// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016 Datadog, Inc.
package grpc
import (
"context"
"strings"
"testing"
"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/mocktracer"
"gopkg.in/DataDog/dd-trace-go.v1/internal/appsec"
"github.com/stretchr/testify/require"
"google.golang.org/grpc/metadata"
)
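// TestAppSec exercises the gRPC AppSec integration end to end: it starts
// appsec, sends requests carrying attack payloads through the test rig's
// unary and streaming Ping RPCs, and checks that the handler still answers
// normally while the finished span carries the appsec event that reports
// the matched rules.
//
// The test is skipped when appsec is not enabled in this environment.
func TestAppSec(t *testing.T) {
	appsec.Start()
	defer appsec.Stop()
	if !appsec.Enabled() {
		t.Skip("appsec disabled")
	}

	rig, err := newRig(false)
	require.NoError(t, err)
	defer rig.Close()
	client := rig.client

	// attackCtx returns an outgoing context carrying the canary metadata value
	// that the scanner rule set is expected to flag.
	attackCtx := func() context.Context {
		return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("dd-canary", "dd-test-scanner-log"))
	}

	// requireRules asserts that the appsec event JSON reports every expected
	// rule ID. The event is read as a string, so an absent or mistyped tag shows
	// up as an empty event (a string can never be nil, which is why NotNil was
	// not a meaningful check here).
	requireRules := func(t *testing.T, event string, ruleIDs ...string) {
		t.Helper()
		require.NotEmpty(t, event, "missing _dd.appsec.json tag on the finished span")
		for _, id := range ruleIDs {
			require.Truef(t, strings.Contains(event, id), "appsec event does not report rule %q: %s", id, event)
		}
	}

	t.Run("unary", func(t *testing.T) {
		mt := mocktracer.Start()
		defer mt.Stop()

		// Send a XSS attack in the payload along with the canary value in the RPC metadata
		res, err := client.Ping(attackCtx(), &FixtureRequest{Name: "<script>alert('xss');</script>"})
		// Check that the handler was properly called
		require.NoError(t, err)
		require.Equal(t, "passed", res.Message)

		finished := mt.FinishedSpans()
		require.Len(t, finished, 1)

		// The request should have the attack attempts
		event, _ := finished[0].Tag("_dd.appsec.json").(string)
		requireRules(t, event,
			"crs-941-100", // XSS attack attempt
			"ua0-600-55x", // canary rule attack attempt
		)
	})

	t.Run("stream", func(t *testing.T) {
		mt := mocktracer.Start()
		defer mt.Stop()

		// Open the stream with the canary value in the RPC metadata
		stream, err := client.StreamPing(attackCtx())
		require.NoError(t, err)

		// Send a XSS attack
		require.NoError(t, stream.Send(&FixtureRequest{Name: "<script>alert('xss');</script>"}))
		// Check that the handler was properly called. The error is checked
		// before res is dereferenced: on error res is nil and reading
		// res.Message would panic instead of reporting the failure.
		res, err := stream.Recv()
		require.NoError(t, err)
		require.Equal(t, "passed", res.Message)

		// Send a SQLi attack
		require.NoError(t, stream.Send(&FixtureRequest{Name: "something UNION SELECT * from users"}))
		// Check that the handler was properly called
		res, err = stream.Recv()
		require.NoError(t, err)
		require.Equal(t, "passed", res.Message)

		require.NoError(t, stream.CloseSend())
		// Read once more so the server side ends the stream and the spans get
		// flushed; the result of this final Recv is deliberately not asserted.
		_, _ = stream.Recv()

		finished := mt.FinishedSpans()
		require.Len(t, finished, 6)

		// The request should have the attack attempts
		event, _ := finished[5].Tag("_dd.appsec.json").(string)
		requireRules(t, event,
			"crs-941-100", // XSS attack attempt
			"crs-942-100", // SQL-injection attack attempt
			"ua0-600-55x", // canary rule attack attempt
		)
	})
}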