Detect missing header vulnerabilities (#3269)

* Detect X-Content-Type-Options missing header

* HSTS Header missing analyzer and refactor of xcontenttype-header-missing-aanalyzer

* Move function to class method

* use startswith instead of index===0

* Do not send evidence if value is undefined

* Fix comment in PR and add test

* Changes to support telemetry

* Rename method name

* Rename analyzer object key

Author: uurien

packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -2,6 +2,7 @@
 
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),
   'NO_HTTPONLY_COOKIE_ANALYZER': require('./no-httponly-cookie-analyzer'),
@@ -11,5 +12,6 @@ module.exports = {
   'SSRF': require('./ssrf-analyzer'),
   'UNVALIDATED_REDIRECT_ANALYZER': require('./unvalidated-redirect-analyzer'),
   'WEAK_CIPHER_ANALYZER': require('./weak-cipher-analyzer'),
-  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer')
+  'WEAK_HASH_ANALYZER': require('./weak-hash-analyzer'),
+  'XCONTENTTYPE_HEADER_MISSING_ANALYZER': require('./xcontenttype-header-missing-analyzer')
 }

packages/dd-trace/src/appsec/iast/analyzers/hsts-header-missing-analyzer.js

@@ -0,0 +1,45 @@
+'use strict'
+
+const { HSTS_HEADER_MISSING } = require('../vulnerabilities')
+const { MissingHeaderAnalyzer } = require('./missing-header-analyzer')
+
+const HSTS_HEADER_NAME = 'Strict-Transport-Security'
+const HEADER_VALID_PREFIX = 'max-age'
+class HstsHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
+  constructor () {
+    super(HSTS_HEADER_MISSING, HSTS_HEADER_NAME)
+  }
+  _isVulnerableFromRequestAndResponse (req, res) {
+    const headerToCheck = res.getHeader(HSTS_HEADER_NAME)
+    return !this._isHeaderValid(headerToCheck) && this._isHttpsProtocol(req)
+  }
+
+  _isHeaderValid (headerValue) {
+    if (!headerValue) {
+      return false
+    }
+    headerValue = headerValue.trim()
+
+    if (!headerValue.startsWith(HEADER_VALID_PREFIX)) {
+      return false
+    }
+
+    const semicolonIndex = headerValue.indexOf(';')
+    let timestampString
+    if (semicolonIndex > -1) {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1, semicolonIndex)
+    } else {
+      timestampString = headerValue.substring(HEADER_VALID_PREFIX.length + 1)
+    }
+
+    const timestamp = parseInt(timestampString)
+    // eslint-disable-next-line eqeqeq
+    return timestamp == timestampString && timestamp > 0
+  }
+
+  _isHttpsProtocol (req) {
+    return req.protocol === 'https' || req.headers['x-forwarded-proto'] === 'https'
+  }
+}
+
+module.exports = new HstsHeaderMissingAnalyzer()

packages/dd-trace/src/appsec/iast/analyzers/index.js

@@ -3,10 +3,10 @@
 const analyzers = require('./analyzers')
 const setCookiesHeaderInterceptor = require('./set-cookies-header-interceptor')
 
-function enableAllAnalyzers () {
-  setCookiesHeaderInterceptor.configure(true)
+function enableAllAnalyzers (tracerConfig) {
+  setCookiesHeaderInterceptor.configure({ enabled: true, tracerConfig })
   for (const analyzer in analyzers) {
-    analyzers[analyzer].configure(true)
+    analyzers[analyzer].configure({ enabled: true, tracerConfig })
   }
 }
 

packages/dd-trace/src/appsec/iast/analyzers/missing-header-analyzer.js

@@ -0,0 +1,66 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+
+const SC_MOVED_PERMANENTLY = 301
+const SC_MOVED_TEMPORARILY = 302
+const SC_NOT_MODIFIED = 304
+const SC_TEMPORARY_REDIRECT = 307
+const SC_NOT_FOUND = 404
+const SC_GONE = 410
+const SC_INTERNAL_SERVER_ERROR = 500
+
+const IGNORED_RESPONSE_STATUS_LIST = [SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_NOT_MODIFIED,
+  SC_TEMPORARY_REDIRECT, SC_NOT_FOUND, SC_GONE, SC_INTERNAL_SERVER_ERROR]
+const HTML_CONTENT_TYPES = ['text/html', 'application/xhtml+xml']
+
+class MissingHeaderAnalyzer extends Analyzer {
+  constructor (type, headerName) {
+    super(type)
+
+    this.headerName = headerName
+  }
+
+  onConfigure () {
+    this.addSub({
+      channelName: 'datadog:iast:response-end',
+      moduleName: 'http'
+    }, (data) => this.analyze(data))
+  }
+
+  _getLocation () {
+    return undefined
+  }
+
+  _checkOCE (context) {
+    return true
+  }
+
+  _createHashSource (type, evidence, location) {
+    return `${type}:${this.config.tracerConfig.service}`
+  }
+
+  _getEvidence ({ res }) {
+    return { value: res.getHeader(this.headerName) }
+  }
+
+  _isVulnerable ({ req, res }, context) {
+    if (!IGNORED_RESPONSE_STATUS_LIST.includes(res.statusCode) && this._isResponseHtml(res)) {
+      return this._isVulnerableFromRequestAndResponse(req, res)
+    }
+    return false
+  }
+
+  _isVulnerableFromRequestAndResponse (req, res) {
+    return false
+  }
+
+  _isResponseHtml (res) {
+    const contentType = res.getHeader('content-type')
+    return contentType && HTML_CONTENT_TYPES.some(htmlContentType => {
+      return htmlContentType === contentType || contentType.startsWith(htmlContentType + ';')
+    })
+  }
+}
+
+module.exports = { MissingHeaderAnalyzer }

packages/dd-trace/src/appsec/iast/analyzers/xcontenttype-header-missing-analyzer.js

@@ -0,0 +1,19 @@
+'use strict'
+
+const { XCONTENTTYPE_HEADER_MISSING } = require('../vulnerabilities')
+const { MissingHeaderAnalyzer } = require('./missing-header-analyzer')
+
+const XCONTENTTYPEOPTIONS_HEADER_NAME = 'X-Content-Type-Options'
+
+class XcontenttypeHeaderMissingAnalyzer extends MissingHeaderAnalyzer {
+  constructor () {
+    super(XCONTENTTYPE_HEADER_MISSING, XCONTENTTYPEOPTIONS_HEADER_NAME)
+  }
+
+  _isVulnerableFromRequestAndResponse (req, res) {
+    const headerToCheck = res.getHeader(XCONTENTTYPEOPTIONS_HEADER_NAME)
+    return !headerToCheck || headerToCheck.trim().toLowerCase() !== 'nosniff'
+  }
+}
+
+module.exports = new XcontenttypeHeaderMissingAnalyzer()

packages/dd-trace/src/appsec/iast/index.js

@@ -19,10 +19,11 @@ const iastTelemetry = require('./telemetry')
 //  order of the callbacks can be enforce
 const requestStart = dc.channel('dd-trace:incomingHttpRequestStart')
 const requestClose = dc.channel('dd-trace:incomingHttpRequestEnd')
+const iastResponseEnd = dc.channel('datadog:iast:response-end')
 
 function enable (config, _tracer) {
   iastTelemetry.configure(config, config.iast && config.iast.telemetryVerbosity)
-  enableAllAnalyzers()
+  enableAllAnalyzers(config)
   enableTaintTracking(config.iast, iastTelemetry.verbosity)
   requestStart.subscribe(onIncomingHttpRequestStart)
   requestClose.subscribe(onIncomingHttpRequestEnd)
@@ -72,6 +73,8 @@ function onIncomingHttpRequestEnd (data) {
     const topContext = web.getContext(data.req)
     const iastContext = iastContextFunctions.getIastContext(store, topContext)
     if (iastContext && iastContext.rootSpan) {
+      iastResponseEnd.publish(data)
+
       const vulnerabilities = iastContext.vulnerabilities
       const rootSpan = iastContext.rootSpan
       vulnerabilityReporter.sendVulnerabilities(vulnerabilities, rootSpan)

packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/index.js

@@ -54,7 +54,11 @@ class VulnerabilityFormatter {
 
   formatEvidence (type, evidence, sourcesIndexes, sources) {
     if (!evidence.ranges) {
-      return { value: evidence.value }
+      if (typeof evidence.value === 'undefined') {
+        return undefined
+      } else {
+        return { value: evidence.value }
+      }
     }
 
     return this._redactVulnearbilities

packages/dd-trace/src/appsec/iast/vulnerabilities.js

@@ -1,5 +1,6 @@
 module.exports = {
   COMMAND_INJECTION: 'COMMAND_INJECTION',
+  HSTS_HEADER_MISSING: 'HSTS_HEADER_MISSING',
   INSECURE_COOKIE: 'INSECURE_COOKIE',
   LDAP_INJECTION: 'LDAP_INJECTION',
   NO_HTTPONLY_COOKIE: 'NO_HTTPONLY_COOKIE',
@@ -9,5 +10,6 @@ module.exports = {
   SSRF: 'SSRF',
   UNVALIDATED_REDIRECT: 'UNVALIDATED_REDIRECT',
   WEAK_CIPHER: 'WEAK_CIPHER',
-  WEAK_HASH: 'WEAK_HASH'
+  WEAK_HASH: 'WEAK_HASH',
+  XCONTENTTYPE_HEADER_MISSING: 'XCONTENTTYPE_HEADER_MISSING'
 }

packages/dd-trace/src/appsec/iast/vulnerability-reporter.js

@@ -28,7 +28,7 @@ function addVulnerability (iastContext, vulnerability) {
 
 function isValidVulnerability (vulnerability) {
   return vulnerability && vulnerability.type &&
-    vulnerability.evidence && vulnerability.evidence.value &&
+    vulnerability.evidence &&
     vulnerability.location && vulnerability.location.spanId
 }
 

packages/dd-trace/test/appsec/iast/analyzers/hsts-header-missing-analyzer.spec.js

@@ -0,0 +1,104 @@
+'use strict'
+
+const { prepareTestServerForIast } = require('../utils')
+const Analyzer = require('../../../../src/appsec/iast/analyzers/vulnerability-analyzer')
+const { HSTS_HEADER_MISSING } = require('../../../../src/appsec/iast/vulnerabilities')
+const axios = require('axios')
+const analyzer = new Analyzer()
+
+describe('hsts header missing analyzer', () => {
+  it('Expected vulnerability identifier', () => {
+    expect(HSTS_HEADER_MISSING).to.be.equals('HSTS_HEADER_MISSING')
+  })
+
+  prepareTestServerForIast('hsts header missing analyzer',
+    (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability, config) => {
+      function makeRequestWithXFordwardedProtoHeader (done) {
+        axios.get(`http://localhost:${config.port}/`, {
+          headers: {
+            'X-Forwarded-Proto': 'https'
+          }
+        }).catch(done)
+      }
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence).to.be.undefined
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html;charset=utf-8')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence).to.be.undefined
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'application/xhtml+xml')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence).to.be.undefined
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=-100')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('max-age=-100')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=-100; includeSubDomains')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('max-age=-100; includeSubDomains')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'invalid')
+        res.end('<html><body><h1>Test</h1></body></html>')
+      }, HSTS_HEADER_MISSING, 1, function (vulnerabilities) {
+        expect(vulnerabilities[0].evidence.value).to.be.equal('invalid')
+        expect(vulnerabilities[0].hash).to.be.equals(analyzer._createHash('HSTS_HEADER_MISSING:mocha'))
+      }, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'application/json')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=100')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', '  max-age=100  ')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=100;includeSubDomains')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+
+      testThatRequestHasNoVulnerability((req, res) => {
+        res.setHeader('content-type', 'text/html')
+        res.setHeader('Strict-Transport-Security', 'max-age=100   ;includeSubDomains')
+        res.end('{"key": "test}')
+      }, HSTS_HEADER_MISSING, makeRequestWithXFordwardedProtoHeader)
+    })
+})