Using the FAST Extensions

Connecting the FAST Extension

To use the created extensions, you need to connect them to the FAST node.

You can do this in either of the following ways:

  • Place the extensions in a directory and mount this directory into the FAST node Docker container using the -v option of the docker run command.

    $ sudo docker run --name <container name> --env-file=<file with environment variables> -v <directory with extensions>:/opt/custom_extensions -p <target port>:8080 wallarm/fast
    

    Example:

    Run the command below to launch the FAST node in the Docker container with the following arguments:

    1. The name of the container: fast-node.
    2. The environment variables file: /home/user/fast.cfg.
    3. The FAST extensions directory path: /home/user/extensions.
    4. The port to which the 8080 port of the container is published: 9090.

    $ sudo docker run --name fast-node --env-file=/home/user/fast.cfg -v /home/user/extensions:/opt/custom_extensions -p 9090:8080 wallarm/fast

  • Place the extensions into a public Git repository and define an environment variable in the FAST node Docker container that points to that repository.

    To do this, perform the following:

    1. Add the GIT_EXTENSIONS variable into the file that contains the environment variables.

      Example:

      If your extensions are in the https://github.com/wallarm/fast-detects Git repository, define the following environment variable:

      GIT_EXTENSIONS=https://github.com/wallarm/fast-detects
      
    2. Run the FAST node Docker container using the file containing the environment variables as follows:

      $ sudo docker run --name <container name> --env-file=<file with environment variables> -p <target port>:8080 wallarm/fast
      

      Example:

      Run the command below to launch the FAST node in the Docker container with the following arguments:

      1. The name of the container: fast-node.
      2. The environment variables file: /home/user/fast.cfg.
      3. The port to which the 8080 port of the container is published: 9090.

      $ sudo docker run --name fast-node --env-file=/home/user/fast.cfg -p 9090:8080 wallarm/fast
      

If the FAST node launches successfully, it writes output like the following to the console, confirming the connection to the Wallarm Cloud and reporting the number of extensions loaded:

[info] Node connected to Wallarm Cloud
[info] Loaded 1 custom extensions for fast scanner
[info] Loaded 30 default extensions for fast scanner
[info] Waiting for TestRun to check...

If an error occurs during the node launch, the error information is written to the console. For example, a syntax error in an extension produces a message like the following:

[info] Node connected to Wallarm Cloud
[error] Invalid custom extension 'my-extension.yaml': (<unknown>): did not find expected key while parsing a block mapping at line 2 column 3
[info] Loaded 0 custom extensions for fast scanner

Extensions location requirements

Extensions in nested directories are not connected (for example, an extension placed in the extensions/level-2/ directory is ignored). Depending on the chosen connection method, place the extensions in the root of the directory that is mounted into the FAST node Docker container or in the root of the Git repository.
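The following preflight script is an added example (not part of the FAST documentation or the wallarm/fast image): it lists the extension files FAST will load from a directory that is to be mounted at /opt/custom_extensions, warns about files in nested directories, and compares the expected count with the "Loaded N custom extensions" line from the node console. It assumes extensions are *.yaml files, as my-extension.yaml in this text is; the directory layout and console log it works on are constructed inline.

```shell
#!/bin/sh
# Added preflight check for a FAST extensions directory (not Wallarm code).
# Assumption: extensions are *.yaml files at the root of the mounted directory.

# Extension files at the root of DIR ($1), one per line. These are loaded.
root_extensions() {
    find "$1" -maxdepth 1 -type f -name '*.yaml' | sort
}

# Extension files in subdirectories of DIR; FAST does not connect these.
nested_extensions() {
    find "$1" -mindepth 2 -type f -name '*.yaml' | sort
}

# Number of custom extensions the node should report as loaded for DIR.
expected_loaded_count() {
    root_extensions "$1" | wc -l | tr -d ' '
}

# Extract N from the "[info] Loaded N custom extensions ..." line of LOG ($1).
loaded_custom_count() {
    sed -n 's/^\[info\] Loaded \([0-9]*\) custom extensions.*/\1/p' "$1"
}

# Constructed sample layout: one root extension and one misplaced nested one.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'meta-info:\n  title: demo\n' > "$demo_dir/my-extension.yaml"
mkdir -p "$demo_dir/level-2"
cp "$demo_dir/my-extension.yaml" "$demo_dir/level-2/nested.yaml"

# Constructed console output, shaped like the success message in the text.
demo_log="$demo_dir/node.log"
printf '%s\n' '[info] Node connected to Wallarm Cloud' \
    '[info] Loaded 1 custom extensions for fast scanner' \
    '[info] Loaded 30 default extensions for fast scanner' > "$demo_log"

echo "Extensions to be loaded:"; root_extensions "$demo_dir"
if [ -n "$(nested_extensions "$demo_dir")" ]; then
    echo "WARNING: nested files will not be connected:"; nested_extensions "$demo_dir"
fi
if [ "$(expected_loaded_count "$demo_dir")" = "$(loaded_custom_count "$demo_log")" ]; then
    echo "OK: the node loaded every root extension"
else
    echo "MISMATCH: check the node console for 'Invalid custom extension' errors"
fi
```

Run it against your real directory by replacing demo_dir with the path you mount, and feed the node's console output to loaded_custom_count after launch.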

Checking the Operation of the FAST Extension

To check the operation of the my-extension.yaml extension that was created earlier, perform the following actions:

  1. Connect the extension to the FAST node.

  2. Create the necessary testing policy. It should allow inserting the payload into the POST parameter and testing the application for vulnerabilities.

    The test policy

    Because the extension itself tests for SQLi vulnerabilities, the policy can request a different vulnerability type (for example, RCE) to be covered by the detects provided by Wallarm. The testing policy will be the following:

    X-Wallarm-Test-Policy: type=rce; insertion=include:'POST_.*';
    
  3. Create a test run for your FAST node based on the created testing policy.

    Test run

  4. Wait until the FAST node writes an informational message to the console similar to the following: Recording baselines for TestRun#. This means that the FAST node is ready to record the baseline requests.

    [info] Node connected to Wallarm Cloud
    [info] Loaded 1 custom extensions for fast scanner
    [info] Loaded 30 default extensions for fast scanner
    [info] Waiting for TestRun to check...
    [info] Recording baselines for TestRun#N 'DEMO TEST RUN'
    
  5. Create and send a POST request with arbitrary parameters to the OWASP Juice Shop login page through the FAST node, as shown in the following example:

    curl --proxy http://<FAST node IP address> \
        --request POST \
        --url http://ojs.example.local/rest/user/login \
        --header 'accept-language: en-US,en;q=0.9' \
        --header 'content-type: application/json' \
        --header 'host: ojs.example.local' \
        --data '{"email":"test@example.com", "password":"12345"}'
    

    You may use curl or other tools to send the request.

  6. The FAST node console shows the vulnerability tests being performed, including the FAST extension running against the POST parameters.

    [info] Proxy request POST http://ojs.example.local/rest/user/login
    [info] Running a test set for the baseline #X
    ...
    [info] Running custom extension 'my-extension' tests for the parameter 'POST_JSON_DOC_HASH_email_value'
    [info] SQLI vulnerability found at host ojs.example.local ...
    ...
    [info] Found 1 vulnerabilities, marking the test set for baseline #X as failed
    

    You can see the full log of the request processing by opening the test run information on the Wallarm web interface and clicking the “Details” link.

    Detailed test run information

    Full log of request processing

  7. You can also see the information about the detected vulnerabilities by clicking the link that contains the number of detected issues, e.g., “1 issue.” The “Vulnerabilities” page will open.

    Vulnerabilities on the Wallarm web interface

    For vulnerabilities detected with the help of the FAST extension, the “Risk,” “Type,” and “Title” columns contain the values specified in the meta-info section of the extension.

  8. You can click a vulnerability to view detailed information about it, including its description (from the meta-info section of the extension) and an example of the request that exploits it.

    Vulnerability detailed information
