++ b/tracer/src/Datadog.Trace/AspNet/TracingHttpModule.cs @@ -184,7 +184,7 @@ private void OnBeginRequest(object sender, EventArgs eventArgs) if (security.Enabled) { SecurityCoordinator.ReportWafInitInfoOnce(security, scope.Span); - var securityCoordinator = new SecurityCoordinator(security, scope.Span); + var securityCoordinator = SecurityCoordinator.Get(security, scope.Span, httpContext); // request args var args = securityCoordinator.GetBasicRequestArgsForWaf(); @@ -245,7 +245,7 @@ private void OnEndRequest(object sender, EventArgs eventArgs) var security = Security.Instance; if (security.Enabled) { - var securityCoordinator = new SecurityCoordinator(security, rootSpan); + var securityCoordinator = SecurityCoordinator.Get(security, rootSpan, app.Context); var args = securityCoordinator.GetBasicRequestArgsForWaf(); args.Add(AddressesConstants.RequestPathParams, securityCoordinator.GetPathParams()); diff --git a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNet/ControllerActionInvoker_InvokeAction_Integration.cs b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNet/ControllerActionInvoker_InvokeAction_Integration.cs index 4ce267d20a25..9141581f0fe8 100644 --- a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNet/ControllerActionInvoker_InvokeAction_Integration.cs +++ b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNet/ControllerActionInvoker_InvokeAction_Integration.cs @@ -96,7 +96,7 @@ internal static CallTargetState OnMethodBegin(TTarget inst var scope = SharedItems.TryPeekScope(HttpContext.Current, AspNetWebApi2Integration.HttpContextKey); if (scope is not null) { - var securityTransport = new SecurityCoordinator(security, scope.Span); + var securityTransport = SecurityCoordinator.Get(security, scope.Span, HttpContext.Current); if (!securityTransport.IsBlocked) { var extractedObj = ObjectExtractor.Extract(responseObject); 
diff --git a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNetCore/BlockingMiddleware.cs b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNetCore/BlockingMiddleware.cs index f662b8896ad7..61bc72b5574f 100644 --- a/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNetCore/BlockingMiddleware.cs +++ b/tracer/src/Datadog.Trace/ClrProfiler/AutoInstrumentation/AspNetCore/BlockingMiddleware.cs @@ -80,7 +80,7 @@ internal async Task Invoke(HttpContext context) { if (Tracer.Instance?.ActiveScope?.Span is Span span) { - var securityCoordinator = new SecurityCoordinator(security, span, new SecurityCoordinator.HttpTransport(context)); + var securityCoordinator = SecurityCoordinator.Get(security, span, new SecurityCoordinator.HttpTransport(context)); if (_endPipeline && !context.Response.HasStarted) { context.Response.StatusCode = 404; @@ -123,7 +123,7 @@ internal async Task Invoke(HttpContext context) { if (Tracer.Instance?.ActiveScope?.Span is Span span) { - var securityCoordinator = new SecurityCoordinator(security, span, new SecurityCoordinator.HttpTransport(context)); + var securityCoordinator = SecurityCoordinator.Get(security, span, new SecurityCoordinator.HttpTransport(context)); if (!blockException.Reported) { securityCoordinator.TryReport(blockException.Result, endedResponse); diff --git a/tracer/src/Datadog.Trace/DiagnosticListeners/AspNetCoreDiagnosticObserver.cs b/tracer/src/Datadog.Trace/DiagnosticListeners/AspNetCoreDiagnosticObserver.cs index c0c3a0a0cff4..e6d2f9bf782d 100644 --- a/tracer/src/Datadog.Trace/DiagnosticListeners/AspNetCoreDiagnosticObserver.cs +++ b/tracer/src/Datadog.Trace/DiagnosticListeners/AspNetCoreDiagnosticObserver.cs 
@@ -423,7 +423,7 @@ private void OnHostingHttpRequestInStart(object arg) if (arg.TryDuckCast(out var requestStruct)) { - HttpContext httpContext = requestStruct.HttpContext; + var httpContext = requestStruct.HttpContext; if (shouldTrace) { // Use an empty resource name here, as we will likely replace it as part of the request diff --git a/tracer/src/Datadog.Trace/PlatformHelpers/AspNetCoreHttpRequestHandler.cs b/tracer/src/Datadog.Trace/PlatformHelpers/AspNetCoreHttpRequestHandler.cs index e4f907ca7e69..0252dd0a7b2e 100644 --- a/tracer/src/Datadog.Trace/PlatformHelpers/AspNetCoreHttpRequestHandler.cs +++ b/tracer/src/Datadog.Trace/PlatformHelpers/AspNetCoreHttpRequestHandler.cs @@ -169,7 +169,7 @@ public void StopAspNetCorePipelineScope(Tracer tracer, Security security, Scope span.SetHeaderTags(new HeadersCollectionAdapter(httpContext.Response.Headers), tracer.Settings.HeaderTagsInternal, defaultTagPrefix: SpanContextPropagator.HttpResponseHeadersTagPrefix); if (security.Enabled) { - var transport = new SecurityCoordinator(security, span, new SecurityCoordinator.HttpTransport(httpContext)); + var transport = SecurityCoordinator.Get(security, span, new SecurityCoordinator.HttpTransport(httpContext)); transport.AddResponseHeadersToSpanAndCleanup(); } else diff --git a/tracer/src/Datadog.Trace/SpanExtensions.Framework.cs b/tracer/src/Datadog.Trace/SpanExtensions.Framework.cs index cb337faf23b3..5bc0ec2ab696 100644 --- a/tracer/src/Datadog.Trace/SpanExtensions.Framework.cs +++ b/tracer/src/Datadog.Trace/SpanExtensions.Framework.cs 
@@ -26,14 +26,18 @@ private static void RunBlockingCheck(Span span, string userId) if (security.Enabled) { - var securityCoordinator = new SecurityCoordinator(Security.Instance, span); + var securityCoordinator = SecurityCoordinator.TryGet(Security.Instance, span); + if (securityCoordinator is null) + { + return; + } var wafArgs = new Dictionary { { AddressesConstants.UserId, userId }, }; - securityCoordinator.BlockAndReport(wafArgs); + securityCoordinator.Value.BlockAndReport(wafArgs); } } } diff --git a/tracer/test/Datadog.Trace.Security.Unit.Tests/SecurityCoordinatorTests.cs b/tracer/test/Datadog.Trace.Security.Unit.Tests/SecurityCoordinatorTests.cs new file mode 100644 index 000000000000..955a5a1e1d6d --- /dev/null +++ b/tracer/test/Datadog.Trace.Security.Unit.Tests/SecurityCoordinatorTests.cs @@ -0,0 +1,23 @@ +// +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc. +// + +using Datadog.Trace.AppSec.Coordinator; +using FluentAssertions; +using Xunit; + +namespace Datadog.Trace.Security.Unit.Tests +{ + public class SecurityCoordinatorTests + { + [Fact] + public void DefaultBehavior() + { + var target = new AppSec.Security(); + var span = new Span(new SpanContext(1, 1), new System.DateTimeOffset()); + var secCoord = SecurityCoordinator.TryGet(target, span); + secCoord.Should().BeNull(); + } + } +} diff --git a/tracer/test/Datadog.Trace.Tests/Util/RequestDataHelperTests.cs b/tracer/test/Datadog.Trace.Tests/Util/RequestDataHelperTests.cs index 20f0984ca141..9584eb789385 100644 --- a/tracer/test/Datadog.Trace.Tests/Util/RequestDataHelperTests.cs +++ b/tracer/test/Datadog.Trace.Tests/Util/RequestDataHelperTests.cs @@ -14,7 +14,6 @@ using FluentAssertions; using Moq; using Xunit; -using static Datadog.Trace.AppSec.Coordinator.SecurityCoordinator; namespace Datadog.Trace.Tests.Util; 
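Review bot: RunBlockingCheck returns without evaluating the user ID when `TryGet` yields null, so user blocking fails open with only the generic TryGet warning, which does not say that a user-block check was skipped. A comment on the early return, e.g. `// No HttpContext: user blocking cannot be evaluated, fail open`, would make that decision visible to the next reader. The call also passes `Security.Instance` although the local `security` is already in scope and was just used for `security.Enabled`; `SecurityCoordinator.TryGet(security, span)` would be consistent.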
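Review bot: The new test `DefaultBehavior` only passes as long as no ambient HttpContext is set for the test's execution context, and its name does not say what is being asserted; something like `TryGet_WithoutHttpContext_ReturnsNull` would document the contract. The patch's other behavioural change, `RunWaf` returning null when the additive context is disposed, has no test in this file, and neither do the `Get` overloads.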
@@ -79,8 +78,8 @@ private static void CheckRequest(HttpRequest request) scope.Span.ServiceName = "service"; HttpContext context = new HttpContext(request, new HttpResponse(new System.IO.StringWriter())); request.ValidateInput(); - HttpTransport transport = new HttpTransport(context); - var securityCoordinator = new SecurityCoordinator(security, scope.Span, transport); + var transport = new SecurityCoordinator.HttpTransport(context); + var securityCoordinator = SecurityCoordinator.Get(security, scope.Span, transport); // We should not launch any exception here var result = securityCoordinator.GetBasicRequestArgsForWaf(); var iastContext = new IastRequestContext(); diff --git a/tracer/test/benchmarks/Benchmarks.Trace/Asm/AppSecBodyBenchmark.cs b/tracer/test/benchmarks/Benchmarks.Trace/Asm/AppSecBodyBenchmark.cs index 7c5f82a6d23f..986ccc32a242 100644 --- a/tracer/test/benchmarks/Benchmarks.Trace/Asm/AppSecBodyBenchmark.cs +++ b/tracer/test/benchmarks/Benchmarks.Trace/Asm/AppSecBodyBenchmark.cs @@ -80,8 +80,8 @@ private void ExecuteCycle(object body) context?.Dispose(); _httpContext.Features.Set(null); #else - var securityTransport = new SecurityCoordinator(_security, span, new SecurityCoordinator.HttpTransport(_httpContext)); - securityTransport.RunWaf(new Dictionary { { AddressesConstants.RequestBody, ObjectExtractor.Extract(body) } }); + var securityTransport = SecurityCoordinator.Get(_security, span, new SecurityCoordinator.HttpTransport(_httpContext)); + securityTransport!.RunWaf(new Dictionary { { AddressesConstants.RequestBody, ObjectExtractor.Extract(body) } }); var context = _httpContext.Items["waf"] as IContext; context?.Dispose(); _httpContext.Items["waf"] = null; From a721f7b1e580f3afea7f54303cc4c7ab91b8eab7 Mon Sep 17 00:00:00 2001 
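Review bot: In AppSecBodyBenchmark the null-forgiving operator in `securityTransport!.RunWaf(...)` is redundant, because `SecurityCoordinator.Get` returns a non-nullable `SecurityCoordinator` struct; `securityTransport.RunWaf(...)` is enough. Keeping the `!` suggests to a reader that `Get` can return null, which is the `TryGet` contract, not this one.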
From: NachoEchevarria <53266532+NachoEchevarria@users.noreply.github.com> Date: Mon, 14 Oct 2024 09:22:29 +0200 Subject: [PATCH 2/7] [ASM] Fix exception when accessing ReportedExternalWafsRequestHeaders (#6030) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary of changes This PR is closely related to [this one](https://github.com/DataDog/dd-trace-dotnet/pull/6017) In this case, the error is thrown when accessing the key ReportedExternalWafsRequestHeaders No other httpRequest.Items problematic accesses have been found. This error can happen only in netcore versions of the framework. When we access httpcontext.Items, the exception is thrown if the key is not found. httpcontext.Items is defined as a IDictionary. Usually, it will be a Microsoft.AspNetCore.Http.ItemsDictionary, which does not throw an exception when trying to retrieve a key that is not stored, but other custom implementations such as Dictionary will throw it. It seems that in one customer, we are receiving a context in which Items is a Dictionary. This might be due to custom middlewares, third party extensions, use of custom http contexts, etc. ## Reason for change ## Implementation details ## Test coverage ## Other details --- .../AppSec/Coordinator/SecurityCoordinator.Core.cs | 12 ++++++++++-- .../Coordinator/SecurityCoordinator.Framework.cs | 4 ++-- .../AppSec/Coordinator/SecurityCoordinator.cs | 1 + 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs index cab8b08e820f..4073118697eb 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs 
@@ -191,8 +191,16 @@ internal override bool IsBlocked internal override bool ReportedExternalWafsRequestHeaders { - get => Context.Items["ReportedExternalWafsRequestHeaders"] is true; - set => Context.Items["ReportedExternalWafsRequestHeaders"] = value; + get + { + if (Context.Items.TryGetValue(ReportedExternalWafsRequestHeadersStr, out var value)) + { + return value is bool boolValue && boolValue; + } + + return false; + } + set => Context.Items[ReportedExternalWafsRequestHeadersStr] = value; } internal override void MarkBlocked() => Context.Items[BlockingAction.BlockDefaultActionName] = true; diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs index 561479433f5d..666ee51b3e3e 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Framework.cs @@ -558,8 +558,8 @@ public HttpTransport(HttpContext context) internal override bool ReportedExternalWafsRequestHeaders { - get => Context.Items["ReportedExternalWafsRequestHeaders"] is true; - set => Context.Items["ReportedExternalWafsRequestHeaders"] = value; + get => Context.Items[ReportedExternalWafsRequestHeadersStr] is true; + set => Context.Items[ReportedExternalWafsRequestHeadersStr] = value; } internal override void MarkBlocked() => Context.Items[BlockingAction.BlockDefaultActionName] = true; diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs index d7432c4cfdc8..4a235a85e0d6 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs +++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs 
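Review bot: The new getter for `ReportedExternalWafsRequestHeaders` in SecurityCoordinator.Core.cs ends with `return value is bool boolValue && boolValue;`, the exact form that patch 1/7 of this series simplified to `return value is true;` in `IsBlocked` in the same file. I would use `value is true` here as well. The description's scenario, an `Items` implementation that throws on a missing key, is easy to reproduce with a plain `Dictionary<object, object?>`, yet the patch adds no test for it.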
@@ -27,6 +27,7 @@ namespace Datadog.Trace.AppSec.Coordinator; /// internal readonly partial struct SecurityCoordinator { + private const string ReportedExternalWafsRequestHeadersStr = "ReportedExternalWafsRequestHeaders"; private static readonly IDatadogLogger Log = DatadogLogging.GetLoggerFor(); private readonly Security _security; private readonly Span _localRootSpan; From cabf0fd345ae8f915f5c6a6a70f48bb2e5f48264 Mon Sep 17 00:00:00 2001 
From: Andrew Lock Date: Mon, 14 Oct 2024 13:00:09 +0100 Subject: [PATCH 3/7] Handle Nuke .NET 9 preview issue (#6130) ## Summary of changes - Adds workaround for case where .NET 9 (preview) SDK is installed lately. ## Reason for change Fixes case where Nuke no longer works if you install the .NET 9 SDK ## Implementation details Currently we have a global.json which enforces that we use the .NET 8.0.100 SDK for building _in general_. However, we have to use the .NET 7 SDK for running the Nuke project specifically when we're building the Linux x64 _native_ components. > This is because .NET 8 _doesn't_ support CentOS 7 and can't run there, but we _have_ to use CentOS 7 currently for technical reasons. We worked around this previously by specifically opting in to major-version rollforward in the Nuke project. Unfortunately, Nuke doesn't work out of the box with .NET 9 because of the [binary formatter](https://learn.microsoft.com/en-gb/dotnet/standard/serialization/binaryformatter-security-guide) removal. Consequently we have to make sure we _don't_ roll forward to .NET 9 in that case. The solution is pretty simple: - Explicitly use .NET 8 _without_ roll forward in general - Set an env var in the CentOS7 dockerfile `USE_NATIVE_SDK_VERSION=true` which switches the Nuke project to build and run on .NET 7 explicitly ## Test coverage Tested locally that it fixes the .NET 9 issue, this is the test for CI ## Other details ~The side-quest here was updating Nuke as it was quite out of date. I _thought_ it might be required, and it required fixing a _bunch_ of warnings and breaking changes, so figured it would make sense to just do the work here at the same time~ This ended up being a horrible pit of errors so I abandoned it as it seems to be unnecessary. 
--- .azure-pipelines/ultimate-pipeline.yml | 2 +- tracer/build/_build/_build.csproj | 4 ++-- tracer/build/_build/docker/centos7.dockerfile | 4 ++++ tracer/build/_build/docker/universal.dockerfile | 1 + 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.azure-pipelines/ultimate-pipeline.yml b/.azure-pipelines/ultimate-pipeline.yml index 201ae5f94048..5dfa6344e8d3 100644 --- a/.azure-pipelines/ultimate-pipeline.yml +++ b/.azure-pipelines/ultimate-pipeline.yml @@ -504,7 +504,7 @@ stages: build: true target: builder baseImage: "universal" - useNativeSdkVersion: true + useNativeSdkVersion: false command: "Clean BuildNativeLoader BuildNativeWrapper ExtractDebugInfoLinux" retryCountForRunCommand: 1 diff --git a/tracer/build/_build/_build.csproj b/tracer/build/_build/_build.csproj index e6d28c5e64be..adef7379b264 100644 --- a/tracer/build/_build/_build.csproj +++ b/tracer/build/_build/_build.csproj @@ -2,10 +2,10 @@ Exe - net7.0 + net8.0 + net7.0 $(TargetFramework)-windows10.0.19041 $(DefineConstants);NUKE_NOTIFY - LatestMajor CS0649;CS0169;SA1652;NU1901;NU1902;NU1903;NU1904 diff --git a/tracer/build/_build/docker/centos7.dockerfile b/tracer/build/_build/docker/centos7.dockerfile index a84604788eb0..f7b80d79a5fb 100644 --- a/tracer/build/_build/docker/centos7.dockerfile +++ b/tracer/build/_build/docker/centos7.dockerfile @@ -78,6 +78,8 @@ ENV \ FROM base as builder +ENV USE_NATIVE_SDK_VERSION=true + # Copy the build project in and build it COPY *.csproj *.props *.targets /build/ RUN dotnet restore /build @@ -104,6 +106,8 @@ RUN if [ "$(uname -m)" = "x86_64" ]; \ && rm dotnet-install.sh +ENV USE_NATIVE_SDK_VERSION=true + # Copy the build project in and build it COPY *.csproj *.props *.targets /build/ RUN dotnet restore /build diff --git a/tracer/build/_build/docker/universal.dockerfile b/tracer/build/_build/docker/universal.dockerfile index 420242254e75..899dd864244e 100644 --- a/tracer/build/_build/docker/universal.dockerfile 
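Review bot: The `universal` build step flips to `useNativeSdkVersion: false`, while universal.dockerfile in this same patch adds `USE_NATIVE_SDK_VERSION=true` to the image's ENV, and the description only mentions the CentOS 7 dockerfile. How the pipeline parameter and the image variable interact is not visible in the diff, so a reader cannot tell which SDK the Nuke project ends up on for this step. A comment next to the parameter, e.g. `# SDK selection now comes from USE_NATIVE_SDK_VERSION in the image`, if that is the intent, would settle it.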
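Review bot: The reason for the second, conditional `net7.0` target framework in _build.csproj lives only in the commit message; an XML comment above it stating that it is selected through `USE_NATIVE_SDK_VERSION` for the CentOS 7 native build, and why roll-forward was removed, would keep the next upgrade from undoing it. .NET 7 is past its end of support, so the build tooling in that image runs on a runtime that no longer receives security fixes. The unchanged context line listing `NU1901;NU1902;NU1903;NU1904` also appears to silence NuGet's vulnerability-audit warnings for this project (the element name is not visible in this rendering). Both are worth tracking explicitly as accepted risk for the build pipeline.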
+++ b/tracer/build/_build/docker/universal.dockerfile @@ -55,6 +55,7 @@ RUN ln -s `which clang-16` /usr/bin/clang && \ ENV \ DOTNET_ROLL_FORWARD_TO_PRERELEASE=1 \ + USE_NATIVE_SDK_VERSION=true \ CXX=clang++ \ CC=clang From 5eb0180834d4433a8939f606fb9004680a858b73 Mon Sep 17 00:00:00 2001 From: Kevin Gosse Date: Mon, 14 Oct 2024 16:44:48 +0200 Subject: [PATCH 4/7] Stop using current_path in the native loader (#6132) ## Summary of changes Stop changing the current path in the native loader. ## Reason for change We've received crash reports caused by `fs::current_path`. It's unclear why it threw (apparently it can happen for instance if the current path is too long), but it doesn't look like we actually need it anyway (it was needed for `fs::absolute` but we can replace it by directly appending the relative path to the base path). ## Implementation details After removing the call to `current_path`, there is a risk that whatever caused it to fail would cause `fs::exist` to fail as well, so I replaced the call with the overload that doesn't throw. ## Test coverage Many tests already rely on the native loader. --- .../dynamic_dispatcher.cpp | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/shared/src/Datadog.Trace.ClrProfiler.Native/dynamic_dispatcher.cpp b/shared/src/Datadog.Trace.ClrProfiler.Native/dynamic_dispatcher.cpp index a874a89d5496..4a0cd1170efe 100644 --- a/shared/src/Datadog.Trace.ClrProfiler.Native/dynamic_dispatcher.cpp +++ b/shared/src/Datadog.Trace.ClrProfiler.Native/dynamic_dispatcher.cpp 
@@ -80,13 +80,6 @@ namespace datadog::shared::nativeloader fs::path configFolder = fs::path(configFilePath).remove_filename(); Log::Debug("DynamicDispatcherImpl::LoadConfiguration: Config Folder: ", configFolder); - // Get the current path - fs::path oldCurrentPath = fs::current_path(); - Log::Debug("DynamicDispatcherImpl::LoadConfiguration: Current Path: ", oldCurrentPath); - - // Set the current path to the configuration folder (to allow relative paths) - fs::current_path(configFolder); - const auto isRunningOnAlpine = IsRunningOnAlpine(); const auto currentOsArch = GetCurrentOsArch(isRunningOnAlpine); @@ -128,9 +121,11 @@ namespace datadog::shared::nativeloader { // Convert possible relative paths to absolute paths using the configuration file folder as base // (current_path) - std::string absoluteFilepathValue = fs::absolute(filepathValue).string(); + std::string absoluteFilepathValue = (configFolder / filepathValue).string(); Log::Debug("DynamicDispatcherImpl::LoadConfiguration: [", type, "] Loading: ", filepathValue, " [AbsolutePath=", absoluteFilepathValue,"] (", currentOsArch, ")" ); - if (fs::exists(absoluteFilepathValue)) + + ec.clear(); + if (fs::exists(absoluteFilepathValue, ec)) { Log::Debug("[", type, "] Creating a new DynamicInstance object"); @@ -162,8 +157,17 @@ namespace datadog::shared::nativeloader } else { - Log::Warn("DynamicDispatcherImpl::LoadConfiguration: [", type, "] Dynamic library for '", absoluteFilepathValue, - "' cannot be loaded, file doesn't exist."); + if (ec) + { + Log::Warn("DynamicDispatcherImpl::LoadConfiguration: [", type, "] Dynamic library for '", absoluteFilepathValue, + "' cannot be loaded, error code: ", ec.value(), ", message: ", ec.message()); + } + else + { + + Log::Warn("DynamicDispatcherImpl::LoadConfiguration: [", type, "] Dynamic library for '", absoluteFilepathValue, + "' cannot be loaded, file doesn't exist."); + } } } else 
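Review bot: The comment above the new `(configFolder / filepathValue).string()` line still ends with `(current_path)`, although the base is now the configuration folder and the working directory is no longer changed. I would reword it to `// Resolve relative paths against the configuration file folder; an absolute filepathValue replaces the base`. `operator/` does not normalise `..` segments, so an entry in the configuration file can still resolve to a library outside the configuration folder. If entries are meant to stay under that folder, that needs an explicit check, and none is visible in this hunk. `ec` is declared outside the hunk, and the LoadConfiguration body starts and ends outside it too.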
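Review bot: In the `@@ -162,8 +157,17 @@` hunk, the new inner `else` block that logs "file doesn't exist" opens with an empty line after `{`, which the sibling `if (ec)` block does not have; remove it so both branches read the same. The two `Log::Warn` calls differ only in their tail, so a short comment on the first branch, for example `// ec set: exists() itself failed, so the file may be present but unreachable`, would tell a reader why the cases are logged separately. The enclosing function continues outside the hunk.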
@@ -182,9 +186,6 @@ namespace datadog::shared::nativeloader } } t.close(); - - // Set the current path to the original one - fs::current_path(oldCurrentPath); } HRESULT DynamicDispatcherImpl::LoadClassFactory(REFIID riid) From 34444ead96f5bb18b7926699ef4a6155f3422254 Mon Sep 17 00:00:00 2001 
From: Kevin Gosse Date: Mon, 14 Oct 2024 16:45:01 +0200 Subject: [PATCH 5/7] Subscribe to AssemblyLoadContext.Default.Resolving (#6148) ## Summary of changes In the managed loader, subscribe to `AssemblyLoadContext.Default.Resolving` in addition to `AppDomain.CurrentDomain.AssemblyResolve`. ## Reason for change When an assembly is loaded implicitly (because it's referenced in some code), the JIT compiler calls `AssemblyLoadContext.ResolveUsingResolvingEvent`. This method asks the current ALC to resolve the assembly, and it will in turn raise its `Resolving` event if it fails. If the active ALC `Resolving` event fails, then the global `AssemblyLoadContext.AssemblyResolve` event is finally raised. In the managed loader, we subscribe to `AppDomain.Current.AssemblyResolve`, which is a wrapper around `AssemblyLoadContext.AssemblyResolve`. It means that the ALC `Resolving` event has a chance to resolve assemblies before we do. `System.Management.Automation`, a PowerShell library, subscribes to `AssemblyLoadContext.Default.Resolving`. In its resolution logic, it loads assemblies from the GAC if they're not found, thus loading the .NET Framework version of Datadog.Trace even if the process is running .NET Core. By subscribing to `AssemblyLoadContext.Default.Resolving`, we prevent that from happening. ## Test coverage Added a smoke test. 
## Other details Fixes https://github.com/DataDog/dd-trace-dotnet/issues/6135 --- Datadog.Trace.sln | 8 +++ .../Startup.cs | 11 ++++ .../AssemblyLoadContextResolve.csproj | 7 +++ .../AssemblyLoadContextResolve/Program.cs | 56 +++++++++++++++++++ .../Properties/launchSettings.json | 16 ++++++ 5 files changed, 98 insertions(+) create mode 100644 tracer/test/test-applications/regression/AssemblyLoadContextResolve/AssemblyLoadContextResolve.csproj create mode 100644 tracer/test/test-applications/regression/AssemblyLoadContextResolve/Program.cs create mode 100644 tracer/test/test-applications/regression/AssemblyLoadContextResolve/Properties/launchSettings.json diff --git a/Datadog.Trace.sln b/Datadog.Trace.sln index fca5c9a4b65a..4525f4ce2d2a 100644 --- a/Datadog.Trace.sln +++ b/Datadog.Trace.sln @@ -589,6 +589,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Generated", "Generated", "{ tracer\build\PackageVersionsLatestSpecific.g.props = tracer\build\PackageVersionsLatestSpecific.g.props EndProjectSection EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AssemblyLoadContextResolve", "tracer\test\test-applications\regression\AssemblyLoadContextResolve\AssemblyLoadContextResolve.csproj", "{8B1AF6A7-DD41-4347-B637-90C23D69B50E}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -1409,6 +1411,10 @@ Global {2CA0D70C-DFC1-458A-871B-328AB6E87E3A}.Debug|Any CPU.Build.0 = Debug|Any CPU {2CA0D70C-DFC1-458A-871B-328AB6E87E3A}.Release|Any CPU.ActiveCfg = Release|Any CPU {2CA0D70C-DFC1-458A-871B-328AB6E87E3A}.Release|Any CPU.Build.0 = Release|Any CPU + {8B1AF6A7-DD41-4347-B637-90C23D69B50E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8B1AF6A7-DD41-4347-B637-90C23D69B50E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8B1AF6A7-DD41-4347-B637-90C23D69B50E}.Release|Any CPU.ActiveCfg = Release|Any CPU + {8B1AF6A7-DD41-4347-B637-90C23D69B50E}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -1638,6 +1644,7 @@ Global {7131FE5A-6B27-4BBC-B0CF-09780F6D2DFE} = {BAF8F246-3645-42AD-B1D0-0F7EAFBAB34A} {2CA0D70C-DFC1-458A-871B-328AB6E87E3A} = {BAF8F246-3645-42AD-B1D0-0F7EAFBAB34A} {E1B0F72C-991A-409D-9266-DE5ED1BD940E} = {A0C5FBBB-CFB2-4FB9-B8F0-55676E9DCF06} + {8B1AF6A7-DD41-4347-B637-90C23D69B50E} = {498A300E-D036-49B7-A43D-821D1CAF11A5} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {160A1D00-1F5B-40F8-A155-621B4459D78F} 
@@ -1717,6 +1724,7 @@ Global tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{83290961-40bf-48cb-b925-fbbe48e629f3}*SharedItemsImports = 5 tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{87d57940-9a6e-473c-a4d6-777e3bafd5f9}*SharedItemsImports = 5 tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{887ac8ba-35a6-4646-bf9a-59357155805e}*SharedItemsImports = 5 + tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{8b1af6a7-dd41-4347-b637-90c23d69b50e}*SharedItemsImports = 5 tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{8b457e8f-8716-4f29-bbe2-dd6c7bc4ac37}*SharedItemsImports = 5 tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{8bdf1de0-e6de-48ad-aaa3-ce09cb544e2c}*SharedItemsImports = 5 tracer\test\test-applications\Samples.Shared\Samples.Shared.projitems*{8dfe1168-b1cc-43d1-b256-b5708badd47b}*SharedItemsImports = 5 diff --git a/tracer/src/Datadog.Trace.ClrProfiler.Managed.Loader/Startup.cs b/tracer/src/Datadog.Trace.ClrProfiler.Managed.Loader/Startup.cs index a362c7e41fcd..bbf9273642cc 100644 --- a/tracer/src/Datadog.Trace.ClrProfiler.Managed.Loader/Startup.cs +++ b/tracer/src/Datadog.Trace.ClrProfiler.Managed.Loader/Startup.cs @@ -59,6 +59,17 @@ static Startup() StartupLogger.Log(ex, "Unable to register a callback to the CurrentDomain.AssemblyResolve event."); } +#if NETCOREAPP + try + { + System.Runtime.Loader.AssemblyLoadContext.Default.Resolving += (_, assemblyName) => ResolveAssembly(assemblyName.Name); + } + catch (Exception ex) + { + StartupLogger.Log(ex, "Unable to register a callback to the AssemblyLoadContext.Default.Resolving event."); + } +#endif + var runInAas = ReadBooleanEnvironmentVariable(AzureAppServicesKey, false); if (runInAas) { 
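Review bot: In Startup.cs, the new `AssemblyLoadContext.Default.Resolving` handler passes only `assemblyName.Name` to `ResolveAssembly`, so the version, culture and public key token of the request are dropped. The handler is also consulted for every assembly that default probing could not find, not only for Datadog.Trace. `ResolveAssembly` is defined outside this hunk, so it cannot be confirmed here that it only loads files from the tracer home directory; that restriction is what keeps a by-name resolver from returning an unexpected assembly. The registration also has no comment saying why it sits next to the `AssemblyResolve` subscription; I would add `// Default.Resolving is raised before AppDomain.AssemblyResolve; subscribe here too so another Resolving handler cannot load a different Datadog.Trace build first`. The static constructor continues outside the hunk.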
diff --git a/tracer/test/test-applications/regression/AssemblyLoadContextResolve/AssemblyLoadContextResolve.csproj b/tracer/test/test-applications/regression/AssemblyLoadContextResolve/AssemblyLoadContextResolve.csproj new file mode 100644 index 000000000000..779d0be4c21e --- /dev/null +++ b/tracer/test/test-applications/regression/AssemblyLoadContextResolve/AssemblyLoadContextResolve.csproj @@ -0,0 +1,7 @@ + + + + netcoreapp2.1;netcoreapp3.0;netcoreapp3.1;net5.0;net6.0;net7.0;net8.0 + + + diff --git a/tracer/test/test-applications/regression/AssemblyLoadContextResolve/Program.cs b/tracer/test/test-applications/regression/AssemblyLoadContextResolve/Program.cs new file mode 100644 index 000000000000..01d2a3acf5a9 --- /dev/null +++ b/tracer/test/test-applications/regression/AssemblyLoadContextResolve/Program.cs 
@@ -0,0 +1,56 @@
+using System;
+using System.Collections.Concurrent;
+using System.IO;
+using System.Linq;
+using System.Reflection;
+using System.Runtime.Loader;
+
+namespace AssemblyLoadContextResolve;
+
+internal class Program
+{
+ private static ConcurrentStack _assemblyResolveCalls = new();
+
+ private const string TestAssemblyName = "datadog_test_assembly";
+
+ static void Main(string[] args)
+ {
+ AssemblyLoadContext.Default.Resolving += AssemblyResolving;
+
+ var traceAssembly = Assembly.Load("Datadog.Trace");
+ var alc = AssemblyLoadContext.GetLoadContext(traceAssembly);
+
+ if (alc.GetType().FullName != "Datadog.Trace.ClrProfiler.Managed.Loader.ManagedProfilerAssemblyLoadContext")
+ {
+ throw new InvalidOperationException($"Datadog.Trace was loaded in the wrong ALC: {alc.GetType()}");
+ }
+
+ try
+ {
+ var testAssembly = Assembly.Load(TestAssemblyName);
+ throw new InvalidOperationException($"Test assembly was found, this shouldn't happen: {testAssembly}");
+ }
+ catch (FileNotFoundException)
+ {
+ // Expected
+ }
+
+ var resolvedAssemblies = _assemblyResolveCalls.ToList();
+
+ if (!resolvedAssemblies.Contains(TestAssemblyName))
+ {
+ throw new InvalidOperationException($"AssemblyResolving should have been called for {TestAssemblyName}: {string.Join(", ", resolvedAssemblies)}");
+ }
+
+ if (resolvedAssemblies.Contains("Datadog.Trace"))
+ {
+ throw new InvalidOperationException($"AssemblyResolving shouldn't have been called for Datadog.Trace: {string.Join(", ", resolvedAssemblies)}");
+ }
+ }
+
+ private static Assembly AssemblyResolving(AssemblyLoadContext alc, AssemblyName assemblyname)
+ {
+ _assemblyResolveCalls.Push(assemblyname?.Name);
+ return null;
+ }
+}
diff --git a/tracer/test/test-applications/regression/AssemblyLoadContextResolve/Properties/launchSettings.json b/tracer/test/test-applications/regression/AssemblyLoadContextResolve/Properties/launchSettings.json
new file mode 100644
index 000000000000..10cfdc3dac4f
--- /dev/null
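Review bot: In Program.cs, `alc.GetType()` dereferences the result of `AssemblyLoadContext.GetLoadContext(traceAssembly)` without a null check, so a missing load context would surface as a NullReferenceException instead of the descriptive "wrong ALC" failure the test is written to report. Using `alc?.GetType().FullName` in the comparison and `alc?.GetType()` in the message keeps the failure on the intended path. The file has no header comment either; one line stating that the app must run with the profiler attached, as the launch settings configure, would explain why `Assembly.Load("Datadog.Trace")` is expected to succeed.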
+++ b/tracer/test/test-applications/regression/AssemblyLoadContextResolve/Properties/launchSettings.json @@ -0,0 +1,16 @@ +{ + "profiles": { + "AssemblyLoadContextResolve": { + "commandName": "Project", + "environmentVariables": { + "CORECLR_ENABLE_PROFILING": "1", + "CORECLR_PROFILER": "{846F5F1C-F9AE-4B07-969E-05C26BC060D8}", + "CORECLR_PROFILER_PATH": "$(SolutionDir)shared\\bin\\monitoring-home\\tracer\\win-$(Platform)\\Datadog.Trace.ClrProfiler.Native.dll", + + "DD_DOTNET_TRACER_HOME": "$(SolutionDir)shared\\bin\\monitoring-home\\tracer", + "DD_VERSION": "1.0.0" + }, + "nativeDebugging": true + } + } +} \ No newline at end of file From e94a4c3e264667306eab67959328866ed56f5b42 Mon Sep 17 00:00:00 2001 From: Kevin Gosse Date: Mon, 14 Oct 2024 18:17:51 +0200 Subject: [PATCH 6/7] [Crashtracking] Disable crashtracking on Windows by default (#6152) ## Summary of changes Disable crashtracking on Windows by default. ## Reason for change The next version of the tracer will be released before we implement proper support for the PDBs in crashtracking, so change it to opt-in for now (effectively disabling it since nobody is going to manually enable it). ## Implementation details Changed the default value of `DD_CRASHTRACKING_ENABLED`. ## Test coverage Had to update the tests to account for the new default value on Windows. --- shared/src/Datadog.Trace.ClrProfiler.Native/dllmain.cpp | 2 +- .../CreatedumpTests.cs | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/shared/src/Datadog.Trace.ClrProfiler.Native/dllmain.cpp b/shared/src/Datadog.Trace.ClrProfiler.Native/dllmain.cpp index 70ee30f937c9..f0856ca62f6c 100644 --- a/shared/src/Datadog.Trace.ClrProfiler.Native/dllmain.cpp +++ b/shared/src/Datadog.Trace.ClrProfiler.Native/dllmain.cpp 
@@ -80,7 +80,7 @@ EXTERN_C BOOL STDMETHODCALLTYPE DllMain(HMODULE hModule, DWORD ul_reason_for_cal bool telemetry_enabled = true; shared::TryParseBooleanEnvironmentValue(shared::GetEnvironmentValue(L"DD_INSTRUMENTATION_TELEMETRY_ENABLED"), telemetry_enabled); - bool crashtracking_enabled = true; + bool crashtracking_enabled = false; shared::TryParseBooleanEnvironmentValue(shared::GetEnvironmentValue(L"DD_CRASHTRACKING_ENABLED"), crashtracking_enabled); if (telemetry_enabled && crashtracking_enabled) diff --git a/tracer/test/Datadog.Trace.Tools.dd_dotnet.ArtifactTests/CreatedumpTests.cs b/tracer/test/Datadog.Trace.Tools.dd_dotnet.ArtifactTests/CreatedumpTests.cs index 16ff5a735ab7..0d48cd291a5e 100644 --- a/tracer/test/Datadog.Trace.Tools.dd_dotnet.ArtifactTests/CreatedumpTests.cs +++ b/tracer/test/Datadog.Trace.Tools.dd_dotnet.ArtifactTests/CreatedumpTests.cs @@ -35,6 +35,11 @@ public CreatedumpTests(ITestOutputHelper output) SetEnvironmentVariable("COMPlus_DbgMiniDumpType", string.Empty); SetEnvironmentVariable("COMPlus_DbgEnableMiniDump", string.Empty); SetEnvironmentVariable("DD_INSTRUMENTATION_TELEMETRY_ENABLED", string.Empty); + + if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) + { + SetEnvironmentVariable("DD_CRASHTRACKING_ENABLED", "1"); + } } private static (string Key, string Value) LdPreloadConfig From aa5cedc16d5deb26059b2940ef0c559c62d2870d Mon Sep 17 00:00:00 2001 
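Review bot: The flipped default `bool crashtracking_enabled = false;` in DllMain carries no comment, so the code does not say that crash tracking is now opt-in or why. A line such as `// Opt-in for now: stays off unless DD_CRASHTRACKING_ENABLED is set, until PDB support is in place` above the declaration would keep a reader from treating it as an inconsistency with `telemetry_enabled = true` just above. DllMain's body starts and ends outside the hunk.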
From: NachoEchevarria <53266532+NachoEchevarria@users.noreply.github.com> Date: Tue, 15 Oct 2024 11:58:53 +0200 Subject: [PATCH 7/7] [ASM] Update ruleset to version 1.13.1 and WAF to version 1.20.0 (#6129) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary of changes The default ruleset has been updated to [version 1.13.1](https://github.com/DataDog/appsec-event-rules/blob/main/build/recommended.json) The WAF version has been updated to 1.20.0 Since the new ruleset includes fingerprint, tests using them have started generating fingerprints, so snapshots need to be updated. Also, the newest WAF version corrects some errors in the FP generation and generates FPs if only some optional parameters are sent, so some new values have been added/modified. A small update has been done in the code to send FPs if the WAF returns them even if there is no match event, which could potentially happen. ## Reason for change We need to update both the WAF and the ruleset to support the newest FP and RASP features. 
## Implementation details ## Test coverage ## Other details --- tracer/build/_build/Build.Steps.cs | 2 +- .../smoke_test_snapshots.json | 4 +- .../smoke_test_snapshots_2_1.json | 4 +- .../SecurityCoordinator.Reporter.cs | 4 +- .../AppSec/Waf/ConfigFiles/rule-set.json | 519 +++++++++++++++++- .../Fingerprint/FingerprintTests.cs | 5 +- .../WafErrorsTests.cs | 2 +- ....SecurityEnabled.MetaStruct._.verified.txt | 3 +- ...d&fromShell=true_exploit=CmdI.verified.txt | 1 + ...ile=-etc-password_exploit=Lfi.verified.txt | 1 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 1 + ...ile=-etc-password_exploit=Lfi.verified.txt | 1 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 2 + ...ile=-etc-password_exploit=Lfi.verified.txt | 2 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...h-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...y={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 2 + ...ile=-etc-password_exploit=Lfi.verified.txt | 2 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...h-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...y={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 1 + ...ile=-etc-password_exploit=Lfi.verified.txt | 1 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 1 + ...ile=-etc-password_exploit=Lfi.verified.txt | 1 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 2 + ...ile=-etc-password_exploit=Lfi.verified.txt | 2 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...h-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...y={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...d&fromShell=true_exploit=CmdI.verified.txt | 2 + ...ile=-etc-password_exploit=Lfi.verified.txt | 2 + ...k-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + 
...h-host=127.0.0.1_exploit=SSRF.verified.txt | 2 + ...y={-UserName-- -' or '1'='1-}.verified.txt | 1 + ...ile=-etc-password_exploit=Lfi.verified.txt | 2 + ...y.scans_url=_Health_login.php.verified.txt | 10 + ...s_appscan_fingerprint-&q=help.verified.txt | 15 + ...th_params_appscan_fingerprint.verified.txt | 10 + ...0_url=_Health_-[$slice]=value.verified.txt | 15 + ...200_url=_Health_-arg&[$slice].verified.txt | 15 + ...an_fingerprint-[$slice]=value.verified.txt | 15 + ...tusCode=403_url=_health-q=fun.verified.txt | 5 + ...tusCode=403_url=_health-q=fun.verified.txt | 3 +- ...e=403_url=_Home_Privacy-q=fun.verified.txt | 3 +- ...y.scans_url=_Health_login.php.verified.txt | 10 + ...s_appscan_fingerprint-&q=help.verified.txt | 15 + ...th_params_appscan_fingerprint.verified.txt | 10 + ...-endpoint_appscan_fingerprint.verified.txt | 10 + ...0_url=_Health_-[$slice]=value.verified.txt | 15 + ...200_url=_Health_-arg&[$slice].verified.txt | 15 + ...an_fingerprint-[$slice]=value.verified.txt | 15 + ...tusCode=403_url=_health-q=fun.verified.txt | 7 +- ...Code=403_url=_Home_LangHeader.verified.txt | 2 +- ...tatusCode=403_url=_status_418.verified.txt | 2 +- ...Code=403_url=_Home_LangHeader.verified.txt | 2 +- ...action_actionName=customblock.verified.txt | 4 +- ...t=dummy_rule_actionName=block.verified.txt | 4 +- ...action_actionName=customblock.verified.txt | 4 +- ...t=dummy_rule_actionName=block.verified.txt | 4 +- ...y.AspNetCore5AsmCustomRules._.verified.txt | 3 +- ...t=blocking-ips-oneclick_url=_.verified.txt | 4 + ...led.__test=blocking-ips_url=_.verified.txt | 2 + ..._test=blocking-user_url=_user.verified.txt | 5 +- ...ed.TestSecurityInitialization.verified.txt | 9 +- ...et.TestSecurityInitialization.verified.txt | 2 +- ...y.AspNetCore5AsmRemoteRules._.verified.txt | 17 +- ...y.AspNetCore5AsmRulesToggle._.verified.txt | 12 + ...re5AsmToggleSecurityDefault._.verified.txt | 3 + ...re5AsmToggleSecurityEnabled._.verified.txt | 12 + 
...ty.AspNetCore5ExternalRules._.verified.txt | 7 +- ...=200_url=_good-param=[$slice].verified.txt | 7 +- ...=200_url=_void-param=[$slice].verified.txt | 7 +- ...e=500_url=_bad-param=[$slice].verified.txt | 7 +- ...Security=True.__test=blocking.verified.txt | 10 + ...Property-- {-a---[$slice]-} }.verified.txt | 5 + ...ody={-Property1-- -[$slice]-}.verified.txt | 5 + ...ody={-Property1-- -[$slice]-}.verified.txt | 5 + ...fingerprint-&q=help_body=null.verified.txt | 10 + ...appscan_fingerprint_body=null.verified.txt | 10 + ...ealth_-arg=[$slice]_body=null.verified.txt | 10 + ...Security=True.__test=blocking.verified.txt | 10 + ...l=_Health_wp-config_body=null.verified.txt | 10 + ...Property-- {-a---[$slice]-} }.verified.txt | 5 + ...ody={-Property1-- -[$slice]-}.verified.txt | 5 + ...ody={-Property1-- -[$slice]-}.verified.txt | 5 + ...fingerprint-&q=help_body=null.verified.txt | 10 + ...appscan_fingerprint_body=null.verified.txt | 10 + ...ealth_-arg=[$slice]_body=null.verified.txt | 10 + ...rl=_Home_LangHeader_body=null.verified.txt | 10 + ...=block_request_statusCode=200.verified.txt | 4 + ...direct_request_statusCode=302.verified.txt | 4 + ...=block_request_statusCode=200.verified.txt | 4 + ...direct_request_statusCode=302.verified.txt | 4 + ...rue.__test=blocking-ips_url=_.verified.txt | 10 +- ..._test=blocking-user_url=_user.verified.txt | 6 +- ...rue.__test=blocking-ips_url=_.verified.txt | 10 +- ..._test=blocking-user_url=_user.verified.txt | 6 +- ...Classic.enableSecurity=True._.verified.txt | 12 + ...egrated.enableSecurity=True._.verified.txt | 12 + ...y=True.__scenario=null-action.verified.txt | 4 + ...Security=True.__test=blocking.verified.txt | 10 + ...ody={-Property1-- -[$slice]-}.verified.txt | 5 + ...appscan_fingerprint_body=null.verified.txt | 10 + ...oute_2-arg=[$slice]_body=null.verified.txt | 10 + ...Member-arg=[$slice]_body=null.verified.txt | 10 + ...ealth_-arg=[$slice]_body=null.verified.txt | 10 + ...y=True.__scenario=null-action.verified.txt | 
4 + ...Security=True.__test=blocking.verified.txt | 10 + ...ody={-Property1-- -[$slice]-}.verified.txt | 5 + ...appscan_fingerprint_body=null.verified.txt | 10 + ...oute_2-arg=[$slice]_body=null.verified.txt | 10 + ...Member-arg=[$slice]_body=null.verified.txt | 10 + ...ealth_-arg=[$slice]_body=null.verified.txt | 10 + ...=blocking-ips_url=_api_health.verified.txt | 6 +- ...t=blocking-user_url=_api_user.verified.txt | 10 +- ...=blocking-ips_url=_api_health.verified.txt | 10 +- ...t=blocking-user_url=_api_user.verified.txt | 6 +- ...Security=True.__test=blocking.verified.txt | 10 + ...Health-arg=[$slice]_body=null.verified.txt | 10 + ...appscan_fingerprint_body=null.verified.txt | 10 + ...tent%24testBox=%5B%24slice%5D.verified.txt | 5 + ...Security=True.__test=blocking.verified.txt | 10 + ...Health-arg=[$slice]_body=null.verified.txt | 10 + ...appscan_fingerprint_body=null.verified.txt | 10 + ...tent%24testBox=%5B%24slice%5D.verified.txt | 5 + ...locking-ips_url=_default.aspx.verified.txt | 6 +- ..._test=blocking-user_url=_user.verified.txt | 10 +- ...locking-ips_url=_default.aspx.verified.txt | 10 +- ..._test=blocking-user_url=_user.verified.txt | 6 +- .../TestGlobalRulesToggling._.verified.txt | 8 +- 136 files changed, 1275 insertions(+), 87 deletions(-) diff --git a/tracer/build/_build/Build.Steps.cs b/tracer/build/_build/Build.Steps.cs index 96a5dc4c6ac8..ec4dc5013e59 100644 --- a/tracer/build/_build/Build.Steps.cs +++ b/tracer/build/_build/Build.Steps.cs @@ -62,7 +62,7 @@ partial class Build AbsolutePath NativeBuildDirectory => RootDirectory / "obj"; - const string LibDdwafVersion = "1.19.1"; + const string LibDdwafVersion = "1.20.0"; string[] OlderLibDdwafVersions = { "1.3.0", "1.10.0", "1.14.0", "1.16.0" }; diff --git a/tracer/build/smoke_test_snapshots/smoke_test_snapshots.json b/tracer/build/smoke_test_snapshots/smoke_test_snapshots.json index 429e6cd2450a..bfd92509cefc 100644 --- a/tracer/build/smoke_test_snapshots/smoke_test_snapshots.json 
+++ b/tracer/build/smoke_test_snapshots/smoke_test_snapshots.json @@ -38,7 +38,7 @@ "parent_id": 1, "type": "web", "meta": { - "_dd.appsec.waf.version": "1.19.1", + "_dd.appsec.waf.version": "1.20.0", "_dd.runtime_family": "dotnet", "_dd.appsec.s.req.params": "H4sIAAAAAAAAA4uuVkrOzyspys/JSS1Ssoq2iNVRSkwuyczPA3NqYwH+CR9jIQAAAA==", "_dd.appsec.s.res.body": "H4sIAAAAAAAAA4u2iAUA8YntnQMAAAA=", @@ -61,7 +61,7 @@ "metrics": { "_dd.appsec.enabled": 1.0, "_dd.appsec.event_rules.error_count": 0.0, - "_dd.appsec.event_rules.loaded": 153.0, + "_dd.appsec.event_rules.loaded": 158.0, "_dd.top_level": 1.0, "_dd.tracer_kr": 0.0, "_sampling_priority_v1": 2.0, diff --git a/tracer/build/smoke_test_snapshots/smoke_test_snapshots_2_1.json b/tracer/build/smoke_test_snapshots/smoke_test_snapshots_2_1.json index ee830e108a3b..55fa948e2bc4 100644 --- a/tracer/build/smoke_test_snapshots/smoke_test_snapshots_2_1.json +++ b/tracer/build/smoke_test_snapshots/smoke_test_snapshots_2_1.json @@ -38,7 +38,7 @@ "parent_id": 1, "type": "web", "meta": { - "_dd.appsec.waf.version": "1.19.1", + "_dd.appsec.waf.version": "1.20.0", "_dd.runtime_family": "dotnet", "_dd.appsec.s.res.body": "H4sIAAAAAAAAA4u2iAUA8YntnQMAAAA=", "_dd.appsec.s.req.headers": "H4sIAAAAAAAAA4WOMQrAIBDA/uKsQ7fiVw6Ho4oVrIp3Q4v491JcLc4JJNAEVzwcMbITGgB2Y2QT0SWht27kwAWrSzzlt7LIaLNXjJ4WCuFVYkhelRpyDfws/NFVwa7S3+SfdmaarXfzAg6PMlH9AAAA", @@ -59,7 +59,7 @@ "metrics": { "_dd.appsec.enabled": 1.0, "_dd.appsec.event_rules.error_count": 0.0, - "_dd.appsec.event_rules.loaded": 153.0, + "_dd.appsec.event_rules.loaded": 158.0, "_dd.top_level": 1.0, "_dd.tracer_kr": 0.0, "_sampling_priority_v1": 2.0, diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Reporter.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Reporter.cs index bbb9492f6606..b28a9603e3de 100644 --- a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Reporter.cs 
+++ b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Reporter.cs @@ -114,6 +114,8 @@ internal void TryReport(IResult result, bool blocked, int? status = null) _httpTransport.ReportedExternalWafsRequestHeaders = true; } + AttackerFingerprintHelper.AddSpanTags(_localRootSpan, result); + if (result.ShouldReportSecurityResult) { _localRootSpan.SetTag(Tags.AppSecEvent, "true"); @@ -132,8 +134,6 @@ internal void TryReport(IResult result, bool blocked, int? status = null) traceContext.AppSecRequestContext.AddWafSecurityEvents(result.Data); } - AttackerFingerprintHelper.AddSpanTags(_localRootSpan, result); - var clientIp = _localRootSpan.GetTag(Tags.HttpClientIp); if (!string.IsNullOrEmpty(clientIp)) { diff --git a/tracer/src/Datadog.Trace/AppSec/Waf/ConfigFiles/rule-set.json b/tracer/src/Datadog.Trace/AppSec/Waf/ConfigFiles/rule-set.json index d572c003911e..a2a52ac89888 100644 --- a/tracer/src/Datadog.Trace/AppSec/Waf/ConfigFiles/rule-set.json +++ b/tracer/src/Datadog.Trace/AppSec/Waf/ConfigFiles/rule-set.json @@ -1,7 +1,7 @@ { "version": "2.2", "metadata": { - "rules_version": "1.10.0" + "rules_version": "1.13.1" }, "rules": [ { @@ -141,7 +141,10 @@ "appscan_fingerprint", "w00tw00t.at.isc.sans.dfind", "w00tw00t.at.blackhats.romanian.anti-sec" - ] + ], + "options": { + "enforce_word_boundary": true + } }, "operator": "phrase_match" } @@ -1778,7 +1781,10 @@ "windows\\win.ini", "default\\ntuser.dat", "/var/run/secrets/kubernetes.io/serviceaccount" - ] + ], + "options": { + "enforce_word_boundary": true + } }, "operator": "phrase_match" } @@ -1895,6 +1901,9 @@ "address": "graphql.server.resolver" } ], + "options": { + "enforce_word_boundary": true + }, "list": [ "${cdpath}", "${dirstack}", @@ -1912,7 +1921,6 @@ "$ifs", "$oldpwd", "$ostype", - "$path", "$pwd", "dev/fd/", "dev/null", @@ -2471,7 +2479,10 @@ "settings.local.php", "local.xml", ".env" - ] + ], + "options": { + "enforce_word_boundary": true + } }, "operator": "phrase_match" } 
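Review bot: In SecurityCoordinator.Reporter.cs, `AttackerFingerprintHelper.AddSpanTags(_localRootSpan, result);` now runs on every `TryReport` call rather than only after the `ShouldReportSecurityResult` branch, and nothing at the call site says this is intentional. A comment such as `// The WAF can return fingerprints without a match event, so tag them before the ShouldReportSecurityResult check` would stop a later cleanup from moving the call back. Fingerprint tags can now land on a root span that never receives `Tags.AppSecEvent`, so it is worth confirming that consumers of those tags do not assume an event is present. `TryReport` starts and ends outside both hunks of this file.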
@@ -2567,6 +2578,9 @@ "address": "graphql.server.resolver" } ], + "options": { + "enforce_word_boundary": true + }, "list": [ "$globals", "$_cookie", @@ -2765,7 +2779,10 @@ "wp_safe_remote_post", "wp_safe_remote_request", "zlib_decode" - ] + ], + "options": { + "enforce_word_boundary": true + } }, "operator": "phrase_match" } @@ -2980,9 +2997,6 @@ { "address": "server.request.path_params" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, @@ -3037,9 +3051,6 @@ { "address": "server.request.path_params" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, @@ -3271,6 +3282,9 @@ "address": "graphql.server.resolver" } ], + "options": { + "enforce_word_boundary": true + }, "list": [ "document.cookie", "document.write", @@ -3546,9 +3560,6 @@ { "address": "server.request.path_params" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, @@ -3863,9 +3874,6 @@ { "address": "server.request.path_params" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, @@ -4454,7 +4462,10 @@ "org.apache.struts2", "org.omg.corba", "java.beans.xmldecode" - ] + ], + "options": { + "enforce_word_boundary": true + } }, "operator": "phrase_match" } @@ -4581,9 +4592,6 @@ { "address": "server.request.path_params" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, 
@@ -5342,6 +5350,40 @@ ], "transformers": [] }, + { + "id": "dog-920-001", + "name": "JWT authentication bypass", + "tags": { + "type": "http_protocol_violation", + "category": "attack_attempt", + "cwe": "287", + "capec": "1000/225/115", + "confidence": "0" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.cookies" + }, + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "authorization" + ] + } + ], + "regex": "^(?:Bearer )?ey[A-Za-z0-9+_\\-/]*([QY][UW]x[Hn]Ij([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gOiAi[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]Ij([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]IDogI[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[H
n]IiA6ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]IDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]Ij([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gOiAi[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciOiAi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*IDogI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]IDogI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[
Ms][RZ]yIgO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciIDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*IDogI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yIgOiJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]IDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]IDogI[km]5[Pv][Tb][km][U-X]|[\\x
2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yI6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yI6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]IiA6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*IDogI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yIgO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]Ij([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgi
koswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciOiJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*IDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gOiJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yIgOiAi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]IDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]IjogI[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]IiA6I[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048AC
EIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6I[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yI6I[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yI6ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciIDogI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]IiA6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikosw
y]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]IiA6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*IDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ciO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6I[km]5[Pv][Tb][km][U-X]|[QY][UW]x[Hn]IiA6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yI6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yIgO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gOiJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[M
s][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ID([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gI[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yIgO([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[\\x2b\\x2f-9A-Za-z]ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*ICJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]I([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*IDoi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]A6I[km]5[Pv][Tb][km][U-X]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]y([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gOiJ[Ou][Tb][02]5[Fl]|[QY][UW]x[Hn]Ijoi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z]{2}[159BFJNRVZdhlptx][Bh][Tb][EG]ci([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[048AEIMQUYcgkosw]gOiAi[Tb][km]9[Ou][RZ][Q-Za-f]|[\\x2b\\x2f-9A-Za-z][02EGUWkm]F[Ms][RZ]yI6([048ACEIMQSUYcgikoswy]|[\\x2b\\x2f-9A-Za-z]I)*[CSiy]Ai[Tb][km]9[Ou][RZ][Q-Za-f])[A-Za-z0-9+-/]*\\.[A-Za-z0-9+_\\-/]+\\.(?:[A-Za-z0-9+_\\-/]+)?$", + "options": { + "case_sensitive": true + } + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, { "id": "dog-931-001", "name": "RFI: URL Payload to well known RFI target", 
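Review bot: Near the end of the `dog-920-001` regex, the class that follows the big alternation is written `[A-Za-z0-9+-/]*` with an unescaped `-`, so `+-/` is a range that admits `,` and `.` and leaves out `_`. The other segments of the same pattern use `[A-Za-z0-9+_\\-/]`. As written, a base64url header that contains `_` after the matched claim would not match, and because `.` is admitted the header part can run past the first separator, which blurs the segment boundaries the rule relies on. If the same alphabet is intended, the tail should read `[A-Za-z0-9+_\\-/]*`. The file looks like it is synced from a shared rules source, so the change probably belongs there first.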
@@ -5603,6 +5645,9 @@ { "operator": "phrase_match", "parameters": { + "options": { + "enforce_word_boundary": true + }, "inputs": [ { "address": "server.request.uri.raw" @@ -5803,7 +5848,8 @@ "/website.php", "/stats.php", "/assets/plugins/mp3_id/mp3_id.php", - "/siteminderagent/forms/smpwservices.fcc" + "/siteminderagent/forms/smpwservices.fcc", + "/eval-stdin.php" ] } } 
@@ -6190,6 +6236,202 @@ ], "transformers": [] }, + { + "id": "rasp-930-100", + "name": "Local file inclusion exploit", + "tags": { + "type": "lfi", + "category": "vulnerability_trigger", + "cwe": "22", + "capec": "1000/255/153/126", + "confidence": "0", + "module": "rasp" + }, + "conditions": [ + { + "parameters": { + "resource": [ + { + "address": "server.io.fs.file" + } + ], + "params": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" + }, + { + "address": "graphql.server.resolver" + } + ] + }, + "operator": "lfi_detector" + } + ], + "transformers": [], + "on_match": [ + "stack_trace" + ] + }, + { + "id": "rasp-932-100", + "name": "Command injection exploit", + "tags": { + "type": "command_injection", + "category": "vulnerability_trigger", + "cwe": "77", + "capec": "1000/152/248/88", + "confidence": "0", + "module": "rasp" + }, + "conditions": [ + { + "parameters": { + "resource": [ + { + "address": "server.sys.shell.cmd" + } + ], + "params": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" + }, + { + "address": "graphql.server.resolver" + } + ] + }, + "operator": "shi_detector" + } + ], + "transformers": [], + "on_match": [ + "stack_trace" + ] + }, + { + "id": "rasp-934-100", + "name": "Server-side request forgery exploit", + "enabled": false, + "tags": { + "type": "ssrf", + "category": "vulnerability_trigger", + "cwe": "918", + "capec": "1000/225/115/664", + "confidence": "0", + "module": "rasp" + }, + "conditions": [ + { + "parameters": { + "resource": [ + { + "address": "server.io.net.url" + } + ], + "params": [ + { + "address": "server.request.query" + }, + { + "address": 
"server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "grpc.server.request.message" + }, + { + "address": "graphql.server.all_resolvers" + }, + { + "address": "graphql.server.resolver" + } + ] + }, + "operator": "ssrf_detector" + } + ], + "transformers": [], + "on_match": [ + "stack_trace" + ] + }, + { + "id": "rasp-942-100", + "name": "SQL injection exploit", + "enabled": false, + "tags": { + "type": "sql_injection", + "category": "vulnerability_trigger", + "cwe": "89", + "capec": "1000/152/248/66", + "confidence": "0", + "module": "rasp" + }, + "conditions": [ + { + "parameters": { + "resource": [ + { + "address": "server.db.statement" + } + ], + "params": [ + { + "address": "server.request.query" + }, + { + "address": "server.request.body" + }, + { + "address": "server.request.path_params" + }, + { + "address": "graphql.server.all_resolvers" + }, + { + "address": "graphql.server.resolver" + } + ], + "db_type": [ + { + "address": "server.db.system" + } + ] + }, + "operator": "sqli_detector" + } + ], + "transformers": [], + "on_match": [ + "stack_trace" + ] + }, { "id": "sqr-000-001", "name": "SSRF: Try to access the credential manager of the main cloud services", @@ -6606,9 +6848,6 @@ { "address": "server.request.headers.no_cookies" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, @@ -6654,9 +6893,6 @@ { "address": "server.request.headers.no_cookies" }, - { - "address": "grpc.server.request.message" - }, { "address": "graphql.server.all_resolvers" }, 
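Review bot: In the new `rasp-942-100` SQL injection rule the `params` list omits `grpc.server.request.message`, while the three sibling rules added in the same hunk (`rasp-930-100`, `rasp-932-100`, `rasp-934-100`) include it. If that is not deliberate, statements built from gRPC message fields are not checked by `sqli_detector`. Separately, `rasp-934-100` and `rasp-942-100` ship with `"enabled": false`, so this hunk alone gives no SSRF or SQLi coverage; since JSON cannot carry a comment, the commit description should say which setting or remote configuration turns them on.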
@@ -8199,6 +8435,57 @@ } ], "processors": [ + { + "id": "http-endpoint-fingerprint", + "generator": "http_endpoint_fingerprint", + "conditions": [ + { + "operator": "exists", + "parameters": { + "inputs": [ + { + "address": "waf.context.event" + }, + { + "address": "server.business_logic.users.login.failure" + }, + { + "address": "server.business_logic.users.login.success" + } + ] + } + } + ], + "parameters": { + "mappings": [ + { + "method": [ + { + "address": "server.request.method" + } + ], + "uri_raw": [ + { + "address": "server.request.uri.raw" + } + ], + "body": [ + { + "address": "server.request.body" + } + ], + "query": [ + { + "address": "server.request.query" + } + ], + "output": "_dd.appsec.fp.http.endpoint" + } + ] + }, + "evaluate": false, + "output": true + }, { "id": "extract-content", "generator": "extract_schema", 
@@ -8348,9 +8635,155 @@ }, "evaluate": false, "output": true + }, + { + "id": "http-header-fingerprint", + "generator": "http_header_fingerprint", + "conditions": [ + { + "operator": "exists", + "parameters": { + "inputs": [ + { + "address": "waf.context.event" + }, + { + "address": "server.business_logic.users.login.failure" + }, + { + "address": "server.business_logic.users.login.success" + } + ] + } + } + ], + "parameters": { + "mappings": [ + { + "headers": [ + { + "address": "server.request.headers.no_cookies" + } + ], + "output": "_dd.appsec.fp.http.header" + } + ] + }, + "evaluate": false, + "output": true + }, + { + "id": "http-network-fingerprint", + "generator": "http_network_fingerprint", + "conditions": [ + { + "operator": "exists", + "parameters": { + "inputs": [ + { + "address": "waf.context.event" + }, + { + "address": "server.business_logic.users.login.failure" + }, + { + "address": "server.business_logic.users.login.success" + } + ] + } + } + ], + "parameters": { + "mappings": [ + { + "headers": [ + { + "address": "server.request.headers.no_cookies" + } + ], + "output": "_dd.appsec.fp.http.network" + } + ] + }, + "evaluate": false, + "output": true + }, + { + "id": "session-fingerprint", + "generator": "session_fingerprint", + "conditions": [ + { + "operator": "exists", + "parameters": { + "inputs": [ + { + "address": "waf.context.event" + }, + { + "address": "server.business_logic.users.login.failure" + }, + { + "address": "server.business_logic.users.login.success" + } + ] + } + } + ], + "parameters": { + "mappings": [ + { + "cookies": [ + { + "address": "server.request.cookies" + } + ], + "session_id": [ + { + "address": "usr.session_id" + } + ], + "user_id": [ + { + "address": "usr.id" + } + ], + "output": "_dd.appsec.fp.session" + } + ] + }, + "evaluate": false, + "output": true } ], "scanners": [ + { + "id": "406f8606-52c4-4663-8db9-df70f9e8766c", + "name": "ZIP Code", + "key": { + "operator": "match_regex", + "parameters": { + "regex": 
"\\b(?:zip|postal)\\b", + "options": { + "case_sensitive": false, + "min_length": 3 + } + } + }, + "value": { + "operator": "match_regex", + "parameters": { + "regex": "^[0-9]{5}(?:-[0-9]{4})?$", + "options": { + "case_sensitive": true, + "min_length": 5 + } + } + }, + "tags": { + "type": "zipcode", + "category": "address" + } + }, { "id": "JU1sRk3mSzqSUJn6GrVn7g", "name": "American Express Card Scanner (4+4+4+3 digits)", @@ -9117,6 +9550,34 @@ "category": "payment" } }, + { + "id": "18b608bd7a764bff5b2344c0", + "name": "Phone number", + "key": { + "operator": "match_regex", + "parameters": { + "regex": "\\bphone|number|mobile\\b", + "options": { + "case_sensitive": false, + "min_length": 3 + } + } + }, + "value": { + "operator": "match_regex", + "parameters": { + "regex": "^(?:\\(\\+\\d{1,3}\\)|\\+\\d{1,3}|00\\d{1,3})?[-\\s\\.]?(?:\\(\\d{3}\\)[-\\s\\.]?)?(?:\\d[-\\s\\.]?){6,10}$", + "options": { + "case_sensitive": false, + "min_length": 6 + } + } + }, + "tags": { + "type": "phone", + "category": "pii" + } + }, { "id": "de0899e0cbaaa812bb624cf04c912071012f616d-mod", "name": "UK National Insurance Number Scanner", diff --git a/tracer/test/Datadog.Trace.Security.Unit.Tests/Fingerprint/FingerprintTests.cs b/tracer/test/Datadog.Trace.Security.Unit.Tests/Fingerprint/FingerprintTests.cs index 5c56708e885b..b5b2e4622b90 100644 --- a/tracer/test/Datadog.Trace.Security.Unit.Tests/Fingerprint/FingerprintTests.cs +++ b/tracer/test/Datadog.Trace.Security.Unit.Tests/Fingerprint/FingerprintTests.cs @@ -40,7 +40,6 @@ public class FingerprintTests : WafLibraryRequiredTest { "server.response.status", "200" }, { "server.request.uri.raw", "/Iast/GetFileContent?file=/nonexisting.txt" }, { "http.client_ip", "::1" }, - { "server.request.body", new Dictionary() }, { "server.request.query", new Dictionary { { "file", new[] { "/nonexisting.txt" } } } }, { "server.request.headers.no_cookies", new Dictionary 
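Review bot: The key regex of the new `Phone number` scanner, `\\bphone|number|mobile\\b`, is missing a group, so the alternation reads as `\\bphone`, or `number` anywhere in the key, or `mobile\\b`. A key such as `card_number` or `order_number` therefore qualifies, and combined with the permissive value pattern (six to ten digits with optional separators) unrelated numeric fields can be tagged `pii`/`phone`. The ZIP Code scanner added in the previous hunk uses the grouped form; the equivalent here would be `\\b(?:phone|number|mobile)\\b`. Because `\\b` treats `_` as a word character, keys like `phone_number` should be tested against whichever form is kept.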
@@ -114,8 +113,8 @@ public class FingerprintTests : WafLibraryRequiredTest [Theory] [InlineData(0, 4)] - [InlineData(1, 3)] - [InlineData(2, 3)] + [InlineData(1, 4)] + [InlineData(2, 4)] public void GivenAFingerprintRequest_WhenRunWAF_FingerprintIsGenerated(int testIndex, int resultingHeaders) { var ruleFile = "rasp-rule-set.json"; diff --git a/tracer/test/Datadog.Trace.Security.Unit.Tests/WafErrorsTests.cs b/tracer/test/Datadog.Trace.Security.Unit.Tests/WafErrorsTests.cs index e6c6de789a5f..c6382ee3cff7 100644 --- a/tracer/test/Datadog.Trace.Security.Unit.Tests/WafErrorsTests.cs +++ b/tracer/test/Datadog.Trace.Security.Unit.Tests/WafErrorsTests.cs @@ -40,7 +40,7 @@ public void HasNoError() waf.Should().NotBeNull(); initResult.Success.Should().BeTrue(); initResult.FailedToLoadRules.Should().Be(0); - initResult.LoadedRules.Should().Be(153); + initResult.LoadedRules.Should().Be(158); initResult.Errors.Should().BeEmpty(); initResult.HasErrors.Should().BeFalse(); initResult.ErrorMessage.Should().BeNullOrEmpty(); diff --git a/tracer/test/snapshots/AspNetCore5.SecurityEnabled.MetaStruct._.verified.txt b/tracer/test/snapshots/AspNetCore5.SecurityEnabled.MetaStruct._.verified.txt index d5d99163fbc3..f712e3177aaa 100644 --- a/tracer/test/snapshots/AspNetCore5.SecurityEnabled.MetaStruct._.verified.txt +++ b/tracer/test/snapshots/AspNetCore5.SecurityEnabled.MetaStruct._.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index d02f8497e8fb..73c0e376c390 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -46,6 +46,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, 
diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 5b403e2d104f..bd5dcda965f6 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -46,6 +46,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 0a94b71134c6..5acfb4cab87d 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -46,6 +46,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 5b37d06d8688..a44cdcb37fd7 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -47,6 +47,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, 
diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 7d30188e43fa..c959892ca905 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -47,6 +47,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index f3273a6936d8..b464a6d4f104 100644 --- a/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -47,6 +47,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 0323203ef0a8..b07b2cca8b6c 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -23,8 +23,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 148216e9607c..b3dc4cab0730 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -46,8 +46,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index e390ccf54c8a..e1dc0fa28d45 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -46,8 +46,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index 0172a79b7868..40d7c04869f1 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt @@ -23,8 +23,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index ef84b09e5c43..0ce1138260b9 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -27,6 +27,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 02c28ac82b85..617398f5083a 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt 
@@ -24,8 +24,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 2c0f3a381f3f..c7654d8c2135 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -47,8 +47,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 4c77c5a55e96..3fd6f683cee3 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -47,8 +47,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index a128e0530502..ab5c703e98cf 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -24,8 +24,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index fed70f3ab30a..fff6aa5dc652 100644 --- a/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/Rasp.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -28,6 +28,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 948f996cd9cc..932b0cd1773d 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -46,6 +46,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 834e295bfbc0..a739ef5b7aa2 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt 
@@ -46,6 +46,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 92f8338da1d6..9a8f71c4047a 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore2.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -46,6 +46,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0100000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 211aafdaef88..0f1ce4968ca4 100644 
--- a/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -47,6 +47,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 5364c9c8683b..be8991b62403 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -47,6 +47,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, 
diff --git a/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 4143fd5c2e6b..e6d566395b53 100644 --- a/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetCore5.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -47,6 +47,7 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index de0f78772a05..6939a7f4b4ac 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt 
@@ -23,8 +23,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 94c7b825632e..c6c3dd624f5e 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -46,8 +46,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index fed999106865..d1fc34bc1f76 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -46,8 +46,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index ef80f0331c25..4c81edc10ea7 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt 
@@ -23,8 +23,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-3-bf93958a, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 57b757c73e2b..76ebfc9b14ec 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Classic.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt @@ -27,6 +27,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt index 45e45ccd7b13..7c752621992e 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.CmdI_url=-Iast-ExecuteCommand-file=ls&argumentLine=;evilCommand&fromShell=true_exploit=CmdI.verified.txt @@ -24,8 +24,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-92238171-0a2bbc6e-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-932-100","name":"Shell injection exploit","tags":{"category":"vulnerability_trigger","type":"command_injection"}},"rule_matches":[{"operator":"shi_detector","operator_value":"","parameters":[{"address":null,"highlight":[";evilCommand"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 96b1e5033d66..b48f891d85a6 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt 
@@ -47,8 +47,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt index 3960befcb0eb..4991524a1f7f 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttack-host=127.0.0.1_exploit=SSRF.verified.txt @@ -47,8 +47,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-05b4d989-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: 
diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt index 2b625ddc423b..46ddcfc74615 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SSRF_url=-Iast-SsrfAttackNoCatch-host=127.0.0.1_exploit=SSRF.verified.txt @@ -24,8 +24,10 @@ language: dotnet, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-ece9044c-4740ae63-, _dd.appsec.fp.http.header: hdr-0000000001-3626b5f8-5-6cdcf2fe, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-002-001","name":"Server-side request forgery","tags":{"category":"vulnerability_trigger","type":"ssrf"}},"rule_matches":[{"operator":"ssrf_detector","operator_value":"","parameters":[{"address":null,"highlight":["127.0.0.1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt index 2b8d794d027d..d195932a7c64 100644 --- a/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt +++ b/tracer/test/snapshots/RaspIast.AspNetMvc5.Integrated.SqlI_url=-Iast-ExecuteQueryFromBodyQueryData_exploit=SqlI_body={-UserName-- -' or '1'='1-}.verified.txt 
@@ -28,6 +28,7 @@ _dd.appsec.fp.http.endpoint: http-post-a13f66cb--6f45fc03, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-942-100","name":"SQL injection exploit","tags":{"category":"vulnerability_trigger","type":"sql_injection"}},"rule_matches":[{"operator":"sqli_detector","operator_value":"","parameters":[{"address":null,"highlight":["' or '1'='1"],"key_path":null,"value":null}]}],"span_id": XXX}]}, _dd.iast.enabled: 1, _dd.iast.json: diff --git a/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt b/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt index 8b16226b278d..104a200a9497 100644 --- a/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt +++ b/tracer/test/snapshots/RaspRCM.RuleEnableDisableEnable.AspNetCore5.Lfi_url=-Iast-GetFileContent-file=-etc-password_exploit=Lfi.verified.txt @@ -48,6 +48,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, 
@@ -171,6 +172,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e1e32f93-3b9c358f-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"rasp-001-001","name":"Path traversal attack","tags":{"category":"vulnerability_trigger","type":"lfi"}},"rule_matches":[{"operator":"lfi_detector","operator_value":"","parameters":[{"address":null,"highlight":["/etc/password"],"key_path":null,"value":null}]}],"span_id": XXX}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt index ee6e6d19cdd0..67254f8d2d5f 100644 --- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt @@ -24,6 +24,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -63,6 +65,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -102,6 +106,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -141,6 +147,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -180,6 +188,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt index 1148905f0196..14d257eceb27 100644 
--- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt @@ -28,6 +28,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -71,6 +74,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -114,6 +120,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -157,6 +166,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -200,6 +212,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt index c0dce5c2bcbb..4f6012381fb0 100644 --- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt 
@@ -28,6 +28,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -71,6 +73,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -114,6 +118,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -157,6 +163,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -200,6 +208,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt index a15a5415835d..df854b02a075 100644 --- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt 
@@ -28,6 +28,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -71,6 +74,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -114,6 +120,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -157,6 +166,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -200,6 +212,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt index 5ee236492d29..f6569d3279ba 100644 --- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt 
@@ -28,6 +28,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -71,6 +74,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -114,6 +120,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -157,6 +166,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -200,6 +212,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt index 566f0534292b..09381359aa62 100644 --- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt 
@@ -28,6 +28,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -71,6 +74,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -114,6 +120,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -157,6 +166,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -200,6 +212,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt index e4adfb339e7c..7adf37f37025 100644 --- a/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore2.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt 
@@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, @@ -67,6 +68,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, @@ -109,6 +111,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, 
@@ -151,6 +154,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, @@ -193,6 +197,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesHtml.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesHtml.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt index 264784a48343..797502a83531 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesHtml.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesHtml.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -26,6 +26,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: hdr-0000000010-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesJson.__test=server.request.uri.raw_expectedStatusCode=403_url=_Home_Privacy-q=fun.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesJson.__test=server.request.uri.raw_expectedStatusCode=403_url=_Home_Privacy-q=fun.verified.txt index 05f47128ce3c..d4053786977f 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesJson.__test=server.request.uri.raw_expectedStatusCode=403_url=_Home_Privacy-q=fun.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityBlockingTemplatesJson.__test=server.request.uri.raw_expectedStatusCode=403_url=_Home_Privacy-q=fun.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-a848ab99-8e35c2cd-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/Home/Privacy?q=fun"}]}]}]}, 
diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt index 55b9a46485de..479ff033bb6a 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=discovery.scans_url=_Health_login.php.verified.txt @@ -24,6 +24,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -66,6 +68,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -108,6 +112,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -150,6 +156,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -192,6 +200,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/login.php"],"key_path":[],"value":"/health/login.php"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt index 1a4fa342d716..af0cc467d1fa 100644 
--- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint-&q=help.verified.txt @@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -76,6 +79,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -123,6 +129,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -170,6 +179,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -217,6 +229,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-8e35c2cd-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt index 1ea494889d67..49c00c6373db 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_health_params_appscan_fingerprint.verified.txt 
@@ -29,6 +29,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -76,6 +78,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -123,6 +127,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -170,6 +176,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -217,6 +225,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_params-endpoint_appscan_fingerprint.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_params-endpoint_appscan_fingerprint.verified.txt index a810ac324fcc..9bbec3f6a811 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_params-endpoint_appscan_fingerprint.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.path_params_expectedStatusCode=200_url=_params-endpoint_appscan_fingerprint.verified.txt @@ -27,6 +27,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["s"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -72,6 +74,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["s"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -117,6 +121,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["s"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -162,6 +168,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["s"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -207,6 +215,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["s"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt index 4477bacfa41a..5280f9545e6f 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-[$slice]=value.verified.txt @@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -76,6 +79,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -123,6 +129,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -170,6 +179,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -217,6 +229,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt index 27167a89b69c..ca2d736c9fe8 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_Health_-arg&[$slice].verified.txt @@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -76,6 +79,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -123,6 +129,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -170,6 +179,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -217,6 +229,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-17b4850e-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt index 337c90d7aaca..649672eeeca0 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.query_expectedStatusCode=200_url=_health_params_appscan_fingerprint-[$slice]=value.verified.txt @@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -76,6 +79,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -123,6 +129,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -170,6 +179,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -217,6 +229,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]},{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt index d50da05768c3..b1061a6a8a55 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.request.uri.raw_expectedStatusCode=403_url=_health-q=fun.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, @@ -67,6 +68,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, @@ -109,6 +111,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, 
@@ -151,6 +154,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, @@ -193,6 +197,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-8e35c2cd-, _dd.appsec.fp.http.header: _dd.appsec.fp.http.network: , _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-011","name":"No fun","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"fun","parameters":[{"address":"server.request.uri.raw","highlight":["fun"],"key_path":[],"value":"/health?q=fun"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt index 8106987ad0f4..9c35b0047912 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.status_expectedStatusCode=403_url=_status_418.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.status_expectedStatusCode=403_url=_status_418.verified.txt index 75ec3080c70d..496dfa7bc98e 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.status_expectedStatusCode=403_url=_status_418.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabled.__test=server.response.status_expectedStatusCode=403_url=_status_418.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, diff --git a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabledIIS.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabledIIS.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt index eb7235521c81..df0623d3b2ca 100644 --- a/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabledIIS.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5.SecurityEnabledIIS.__test=server.response.headers.no_cookies_expectedStatusCode=403_url=_Home_LangHeader.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_custom_action_actionName=customblock.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_custom_action_actionName=customblock.verified.txt index 0b2e61a91c20..3a843b3620af 100644 
--- a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_custom_action_actionName=customblock.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_custom_action_actionName=customblock.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule-custom-block","name":"Dummy rule to test blocking with a custom action","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_custom_action"],"key_path":["arg","0"],"value":"dummy_custom_action"}]}]}]}, @@ -70,6 +71,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule-custom-block","name":"Dummy rule to test blocking with a custom action","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_custom_action"],"key_path":["arg","0"],"value":"dummy_custom_action"}]}]}]}, 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_rule_actionName=block.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_rule_actionName=block.verified.txt index 4c3254286bf4..7a7677d25bd7 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_rule_actionName=block.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=block_request_statusCode=200_argument=dummy_rule_actionName=block.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, @@ -70,6 +71,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, 
diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_custom_action_actionName=customblock.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_custom_action_actionName=customblock.verified.txt index 43b2f187c559..7a351653bebd 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_custom_action_actionName=customblock.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_custom_action_actionName=customblock.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule-custom-block","name":"Dummy rule to test blocking with a custom action","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_custom_action"],"key_path":["arg","0"],"value":"dummy_custom_action"}]}]}]}, 
@@ -70,6 +71,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule-custom-block","name":"Dummy rule to test blocking with a custom action","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_custom_action"],"key_path":["arg","0"],"value":"dummy_custom_action"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_rule_actionName=block.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_rule_actionName=block.verified.txt index 40c83d1a4dbe..60a6ee27e1f2 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_rule_actionName=block.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmActionsConfiguration.__type=redirect_request_statusCode=302_argument=dummy_rule_actionName=block.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -25,6 +25,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, @@ -70,6 +71,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmCustomRules._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmCustomRules._.verified.txt index c8f0b68abd2a..90908bf768aa 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmCustomRules._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmCustomRules._.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -62,6 +62,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"test_custom_rule","name":"Test custom rule","tags":{"category":"attack_attempt","type":"custom_rule"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["customrule"],"key_path":["arg","0"],"value":"customrule_trigger"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips-oneclick_url=_.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips-oneclick_url=_.verified.txt index d15f6b45a066..e348fc1d0533 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips-oneclick_url=_.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips-oneclick_url=_.verified.txt @@ -87,6 +87,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -159,6 +161,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips_url=_.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips_url=_.verified.txt index 994c3cb4dfd7..eb093d677508 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips_url=_.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-ips_url=_.verified.txt @@ -58,6 +58,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-user_url=_user.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-user_url=_user.verified.txt index 342732b846c0..ddad2d87c915 100644 
--- a/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-user_url=_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmDataSecurityEnabled.__test=blocking-user_url=_user.verified.txt @@ -64,7 +64,10 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabled.TestSecurityInitialization.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabled.TestSecurityInitialization.verified.txt index 93c52ac66ce2..9c4ca6937a84 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabled.TestSecurityInitialization.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabled.TestSecurityInitialization.verified.txt 
@@ -29,9 +29,12 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.origin: appsec, _dd.runtime_family: dotnet }, @@ -39,7 +42,7 @@ process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.appsec.waf.duration: 0.0, _dd.appsec.waf.duration_ext: 0.0, _dd.top_level: 1.0, diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabledWithBadRuleset.TestSecurityInitialization.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabledWithBadRuleset.TestSecurityInitialization.verified.txt index 934caca692b0..a9968a972892 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabledWithBadRuleset.TestSecurityInitialization.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmInitializationSecurityEnabledWithBadRuleset.TestSecurityInitialization.verified.txt 
@@ -32,7 +32,7 @@ _dd.appsec.event_rules.errors: {"missing key 'name'":["crs-913-110","crs-913-120","crs-920-260"],"missing key 'tags'":["crs-921-110","crs-921-140"]}, _dd.appsec.event_rules.version: 1.3.1, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.origin: appsec, _dd.runtime_family: dotnet }, diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmRemoteRules._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmRemoteRules._.verified.txt index cbdfee9f1fe5..550310299add 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmRemoteRules._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmRemoteRules._.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -76,6 +79,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290-new","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -123,6 +129,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290-new","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -169,6 +178,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-bf177a93-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"new-test-non-blocking","name":"Datadog test scanner - NON blocking version: user-agent","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"^dd-test-scanner-log-block(?:$|/|\\s)","parameters":[{"address":"server.request.headers.no_cookies","highlight":["dd-test-scanner-log-block"],"key_path":["user-agent"],"value":"dd-test-scanner-log-block"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -212,6 +223,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-bf177a93-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-56x","name":"Datadog test scanner - blocking version: user-agent","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"^dd-test-scanner-log-block(?:$|/|\\s)","parameters":[{"address":"server.request.headers.no_cookies","highlight":["dd-test-scanner-log-block"],"key_path":["user-agent"],"value":"dd-test-scanner-log-block"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -255,6 +268,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-bf177a93-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-56x","name":"Datadog test scanner - blocking version: user-agent","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"^dd-test-scanner-log-block(?:$|/|\\s)","parameters":[{"address":"server.request.headers.no_cookies","highlight":["dd-test-scanner-log-block"],"key_path":["user-agent"],"value":"dd-test-scanner-log-block"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmRulesToggle._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmRulesToggle._.verified.txt index ccede3247d60..07f417675f2e 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmRulesToggle._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmRulesToggle._.verified.txt 
@@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -109,6 +112,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -152,6 +158,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -199,6 +208,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityDefault._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityDefault._.verified.txt index 68fe1e4ea485..6c12d1ef44f7 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityDefault._.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityDefault._.verified.txt @@ -87,6 +87,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityEnabled._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityEnabled._.verified.txt index b3a05895079e..871fca410d0d 100644 --- a/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityEnabled._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetCore5AsmToggleSecurityEnabled._.verified.txt 
@@ -29,6 +29,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -76,6 +79,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -123,6 +129,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -170,6 +179,9 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-49fefa92-, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[?\\$(?:(?:s(?:lic|iz)|wher)e|e(?:lemMatch|xists|q)|n(?:o[rt]|in?|e)|l(?:ike|te?)|t(?:ext|ype)|a(?:ll|nd)|jsonSchema|between|regex|x?or|div|mod)\\]?)\\b)","parameters":[{"address":"server.request.query","highlight":["[$slice"],"key_path":["[$slice]"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetCore5ExternalRules._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5ExternalRules._.verified.txt index d6f1cde96106..245a1fc80fa8 100644 --- a/tracer/test/snapshots/Security.AspNetCore5ExternalRules._.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetCore5ExternalRules._.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -29,6 +29,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, @@ -78,6 +79,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, 
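Review bot: The `@@ -1,4 +1,4 @@` hunk replaces the opening `[` with a visually identical `[`, so the difference lies in bytes the diff does not show, presumably a byte-order mark or a line-ending change. The same one-line rewrite appears in the three Security.AspNetCoreBare snapshots later in this patch. If it is unintended, restore line 1 in those files so the snapshot diff carries only the new `_dd.appsec.fp.http.endpoint` tag. If it is intended, pinning the encoding for `*.verified.txt` in the repository's attribute or editor settings would keep it from flipping again.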
@@ -127,6 +129,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, @@ -176,6 +179,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, 
@@ -225,6 +229,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_good-param=[$slice].verified.txt b/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_good-param=[$slice].verified.txt index 857daaf1576c..f9f95bc1fe5b 100644 --- a/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_good-param=[$slice].verified.txt +++ b/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_good-param=[$slice].verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -28,6 +28,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-80022bec-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, 
@@ -76,6 +77,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-80022bec-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, @@ -124,6 +126,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-80022bec-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, 
@@ -172,6 +175,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-80022bec-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, @@ -220,6 +224,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-80022bec-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_void-param=[$slice].verified.txt b/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_void-param=[$slice].verified.txt index 6154b39e94ba..7e0085f6360e 100644 --- a/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_void-param=[$slice].verified.txt +++ b/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=200_url=_void-param=[$slice].verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -28,6 +28,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-c75550dd-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, @@ -76,6 +77,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-c75550dd-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, 
@@ -124,6 +126,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-c75550dd-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, @@ -172,6 +175,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-c75550dd-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, 
@@ -220,6 +224,7 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-c75550dd-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=500_url=_bad-param=[$slice].verified.txt b/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=500_url=_bad-param=[$slice].verified.txt index 090142eaa9f8..c4a16f337668 100644 --- a/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=500_url=_bad-param=[$slice].verified.txt +++ b/tracer/test/snapshots/Security.AspNetCoreBare.__expectedStatusCode=500_url=_bad-param=[$slice].verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, 
@@ -34,6 +34,7 @@ at Samples.Security.AspNetCoreBare.Controllers.BadController.Get(), network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ede5d09-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, @@ -88,6 +89,7 @@ at Samples.Security.AspNetCoreBare.Controllers.BadController.Get(), network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ede5d09-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, 
@@ -142,6 +144,7 @@ at Samples.Security.AspNetCoreBare.Controllers.BadController.Get(), network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ede5d09-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, @@ -196,6 +199,7 @@ at Samples.Security.AspNetCoreBare.Controllers.BadController.Get(), network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ede5d09-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, 
@@ -250,6 +254,7 @@ at Samples.Security.AspNetCoreBare.Controllers.BadController.Get(), network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ede5d09-ccaaac7c-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["param","0"],"value":"[$slice]"}]}]}]}, diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=blocking.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=blocking.verified.txt index b0be44b2ad9b..07d299b9b986 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=blocking.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=blocking.verified.txt @@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
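Review bot: The added `_dd.appsec.fp.session: ssn----` in the `@@ -23,8 +23,10 @@` hunk of the AspNetMvc5 Classic blocking snapshot pins a session fingerprint whose every component is empty; the same value is added in the remaining hunks of that file and in the UploadJson and UploadStruct snapshots. If the tag is written whenever no session data is available (inferred from the value, since the generating code is not in these hunks), every such request carries the identical `ssn----`. That gives nothing to correlate on and can make unrelated clients look like one source in downstream detection. Consider omitting the tag when all components are empty, and adding a snapshot with a populated session so the non-empty format is covered too.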
@@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -109,8 +113,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -152,8 +158,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -195,8 +203,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt index 6da030b29599..7ac12e82bbc4 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt @@ -53,6 +53,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -124,6 +125,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -195,6 +197,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -266,6 +269,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -337,6 +341,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt index c6b4c65a0845..185200d6be61 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt 
@@ -53,6 +53,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0100000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -124,6 +125,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -195,6 +197,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -266,6 +269,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -337,6 +341,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt index 6dace1ca5e1b..19a3cca6fdb7 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt 
@@ -53,6 +53,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -124,6 +125,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -195,6 +197,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -266,6 +269,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -337,6 +341,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt index 52f15033556f..f1726ca3b176 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt 
@@ -48,8 +48,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -116,8 +118,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -184,8 +188,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -252,8 +258,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -320,8 +328,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt index 1f4cc2803a71..62ae97e9175d 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt 
@@ -48,8 +48,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -116,8 +118,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -184,8 +188,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -252,8 +258,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -320,8 +328,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt index 2a0d7ed5fe11..8dd8f11753fc 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Classic.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt 
@@ -48,8 +48,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -116,8 +118,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -184,8 +188,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -252,8 +258,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -320,8 +328,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=blocking.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=blocking.verified.txt index e0229d974fb4..1d300c039c7e 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=blocking.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=blocking.verified.txt @@ -24,8 +24,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -68,8 +70,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -112,8 +116,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -156,8 +162,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -200,8 +208,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=discovery.scans_url=_Health_wp-config_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=discovery.scans_url=_Health_wp-config_body=null.verified.txt index a50698e74a4c..1f3f1863ee04 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=discovery.scans_url=_Health_wp-config_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=discovery.scans_url=_Health_wp-config_body=null.verified.txt 
@@ -49,8 +49,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-74ef4633--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/wp-config"],"key_path":[],"value":"/health/wp-config"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -118,8 +120,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-74ef4633--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/wp-config"],"key_path":[],"value":"/health/wp-config"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -187,8 +191,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-74ef4633--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/wp-config"],"key_path":[],"value":"/health/wp-config"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -256,8 +262,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-74ef4633--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/wp-config"],"key_path":[],"value":"/health/wp-config"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -325,8 +333,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-74ef4633--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"nfd-000-001","name":"Detect common directory discovery scans","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"^404$","parameters":[{"address":"server.response.status","highlight":["404"],"key_path":[],"value":"404"}]},{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.uri.raw","highlight":["/wp-config"],"key_path":[],"value":"/health/wp-config"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt index 0d67de705121..44b75aca3508 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadJson_body={-DictionaryProperty-- {-a---[$slice]-} }.verified.txt 
@@ -54,6 +54,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -126,6 +127,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -198,6 +200,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -270,6 +273,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -342,6 +346,7 @@ _dd.appsec.fp.http.endpoint: http-post-c4e91668--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","DictionaryProperty","a"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt index 02fcbd1d6b14..1323d4aad5d6 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_UploadStruct_body={-Property1-- -[$slice]-}.verified.txt 
@@ -54,6 +54,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -126,6 +127,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -198,6 +200,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -270,6 +273,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -342,6 +346,7 @@ _dd.appsec.fp.http.endpoint: http-post-a1fd7e2d--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt index 82d94900697c..013448d4b62a 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.body_url=_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt 
@@ -54,6 +54,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0100000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -126,6 +127,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -198,6 +200,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -270,6 +273,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -342,6 +346,7 @@ _dd.appsec.fp.http.endpoint: http-post-3c2db0bd--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt index d0088462fffc..34ba6e454877 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint-&q=help_body=null.verified.txt 
@@ -49,8 +49,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -118,8 +120,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -187,8 +191,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -256,8 +262,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -325,8 +333,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c-2e4a7b5a-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt index 590b8e35b912..6b8e721cb6c0 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.path_params_url=_Health_params_appscan_fingerprint_body=null.verified.txt 
@@ -49,8 +49,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -118,8 +120,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -187,8 +191,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -256,8 +262,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -325,8 +333,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt index 61c6bd3456d2..60c09b046bb2 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.request.query_url=_Health_-arg=[$slice]_body=null.verified.txt 
@@ -49,8 +49,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -118,8 +120,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -187,8 +191,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -256,8 +262,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -325,8 +333,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7f4bf8ee-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.response.headers.no_cookies_url=_Home_LangHeader_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.response.headers.no_cookies_url=_Home_LangHeader_body=null.verified.txt index 56482f067395..560306513db2 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.response.headers.no_cookies_url=_Home_LangHeader_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5.Integrated.enableSecurity=True.__test=server.response.headers.no_cookies_url=_Home_LangHeader_body=null.verified.txt 
@@ -50,8 +50,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0cfc1178--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-009","name":"Test block on response header","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"en-us|krypton","parameters":[{"address":"server.response.headers.no_cookies","highlight":["krypton"],"key_path":["content-language"],"value":"krypton"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -120,8 +122,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0cfc1178--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-009","name":"Test block on response header","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"en-us|krypton","parameters":[{"address":"server.response.headers.no_cookies","highlight":["krypton"],"key_path":["content-language"],"value":"krypton"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -190,8 +194,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0cfc1178--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-009","name":"Test block on response header","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"en-us|krypton","parameters":[{"address":"server.response.headers.no_cookies","highlight":["krypton"],"key_path":["content-language"],"value":"krypton"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -260,8 +266,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0cfc1178--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-009","name":"Test block on response header","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"en-us|krypton","parameters":[{"address":"server.response.headers.no_cookies","highlight":["krypton"],"key_path":["content-language"],"value":"krypton"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -330,8 +338,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0cfc1178--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"tst-037-009","name":"Test block on response header","tags":{"category":"attack_attempt","type":"lfi"}},"rule_matches":[{"operator":"match_regex","operator_value":"en-us|krypton","parameters":[{"address":"server.response.headers.no_cookies","highlight":["krypton"],"key_path":["content-language"],"value":"krypton"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=block_request_statusCode=200.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=block_request_statusCode=200.verified.txt index 4d9cd87bf01d..a882ee58f0c5 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=block_request_statusCode=200.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=block_request_statusCode=200.verified.txt @@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt index 3dbd9ec650d6..d4c8c5dc9386 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Classic.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt @@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=block_request_statusCode=200.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=block_request_statusCode=200.verified.txt index 9bc3daeb0b2c..0abadb993e01 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=block_request_statusCode=200.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=block_request_statusCode=200.verified.txt @@ -24,8 +24,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -68,8 +70,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt index 9109a121b84a..33d302f67eac 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmBlockingActions.Integrated.enableSecurity=True.__type=redirect_request_statusCode=302.verified.txt 
@@ -24,8 +24,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -68,8 +70,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"test-dummy-rule","name":"Dummy rule to test blocking","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.query","highlight":["dummy_rule"],"key_path":["arg","0"],"value":"dummy_rule"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_.verified.txt index 72446da86965..2b4c09871165 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_.verified.txt 
@@ -43,14 +43,14 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 @@ -80,7 +80,11 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-8a5edab2--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt index 261a0154ae42..3b32ec40447b 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt 
@@ -105,7 +105,11 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-c9ffce19--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_.verified.txt index 65da66fb9d97..b298f3de5d81 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_.verified.txt @@ -43,14 +43,14 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 
@@ -81,7 +81,11 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-8a5edab2--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt index 24d45f7d99d4..1d619e6fb528 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt 
@@ -106,7 +106,11 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-c9ffce19--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Classic.enableSecurity=True._.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Classic.enableSecurity=True._.verified.txt index 8356bafb2770..12b64641a3de 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Classic.enableSecurity=True._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Classic.enableSecurity=True._.verified.txt @@ -48,6 +48,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, + _dd.appsec.fp.http.header: hdr-0100000000-948f4ea1-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-16x","name":"SQL power injector","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"sql power injector","parameters":[{"address":"server.request.headers.no_cookies","highlight":["sql power injector"],"key_path":["user-agent"],"value":"Mistake Not... (sql power injector)"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -89,6 +93,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, + _dd.appsec.fp.http.header: hdr-0000000000-948f4ea1-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-16x","name":"SQL power injector","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"sql power injector","parameters":[{"address":"server.request.headers.no_cookies","highlight":["sql power injector"],"key_path":["user-agent"],"value":"Mistake Not... (sql power injector)"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -155,6 +163,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, + _dd.appsec.fp.http.header: hdr-0000000000-948f4ea1-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-16x","name":"SQL power injector","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"sql power injector","parameters":[{"address":"server.request.headers.no_cookies","highlight":["sql power injector"],"key_path":["user-agent"],"value":"Mistake Not... (sql power injector)"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Integrated.enableSecurity=True._.verified.txt b/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Integrated.enableSecurity=True._.verified.txt index 07f15f5ade00..5e380b3651a2 100644 --- a/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Integrated.enableSecurity=True._.verified.txt +++ b/tracer/test/snapshots/Security.AspNetMvc5AsmRulesToggle.Integrated.enableSecurity=True._.verified.txt 
@@ -49,6 +49,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, + _dd.appsec.fp.http.header: hdr-0100000000-948f4ea1-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-16x","name":"SQL power injector","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"sql power injector","parameters":[{"address":"server.request.headers.no_cookies","highlight":["sql power injector"],"key_path":["user-agent"],"value":"Mistake Not... (sql power injector)"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -91,6 +95,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, + _dd.appsec.fp.http.header: hdr-0000000000-948f4ea1-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-16x","name":"SQL power injector","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"sql power injector","parameters":[{"address":"server.request.headers.no_cookies","highlight":["sql power injector"],"key_path":["user-agent"],"value":"Mistake Not... (sql power injector)"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -158,6 +166,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, + _dd.appsec.fp.http.header: hdr-0000000000-948f4ea1-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ua0-600-16x","name":"SQL power injector","tags":{"category":"attack_attempt","type":"attack_tool"}},"rule_matches":[{"operator":"match_regex","operator_value":"sql power injector","parameters":[{"address":"server.request.headers.no_cookies","highlight":["sql power injector"],"key_path":["user-agent"],"value":"Mistake Not... (sql power injector)"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__scenario=null-action.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__scenario=null-action.verified.txt index cb0da9edec2c..79ba1030b7fd 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__scenario=null-action.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__scenario=null-action.verified.txt @@ -44,8 +44,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-6b529abb--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["pathparam2"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -108,8 +110,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e7fc1c3d--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["pathparam2"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=blocking.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=blocking.verified.txt index 0163856aa2d5..8dafaf1d2632 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=blocking.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=blocking.verified.txt @@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -109,8 +113,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -152,8 +158,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -195,8 +203,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt index b97006b034d8..f79f445d0748 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt 
+++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt @@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -118,6 +119,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -186,6 +188,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -254,6 +257,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -322,6 +326,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt index 93e05bfc143b..9932a55b78e2 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt 
@@ -45,8 +45,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -110,8 +112,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -175,8 +179,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -240,8 +246,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -305,8 +313,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt index 12eb9c3a826e..90a324bf2567 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt 
@@ -45,8 +45,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -110,8 +112,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -175,8 +179,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -240,8 +246,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -305,8 +313,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt index 8cc3b5e1bbd5..5996c8277569 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt 
@@ -45,8 +45,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -110,8 +112,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -175,8 +179,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -240,8 +246,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -305,8 +313,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt index b7ae498b361a..ec837e8ac4cf 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Classic.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt 
@@ -45,8 +45,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -110,8 +112,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -175,8 +179,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -240,8 +246,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -305,8 +313,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__scenario=null-action.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__scenario=null-action.verified.txt index 7b111c66a5a3..a658db07eae9 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__scenario=null-action.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__scenario=null-action.verified.txt 
@@ -45,8 +45,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-6b529abb--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["pathparam2"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -110,8 +112,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-e7fc1c3d--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["pathparam2"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=blocking.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=blocking.verified.txt index 7d2de38e32de..0cd2c75dc854 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=blocking.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=blocking.verified.txt 
@@ -24,8 +24,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -68,8 +70,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -112,8 +116,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -156,8 +162,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -200,8 +208,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt index e8865529d57c..3d47ad442ae4 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.body_url=_api_Home_Upload_body={-Property1-- -[$slice]-}.verified.txt 
@@ -50,6 +50,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -118,6 +119,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -186,6 +188,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -254,6 +257,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -322,6 +326,7 @@ _dd.appsec.fp.http.endpoint: http-post-ae7cd782--2d59fcb7, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["miscModel","Property1"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt index 5cc3a3119d4b..f1f05e10d9e9 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_Health_appscan_fingerprint_body=null.verified.txt 
@@ -46,8 +46,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -112,8 +114,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -178,8 +182,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -244,8 +250,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -310,8 +318,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0553e2d1--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt index 3330e046418b..9f1a4cfbd9aa 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_2-arg=[$slice]_body=null.verified.txt 
@@ -46,8 +46,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -112,8 +114,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -178,8 +182,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -244,8 +250,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -310,8 +318,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-33e6044f-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt index 966d621fa4b2..62da7d86e8bf 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.path_params_url=_api_route_TwoMember-arg=[$slice]_body=null.verified.txt 
@@ -46,8 +46,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -112,8 +114,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -178,8 +182,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -244,8 +250,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -310,8 +318,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-42b7ca6a-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt index 03fa0917349b..efbf2834d36d 100644 --- a/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApi.Integrated.enableSecurity=True.__test=server.request.query_url=_api_Health_-arg=[$slice]_body=null.verified.txt 
@@ -46,8 +46,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -112,8 +114,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -178,8 +182,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -244,8 +250,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -310,8 +318,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-5ca47921-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt index 0c196a3cc79d..72f0f3ffdd72 100644 --- a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt 
@@ -74,7 +74,11 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt index b853cd0e71a1..70fc9470f036 100644 --- a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt @@ -41,14 +41,14 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 
@@ -102,7 +102,11 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-c4cf151d--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt index 4e1d1677678a..e8d416beb1b9 100644 --- a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_api_health.verified.txt @@ -40,14 +40,14 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 
@@ -78,7 +78,11 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-7ab84831--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt index d73c4f5d003d..7319711cac65 100644 --- a/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebApiAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_api_user.verified.txt 
@@ -101,7 +101,11 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-c4cf151d--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__test=blocking.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__test=blocking.verified.txt index b0be44b2ad9b..07d299b9b986 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__test=blocking.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__test=blocking.verified.txt @@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -109,8 +113,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -152,8 +158,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -195,8 +203,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt index 99688ac33a08..4cfe3d234471 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt 
@@ -22,8 +22,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0100000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -64,8 +66,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -106,8 +110,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -148,8 +154,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -190,8 +198,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt index 005696060e3c..368d013ac0f0 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt 
@@ -22,8 +22,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -64,8 +66,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -106,8 +110,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -148,8 +154,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -190,8 +198,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt index c08e68df9207..4bb98c95f1a2 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Classic.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt 
@@ -27,6 +27,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -72,6 +73,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -117,6 +119,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -162,6 +165,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -207,6 +211,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-3-4d739311, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__test=blocking.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__test=blocking.verified.txt index e0229d974fb4..1d300c039c7e 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__test=blocking.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__test=blocking.verified.txt @@ -24,8 +24,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -68,8 +70,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -112,8 +116,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -156,8 +162,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -200,8 +208,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e--, _dd.appsec.fp.http.header: hdr-0000000000-197358b8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"ublock","name":"Hello","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"match_regex","operator_value":"hello","parameters":[{"address":"server.request.headers.no_cookies","highlight":["hello"],"key_path":["user-agent"],"value":"mistake not... hello/v"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt index a6e7a09ee519..159cc039a8b6 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health-arg=[$slice]_body=null.verified.txt 
@@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -109,8 +113,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -152,8 +158,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -195,8 +203,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-0587c50e-b25f03de-, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.query","highlight":["[$slice]"],"key_path":["arg","0"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt index 90d2a5e1742a..6ac5964f0e05 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_Params_appscan_fingerprint_body=null.verified.txt 
@@ -23,8 +23,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -66,8 +68,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -109,8 +113,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -152,8 +158,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -195,8 +203,10 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.endpoint: http-get-9ce5b35c--, _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-120","name":"Known security scanner filename/argument","tags":{"category":"attack_attempt","type":"security_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.path_params","highlight":["appscan_fingerprint"],"key_path":["id"],"value":"appscan_fingerprint"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt index 599778044e16..d84458d1daaf 100644 --- a/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebForms.Integrated.enableSecurity=True.__url=_Health_body=ctl00%24MainContent%24testBox=%5B%24slice%5D.verified.txt 
@@ -28,6 +28,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0100000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -74,6 +75,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -120,6 +122,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -166,6 +169,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -212,6 +216,7 @@ _dd.appsec.fp.http.endpoint: http-post-0587c50e--8a8abefe, _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-5-07490af2, _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-942-290","name":"Finds basic MongoDB SQL injection attempts","tags":{"category":"attack_attempt","type":"nosql_injection"}},"rule_matches":[{"operator":"match_regex","operator_value":"(?i:(?:\\[\\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\\]))","parameters":[{"address":"server.request.body","highlight":["[$slice]"],"key_path":["ctl00$MainContent$testBox"],"value":"[$slice]"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt index e2ea45d073b9..773fd217545b 100644 --- a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt 
@@ -52,7 +52,11 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-d2b1037e--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt index 7cf16cca878c..eb943cbe1d5a 100644 --- a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Classic.enableSecurity=True.__test=blocking-user_url=_user.verified.txt @@ -19,14 +19,14 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 
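Review bot: The `_dd.appsec.event_rules.version` change from `1.10.0` to `1.13.1` in the `@@ -52,7 +52,11 @@` hunk of the Classic blocking-ips snapshot is not explained by the commit description. The same applies to the `_dd.appsec.waf.version` `1.19.1` to `1.20.0` and `_dd.appsec.event_rules.loaded` `153.0` to `158.0` changes in the blocking-user snapshot that follows it. These look like stale expectations refreshed together with the real change (inferred; the test run is not visible here), which makes it hard to tell which of the newly recorded `_dd.appsec.fp.*` tags come from the coordinator refactor and which are drift. I would move the version refresh to its own commit, or add a line to the description such as `Snapshots: WebFormsAsmData expectations refreshed (ruleset 1.13.1, WAF 1.20.0); fingerprint tags are now recorded for these requests`. The Integrated AsmData hunks further down show the same pattern, and it is worth confirming these snapshot tests actually run in CI, since expectations that lag the ruleset would not catch a regression in the blocking path.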
@@ -57,7 +57,11 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-c9ffce19--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt index 0296b1bb2e73..78e6aa996c51 100644 --- a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-ips_url=_default.aspx.verified.txt @@ -18,14 +18,14 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.waf.version: 1.19.1, + _dd.appsec.waf.version: 1.20.0, _dd.runtime_family: dotnet }, Metrics: { process_id: 0, _dd.appsec.enabled: 1.0, _dd.appsec.event_rules.error_count: 0.0, - _dd.appsec.event_rules.loaded: 153.0, + _dd.appsec.event_rules.loaded: 158.0, _dd.top_level: 1.0, _dd.tracer_kr: 1.0, _sampling_priority_v1: 2.0 
@@ -56,7 +56,11 @@ network.client.ip: ::1, runtime-id: Guid_1, span.kind: server, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-d2b1037e--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn----, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-001","name":"Block IP Addresses","tags":{"category":"security_response","type":"block_ip"}},"rule_matches":[{"operator":"ip_match","operator_value":"","parameters":[{"address":"http.client_ip","highlight":["86.242.244.246"],"key_path":[],"value":"86.242.244.246"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt index e3110493c011..e36e277c9843 100644 --- a/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt +++ b/tracer/test/snapshots/Security.AspNetWebFormsAsmData.Integrated.enableSecurity=True.__test=blocking-user_url=_user.verified.txt 
@@ -55,7 +55,11 @@ runtime-id: Guid_1, span.kind: server, usr.id: user3, - _dd.appsec.event_rules.version: 1.10.0, + _dd.appsec.event_rules.version: 1.13.1, + _dd.appsec.fp.http.endpoint: http-get-c9ffce19--, + _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-3-98425651, + _dd.appsec.fp.http.network: net-1-1000000000, + _dd.appsec.fp.session: ssn-5860faf0---, _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["user3"],"key_path":[],"value":"user3"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet diff --git a/tracer/test/snapshots/TestGlobalRulesToggling._.verified.txt b/tracer/test/snapshots/TestGlobalRulesToggling._.verified.txt index 7109954e83dd..74222b547c11 100644 --- a/tracer/test/snapshots/TestGlobalRulesToggling._.verified.txt +++ b/tracer/test/snapshots/TestGlobalRulesToggling._.verified.txt @@ -1,4 +1,4 @@ -[ +[ { TraceId: Id_1, SpanId: Id_2, @@ -29,6 +29,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-e7f19e02-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-110","name":"Acunetix","tags":{"category":"attack_attempt","type":"commercial_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.headers.no_cookies","highlight":["acunetix-product"],"key_path":["user-agent"],"value":"mistake not... acunetix-product"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet 
@@ -76,6 +78,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-e7f19e02-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-110","name":"Acunetix","tags":{"category":"attack_attempt","type":"commercial_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.headers.no_cookies","highlight":["acunetix-product"],"key_path":["user-agent"],"value":"mistake not... acunetix-product"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet @@ -123,6 +127,8 @@ network.client.ip: 127.0.0.1, runtime-id: Guid_1, span.kind: server, + _dd.appsec.fp.http.header: hdr-0000000000-e7f19e02-1-4740ae63, + _dd.appsec.fp.http.network: net-1-1000000000, _dd.appsec.json: {"triggers":[{"rule":{"id":"crs-913-110","name":"Acunetix","tags":{"category":"attack_attempt","type":"commercial_scanner"}},"rule_matches":[{"operator":"phrase_match","operator_value":"","parameters":[{"address":"server.request.headers.no_cookies","highlight":["acunetix-product"],"key_path":["user-agent"],"value":"mistake not... acunetix-product"}]}]}]}, _dd.origin: appsec, _dd.runtime_family: dotnet