From 12b013eae1ffc25501f66c2881b84cf507176f9c Mon Sep 17 00:00:00 2001 From: cschantz Date: Mon, 1 Dec 2025 18:58:16 -0500 Subject: [PATCH] Enhance attack detection with 5 modern attack patterns MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ATTACK DETECTION ENHANCEMENTS: Added detection for critical modern attack vectors not in OWASP Top 10: 1. XXE (XML External Entity) Detection - detect_xxe() - XML entity patterns () - URL-encoded variants (%7b%7b, %7b%25, %24%7b) - SSTI probe patterns (7*7, config., self., request., env.) - Threat Score: 20 (CRITICAL) - Icon: 📝 - Color: White on Red (highest severity) 5. Encoding Bypass Detection - detect_encoding_bypass() - Double/triple URL encoding (%25XX, %252X, %2525) - WAF bypass attempts (%c0%af, %e0%80%af) - Unicode/UTF-8 bypass (%uXXXX, \uXXXX) - Threat Score: 12 (MEDIUM) - Icon: 🔀 CHANGES TO lib/attack-patterns.sh: - Added 5 new detection functions (lines 128-206) - Updated detect_all_attacks() to call new detections (lines 222-226) - Updated calculate_attack_score() with new scoring (lines 251-255) - Added icons for new attack types (lines 273-277) - Added color coding (CRITICAL/HIGH/MEDIUM) (lines 289-291) - Exported all new functions (lines 303-307) IMPACT: - Detection coverage expanded from 7 to 12 attack types - Now covers modern attack vectors (API attacks, cloud exploits, WAF bypasses) - Better threat scoring with 3-tier severity (CRITICAL/HIGH/MEDIUM) - Real-time detection in live-attack-monitor - Historical detection in bot-analyzer NEXT STEPS: - Consider User-Agent rotation detection (bot fingerprinting) - Consider Tor/VPN/Proxy detection (anonymizer identification) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- lib/attack-patterns.sh | 106 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 103 insertions(+), 3 deletions(-) diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh index 7109084..bd26b83 100644 
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -125,6 +125,86 @@ detect_admin_probe() {
return 1
}
+# XXE (XML External Entity) Detection
+detect_xxe() {
+ local url="$1"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # XML entity patterns and external entity references
+ if [[ "$url_lower" =~ () ]] ||
+ [[ "$url_lower" =~ (%7b%7b|%7b%25|%24%7b) ]] ||
+ [[ "$url_lower" =~ (7\*7|config\.|self\.|request\.|env\.) ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
+# Encoding Bypass Detection (Multiple layers of encoding)
+detect_encoding_bypass() {
+ local url="$1"
+
+ # Double/triple URL encoding (bypass WAF)
+ if [[ "$url" =~ %25[0-9a-fA-F]{2} ]] ||
+ [[ "$url" =~ (%252[0-9a-fA-F]|%25%32|%2525) ]]; then
+ return 0
+ fi
+
+ # Unicode/UTF-8 bypass attempts
+ if [[ "$url" =~ (%u[0-9a-fA-F]{4}|\\u[0-9a-fA-F]{4}) ]] ||
+ [[ "$url" =~ (%c0%af|%e0%80%af) ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
# Detect all attack vectors for a URL
# Returns: attack_type1,attack_type2,... or empty if none
detect_all_attacks() {
@@ -139,6 +219,11 @@ detect_all_attacks() {
detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")
+ detect_xxe "$url" && attacks+=("XXE")
+ detect_ssrf "$url" && attacks+=("SSRF")
+ detect_nosql_injection "$url" && attacks+=("NOSQL_INJECTION")
+ detect_template_injection "$url" && attacks+=("TEMPLATE_INJECTION")
+ detect_encoding_bypass "$url" && attacks+=("ENCODING_BYPASS")
if [ ${#attacks[@]} -gt 0 ]; then
IFS=','; echo "${attacks[*]}"
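Review bot: The first alternative in detect_xxe, `[[ "$url_lower" =~ () ]]`, is an empty group that matches every string, so as shown every URL is tagged XXE and collects its score bump; if the page stripped a literal `<!ENTITY`/`<!DOCTYPE` pattern it should be restored, e.g. `[[ "$url_lower" =~ (%3c!entity|%3c!doctype|!entity|!doctype) ]]`, and since this hunk's header counts 80 additions but only two functions are visible, detect_ssrf, detect_nosql_injection and detect_template_injection may likewise have been dropped by the page rather than the patch. The remaining alternatives — `%7b%7b`, `%24%7b`, `7*7`, `config.`, `self.`, `request.`, `env.` — are template-injection probes rather than XML entity references, and the bare `config\.`/`env\.`/`self\.` substrings also fire on benign paths such as `/assets/config.js`, so they belong in detect_template_injection, anchored to a `{{`/`${` context, not here. `local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')` can become `local url_lower=${url,,}`, which drops the subshell and the `echo` of attacker-controlled text. detect_all_attacks starts on the last context line and its body lies outside this hunk.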
@@ -163,6 +248,11 @@ calculate_attack_score() {
[[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
[[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))
[[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25))
+ [[ "$attacks" =~ (^|,)XXE(,|$) ]] && score=$((score + 18))
+ [[ "$attacks" =~ (^|,)SSRF(,|$) ]] && score=$((score + 18))
+ [[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
+ [[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
+ [[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
echo "$score"
}
@@ -180,6 +270,11 @@ get_attack_icon() {
BRUTEFORCE) echo "🔐" ;;
ADMIN_PROBE) echo "🔍" ;;
DDOS) echo "💥" ;;
+ XXE) echo "📄" ;;
+ SSRF) echo "🌐" ;;
+ NOSQL_INJECTION) echo "🗄️ " ;;
+ TEMPLATE_INJECTION) echo "📝" ;;
+ ENCODING_BYPASS) echo "🔀" ;;
BOT) echo "🤖" ;;
SCANNER) echo "🔎" ;;
*) echo "❓" ;;
@@ -191,9 +286,9 @@ get_attack_color() {
local attack_type="$1"
case "$attack_type" in
- SQL_INJECTION|RCE) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
- XSS|PATH_TRAVERSAL|BRUTEFORCE) echo '\033[1;31m' ;; # Bold Red (HIGH)
- INFO_DISCLOSURE|ADMIN_PROBE) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
+ SQL_INJECTION|RCE|TEMPLATE_INJECTION) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
+ XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION) echo '\033[1;31m' ;; # Bold Red (HIGH)
+ INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
*) echo '\033[0;36m' ;; # Cyan (LOW)
esac
}
@@ -205,6 +300,11 @@ export -f detect_rce
export -f detect_info_disclosure
export -f detect_login_bruteforce_url
export -f detect_admin_probe
+export -f detect_xxe
+export -f detect_ssrf
+export -f detect_nosql_injection
+export -f detect_template_injection
+export -f detect_encoding_bypass
export -f detect_all_attacks
export -f calculate_attack_score
export -f get_attack_icon
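Review bot: `NOSQL_INJECTION) echo "🗄️ " ;;` is the only icon arm that carries a variation selector and a trailing space; every other arm in the hunk echoes a single code point, so a caller that pads or aligns on the returned icon will treat this one differently. If the space is deliberate to compensate for a glyph that renders narrow, say so inline: `NOSQL_INJECTION) echo "🗄️ " ;;  # trailing space: glyph renders narrow in some terminals`; otherwise drop it. get_attack_icon's case statement starts and ends outside this hunk.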