
Detect Tomcat's host manager tomcat application as admin console #6867

Merged

Conversation

jandro996
Member

@jandro996 jandro996 commented Apr 2, 2024

What Does This Do

  • Parameterize the Admin console active report implementation so that it can report more Admin consoles, not only the Tomcat Manager Application

  • Report an Admin console active vulnerability when <display-name>Tomcat Host Manager Application</display-name> is found in the application's web.xml

Motivation

Report an Admin console active vulnerability if the Tomcat Host Manager Application is deployed in a Tomcat server

Additional Notes

Jira ticket: [PROJ-IDENT]
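The detection rule described above, as an added stand-alone example (not code from dd-trace-java): the application's top-level web.xml <display-name> is matched against a set of known admin-console names, with the host manager as the new entry next to the manager application. The set of names, the function names and the sample web.xml documents are this example's own assumptions; it generalises the rule slightly by treating the name set as the parameter the description mentions, and by ignoring <display-name> elements nested under <servlet>.

```python
"""Stand-alone check for Tomcat admin-console web apps, keyed on web.xml <display-name>.

Added example, not code from dd-trace-java: it reproduces the detection rule the
PR describes (the application's web.xml top-level <display-name> matches a known
admin-console name) as a script you can run over deployed webapps. The set of
names, the function names and the sample descriptors are this example's own.
"""
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, Optional

# The parameterization point: the single "Tomcat Manager Application" match
# becomes a table of known consoles, of which the host manager is the new entry.
ADMIN_CONSOLE_DISPLAY_NAMES: FrozenSet[str] = frozenset({
    "Tomcat Manager Application",
    "Tomcat Host Manager Application",
})


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def display_name(web_xml: str) -> Optional[str]:
    """Return the web app's top-level <display-name>, or None.

    Only direct children of <web-app> count: <servlet> and <filter> carry their
    own <display-name>, which says nothing about the application. Descriptors
    declare different default namespaces (javaee, jakartaee) or none at all, so
    matching is on the local name. A malformed descriptor yields None rather
    than an exception, because a detector must never take the app down.
    web.xml is trusted deployment configuration here; for XML from untrusted
    sources parse with defusedxml instead of xml.etree.
    """
    try:
        root = ET.fromstring(web_xml)
    except ET.ParseError:
        return None
    if _local(root.tag) != "web-app":
        return None
    for child in root:
        if _local(child.tag) == "display-name" and child.text:
            return child.text.strip()
    return None


def admin_console(web_xml: str,
                  known: FrozenSet[str] = ADMIN_CONSOLE_DISPLAY_NAMES) -> Optional[str]:
    """Return the matching admin-console name when the descriptor is one, else None."""
    name = display_name(web_xml)
    return name if name is not None and name in known else None


def scan(deployed: Dict[str, str]) -> Dict[str, str]:
    """Map context path -> console name for every deployed app that is an admin console."""
    findings: Dict[str, str] = {}
    for context, web_xml in deployed.items():
        match = admin_console(web_xml)
        if match:
            findings[context] = match
    return findings


# Constructed sample descriptors (not copied from a Tomcat distribution).
HOST_MANAGER_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <display-name>Tomcat Host Manager Application</display-name>
  <description>Virtual host management</description>
</web-app>
"""

MANAGER_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>Tomcat Manager Application</display-name>
</web-app>
"""

# A business app whose servlet borrows the manager's display name: not a console.
BUSINESS_WEB_XML = """<web-app>
  <display-name>insecure-bank</display-name>
  <servlet>
    <display-name>Tomcat Manager Application</display-name>
    <servlet-name>bank</servlet-name>
    <servlet-class>com.example.BankServlet</servlet-class>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    deployed = {"/host-manager": HOST_MANAGER_WEB_XML,
                "/manager": MANAGER_WEB_XML,
                "/bank": BUSINESS_WEB_XML}
    for context, console in scan(deployed).items():
        print(f"Admin console active: {context} is the {console}")
```

Run it as-is to see the two console contexts reported and the business app skipped; to cover a further console, add its display name to the set rather than adding a new code path.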

@pr-commenter

pr-commenter bot commented Apr 2, 2024

Benchmarks

Startup

Parameters

Parameter        Baseline                      Candidate
git_branch       master                        alejandro.gonzalez/IW_admin_console_active_improve
git_commit_date  1713264800                    1713266276
git_commit_sha   0e0654b                       558fed6
release_version  1.33.0-SNAPSHOT~0e0654b855    1.33.0-SNAPSHOT~558fed6ed9

Matching parameters (same for baseline and candidate)
application      insecure-bank
ci_job_date      1713269523
ci_job_id        487666257
ci_pipeline_id   32184421
cpu_model        Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
module           Agent
parent           None
variant          iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 50 metrics, 13 unstable metrics.

Startup time reports for petclinic
[gantt chart: petclinic - global startup overhead, candidate=1.33.0-SNAPSHOT~558fed6ed9 vs baseline=1.33.0-SNAPSHOT~0e0654b855; the values are tabulated below]
  • baseline results
Module  Variant    Duration   Δ vs tracing
Agent   tracing     1.075 s   -
Agent   appsec      1.194 s   119.271 ms (11.1%)
Agent   iast        1.196 s   121.136 ms (11.3%)
Agent   profiling   1.269 s   194.734 ms (18.1%)
Total   tracing    10.405 s   -
Total   appsec     10.431 s    25.256 ms (0.2%)
Total   iast       10.837 s   432.151 ms (4.2%)
Total   profiling  10.574 s   168.511 ms (1.6%)
  • candidate results
Module  Variant    Duration   Δ vs tracing
Agent   tracing     1.078 s   -
Agent   appsec      1.2 s     122.102 ms (11.3%)
Agent   iast        1.2 s     122.1 ms (11.3%)
Agent   profiling   1.269 s   191.379 ms (17.8%)
Total   tracing    10.412 s   -
Total   appsec     10.472 s    59.733 ms (0.6%)
Total   iast       10.754 s   342.184 ms (3.3%)
Total   profiling  10.618 s   205.6 ms (2.0%)
[gantt chart: petclinic - break down per module, candidate=1.33.0-SNAPSHOT~558fed6ed9 vs baseline=1.33.0-SNAPSHOT~0e0654b855; the values are tabulated below]
Variant    Module          Baseline     Candidate
tracing    BytebuddyAgent  673.187 ms   675.031 ms
tracing    GlobalTracer    309.341 ms   310.755 ms
tracing    AppSec           49.369 ms    49.428 ms
tracing    Remote Config   664.475 µs   658.776 µs
tracing    Telemetry         7.647 ms     7.562 ms
appsec     BytebuddyAgent  693.292 ms   695.319 ms
appsec     GlobalTracer    290.332 ms   291.993 ms
appsec     AppSec          149.293 ms   149.479 ms
appsec     IAST             18.676 ms    18.898 ms
appsec     Remote Config   600.328 µs   606.445 µs
appsec     Telemetry         7.344 ms     9.389 ms
iast       BytebuddyAgent  792.881 ms   794.753 ms
iast       GlobalTracer    287.089 ms   289.097 ms
iast       AppSec           50.033 ms    48.079 ms
iast       IAST             23.53 ms     26.737 ms
iast       Remote Config   568.522 µs   557.545 µs
iast       Telemetry         7.273 ms     6.527 ms
profiling  BytebuddyAgent  678.133 ms   677.586 ms
profiling  GlobalTracer    380.137 ms   380.951 ms
profiling  AppSec           50.339 ms    50.405 ms
profiling  Remote Config   757.937 µs   744.139 µs
profiling  Telemetry         7.442 ms     7.437 ms
profiling  ProfilingAgent   96.108 ms    95.857 ms
profiling  Profiling        96.132 ms    95.881 ms
Startup time reports for insecure-bank
[gantt chart: insecure-bank - global startup overhead, candidate=1.33.0-SNAPSHOT~558fed6ed9 vs baseline=1.33.0-SNAPSHOT~0e0654b855; the values are tabulated below]
  • baseline results
Module  Variant                         Duration   Δ vs tracing
Agent   tracing                          1.075 s   -
Agent   iast                             1.196 s   120.463 ms (11.2%)
Agent   iast_HARDCODED_SECRET_DISABLED   1.196 s   120.73 ms (11.2%)
Agent   iast_TELEMETRY_OFF               1.198 s   123.041 ms (11.4%)
Total   tracing                          8.537 s   -
Total   iast                             9.029 s   491.156 ms (5.8%)
Total   iast_HARDCODED_SECRET_DISABLED   8.99 s    452.188 ms (5.3%)
Total   iast_TELEMETRY_OFF               9.013 s   475.359 ms (5.6%)
  • candidate results
Module  Variant                         Duration   Δ vs tracing
Agent   tracing                          1.083 s   -
Agent   iast                             1.198 s   114.824 ms (10.6%)
Agent   iast_HARDCODED_SECRET_DISABLED   1.197 s   113.369 ms (10.5%)
Agent   iast_TELEMETRY_OFF               1.204 s   120.833 ms (11.2%)
Total   tracing                          8.562 s   -
Total   iast                             9.024 s   462.075 ms (5.4%)
Total   iast_HARDCODED_SECRET_DISABLED   8.968 s   406.296 ms (4.7%)
Total   iast_TELEMETRY_OFF               9.046 s   484.566 ms (5.7%)
[gantt chart: insecure-bank - break down per module, candidate=1.33.0-SNAPSHOT~558fed6ed9 vs baseline=1.33.0-SNAPSHOT~0e0654b855; the values are tabulated below]
Variant                         Module          Baseline     Candidate
tracing                         BytebuddyAgent  673.461 ms   677.997 ms
tracing                         GlobalTracer    309.874 ms   312.436 ms
tracing                         AppSec           49.516 ms    49.973 ms
tracing                         Remote Config   651.824 µs   667.568 µs
tracing                         Telemetry         7.558 ms     7.731 ms
iast                            BytebuddyAgent  793.0 ms     793.449 ms
iast                            GlobalTracer    287.105 ms   288.422 ms
iast                            AppSec           50.723 ms    48.731 ms
iast                            IAST             23.616 ms    26.263 ms
iast                            Remote Config   573.594 µs   559.097 µs
iast                            Telemetry         6.642 ms     6.526 ms
iast_HARDCODED_SECRET_DISABLED  BytebuddyAgent  793.628 ms   792.619 ms
iast_HARDCODED_SECRET_DISABLED  GlobalTracer    287.393 ms   288.029 ms
iast_HARDCODED_SECRET_DISABLED  AppSec           50.056 ms    50.911 ms
iast_HARDCODED_SECRET_DISABLED  IAST             23.395 ms    22.179 ms
iast_HARDCODED_SECRET_DISABLED  Remote Config   597.973 µs   580.771 µs
iast_HARDCODED_SECRET_DISABLED  Telemetry         6.615 ms     8.162 ms
iast_TELEMETRY_OFF              BytebuddyAgent  794.154 ms   798.11 ms
iast_TELEMETRY_OFF              GlobalTracer    288.404 ms   290.305 ms
iast_TELEMETRY_OFF              AppSec           48.732 ms    52.346 ms
iast_TELEMETRY_OFF              IAST             25.568 ms    20.121 ms
iast_TELEMETRY_OFF              Remote Config   578.782 µs   579.039 µs
iast_TELEMETRY_OFF              Telemetry         6.542 ms     8.104 ms

Load

Parameters

Parameter        Baseline                      Candidate
end_time         2024-04-16T11:44:16           2024-04-16T12:06:14
git_branch       master                        alejandro.gonzalez/IW_admin_console_active_improve
git_commit_date  1713264800                    1713266276
git_commit_sha   0e0654b                       558fed6
release_version  1.33.0-SNAPSHOT~0e0654b855    1.33.0-SNAPSHOT~558fed6ed9
start_time       2024-04-16T11:44:02           2024-04-16T12:06:01

Matching parameters (same for baseline and candidate)
application      insecure-bank
ci_job_date      1713269523
ci_job_id        487666257
ci_pipeline_id   32184421
cpu_model        Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
variant          iast

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 13 metrics, 15 unstable metrics.

Request duration reports for petclinic
[gantt chart: petclinic - request duration [CI 0.99], candidate=1.33.0-SNAPSHOT~558fed6ed9 vs baseline=1.33.0-SNAPSHOT~0e0654b855; the values are tabulated below]
  • baseline results
Variant         Request duration [CI 0.99]       Δ vs no_agent
no_agent        1.334 ms [1.314 ms, 1.355 ms]    -
appsec          1.704 ms [1.679 ms, 1.728 ms]    369.647 µs (27.7%)
appsec_no_iast  1.746 ms [1.722 ms, 1.77 ms]     412.037 µs (30.9%)
iast            1.499 ms [1.476 ms, 1.522 ms]    164.892 µs (12.4%)
profiling       1.494 ms [1.469 ms, 1.518 ms]    159.464 µs (12.0%)
tracing         1.477 ms [1.452 ms, 1.501 ms]    142.709 µs (10.7%)
  • candidate results
Variant         Request duration [CI 0.99]       Δ vs no_agent
no_agent        1.356 ms [1.337 ms, 1.374 ms]    -
appsec          1.719 ms [1.695 ms, 1.743 ms]    363.436 µs (26.8%)
appsec_no_iast  1.736 ms [1.712 ms, 1.76 ms]     380.821 µs (28.1%)
iast            1.486 ms [1.463 ms, 1.509 ms]    130.132 µs (9.6%)
profiling       1.494 ms [1.469 ms, 1.519 ms]    138.474 µs (10.2%)
tracing         1.482 ms [1.457 ms, 1.507 ms]    126.534 µs (9.3%)
Request duration reports for insecure-bank
[gantt chart: insecure-bank - request duration [CI 0.99], candidate=1.33.0-SNAPSHOT~558fed6ed9 vs baseline=1.33.0-SNAPSHOT~0e0654b855; the values are tabulated below]
  • baseline results
Variant                         Request duration [CI 0.99]           Δ vs no_agent
no_agent                        365.332 µs [345.542 µs, 385.122 µs]  -
iast                            480.83 µs [459.767 µs, 501.894 µs]   115.498 µs (31.6%)
iast_FULL                       544.02 µs [522.913 µs, 565.126 µs]   178.688 µs (48.9%)
iast_GLOBAL                     499.284 µs [477.26 µs, 521.309 µs]   133.952 µs (36.7%)
iast_HARDCODED_SECRET_DISABLED  477.254 µs [455.843 µs, 498.664 µs]  111.922 µs (30.6%)
iast_INACTIVE                   447.714 µs [426.78 µs, 468.649 µs]    82.382 µs (22.6%)
iast_TELEMETRY_OFF              466.133 µs [445.713 µs, 486.552 µs]  100.8 µs (27.6%)
tracing                         450.168 µs [429.491 µs, 470.846 µs]   84.836 µs (23.2%)
  • candidate results
Variant                         Request duration [CI 0.99]           Δ vs no_agent
no_agent                        372.753 µs [353.166 µs, 392.341 µs]  -
iast                            480.183 µs [459.166 µs, 501.2 µs]    107.43 µs (28.8%)
iast_FULL                       540.628 µs [519.734 µs, 561.522 µs]  167.875 µs (45.0%)
iast_GLOBAL                     509.559 µs [486.375 µs, 532.743 µs]  136.806 µs (36.7%)
iast_HARDCODED_SECRET_DISABLED  479.064 µs [458.603 µs, 499.525 µs]  106.311 µs (28.5%)
iast_INACTIVE                   449.404 µs [428.741 µs, 470.066 µs]   76.65 µs (20.6%)
iast_TELEMETRY_OFF              472.184 µs [451.114 µs, 493.254 µs]   99.431 µs (26.7%)
tracing                         449.421 µs [428.733 µs, 470.11 µs]    76.668 µs (20.6%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_admin_console_active_improve branch 2 times, most recently from 35e6f66 to 41c35af on April 4, 2024 10:00
Base automatically changed from alejandro.gonzalez/session_rewriting_detection to master April 8, 2024 07:58
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_admin_console_active_improve branch from 41c35af to a84474c on April 9, 2024 11:04
@jandro996 jandro996 changed the base branch from master to alejandro.gonzalez/change_admin_console_active_impl April 9, 2024 11:17
@jandro996 jandro996 changed the title Add tomcat and jetty default app detection support Add Admin console active support for hot manager tomcat application Apr 9, 2024
@jandro996 jandro996 changed the title Add Admin console active support for hot manager tomcat application IW - I - Add Admin console active support for hot manager tomcat application Apr 9, 2024
@jandro996 jandro996 changed the title IW - I - Add Admin console active support for hot manager tomcat application IW - I - Add Admin console active support for host manager tomcat application Apr 9, 2024
@smola smola added comp: asm iast Application Security Management (IAST) R&D labels Apr 15, 2024
@jandro996 jandro996 force-pushed the alejandro.gonzalez/change_admin_console_active_impl branch from a5edcf6 to 99b05dd on April 16, 2024 06:26
@smola smola changed the title IW - I - Add Admin console active support for host manager tomcat application Add Admin console active support for host manager tomcat application Apr 16, 2024
@smola smola changed the title Add Admin console active support for host manager tomcat application IW - I - Add Admin console active support for host manager tomcat application Apr 16, 2024
Base automatically changed from alejandro.gonzalez/change_admin_console_active_impl to master April 16, 2024 10:53
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_admin_console_active_improve branch from a84474c to 558fed6 on April 16, 2024 11:18
@jandro996 jandro996 force-pushed the alejandro.gonzalez/IW_admin_console_active_improve branch from 20c9efd to cbeea3a on April 16, 2024 11:24
@jandro996 jandro996 changed the title IW - I - Add Admin console active support for host manager tomcat application Add Admin console active support for host manager tomcat application Apr 16, 2024
@jandro996 jandro996 marked this pull request as ready for review April 16, 2024 11:26
@jandro996 jandro996 requested a review from a team as a code owner April 16, 2024 11:26
@smola smola changed the title Add Admin console active support for host manager tomcat application Detect Tomcat's host manager tomcat application as admin console Apr 16, 2024
@jandro996 jandro996 merged commit 3052df4 into master Apr 16, 2024
76 of 77 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/IW_admin_console_active_improve branch April 16, 2024 12:25
@github-actions github-actions bot added this to the 1.33.0 milestone Apr 16, 2024