
openrasp-iast's Issues

Injection at the table-name position is not detected

SELECT * FROM '1234 1234: when the injection is at this position, it is not detected.

Notice: sqlfetch called on invalid query resource. The most likely cause is an invalid sqlquery call. Last error returned was: Table 'dvwa.'1234' doesn't exist in query — SELECT * FROM '1234 WHERE id = '123' in /var/www/html/core/inc/bigtree/sql.php on line 158

Python version

Is Python 3.6.8 not supported? What is the highest Python version currently supported?

The IAST gray-box scan does not find XSS vulnerabilities; do I need to add an XSS hook myself?

After starting the IAST gray-box scanning tool, the management console shows only four vulnerability types: command execution, arbitrary file read, arbitrary file write and SQL injection; no other vulnerabilities are found.
The Preprocessor.log of openrasp-iast shows that hook_info is retrieved as empty.
The log is as follows:
"querystring": "password=&username=&BenchmarkTest02578=SafeText", "url": "https://localhost:8443/benchmark/xss-05/BenchmarkTest02578", "method": "get",
"path": "/benchmark/xss-05/BenchmarkTest02578"}, "hook_info": [], "plugin_version": "2019-1220-1800"}

To find XSS vulnerabilities, do I need to add an XSS hook myself and write a new xss_userinput_basic.py plugin?

The elasticsearch component fails to start

docker version

Client: Docker Engine - Community
 Version:           19.03.1
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        74b1e89e8a
 Built:             Thu Jul 25 21:21:35 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.1
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       74b1e89e8a
  Built:            Thu Jul 25 21:20:09 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

docker-compose version

docker-compose version 1.24.1, build 4667896
docker-py version: 3.7.3
CPython version: 2.7.12
OpenSSL version: OpenSSL 1.0.2g  1 Mar 2016

The Java process did not start

IAST docker-compose build failed.

Hi Supporter,
We are installing an IAST node in my test system; the installation script returns an error. Would you please help by giving me some advice?
Thanks and Best Regards

root@openrasp:/opt/openrasp-iast-master/docker/iast-cloud# docker-compose up
Building rasp-cloud
[+] Building 3.8s (7/12)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 658B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/debian:stretch-slim 2.2s
=> [1/8] FROM docker.io/library/debian:stretch-slim@sha256:abaa313c7e1dfe16069a1a42fa254014780f165d4fd084844602edbe2 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 122B 0.0s
=> CACHED [2/8] COPY sources.list /etc/apt/sources.list 0.0s
=> ERROR [3/8] RUN apt-get update && apt-get install -y wget curl procps 1.6s

[3/8] RUN apt-get update && apt-get install -y wget curl procps:
#0 0.265 Ign:1 http://mirrors.ustc.edu.cn/debian stretch InRelease
#0 0.296 Ign:2 http://mirrors.ustc.edu.cn/debian-security stretch/updates InRelease
#0 0.323 Ign:3 http://mirrors.ustc.edu.cn/debian stretch-updates InRelease
#0 0.355 Ign:4 http://mirrors.ustc.edu.cn/debian stretch Release
#0 0.386 Ign:5 http://mirrors.ustc.edu.cn/debian-security stretch/updates Release
#0 0.417 Ign:6 http://mirrors.ustc.edu.cn/debian stretch-updates Release
#0 0.445 Ign:7 http://mirrors.ustc.edu.cn/debian stretch/main all Packages
#0 0.475 Ign:8 http://mirrors.ustc.edu.cn/debian stretch/main amd64 Packages
#0 0.503 Ign:9 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main all Packages
#0 0.531 Ign:10 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main amd64 Packages
#0 0.562 Ign:11 http://mirrors.ustc.edu.cn/debian stretch-updates/main amd64 Packages
#0 0.592 Ign:12 http://mirrors.ustc.edu.cn/debian stretch-updates/main all Packages
#0 0.625 Ign:7 http://mirrors.ustc.edu.cn/debian stretch/main all Packages
#0 0.653 Ign:8 http://mirrors.ustc.edu.cn/debian stretch/main amd64 Packages
#0 0.684 Ign:9 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main all Packages
#0 0.712 Ign:10 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main amd64 Packages
#0 0.740 Ign:11 http://mirrors.ustc.edu.cn/debian stretch-updates/main amd64 Packages
#0 0.770 Ign:12 http://mirrors.ustc.edu.cn/debian stretch-updates/main all Packages
#0 0.803 Ign:7 http://mirrors.ustc.edu.cn/debian stretch/main all Packages
#0 0.830 Ign:8 http://mirrors.ustc.edu.cn/debian stretch/main amd64 Packages
#0 0.858 Ign:9 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main all Packages
#0 0.887 Ign:10 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main amd64 Packages
#0 0.915 Ign:11 http://mirrors.ustc.edu.cn/debian stretch-updates/main amd64 Packages
#0 0.943 Ign:12 http://mirrors.ustc.edu.cn/debian stretch-updates/main all Packages
#0 0.974 Ign:7 http://mirrors.ustc.edu.cn/debian stretch/main all Packages
#0 1.006 Ign:8 http://mirrors.ustc.edu.cn/debian stretch/main amd64 Packages
#0 1.034 Ign:9 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main all Packages
#0 1.065 Ign:10 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main amd64 Packages
#0 1.096 Ign:11 http://mirrors.ustc.edu.cn/debian stretch-updates/main amd64 Packages
#0 1.125 Ign:12 http://mirrors.ustc.edu.cn/debian stretch-updates/main all Packages
#0 1.155 Ign:7 http://mirrors.ustc.edu.cn/debian stretch/main all Packages
#0 1.186 Ign:8 http://mirrors.ustc.edu.cn/debian stretch/main amd64 Packages
#0 1.214 Ign:9 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main all Packages
#0 1.245 Ign:10 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main amd64 Packages
#0 1.274 Ign:11 http://mirrors.ustc.edu.cn/debian stretch-updates/main amd64 Packages
#0 1.305 Ign:12 http://mirrors.ustc.edu.cn/debian stretch-updates/main all Packages
#0 1.333 Ign:7 http://mirrors.ustc.edu.cn/debian stretch/main all Packages
#0 1.365 Err:8 http://mirrors.ustc.edu.cn/debian stretch/main amd64 Packages
#0 1.365 SECURITY: URL redirect target contains control characters, rejecting.
#0 1.392 Ign:9 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main all Packages
#0 1.421 Err:10 http://mirrors.ustc.edu.cn/debian-security stretch/updates/main amd64 Packages
#0 1.421 SECURITY: URL redirect target contains control characters, rejecting.
#0 1.450 Err:11 http://mirrors.ustc.edu.cn/debian stretch-updates/main amd64 Packages
#0 1.450 SECURITY: URL redirect target contains control characters, rejecting.
#0 1.481 Ign:12 http://mirrors.ustc.edu.cn/debian stretch-updates/main all Packages
#0 1.484 Reading package lists...
#0 1.491 W: The repository 'http://mirrors.ustc.edu.cn/debian stretch Release' does not have a Release file.
#0 1.491 W: The repository 'http://mirrors.ustc.edu.cn/debian-security stretch/updates Release' does not have a Release file.
#0 1.491 W: The repository 'http://mirrors.ustc.edu.cn/debian stretch-updates Release' does not have a Release file.
#0 1.491 E: Failed to fetch http://mirrors.ustc.edu.cn/debian/dists/stretch/main/binary-amd64/Packages SECURITY: URL redirect target contains control characters, rejecting.
#0 1.491 E: Failed to fetch http://mirrors.ustc.edu.cn/debian-security/dists/stretch/updates/main/binary-amd64/Packages SECURITY: URL redirect target contains control characters, rejecting.
#0 1.491 E: Failed to fetch http://mirrors.ustc.edu.cn/debian/dists/stretch-updates/main/binary-amd64/Packages SECURITY: URL redirect target contains control characters, rejecting.
#0 1.491 E: Some index files failed to download. They have been ignored, or old ones used instead.


Dockerfile:9

8 |
9 | >>> RUN apt-get update &&
10 | >>> apt-get install -y wget curl procps
11 |

ERROR: failed to solve: process "/bin/sh -c apt-get update && apt-get install -y wget curl procps" did not complete successfully: exit code: 100
ERROR: Service 'rasp-cloud' failed to build : Build failed

Started directly with docker, the service cannot be accessed

I went into the rasp-cloud container and had a look: the conf file is configured with port 80, not 8086. Did copying the conf file fail during the build? Can that happen? Running docker-compose up -d directly on a cloud host also does not work.

E: Package 'mysql-server' has no installation candidate

Building apache-php7.2
Step 1/13 : FROM php:7.2-apache
---> daddc1037fdf
Step 2/13 : LABEL MAINTAINER "OpenRASP [email protected]"
---> Using cache
---> 3efccf26469e
Step 3/13 : ARG RASP_VERSION
---> Using cache
---> 772c8b71f7da
Step 4/13 : RUN apt-get update && apt-get install -y wget unzip libpng-dev mysql-server
---> Running in 924ecce0eddc
Get:1 http://security-cdn.debian.org/debian-security buster/updates InRelease [39.1 kB]
Get:2 http://cdn-fastly.deb.debian.org/debian buster InRelease [122 kB]
Get:4 http://security-cdn.debian.org/debian-security buster/updates/main amd64 Packages [99.7 kB]
Get:3 http://cdn-fastly.deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:5 http://cdn-fastly.deb.debian.org/debian buster/main amd64 Packages [7899 kB]
Get:6 http://cdn-fastly.deb.debian.org/debian buster-updates/main amd64 Packages [5792 B]
Fetched 8214 kB in 19s (433 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Package mysql-server is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'mysql-server' has no installation candidate
ERROR: Service 'apache-php7.2' failed to build: The command '/bin/sh -c apt-get update && apt-get install -y wget unzip libpng-dev mysql-server' returned a non-zero code: 100
