google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.

PRP: Request Web Application Fingerprint - Elasticsearch & Kibana #134

Open C4o opened 2 years ago

C4o commented 2 years ago

Hi there,

I would like to start the implementation for a web application fingerprint that detects the following software - Elasticsearch and Kibana

Docker hub image: https://hub.docker.com/_/elasticsearch https://hub.docker.com/_/kibana

Please let me know if this is in scope.

maoning commented 2 years ago

Hi @C4o ,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on implementation work for any other requests you might have.

Thanks!

C4o commented 2 years ago

Hi @maoning, I wonder, if I provide its fingerprint, whether I need to provide the fingerprint of the full version and of subsequent new versions? And BTW, could I request a PR for these issues?

- #205
- #223
- #224

maoning commented 2 years ago

Hi @C4o , please provide fingerprints for at least the versions from the last 3-5 years, and also include an automation script that will update the prebuilt fingerprint database when there is a new release of the web application (this will cover subsequent new versions). I realized that we currently don't have an automation script as an example; I will see if I can add one asap.

It is hard to gauge the relevancy of pending detector requests without the fingerprinters to identify how often tsunami scanner encounters these software in the wild. I have already approved a confluence fingerprinting request https://github.com/google/tsunami-security-scanner-plugins/issues/64, once it is rolled out, it will help to measure how relevant #223 is.

C4o commented 2 years ago

Hi @maoning ,

I think it may be difficult to automatically update the fingerprint for a new version, because it's hard to know what code is added in the new version and which features are caused by an automation script :(

Are there any feasible methods for reference? I'll try it.

maoning commented 2 years ago

Hi @C4o , https://github.com/google/tsunami-security-scanner-plugins/blob/44945935781404f2de649bf6f88dd3d60acdae6b/google/fingerprinters/web/scripts/updater/wordpress/update.sh is the automation script @magl0 submitted. It automatically spins up a version of WordPress and updates the fingerprint file with a new fingerprint (full commit: https://github.com/google/tsunami-security-scanner-plugins/commit/44945935781404f2de649bf6f88dd3d60acdae6b). You can put your update script at the same location, under an elasticsearch & kibana folder.

C4o commented 2 years ago

Copy that. Thanks. @maoning

tooryx commented 5 months ago

Also @C4o, I see that this request has been opened for quite some time. Are you still willing to contribute to this plugin or should I just close it out?

C4o commented 5 months ago

@tooryx Yes, I'll try to contribute to this plugin soon.

C4o commented 5 months ago

Hi @tooryx.

It seems that the latest version of Elasticsearch cannot be fingerprinted in this way, because none of the static files can be requested directly. But the fingerprinter plugin for Kibana seems okay.

......
INFO: No new fingerprints found.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 18s
6 actionable tasks: 1 executed, 5 up-to-date
fingerprint updating failed

And BTW, I tested other fingerprinter plugins, including wordpress/drupal/zabbix, and I found that errors occurred (with no correct version) when there are empty lines in versions.txt; it worked after I deleted the last line.

......
Fingerprint updated successfully
drupal_7.74
Fingerprinting Drupal version  ...
docker: invalid reference format.
See 'docker run --help'.
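The updater loop maoning describes above (spin up each listed version in Docker, then update the fingerprint database) and the blank-line failure C4o reports here ("docker: invalid reference format" when versions.txt ends with an empty line) are illustrated by the following added example. It is not the project's own update.sh, nor any script from this thread: the versions.txt format (`<app>_<version>`, one per line), the `kibana` Docker Hub image, the ELASTICSEARCH_HOSTS environment variable and the FINGERPRINTER_CMD placeholder for the actual fingerprinter invocation are assumptions made for the example. The parsing and validation functions run offline; the container part only runs when RUN_UPDATER=1.

```shell
#!/usr/bin/env bash
# Added example, not the project's updater script. Sketch of a version-driven
# fingerprint update loop that tolerates blank/whitespace lines in versions.txt.
set -eu

# Constructed sample versions.txt contents (assumed "<app>_<version>" format):
# note the trailing blank lines and stray whitespace that break "docker run".
sample_versions() {
  printf 'kibana_8.12.0\nkibana_8.11.4 \n\n  kibana_7.17.18\n\n'
}

# Read versions from stdin: drop '#' comments, trim whitespace, drop empty
# lines and de-duplicate while preserving order. An empty line passed through
# to "docker run kibana:" is exactly the "invalid reference format" failure.
read_versions() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
    | awk '!seen[$0]++'
}

# Turn an entry like "kibana_8.12.0" into an "image:tag" reference, rejecting
# anything that cannot be a valid Docker tag (empty tag, missing separator,
# characters outside [A-Za-z0-9_.-]) before it reaches the docker CLI.
image_ref() {
  entry="$1"
  image="$2"
  tag="${entry#*_}"
  if [ -z "$tag" ] || [ "$tag" = "$entry" ]; then
    echo "skipping malformed entry: '$entry'" >&2
    return 1
  fi
  case "$tag" in
    *[!A-Za-z0-9_.-]*)
      echo "skipping entry with invalid tag: '$entry'" >&2
      return 1 ;;
  esac
  printf '%s:%s\n' "$image" "$tag"
}

# Start one version, wait for its HTTP listener, run the fingerprinter, stop it.
# Kibana needs a reachable Elasticsearch to serve its full UI; the hostname is
# an assumption taken from the environment. FINGERPRINTER_CMD is an assumed
# placeholder for the project's real fingerprinter invocation.
fingerprint_version() {
  entry="$1"
  ref=$(image_ref "$entry" kibana) || return 0   # skip bad entries, keep going
  echo "Fingerprinting $ref ..."
  cid=$(docker run -d --rm -p 5601:5601 \
    -e "ELASTICSEARCH_HOSTS=${ELASTICSEARCH_HOSTS:-http://elasticsearch:9200}" \
    "$ref")
  i=0
  while [ "$i" -lt 60 ]; do   # up to ~120 s for the listener to come up
    if curl -s -o /dev/null "http://localhost:5601/"; then break; fi
    sleep 2
    i=$((i + 1))
  done
  if ! ${FINGERPRINTER_CMD:-false} "$entry" "http://localhost:5601"; then
    echo "fingerprint updating failed for $entry" >&2
  fi
  docker stop "$cid" >/dev/null
}

# Drive the loop from the cleaned version list (stdin or the sample above).
main() {
  if [ -t 0 ]; then sample_versions; else cat; fi \
    | read_versions \
    | while IFS= read -r entry; do fingerprint_version "$entry"; done
}

if [ "${RUN_UPDATER:-0}" = 1 ]; then
  main
fi
```

Running `RUN_UPDATER=1 ./update.sh < versions.txt` walks the list; without that variable the script only defines the functions, so `read_versions` and `image_ref` can be exercised on their own to confirm that blank and malformed lines are dropped instead of producing an empty Docker tag.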

tooryx commented 5 months ago

Could you at least proceed with submitting the Kibana ones for now? We can look again at Kibana when I have more time.

~tooryx

C4o commented 5 months ago

@tooryx, yes of course, I've been working on the Kibana fingerprinter for the past few days.