Using the FAST Extensions

Connecting the FAST Extension

To use the extensions you have created, you need to connect them to the FAST proxy.

You can do this in either of the following ways:

  • Place the extensions in a directory and mount this directory into the FAST proxy Docker container using the -v option of the docker run command. Give the host directory as an absolute path: Docker treats a relative -v source as a named volume, not a bind mount.

    $ sudo docker run --name <container name> --env-file=<file with environment variables> -v <directory with extensions>:/opt/custom_extensions -p <target port>:8080 wallarm/fast
    

    Example: run the command below to launch the FAST proxy in the Docker container with the following arguments:

    1. The name of the container: fast-proxy.
    2. The environment variables file: /home/user/fast.cfg.
    3. The FAST extensions directory path: /home/user/extensions.
    4. The port to which the 8080 port of the container is published: 9090.

    $ sudo docker run --name fast-proxy --env-file=/home/user/fast.cfg -v /home/user/extensions:/opt/custom_extensions -p 9090:8080 wallarm/fast
    
  • Place the extensions in a public Git repository and set an environment variable in the FAST proxy Docker container that points to that repository. Because the proxy fetches the extensions from the repository when it launches, anyone who can push to that repository controls which tests run against your application, so restrict write access to it accordingly.

    To do this, perform the following:

    1. Add the GIT_EXTENSIONS variable into the file that contains the environment variables.

      Example: if your extensions are in the https://github.com/wallarm/fast-detects Git repository, define the following environment variable:

      GIT_EXTENSIONS=https://github.com/wallarm/fast-detects
      
    2. Run the FAST proxy Docker container using the file containing the environment variables as follows:

      $ sudo docker run --name <container name> --env-file=<file with environment variables> -p <target port>:8080 wallarm/fast
      

      Example: run the command below to launch the FAST proxy in the Docker container with the following arguments:

      1. The name of the container: fast-proxy.
      2. The environment variables file: /home/user/fast.cfg.
      3. The port to which the 8080 port of the container is published: 9090.

      $ sudo docker run --name fast-proxy --env-file=/home/user/fast.cfg -p 9090:8080 wallarm/fast
      

If the FAST proxy launches successfully, it writes to the console output that confirms the connection to the Wallarm Cloud and reports the number of extensions loaded, as in the following screenshot:

Successful FAST proxy launch

If an error occurs during the proxy launch, the error is written to the console. A syntax error in an extension is reported as in the following example:

Information about the mistakes in the extension syntax

Extensions location requirements

Extensions in nested directories are not connected (for example, an extension placed in the extensions/level-2/ directory is ignored). Depending on the chosen connection method, place the extensions directly in the root of the directory that is mounted into the FAST proxy Docker container or in the root of the Git repository.
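The following script is an added example, not Wallarm's code or a command from this page: it checks an extensions directory against the layout rule above (extensions in the root, none in subdirectories) and then starts the FAST proxy with the directory mounted, using the same docker run arguments as the examples above. It assumes that extensions are YAML files, as my-extension.yaml is; the container name, env file, directory and port are illustrative.

```shell
#!/bin/sh
# Added example, not Wallarm's code: check an extensions directory against the
# layout rule (extensions in the root only), then start the FAST proxy with it
# mounted. Assumes extensions are YAML files, as my-extension.yaml is.

# check_extensions_dir DIR
# Succeeds (returns 0) if DIR has at least one *.yaml/*.yml file directly in its
# root and none in subdirectories. Nested files are reported explicitly because
# the proxy silently ignores them.
check_extensions_dir() {
    ext_dir=$1
    [ -d "$ext_dir" ] || { echo "not a directory: $ext_dir" >&2; return 1; }
    root_count=$(find "$ext_dir" -mindepth 1 -maxdepth 1 -type f \
        \( -name '*.yaml' -o -name '*.yml' \) | wc -l | tr -d ' ')
    nested_count=$(find "$ext_dir" -mindepth 2 -type f \
        \( -name '*.yaml' -o -name '*.yml' \) | wc -l | tr -d ' ')
    check_status=0
    if [ "$root_count" -eq 0 ]; then
        echo "no extensions found in the root of $ext_dir" >&2
        check_status=1
    fi
    if [ "$nested_count" -ne 0 ]; then
        echo "these extensions are in nested directories and will not be loaded:" >&2
        find "$ext_dir" -mindepth 2 -type f \
            \( -name '*.yaml' -o -name '*.yml' \) | sed 's/^/  /' >&2
        check_status=1
    fi
    return "$check_status"
}

# run_fast_proxy NAME ENV_FILE EXT_DIR HOST_PORT
# Validates the inputs, then runs the docker command from the page. The host
# path is made absolute because docker treats a relative -v source as a volume
# name. The mount is read-only on the assumption that the proxy only reads the
# extensions; drop ":ro" if your image version needs to write there.
run_fast_proxy() {
    check_extensions_dir "$3" || return 1
    [ -r "$2" ] || { echo "cannot read env file: $2" >&2; return 1; }
    abs_ext_dir=$(cd "$3" && pwd) || return 1
    sudo docker run --name "$1" --env-file="$2" \
        -v "$abs_ext_dir":/opt/custom_extensions:ro \
        -p "$4":8080 wallarm/fast
}

# Usage: sh run-fast.sh fast-proxy /home/user/fast.cfg /home/user/extensions 9090
if [ "$#" -eq 4 ]; then
    run_fast_proxy "$@"
fi
```

Running the check before docker run turns the silent "N extensions loaded" mismatch into an error message that names the misplaced files.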

Checking the Operation of the FAST Extension

To check the operation of the my-extension.yaml extension that was created earlier, perform the following actions:

  1. Connect the extension to the FAST proxy.

    Launched FAST proxy with the extension connected

  2. Create the testing policy. It must allow inserting payloads into the POST parameters and test the application for vulnerabilities.

    The test policy

    The extension itself tests for SQLi, so the policy can request tests for other vulnerability types (for example, RCE) from the detects provided by Wallarm. The testing policy is then the following:

    X-Wallarm-Test-Policy: type=rce; insertion=include:'POST_.*';
    
  3. Create a test run for your FAST proxy node based on the created testing policy.

    Test run

  4. Wait until the FAST proxy writes an informational message to the console similar to Recording baselines for TestRun#. This means that the FAST proxy is ready to record the baseline requests.

    FAST proxy ready for recording baselines

  5. Create and send a POST request with arbitrary parameter values to the OWASP Juice Shop login page through the FAST proxy, as in the following example:

    curl --proxy http://<FAST proxy IP address>:<published port> \
        --request POST \
        --url http://ojs.example.local/rest/user/login \
        --header 'accept-language: en-US,en;q=0.9' \
        --header 'content-type: application/json' \
        --header 'host: ojs.example.local' \
        --data '{"email":"test@example.com", "password":"12345"}'
    

    The published port is the one you gave to the -p option of the docker run command (9090 in the examples above). You may use curl or any other HTTP client to send the request.

  6. In the FAST proxy console you can see the vulnerability tests being performed and the FAST extension running against the POST parameters.

    Vulnerability found

    You can see the full log of the request processing by opening the test run information on the Wallarm web interface and clicking the “Details” link.

    Detailed test run information

    Full log of request processing

  7. You can also see the information about the detected vulnerabilities by clicking the link that contains the number of detected issues, e.g., “1 issue.” The “Vulnerabilities” page will open.

    Vulnerabilities on the Wallarm web interface

    For vulnerabilities detected by the FAST extension, the “Risk,” “Type,” and “Title” columns contain the values specified in the meta-info section of the extension.

  8. You can click a vulnerability to view detailed information about it, including its description (from the meta-info section of the extension) and an example of the request that exploits it.

    Vulnerability detailed information
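The script below is an added example, not Wallarm's code or this page's: it parses the X-Wallarm-Test-Policy value from step 2 in plain shell, reports which insertion points of the baseline request from step 5 the include rule selects, and, only when FAST_PROXY is set to the proxy's host and port, sends that baseline request through the proxy and prints the HTTP status. The insertion-point names it uses (POST_email, POST_password, and a constructed HEADER_accept-language for contrast) are an assumption drawn from the page's 'POST_.*' pattern; Wallarm's exact naming is not shown on this page.

```shell
#!/bin/sh
# Added example, not Wallarm's code. Parses the X-Wallarm-Test-Policy value used
# above and shows which insertion points of the baseline request it selects;
# sends the baseline request through the proxy only if FAST_PROXY=host:port is set.
# Assumption: insertion points are named <LOCATION>_<name>, as 'POST_.*' implies.

POLICY="type=rce; insertion=include:'POST_.*';"

# policy_field POLICY NAME -> value of the "NAME=..." item in the ;-separated policy
policy_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# insertion_pattern POLICY -> the regex inside insertion=include:'...'
insertion_pattern() {
    policy_field "$1" insertion | sed -n "s/^include:'\(.*\)'$/\1/p"
}

# policy_selects POLICY POINT -> succeeds if the include regex matches POINT as a whole
policy_selects() {
    pattern=$(insertion_pattern "$1")
    [ -n "$pattern" ] || return 1
    printf '%s\n' "$2" | grep -Eq "^($pattern)$"
}

# Constructed insertion points of the step-5 request: the two JSON body fields
# and, for contrast, one request header that the POST_ rule must not select.
BASELINE_POINTS="POST_email POST_password HEADER_accept-language"

# selected_points POLICY -> prints the baseline points the policy selects, one per line
selected_points() {
    for point in $BASELINE_POINTS; do
        if policy_selects "$1" "$point"; then
            printf '%s\n' "$point"
        fi
    done
    return 0
}

# send_baseline -> sends the step-5 request via the proxy and prints the HTTP status
send_baseline() {
    curl --silent --output /dev/null --write-out '%{http_code}\n' \
        --proxy "http://$FAST_PROXY" \
        --request POST \
        --url http://ojs.example.local/rest/user/login \
        --header 'accept-language: en-US,en;q=0.9' \
        --header 'content-type: application/json' \
        --header 'host: ojs.example.local' \
        --data '{"email":"test@example.com", "password":"12345"}'
}

echo "policy type: $(policy_field "$POLICY" type)"
echo "insertion points selected by the policy:"
selected_points "$POLICY" | sed 's/^/  /'
if [ -n "${FAST_PROXY:-}" ]; then
    send_baseline
fi
```

Run it without FAST_PROXY to see which parameters the policy will inject into; run it as FAST_PROXY=127.0.0.1:9090 sh check-run.sh after the proxy reports Recording baselines to send the baseline request itself.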
