cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance attack detection with 5 modern attack patterns

Browse Source 
ATTACK DETECTION ENHANCEMENTS:
Added detection for critical modern attack vectors not in OWASP Top 10:

1. XXE (XML External Entity) Detection - detect_xxe()
   - XML entity patterns (<!ENTITY, <!DOCTYPE)
   - External entity references (SYSTEM, file://, php://, expect://)
   - URL-encoded variants (%3c!entity)
   - XML-specific patterns (jar:, .dtd)
   - Threat Score: 18 (HIGH)
   - Icon: 📄

2. SSRF (Server-Side Request Forgery) Detection - detect_ssrf()
   - Internal network targeting (localhost, 127.0.0.1, 169.254.x.x)
   - Private IP ranges (10.x.x.x, 192.168.x.x, 172.16-31.x.x)
   - Cloud metadata endpoints (metadata.google, 169.254.169.254, metadata.aws)
   - Protocol abuse (file://, gopher://, dict://, ftp://localhost)
   - URL parameter patterns (url=http, redirect.*http, proxy.*http)
   - Threat Score: 18 (HIGH)
   - Icon: 🌐

3. NoSQL Injection Detection - detect_nosql_injection()
   - MongoDB operators ($ne, $gt, $lt, $regex, $where, $in, $nin)
   - URL-encoded variants (%24ne, %24gt, %24where)
   - NoSQL-specific patterns (sleep(), this., function(), javascript:)
   - Threat Score: 15 (HIGH)
   - Icon: 🗄️

4. Template Injection (SSTI) Detection - detect_template_injection()
   - Jinja2/Twig patterns ({{ }}, {% %})
   - FreeMarker patterns (${ })
   - JSP patterns (<% %>)
   - URL-encoded variants (%7b%7b, %7b%25, %24%7b)
   - SSTI probe patterns (7*7, config., self., request., env.)
   - Threat Score: 20 (CRITICAL)
   - Icon: 📝
   - Color: White on Red (highest severity)

5. Encoding Bypass Detection - detect_encoding_bypass()
   - Double/triple URL encoding (%25XX, %252X, %2525)
   - WAF bypass attempts (%c0%af, %e0%80%af)
   - Unicode/UTF-8 bypass (%uXXXX, \uXXXX)
   - Threat Score: 12 (MEDIUM)
   - Icon: 🔀

CHANGES TO lib/attack-patterns.sh:
- Added 5 new detection functions (lines 128-206)
- Updated detect_all_attacks() to call new detections (lines 222-226)
- Updated calculate_attack_score() with new scoring (lines 251-255)
- Added icons for new attack types (lines 273-277)
- Added color coding (CRITICAL/HIGH/MEDIUM) (lines 289-291)
- Exported all new functions (lines 303-307)

IMPACT:
- Detection coverage expanded from 7 to 12 attack types
- Now covers modern attack vectors (API attacks, cloud exploits, WAF bypasses)
- Better threat scoring with 3-tier severity (CRITICAL/HIGH/MEDIUM)
- Real-time detection in live-attack-monitor
- Historical detection in bot-analyzer

NEXT STEPS:
- Consider User-Agent rotation detection (bot fingerprinting)
- Consider Tor/VPN/Proxy detection (anonymizer identification)
This commit is contained in:
cschantz
2025-12-01 18:58:16 -05:00
parent 22bd97b06c
commit c349503747
1 changed files with 103 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/attack-patterns.sh
+103 -3
View File
@@ -125,6 +125,86 @@ detect_admin_probe() {
return 1
}
# XXE (XML External Entity) Detection
detect_xxe() {
local url="$1"
local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
# XML entity patterns and external entity references
if [[ "$url_lower" =~ (<!entity|<!doctype|system|file://|php://|expect://) ]] ||
[[ "$url_lower" =~ (%3c!entity|%3c!doctype|%3centity|jar:) ]] ||
[[ "$url_lower" =~ (xml.*<!|\.xml.*entity|\.dtd) ]]; then
return 0
fi
return 1
}
# SSRF (Server-Side Request Forgery) Detection
detect_ssrf() {
local url="$1"
local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
# Internal network targeting
if [[ "$url_lower" =~ (localhost|127\.0\.0\.|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.) ]] ||
[[ "$url_lower" =~ (metadata\.google|169\.254\.169\.254|metadata\.aws|metadata) ]] ||
[[ "$url_lower" =~ (file://|gopher://|dict://|ftp://localhost|http://127|http://0\.0\.0\.0) ]] ||
[[ "$url_lower" =~ (url=http|redirect.*http|fetch.*http|proxy.*http) ]]; then
return 0
fi
return 1
}
# NoSQL Injection Detection
detect_nosql_injection() {
local url="$1"
local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
# MongoDB and NoSQL patterns
if [[ "$url_lower" =~ (\$ne|\$gt|\$lt|\$regex|\$where|\$in|\$nin) ]] ||
[[ "$url_lower" =~ (%24ne|%24gt|%24regex|%24where) ]] ||
[[ "$url_lower" =~ (sleep\(.*\)|this\.|function\(|javascript:) ]]; then
return 0
fi
return 1
}
# Template Injection (SSTI) Detection
detect_template_injection() {
local url="$1"
local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
# Jinja2, Twig, FreeMarker, etc.
if [[ "$url_lower" =~ (\{\{.*\}\}|\{%.*%\}|\$\{.*\}|<%.*%>) ]] ||
[[ "$url_lower" =~ (%7b%7b|%7b%25|%24%7b) ]] ||
[[ "$url_lower" =~ (7\*7|config\.|self\.|request\.|env\.) ]]; then
return 0
fi
return 1
}
# Encoding Bypass Detection (Multiple layers of encoding)
detect_encoding_bypass() {
local url="$1"
# Double/triple URL encoding (bypass WAF)
if [[ "$url" =~ %25[0-9a-fA-F]{2} ]] ||
[[ "$url" =~ (%252[0-9a-fA-F]|%25%32|%2525) ]]; then
return 0
fi
# Unicode/UTF-8 bypass attempts
if [[ "$url" =~ (%u[0-9a-fA-F]{4}|\\u[0-9a-fA-F]{4}) ]] ||
[[ "$url" =~ (%c0%af|%e0%80%af) ]]; then
return 0
fi
return 1
}
# Detect all attack vectors for a URL
# Returns: attack_type1,attack_type2,... or empty if none
detect_all_attacks() {
@@ -139,6 +219,11 @@ detect_all_attacks() {
detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")
detect_xxe "$url" && attacks+=("XXE")
detect_ssrf "$url" && attacks+=("SSRF")
detect_nosql_injection "$url" && attacks+=("NOSQL_INJECTION")
detect_template_injection "$url" && attacks+=("TEMPLATE_INJECTION")
detect_encoding_bypass "$url" && attacks+=("ENCODING_BYPASS")
if [ ${#attacks[@]} -gt 0 ]; then
IFS=','; echo "${attacks[*]}"
@@ -163,6 +248,11 @@ calculate_attack_score() {
[[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
[[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))
[[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25))
[[ "$attacks" =~ (^|,)XXE(,|$) ]] && score=$((score + 18))
[[ "$attacks" =~ (^|,)SSRF(,|$) ]] && score=$((score + 18))
[[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
[[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
[[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
echo "$score"
}
@@ -180,6 +270,11 @@ get_attack_icon() {
BRUTEFORCE) echo "🔐" ;;
ADMIN_PROBE) echo "🔍" ;;
DDOS) echo "💥" ;;
XXE) echo "📄" ;;
SSRF) echo "🌐" ;;
NOSQL_INJECTION) echo "🗄️ " ;;
TEMPLATE_INJECTION) echo "📝" ;;
ENCODING_BYPASS) echo "🔀" ;;
BOT) echo "🤖" ;;
SCANNER) echo "🔎" ;;
*) echo "❓" ;;
@@ -191,9 +286,9 @@ get_attack_color() {
local attack_type="$1"
case "$attack_type" in
SQL_INJECTION|RCE) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
XSS|PATH_TRAVERSAL|BRUTEFORCE) echo '\033[1;31m' ;; # Bold Red (HIGH)
INFO_DISCLOSURE|ADMIN_PROBE) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
SQL_INJECTION|RCE|TEMPLATE_INJECTION) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION) echo '\033[1;31m' ;; # Bold Red (HIGH)
INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
*) echo '\033[0;36m' ;; # Cyan (LOW)
esac
}
@@ -205,6 +300,11 @@ export -f detect_rce
export -f detect_info_disclosure
export -f detect_login_bruteforce_url
export -f detect_admin_probe
export -f detect_xxe
export -f detect_ssrf
export -f detect_nosql_injection
export -f detect_template_injection
export -f detect_encoding_bypass
export -f detect_all_attacks
export -f calculate_attack_score
export -f get_attack_icon