Managed actions

Created: August 20, 2024
Updated: August 20, 2024

When creating an event-driven or scheduled action you can choose to set up a managed action. These are out-of-the-box integrations provided by FireTail. There are various types of managed actions available:

  • API Contract Testing - Test that the entered endpoint behaves as defined in its OpenAPI specification.
  • API CVE Detection - Scan the entered endpoint for CVEs.
  • SSL Vulnerabilities Detection - Scan the entered endpoint for SSL vulnerabilities.
  • Data Exposure Detection - Scan the entered endpoint for data exposure.
  • Default Login Detection - Scan the entered endpoint to check whether you are hosting any services that still use default login credentials.
  • Fuzzing Detection - Fuzz the entered endpoint.

API Contract Testing

This managed action tests that your endpoints behave as defined in the OpenAPI specification. 

Request Validation

Testing involves sending various types of requests to your API's endpoints and validating the responses. For instance, if an endpoint requires a request parameter to be an integer within the range of 0 to 1000, contract testing sends valid requests such as:

  • A value of 0
  • A value of 1000
  • A value such as 634

To ensure robustness, the test will also send incorrect requests that fall outside the specified parameters. Examples include:

  • A value of -1
  • A value of -729
  • A value of 5007
  • A value of "foobar" (a string instead of an integer)

Response Validation

For each request, the test will check the received response against the responses defined in the OpenAPI specification. This includes:

  • Verifying that the response status codes and formats match those listed in the specification.
  • Flagging undefined responses, such as a "404 Not Found" when only "400 Bad Request" is specified, as findings.
  • Flagging any server errors (5xx responses) as findings, even if they are listed in the specification, because a well-designed server should not throw errors under normal circumstances.

Findings

If any request results in a response not defined in the specification, such as a "404 Not Found" instead of "400 Bad Request", a finding is created. Similarly, any server error response (5xx) is reported as a finding, since it indicates a potential issue in the API's design or implementation.
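The three steps above (boundary-value request generation, response validation against the documented status codes, and turning violations into findings) fit in a short checker. The following is an added example, not FireTail's implementation: the OpenAPI fragment, the `toy_handler` stand-in and its two deliberate contract bugs are constructed for illustration.

```python
"""Boundary-value contract check against an OpenAPI fragment (added example)."""
from typing import Callable, Dict, List

# Constructed OpenAPI fragment: one GET operation with an integer query
# parameter bounded to 0..1000 and two documented responses (200 and 400).
SPEC = {
    "paths": {
        "/items": {
            "get": {
                "parameters": [
                    {
                        "name": "limit",
                        "in": "query",
                        "schema": {"type": "integer", "minimum": 0, "maximum": 1000},
                    }
                ],
                "responses": {"200": {"description": "OK"}, "400": {"description": "Bad Request"}},
            }
        }
    }
}


def boundary_values(schema: dict):
    """Derive valid and invalid probe values from an integer schema's bounds."""
    lo, hi = schema["minimum"], schema["maximum"]
    valid = [lo, hi, lo + (hi - lo) // 2]           # both edges and an interior value
    invalid = [lo - 1, lo - 729, hi + 1, "foobar"]  # below, far below, above, wrong type
    return valid, invalid


def toy_handler(path: str, params: Dict[str, object]) -> int:
    """Constructed stand-in for a real API; returns an HTTP status code.

    It deliberately contains two contract bugs so the checker has something
    to find: negative limits produce an undocumented 404, and limits above
    the maximum fall through to a 500.
    """
    if path != "/items":
        return 404
    try:
        limit = int(str(params.get("limit")))
    except ValueError:
        return 400   # correct: a non-integer is rejected with a documented code
    if limit < 0:
        return 404   # bug: the spec documents only 200 and 400
    if limit > 1000:
        return 500   # bug: server error instead of a 400
    return 200


def check_contract(spec: dict, send: Callable[[str, dict], int]) -> List[dict]:
    """Send boundary probes for every parameter and collect contract violations.

    A finding is raised when the status is not listed in the spec, when any
    5xx is returned (even if listed), when a valid value is rejected, or when
    an invalid value is accepted.
    """
    findings = []
    for path, operations in spec["paths"].items():
        for method, op in operations.items():
            documented = {int(code) for code in op.get("responses", {})}
            for param in op.get("parameters", []):
                valid, invalid = boundary_values(param["schema"])
                probes = [(v, True) for v in valid] + [(v, False) for v in invalid]
                for value, should_succeed in probes:
                    status = send(path, {param["name"]: value})
                    reason = None
                    if status >= 500:
                        reason = "server error"
                    elif status not in documented:
                        reason = "undefined response"
                    elif should_succeed and status >= 400:
                        reason = "valid request rejected"
                    elif not should_succeed and status < 400:
                        reason = "invalid request accepted"
                    if reason:
                        findings.append({"method": method.upper(), "path": path,
                                         "param": param["name"], "value": value,
                                         "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in check_contract(SPEC, toy_handler):
        print(finding)
```

Run against `toy_handler`, the checker reports the two negative probes as undefined 404 responses and the over-range probe as a server error; the `"foobar"` probe produces the documented 400 and is therefore not a finding. Replacing `toy_handler` with a function that performs a real HTTP request turns this into a live contract check.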

API CVE Detection

This managed action scans your endpoint for CVEs (Common Vulnerabilities and Exposures) and generates observations. Each CVE identifier carries the year in which the vulnerability was discovered or publicly disclosed, followed by a unique sequence number. In total, 2302 checks are made. See the table below for some examples of CVEs that are scanned for in this managed action.

CVE identifier | Name | Description | Severity
CVE-2024-21893 | Ivanti SAML - Server Side Request Forgery (SSRF) | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | High
CVE-2023-49103 | OwnCloud - Phpinfo Configuration | An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. | High
CVE-2023-42442 | JumpServer > 3.6.4 - Information Disclosure | JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The api `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. SessionViewSet permission classes set to `[RBACPermission | IsSessionAssignee]`, relation is or, so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the api `$HOST/api/v1/terminal/sessions/?limit=1`. The expected http response code is 401 (`not_authenticated`). | Medium
CVE-2023-48023 | Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery | The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid. | High

SSL Vulnerabilities Detection

This managed action will scan your endpoint for SSL Vulnerabilities and generate observations. SSL (Secure Sockets Layer) vulnerabilities refer to weaknesses or flaws in the SSL protocol or implementations that could potentially compromise the security of data transmitted over the internet. SSL is a cryptographic protocol used to establish secure connections between a web server and a client, typically a web browser, ensuring that data exchanged between them is encrypted and protected from interception or tampering. In total, 24 SSL checks are made. See the table below for examples of SSL vulnerability detections:

SSL examples:

ID | Name | Description | Severity
insecure-cipher-suite-detect | Insecure Cipher Suite Detection | Weak ciphers are those encryption algorithms vulnerable to attack, often as a result of an insufficient key length. | Low
mismatched-ssl-certificate | Mismatched SSL Certificate | Mismatched certificates occur when there is inconsistency between the common name to which the certificate was issued and the domain name in the URL. This issue impacts the trust value of the affected website. | Low
untrusted-root-certificate | Untrusted Root Certificate - Detection | A root certificate is a digital certificate issued by a trusted certificate authority that acts as a basis for other digital certificates. An untrusted root certificate is a certificate that is issued by an authority that is not trusted by the computer, and therefore cannot be used to authenticate websites or other digital certificates. | Low
metasploit-c2 | Metasploit C2 - Detection | The Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit serves as both an exploitation and a C2 framework. | Info

Data Exposure Detection

This managed action will scan your endpoint for data exposure and generate observations. In total, 467 data exposure checks are made. See the table below for examples of data exposure detections:

ID | Name | Description | Severity
aws-config | AWS Configuration - Detection | AWS config found via /.aws/config. | Medium
aws-credentials | AWS Credentials - Detection | AWS credentials found via /.aws/credentials endpoint. | High
openapi | OpenAPI - Detection | OpenAPI was detected. | Info
swagger-api | Public Swagger API - Detection | Public Swagger API was detected. | Info
access-log-file | Publicly accessible access-log file | Log file was exposed. | Low
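The same exposures can be spotted from the server side: if a web server ever answered 200 for `/.aws/credentials`, the access log records it. The following detection is an added example, not FireTail's scanner. It reuses the finding ids and the two `/.aws/` paths from the table; the paths assumed for the OpenAPI, Swagger and access-log entries, and the log lines themselves, are constructed.

```python
"""Access-log detection for exposed config/credential files (added example)."""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Finding id and severity per sensitive path. The /.aws/ paths come from the
# table above; the remaining paths are assumptions for illustration.
SENSITIVE_PATHS = {
    "/.aws/config": ("aws-config", "Medium"),
    "/.aws/credentials": ("aws-credentials", "High"),
    "/openapi.json": ("openapi", "Info"),        # assumed path
    "/swagger.json": ("swagger-api", "Info"),    # assumed path
    "/access.log": ("access-log-file", "Low"),   # assumed path
}

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one probe that was blocked, two files that were served,
# including a percent-encoded and a query-string variant of the same path.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [20/Aug/2024:10:00:02 +0000] "GET /.aws/config HTTP/1.1" 404 153
203.0.113.5 - - [20/Aug/2024:10:00:03 +0000] "GET /.aws/credentials HTTP/1.1" 200 116
198.51.100.7 - - [20/Aug/2024:10:05:10 +0000] "GET /.aws/credentials?cb=1 HTTP/1.1" 200 116
198.51.100.7 - - [20/Aug/2024:10:05:11 +0000] "GET /%2Eaws/credentials HTTP/1.1" 200 116
198.51.100.7 - - [20/Aug/2024:10:05:12 +0000] "GET /openapi.json HTTP/1.1" 200 8840
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match the format."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    # Normalise the target: drop the query string and percent-decode, so that
    # /%2Eaws/credentials and /.aws/credentials?cb=1 both map to /.aws/credentials.
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    return rec


def find_exposures(log_text: str) -> List[dict]:
    """Return one entry per sensitive path that appears in the log.

    `exposed` is True when the path was served with a 2xx; `sources` lists the
    IPs that received it, and `probes` counts requests that were refused.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] not in SENSITIVE_PATHS:
            continue
        fid, severity = SENSITIVE_PATHS[rec["path"]]
        entry = hits.setdefault(fid, {"id": fid, "severity": severity, "path": rec["path"],
                                      "exposed": False, "sources": set(), "probes": 0})
        if 200 <= rec["status"] < 300:
            entry["exposed"] = True
            entry["sources"].add(rec["ip"])
        else:
            entry["probes"] += 1
    findings = sorted(hits.values(), key=lambda e: e["id"])
    for entry in findings:
        entry["sources"] = sorted(entry["sources"])
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_LOG):
        print(finding)
```

Normalising the path before the lookup is the part worth keeping: a scanner and a real visitor may both reach the same file through encoded or query-decorated variants, and a detection that compares raw request targets misses them.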

Default Login Detection

This managed action will scan your endpoint to see if you are hosting any services using default login credentials and generate observations. In total, 173 default login checks are made. See the table below for some examples of default login detections:

ID | Name | Description | Severity
rancher-default-login | Rancher Default Login | Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes. | High
solarwinds-default-admin | SolarWinds Orion Default Login | SolarWinds Orion default admin credentials were discovered. | High
elasticsearch-default-login | ElasticSearch - Default Login | Elasticsearch default credentials were discovered. | High
gitlab-weak-login | Gitlab Default Login | Gitlab default login credentials were discovered. | High

Fuzzing Detection

This managed action will fuzz your endpoint and generate observations.

Fuzzing an endpoint involves sending a large volume of invalid, unexpected, or random data inputs to the endpoint, to identify vulnerabilities, crashes, or unexpected behavior. This technique aims to discover security flaws, such as buffer overflows, injection vulnerabilities, or parsing errors, that may not be identified through traditional testing methods. In total, 11 fuzzing checks are made. See the table below for some examples:

ID | Name | Description | Severity
cache-poisoning-fuzz | Cache Poison Fuzzing | Cache poisoning is aimed at manipulating the client-side cache to force clients to load resources that are unexpected, partial, or under the control of an attacker. | Info
xff-403-bypass | X-Forwarded-For 403-forbidden bypass | Template to detect 403 forbidden endpoint bypass behind Nginx/Apache proxy & load balancers, based on X-Forwarded-For header. | Info
linux-lfi-fuzzing | Linux - Local File Inclusion Fuzzing | Multiple fuzzes for /etc/passwd were run against the passed URLs, revealing multiple instances of a local file inclusion vulnerability. | High
header-command-injection | Header - Remote Command Injection | Headers were tested for remote command injection vulnerabilities. | Critical
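The paragraph on fuzzing describes the mechanism (many invalid, unexpected or random inputs; watch for crashes and unexpected behaviour) in general terms. The following is an added example, not FireTail's fuzzing action, showing the technique applied to your own request-parsing code before it is ever deployed: a seeded mutation fuzzer drives a query-string parser and records every input that makes it raise, which in an HTTP handler is the path to a 5xx. The naive `buggy_parse` and the hardened `safe_parse` are constructed for illustration.

```python
"""Seeded mutation fuzzer for a request-parsing function (added example)."""
import random
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs

# Characters the mutator may insert: ordinary text plus the separators and
# metacharacters most likely to upset a hand-written parser.
ALPHABET = "abc123&=%+ \x00\"'<>/"


def buggy_parse(qs: str) -> Dict[str, str]:
    """Naive parser: raises ValueError on any segment without '=' (e.g. 'a1&b=2' or '')."""
    return dict(pair.split("=", 1) for pair in qs.split("&"))


def safe_parse(qs: str) -> Dict[str, List[str]]:
    """Hardened replacement: tolerates blank values and missing separators."""
    return parse_qs(qs, keep_blank_values=True)


def mutate(rng: random.Random, s: str) -> str:
    """Apply one random edit to s: delete, insert or replace a character."""
    op = rng.choice(("delete", "insert", "replace"))
    if op == "delete" and s:
        i = rng.randrange(len(s))
        return s[:i] + s[i + 1:]
    i = rng.randrange(len(s) + 1)
    ch = rng.choice(ALPHABET)
    if op == "replace" and s:
        i = min(i, len(s) - 1)
        return s[:i] + ch + s[i + 1:]
    return s[:i] + ch + s[i:]


def fuzz(target: Callable[[str], object], seed: int = 0, iterations: int = 500,
         seed_input: str = "a=1&b=2") -> List[Tuple[str, str]]:
    """Feed `iterations` mutated inputs to `target`; return (input, error) per crash.

    Inputs that the target survives are added to the corpus and mutated
    further, so later iterations drift away from the original seed input.
    The fixed seed makes every run reproducible, which matters when a crash
    has to be handed to a developer.
    """
    rng = random.Random(seed)
    crashes = []
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        try:
            target(candidate)
            corpus.append(candidate)
        except Exception as exc:  # a fuzzer must catch everything the target throws
            crashes.append((candidate, repr(exc)))
    return crashes


if __name__ == "__main__":
    found = fuzz(buggy_parse, seed=1)
    print(f"buggy_parse: {len(found)} crashing inputs, first: {found[0] if found else None}")
    print(f"safe_parse: {len(fuzz(safe_parse, seed=1))} crashing inputs")
```

The seeded random source and the growing corpus are the two choices that make this more than random noise: the first lets a crash be replayed exactly, the second lets the fuzzer build on inputs the parser accepted rather than restarting from the template each time.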