When creating an event-driven or scheduled action you can choose to set up a managed action. These are out-of-the-box integrations provided by FireTail. There are various types of managed actions available:
- API Contract Testing - Test that your API's endpoints behave as defined in the OpenAPI specification.
- GraphQL Testing - Test your GraphQL API for vulnerabilities.
- API CVE Detection - Scan the entered endpoint for CVEs.
- SSL Vulnerabilities Detection - Scan the entered endpoint for SSL vulnerabilities.
- Data Exposure Detection - Scan the entered endpoint for data exposure.
- Default Login Detection - Scan the entered endpoint to check if you are hosting any services using default login credentials.
- Fuzzing Detection - Fuzz the entered endpoint.
GraphQL testing
This managed action will test your GraphQL API for vulnerabilities. The following tests are conducted:
- Alias Overloading (DoS) - The `alias_overloading` function checks for potential Denial of Service (DoS) vulnerabilities in a GraphQL API by sending a query with over 100 aliases. If the API processes the request and returns data for `alias100`, the server may be susceptible to resource exhaustion.
- Batch Queries (DoS) - The `batch_query` function tests a GraphQL API for potential Denial of Service (DoS) vulnerabilities by sending a request with 10 or more simultaneous queries. If the API processes and returns results for these batch queries, the server may be vulnerable to performance issues under heavy load.
- GET based Queries (CSRF) - The `get_method_support` function tests whether a GraphQL endpoint supports queries via HTTP GET, which could expose it to CSRF risks. It sends a basic query using the GET method and checks for a valid response.
- POST based Queries using URL-encoded payloads (CSRF) - The `post_based_csrf` function tests whether a GraphQL endpoint accepts queries via POST in a non-JSON format, which could make it vulnerable to CSRF attacks. It sends a URL-encoded query as POST data and checks whether the server processes it successfully.
- GraphQL Tracing / Debug Modes (Info Leak) - The `trace_mode` function checks whether a GraphQL server has tracing enabled, which could reveal additional metadata about query processing. It sends a query and examines the response for tracing data under `extensions`.
- Field Duplication (DoS) - The `field_duplication` function tests how a GraphQL API handles excessive repetition of the same field within a query. Specifically, it checks whether the API accepts a query containing 500 duplicate instances of the `__typename` field. If the API successfully processes this query and returns data, this indicates a potential Denial of Service (DoS) vulnerability: the server can be overloaded with redundant data requests.
- Field Suggestions (Info Leak) - The `field_suggestions` function checks whether a GraphQL API exposes field suggestions, which can lead to information leaks. It sends a query to the API and looks for the phrase "Did you mean" in error messages, which indicates that the API hints at possible field names and so risks exposing schema details.
- GraphiQL (Info Leak) - The `detect_graphiql` function checks whether the GraphiQL interface or other GraphQL IDEs (e.g., GraphQL Playground) are accessible on the given endpoint, which could indicate information leakage. It sends a request with modified headers and looks for specific keywords in the response that reveal the presence of these tools.
- Introspection (Info Leak) - The `introspection` function tests whether the GraphQL endpoint allows introspection queries, which could expose the schema and types used by the GraphQL service. It sends an introspection query and checks for the presence of schema details; if introspection is enabled, the endpoint is flagged for information leakage.
- Directives Overloading (DoS) - The `directive_overloading` function tests whether a GraphQL API can handle queries with excessive or repeated custom directives, which may lead to Denial of Service (DoS) conditions. If the API returns 10 errors in response to a query with repeated directives, this indicates a potential vulnerability where the server could be overwhelmed or otherwise affected by such malformed queries.
- Circular Query using Introspection (DoS) - The `circular_query_introspection` function tests whether a GraphQL endpoint is vulnerable to denial of service via recursive introspection queries. It sends a deeply nested query that repeatedly traverses type fields and assesses the server's response to detect potential weaknesses.
- Mutation support over GET methods (CSRF) - The `get_based_mutation` function tests whether GraphQL mutations can be executed using the HTTP GET method, which could expose the API to Cross-Site Request Forgery (CSRF) attacks. It sends a mutation as a GET request and checks for a successful response, which indicates that mutation support over GET is enabled.
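The server-side counterpart of the DoS and CSRF checks above, as an added example that is not FireTail code: a request is executed only if it arrives as a JSON POST (closing the GET and URL-encoded CSRF paths) and only if the query stays within alias, directive, field-repetition and nesting budgets (the alias overloading, directive overloading, field duplication and circular-introspection patterns). The regex-based analyzer, the `QueryLimits` defaults and the sample queries are assumptions constructed for this example; a production service would apply the same limits with its GraphQL library's validation rules.

```python
"""Assumed server-side guard for the GraphQL abuse patterns described above
(added example, not FireTail code). The limits are illustrative defaults."""
import re
from collections import Counter
from dataclasses import dataclass

_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # string literals
_ARGS_RE = re.compile(r'\([^()]*\)')             # innermost (...) argument list
_ALIAS_RE = re.compile(r'\b\w+\s*:\s*(?=\w)')    # alias: field (args already removed)
_DIRECTIVE_RE = re.compile(r'@\w+')
_IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')
_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on",
             "true", "false", "null"}


@dataclass(frozen=True)
class QueryLimits:
    max_aliases: int = 10
    max_directives: int = 10
    max_field_repeats: int = 20
    max_depth: int = 8


def strip_literals(query: str) -> str:
    """Blank out strings and argument lists so that `(id: 1)`, or a string
    containing '{' or '@', is not counted as an alias, a level or a directive."""
    body = _STRING_RE.sub('""', query)
    while True:
        reduced = _ARGS_RE.sub("", body)
        if reduced == body:
            return body
        body = reduced


def selection_depth(body: str) -> int:
    """Deepest nesting of selection sets (braces) in an argument-free body."""
    depth = deepest = 0
    for ch in body:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def analyze_query(query: str) -> dict:
    """Cheap structural counters that the limits are checked against."""
    body = strip_literals(query)
    names = Counter(tok for tok in _IDENT_RE.findall(_DIRECTIVE_RE.sub("", body))
                    if tok not in _KEYWORDS)
    return {
        "aliases": len(_ALIAS_RE.findall(body)),
        "directives": len(_DIRECTIVE_RE.findall(body)),
        "max_field_repeats": max(names.values(), default=0),
        "depth": selection_depth(body),
    }


def query_violations(query: str, limits: QueryLimits = QueryLimits()) -> list:
    """Human-readable reasons to reject the query; empty means it may run."""
    stats = analyze_query(query)
    budget = {"aliases": limits.max_aliases, "directives": limits.max_directives,
              "max_field_repeats": limits.max_field_repeats, "depth": limits.max_depth}
    return [f"{key}={stats[key]} exceeds {cap}" for key, cap in budget.items()
            if stats[key] > cap]


def transport_is_acceptable(method: str, content_type: str) -> bool:
    """Execute operations only from JSON POSTs: a cross-site form or GET cannot
    produce one without a CORS preflight, which removes the GET and
    URL-encoded CSRF paths that the checks above probe for."""
    media_type = content_type.split(";")[0].strip().lower()
    return method.upper() == "POST" and media_type == "application/json"


# Constructed sample queries mirroring the checks above (not real traffic).
NORMAL_QUERY = "query GetUser($id: ID!) { user(id: $id) { name posts(first: 5) { title } } }"
ALIAS_OVERLOAD_QUERY = "{ " + " ".join(f"alias{i}: __typename" for i in range(1, 102)) + " }"
DIRECTIVE_OVERLOAD_QUERY = "{ __typename " + " ".join("@skip(if: false)" for _ in range(11)) + " }"
FIELD_DUPLICATION_QUERY = "{ " + " ".join(["__typename"] * 500) + " }"
DEEP_INTROSPECTION_QUERY = ("{ __schema { types " + "{ fields { type " * 5
                            + "{ name }" + " } }" * 5 + " } }")

if __name__ == "__main__":
    for label, q in (("normal", NORMAL_QUERY), ("aliases", ALIAS_OVERLOAD_QUERY),
                     ("directives", DIRECTIVE_OVERLOAD_QUERY),
                     ("duplication", FIELD_DUPLICATION_QUERY),
                     ("deep introspection", DEEP_INTROSPECTION_QUERY)):
        print(f"{label}: {query_violations(q) or 'ok'}")
    print("GET allowed:", transport_is_acceptable("GET", ""))
```

The analyzer is deliberately a pre-parse filter: it runs before the query is parsed or resolved, so an abusive document is rejected at the cost of a few regex passes rather than after the server has already done the expensive work. Batch requests (arrays of operations) are handled the same way by applying the limits to each element and capping the array length.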
API contract testing
This managed action tests that your endpoints behave as defined in the OpenAPI specification.
Request Validation
Testing involves sending various types of requests to your API's endpoints and validating the responses. For instance, if an endpoint requires a request parameter to be an integer within the range of 0 to 1000, then contract testing will test by sending correct requests such as:
- A value of 0
- A value of 1000
- A value such as 634
To ensure robustness, the test will also send incorrect requests that fall outside the specified parameters. Examples include:
- A value of -1
- A value of -729
- A value of 5007
- A value of "foobar" (a string instead of an integer)
Response Validation
For each request, the test will check the received response against the responses defined in the OpenAPI specification. This includes:
- Verifying that the response status codes and formats match those listed in the specification.
- Ensuring that undefined responses, such as a "404 Not Found" when only "400 Bad Request" is specified, are flagged as findings.
- Any server errors (5xx responses) will also be flagged as findings, even if they are listed in the specification, as well-designed servers should not throw errors under normal circumstances.
Findings
If any of the requests result in responses not defined in the specification, such as a "404 Not Found" instead of "400 Bad Request", this will create a finding. Similarly, any server error responses (5xx) will also be reported as findings, indicating potential issues in the API's design or implementation.
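The request validation, response validation and findings logic above for a single integer parameter, as an added example that is not FireTail's code. The schema fragment, the set of declared responses and the stand-in handler are constructed for the demonstration; the generator picks both bounds and the midpoint as valid values and one past each bound plus a string as invalid values (the 634, -729 and 5007 in the text are arbitrary picks of the same kind). Beyond the text, it also flags a schema-valid value that is rejected or a schema-invalid value that is accepted, since both contradict the contract.

```python
"""Added example, not FireTail code: contract-test case generation and
response classification for one integer parameter. All inputs are constructed."""
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Finding:
    value: Any
    status: int
    reason: str


def generate_cases(schema: dict) -> dict:
    """Boundary values for an integer parameter with minimum/maximum."""
    lo, hi = schema["minimum"], schema["maximum"]
    return {"valid": [lo, hi, (lo + hi) // 2],
            "invalid": [lo - 1, hi + 1, "foobar"]}


def classify(status: int, declared: set, expect_success: bool) -> Optional[str]:
    """Reason this response is a finding, or None if it matches the contract."""
    if status >= 500:
        return "server error (5xx) is always a finding"
    if status not in declared:
        return f"status {status} is not declared in the specification"
    if expect_success and not 200 <= status < 300:
        return "schema-valid request was rejected"
    if not expect_success and 200 <= status < 300:
        return "schema-invalid request was accepted"
    return None


def run_contract_test(handler: Callable[[Any], int], schema: dict, declared: set) -> list:
    """Send every generated value through the handler and collect findings."""
    findings = []
    cases = generate_cases(schema)
    for expect_success, values in ((True, cases["valid"]), (False, cases["invalid"])):
        for value in values:
            status = handler(value)
            reason = classify(status, declared, expect_success)
            if reason is not None:
                findings.append(Finding(value, status, reason))
    return findings


# Constructed spec fragment: a `limit` query parameter, integer 0..1000,
# with only 200 and 400 declared as responses.
LIMIT_SCHEMA = {"type": "integer", "minimum": 0, "maximum": 1000}
DECLARED_RESPONSES = {200, 400}


def buggy_handler(raw: Any) -> int:
    """Constructed stand-in for the endpoint with two contract defects: a
    non-integer value falls through to an undeclared 404, and a negative
    value reaches an unhandled code path that answers 500."""
    if not isinstance(raw, int):
        return 404
    if raw < 0:
        return 500
    if raw > 1000:
        return 400
    return 200


if __name__ == "__main__":
    for finding in run_contract_test(buggy_handler, LIMIT_SCHEMA, DECLARED_RESPONSES):
        print(f"limit={finding.value!r} -> {finding.status}: {finding.reason}")
```

Against a real endpoint the handler would be an HTTP call that returns the status code; the classification is unchanged, which is the point: the verdict depends only on the specification and the observed status, never on what the server "meant".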
API CVE detection
This managed action scans your endpoint for CVEs (common vulnerabilities and exposures) and generates observations. CVEs are identified by the year in which the vulnerability was discovered or publicly disclosed. Each CVE entry receives a unique identifier number. In total, 2302 checks are made. See the table below for some examples of CVEs that are scanned for in this managed action.
| CVE identifier | Name | Description | Severity |
| --- | --- | --- | --- |
| CVE-2024-21893 | Ivanti SAML - Server Side Request Forgery (SSRF) | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | High |
| CVE-2023-49103 | OwnCloud - Phpinfo Configuration | An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. | High |
| CVE-2023-42442 | JumpServer > 3.6.4 - Information Disclosure | JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission \| IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`). | Medium |
| CVE-2023-48023 | Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery | The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid. | High |
SSL Vulnerabilities detection
This managed action will scan your endpoint for SSL Vulnerabilities and generate observations. SSL (Secure Sockets Layer) vulnerabilities refer to weaknesses or flaws in the SSL protocol or implementations that could potentially compromise the security of data transmitted over the internet. SSL is a cryptographic protocol used to establish secure connections between a web server and a client, typically a web browser, ensuring that data exchanged between them is encrypted and protected from interception or tampering. In total, 24 SSL checks are made. See the table below for examples of SSL vulnerability detections:
SSL examples:
| ID | Name | Description | Severity |
| --- | --- | --- | --- |
| insecure-cipher-suite-detect | Insecure Cipher Suite Detection | Weak ciphers are encryption algorithms vulnerable to attack, often as a result of an insufficient key length. | Low |
| mismatched-ssl-certificate | Mismatched SSL Certificate | Mismatched certificates occur when there is an inconsistency between the common name to which the certificate was issued and the domain name in the URL. This issue impacts the trust value of the affected website. | Low |
| untrusted-root-certificate | Untrusted Root Certificate - Detection | A root certificate is a digital certificate issued by a trusted certificate authority that acts as a basis for other digital certificates. An untrusted root certificate is a certificate that is issued by an authority that is not trusted by the computer, and therefore cannot be used to authenticate websites or other digital certificates. | Low |
| metasploit-c2 | Metasploit C2 - Detection | The Metasploit Framework is a powerful tool that provides a universal interface for working with vulnerability exploit code. It contains exploit code for a wide range of vulnerabilities that affect web servers, OSes, network equipment and everything in between, and it serves as both an exploitation and a C2 framework. | Info |
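A small client-side auditor for the certificate and cipher findings in the table above, as an added example that is not FireTail's scanner. `hostname_matches` implements the leftmost-label wildcard rule used for certificate name matching (so `*.example.com` covers `api.example.com` but not `example.com` or `a.b.example.com`), the weak-cipher markers are an assumed policy for the demonstration, and `audit_endpoint`, the only function that touches the network, uses nothing beyond Python's standard `ssl` module. The finding IDs are the ones from the table; the certificate dictionaries in the usage are constructed.

```python
"""Added example, not FireTail code: offline name/cipher classification plus a
standard-library TLS handshake that reports findings with the IDs above."""
import socket
import ssl
import sys

# Assumed policy: substrings of an OpenSSL cipher name that mark it as weak.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")


def cipher_weaknesses(cipher_name: str) -> list:
    """Markers from the assumed weak-cipher policy found in the cipher name."""
    upper = cipher_name.upper()
    return [marker for marker in WEAK_CIPHER_MARKERS if marker in upper]


def hostname_matches(hostname: str, cert_names: list) -> bool:
    """Case-insensitive comparison of the requested host with the DNS names in a
    certificate. A wildcard is honoured only as the whole leftmost label and
    matches exactly one label; *.tld style wildcards are refused."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def certificate_names(cert: dict) -> list:
    """DNS names from ssl.SSLSocket.getpeercert(): subjectAltName entries,
    falling back to the subject commonName when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Handshake with the platform trust store and collect findings. Chain
    validation stays on, so any validation failure (untrusted root, expiry, ...)
    surfaces as SSLCertVerificationError with OpenSSL's reason; the name check is
    done here instead of by the context so a mismatch is its own finding."""
    findings = []
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                names = certificate_names(tls.getpeercert())
                if not hostname_matches(host, names):
                    findings.append({"id": "mismatched-ssl-certificate",
                                     "detail": f"{host} not covered by {names}"})
                cipher_name, _protocol, bits = tls.cipher()
                for marker in cipher_weaknesses(cipher_name):
                    findings.append({"id": "insecure-cipher-suite-detect",
                                     "detail": f"{cipher_name} ({bits} bits) contains {marker}"})
    except ssl.SSLCertVerificationError as exc:
        findings.append({"id": "untrusted-root-certificate", "detail": exc.verify_message})
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python tls_audit.py <hostname> [port]")
    port_arg = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(audit_endpoint(sys.argv[1], port_arg) or "no findings")
```

Note that `ssl.create_default_context()` already refuses protocol versions below TLS 1.2, so a successful handshake here is itself evidence that a modern protocol was negotiated; probing a server for legacy protocol support would need a separate context with a lowered `minimum_version`.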
Data exposure detection
This managed action will scan your endpoint for data exposure and generate observations. In total, 467 data exposure checks are made. See the table below for examples of data exposure detections:
| ID | Name | Description | Severity |
| --- | --- | --- | --- |
| aws-config | AWS Configuration - Detection | AWS config found via /.aws/config. | Medium |
| aws-credentials | AWS Credentials - Detection | AWS credentials found via /.aws/credentials endpoint. | High |
| openapi | OpenAPI - Detection | OpenAPI was detected. | Info |
| swagger-api | Public Swagger API - Detection | Public Swagger API was detected. | Info |
| access-log-file | Publicly accessible access-log file | Log file was exposed. | Low |
Default login detection
This managed action will scan your endpoint to see if you are hosting any services using default login credentials and generate observations. In total, 173 default login checks are made. See the table below for some examples of default login detections:
| ID | Name | Description | Severity |
| --- | --- | --- | --- |
| rancher-default-login | Rancher Default Login | Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes. | High |
| solarwinds-default-admin | SolarWinds Orion Default Login | SolarWinds Orion default admin credentials were discovered. | High |
| elasticsearch-default-login | ElasticSearch - Default Login | Elasticsearch default credentials were discovered. | High |
| gitlab-weak-login | Gitlab Default Login | Gitlab default login credentials were discovered. | High |
Fuzzing detection
This managed action will fuzz your endpoint and generate observations.
Fuzzing an endpoint involves sending a large volume of invalid, unexpected, or random data inputs to the endpoint, to identify vulnerabilities, crashes, or unexpected behavior. This technique aims to discover security flaws, such as buffer overflows, injection vulnerabilities, or parsing errors, that may not be identified through traditional testing methods. In total, 11 fuzzing checks are made. See the table below for some examples:
| ID | Name | Description | Severity |
| --- | --- | --- | --- |
| cache-poisoning-fuzz | Cache Poison Fuzzing | Cache poisoning is aimed at manipulating the client-side cache to force clients to load resources that are unexpected, partial, or under the control of an attacker. | Info |
| xff-403-bypass | X-Forwarded-For 403-forbidden bypass | Template to detect 403 forbidden endpoint bypass behind Nginx/Apache proxy & load balancers, based on X-Forwarded-For header. | Info |
| linux-lfi-fuzzing | Linux - Local File Inclusion Fuzzing | Multiple fuzzes for /etc/passwd on passed URLs were conducted, leading to multiple instances of local file inclusion vulnerability. | High |
| header-command-injection | Header - Remote Command Injection | Headers were tested for remote command injection vulnerabilities. | Critical |