Merge pull request #101 from AikidoSec/AIK-4287

AIK-4287 Include user in attack event

Author: willem-delbare

agent_api/src/main/java/dev/aikido/agent_api/background/cloud/api/events/DetectedAttack.java

@@ -3,6 +3,7 @@
 import dev.aikido.agent_api.background.cloud.CloudConnectionManager;
 import dev.aikido.agent_api.background.cloud.GetManagerInfo;
 import dev.aikido.agent_api.context.ContextObject;
+import dev.aikido.agent_api.context.User;
 import dev.aikido.agent_api.vulnerabilities.Attack;
 
 import java.util.Map;
@@ -40,7 +41,8 @@ public record AttackData (
             // Auxiliary attack data :
             String module,
             boolean blocked,
-            String stack
+            String stack,
+            User user
     ) {};
 
     public static DetectedAttackEvent createAPIEvent(Attack attack, ContextObject context, CloudConnectionManager connectionManager) {
@@ -56,7 +58,7 @@ public static DetectedAttackEvent createAPIEvent(Attack attack, ContextObject co
         );
         AttackData attackData = new AttackData(
             attack.kind, attack.operation, attack.source, attack.pathToPayload, attack.payload, attack.metadata,
-            "MODULE?", connectionManager.shouldBlock(), attack.stack
+            "module", connectionManager.shouldBlock(), attack.stack, attack.user
         );
         return new DetectedAttackEvent(
         "detected_attack", // type

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/Attack.java

@@ -1,5 +1,7 @@
 package dev.aikido.agent_api.vulnerabilities;
 
+import dev.aikido.agent_api.context.User;
+
 import java.util.Map;
 
 public class Attack {
@@ -10,14 +12,16 @@ public class Attack {
     public final Map<String, String> metadata;
     public final String payload;
     public final String stack;
-    public Attack(String op, Vulnerabilities.Vulnerability vulnerability, String source, String pathToPayload, Map<String, String> metadata, String payload, String stack) {
+    public final User user;
+    public Attack(String op, Vulnerabilities.Vulnerability vulnerability, String source, String pathToPayload, Map<String, String> metadata, String payload, String stack, User user) {
         this.operation = op;
         this.kind = vulnerability.getKind();
         this.source = source;
         this.pathToPayload = pathToPayload;
         this.metadata = metadata;
         this.payload = payload;
         this.stack = stack;
+        this.user = user;
     }
 
     @Override
@@ -30,6 +34,6 @@ public String toString() {
                 ", metadata=" + metadata +
                 ", payload='" + payload + '\'' +
                 ", stack='" + stack + '\'' +
-                '}';
+                ", user=" + user.id() + '}';
     }
 }

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/Scanner.java

@@ -44,7 +44,10 @@ public static void scanForGivenVulnerability(Vulnerabilities.Vulnerability vulne
                     exception = Optional.of(detectorResult.getException());
                     // Report attack :
                     reportAttack(
-                        new Attack(operation, vulnerability, source, path, detectorResult.getMetadata(), userInput, getCurrentStackTrace()), ctx
+                        new Attack(
+                                operation, vulnerability, source,
+                                path, detectorResult.getMetadata(), userInput,
+                                getCurrentStackTrace(), ctx.getUser()), ctx
                     );
                     break;
                 }

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/ssrf/SSRFDetector.java

@@ -54,7 +54,8 @@ public Attack run(String hostname, int port, List<String> ipAddresses, String op
                         "port", String.valueOf(port)
                     ),
                     attackFindings.payload(),
-                    getCurrentStackTrace()
+                    getCurrentStackTrace(),
+                    context.getUser()
             );
         }
 

agent_api/src/test/java/vulnerabilities/AttackTest.java

@@ -1,5 +1,6 @@
 package vulnerabilities;
 
+import dev.aikido.agent_api.context.User;
 import dev.aikido.agent_api.vulnerabilities.Attack;
 import dev.aikido.agent_api.vulnerabilities.Vulnerabilities;
 import org.junit.jupiter.api.Test;
@@ -22,9 +23,10 @@ public void testAttackConstructor() {
         metadata.put("userId", "123");
         String payload = "SELECT * FROM users WHERE id = 1";
         String stack = "Stack trace here";
+        User user = new User("id", "name", "1.1.1.1", 0);
 
         // Act
-        Attack attack = new Attack(operation, vulnerability, source, pathToPayload, metadata, payload, stack);
+        Attack attack = new Attack(operation, vulnerability, source, pathToPayload, metadata, payload, stack, user);
 
         // Assert
         assertEquals(operation, attack.operation);
@@ -34,8 +36,9 @@ public void testAttackConstructor() {
         assertEquals(metadata, attack.metadata);
         assertEquals(payload, attack.payload);
         assertEquals(stack, attack.stack);
+        assertEquals(user, attack.user);
         assertEquals(
-                "Attack{operation='SQL Injection', kind='sql_injection', source='User Input', pathToPayload='/api/vulnerable', metadata={userId=123}, payload='SELECT * FROM users WHERE id = 1', stack='Stack trace here'}",
+                "Attack{operation='SQL Injection', kind='sql_injection', source='User Input', pathToPayload='/api/vulnerable', metadata={userId=123}, payload='SELECT * FROM users WHERE id = 1', stack='Stack trace here', user=id}",
                 attack.toString()
         );
     }
@@ -50,9 +53,10 @@ public void testAttackWithEmptyMetadata() {
         Map<String, String> metadata = new HashMap<>(); // Empty metadata
         String payload = "<script>alert('XSS');</script>";
         String stack = "Stack trace here";
+        User user = new User("123", "name", "1.1.1.1", 0);
 
         // Act
-        Attack attack = new Attack(operation, vulnerability, source, pathToPayload, metadata, payload, stack);
+        Attack attack = new Attack(operation, vulnerability, source, pathToPayload, metadata, payload, stack, user);
 
         // Assert
         assertEquals(operation, attack.operation);
@@ -63,7 +67,7 @@ public void testAttackWithEmptyMetadata() {
         assertEquals(payload, attack.payload);
         assertEquals(stack, attack.stack);
         assertEquals(
-                "Attack{operation='XSS Attack', kind='sql_injection', source='User Input', pathToPayload='/api/vulnerable', metadata={}, payload='<script>alert('XSS');</script>', stack='Stack trace here'}",
+                "Attack{operation='XSS Attack', kind='sql_injection', source='User Input', pathToPayload='/api/vulnerable', metadata={}, payload='<script>alert('XSS');</script>', stack='Stack trace here', user=123}",
                 attack.toString()
         );
     }

end2end/spring_boot_mysql.py

@@ -16,8 +16,8 @@
 
 event_handler = EventHandler()
 event_handler.reset()
-test_safe_vs_unsafe_payloads(payloads, urls) # Test MySQL driver
-test_safe_vs_unsafe_payloads(payloads, urls, "/mariadb") # Also test MariaDB driver
+test_safe_vs_unsafe_payloads(payloads, urls, user_id="123") # Test MySQL driver
+test_safe_vs_unsafe_payloads(payloads, urls, "/mariadb", user_id="456") # Also test MariaDB driver
 
 # Test blocklists :
 test_ip_blocking("http://localhost:8082/")

end2end/spring_boot_mysql/test_two_sql_attacks.py

@@ -19,4 +19,6 @@ def test_two_sql_attacks(event_handler):
     assert_eq(val1=attack1["source"], val2=attack2["source"], equals="body")
     # Different :
     assert_eq(attack1["operation"], equals="(MySQL Connector/J) java.sql.Connection.prepareStatement")
-    assert_eq(attack2["operation"], equals="(MariaDB Connector/J) java.sql.Connection.prepareStatement")
+    assert_eq(attack2["operation"], equals="(MariaDB Connector/J) java.sql.Connection.prepareStatement")
+    assert_eq(attack1["user"]["id"], equals="123")
+    assert_eq(attack2["user"]["id"], equals="456")

end2end/utils/make_requests.py

@@ -2,8 +2,11 @@
 import urllib.parse
 
 # Function to make a POST request
-def make_post_request(url, data, status_code):
-    response = requests.post(url, json=data)
+def make_post_request(url, data, status_code, user_id=None):
+    headers = {}
+    if user_id is not None:
+        headers['user'] = user_id
+    response = requests.post(url, json=data, headers=headers)
 
     # Assert that the status code is 200
     assert response.status_code == status_code, f"Expected status code {status_code} but got {response.status_code}"

end2end/utils/test_safe_vs_unsafe_payloads.py

@@ -1,14 +1,14 @@
 from .make_requests import  make_post_request, make_path_var_request
 
-def test_safe_vs_unsafe_payloads(payloads, urls, route=""):
+def test_safe_vs_unsafe_payloads(payloads, urls, route="", user_id=None):
     print("Safe req to : (1) " + urls["enabled"])
-    make_post_request(urls["enabled"]  + route, payloads["safe"], status_code=200)
+    make_post_request(urls["enabled"]  + route, payloads["safe"], status_code=200, user_id=user_id)
     print("Safe req to : (0) " + urls["disabled"])
-    make_post_request(urls["disabled"] + route, payloads["safe"], status_code=200)
+    make_post_request(urls["disabled"] + route, payloads["safe"], status_code=200, user_id=user_id)
     print("Unsafe req to : (1) " + urls["enabled"])
-    make_post_request(urls["enabled"] + route, payloads["unsafe"], status_code=500)
+    make_post_request(urls["enabled"] + route, payloads["unsafe"], status_code=500, user_id=user_id)
     print("Unsafe req to : (0) " + urls["disabled"])
-    make_post_request(urls["disabled"] + route, payloads["unsafe"], status_code=200)
+    make_post_request(urls["disabled"] + route, payloads["unsafe"], status_code=200, user_id=user_id)
 
 def test_payloads_path_variables(payloads, urls, route=""):
     print("Safe req to : (1) " + urls["enabled"])