SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

GraphQL: mitreId filter not returning any results in testcases query #211

Closed nheiniger closed 1 year ago

nheiniger commented 1 year ago

Describe the bug

When using GraphQL queries to search for testcases, the filter based on MITRE ID isn't working properly (it never returns any testcase).

To Reproduce

Use the following Python script or perform the same API calls with another method. This assumes you have at least one testcase with T1007 in the name and the mitreId fields.

import requests
# Vectr API endpoint
url = "https://example.com/graphql"
headers = {"Authorization":"VEC1 <APIKEY>:<SECRETKEY>"}

body1 = """
query {
    testcases(
        db: "ExampleDB",
        filter: {
            name: {contains: "T1007"}
        }
    )
    { nodes {id, name, mitreId}}
}
"""

body2 = """
query {
    testcases(
        db: "ExampleDB",
        filter: {
            mitreId: {contains: "T1007"}
        }
    )
    { nodes {id, name, mitreId}}
}
"""

body3 = """
query {
    testcases(
        db: "ExampleDB",
        filter: {
            mitreId: {eq: "T1007"}
        }
    )
    { nodes {id, name, mitreId}}
}
"""

response = requests.post(url=url, headers=headers, json={"query": body1}, verify=True)
print("response status code: ", response.status_code)
if response.status_code == 200:
    print("response : ", response.content)

response = requests.post(url=url, headers=headers, json={"query": body2}, verify=True)
print("response status code: ", response.status_code)
if response.status_code == 200:
    print("response : ", response.content)

response = requests.post(url=url, headers=headers, json={"query": body3}, verify=True)
print("response status code: ", response.status_code)
if response.status_code == 200:
    print("response : ", response.content)

For my database, the result is:

response status code:  200
response :  b'{"data":{"testcases":{"nodes":[{"id":"c863f5e1-61ec-4ca9-8666-a3f3f9afa725","name":"T1007 - System Service Discovery","mitreId":"T1007"},{"id":"560c02ac-abb0-4381-b702-452d81a3186a","name":"T1007 - System Service Discovery","mitreId":"T1007"},{"id":"8e0f27b0-5417-4ec9-bf11-8776b7bc1c42","name":"T1007 - System Service Discovery - net.exe","mitreId":"T1007"},{"id":"49cd84b2-71a4-49e0-ac0e-fbda9e64123a","name":"T1007 - System Service Discovery - net.exe","mitreId":"T1007"}]}}}'
response status code:  200
response :  b'{"data":{"testcases":{"nodes":[]}}}'
response status code:  200
response :  b'{"data":{"testcases":{"nodes":[]}}}'

You can see with the first request that there are multiple testcases with T1007 in their names and in their MITRE IDs. However, in the second and third requests, we have no results.

Expected behavior

The same set of testcases is returned for all 3 queries.

Screenshots N/A

Additional context

I know it's an API bug and those have no priority for the community edition. I just thought you might be interested to know nonetheless.

nheiniger commented 1 year ago

Update: I just upgraded our instance to community edition 8.7.0. The same behavior is still observed.

doodleincode commented 1 year ago

Thanks for reporting the issue. Confirming that it does appear to be a bug. We'll investigate and provide a fix in a future release.

thebleucheese commented 1 year ago

This will be fixed in the next planned VECTR release.

thebleucheese commented 1 year ago

Fixed MITRE ID Test Case filter behavior in 8.8.0.