google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

Exposed spark UI and api #449

Closed timoles closed 4 months ago

timoles commented 6 months ago

@maoning this is the first part of the PR for https://github.com/google/tsunami-security-scanner-plugins/issues/416

The detector for the exposed WEB UI is missing. However, I thought I'd first make sure everything is correct before adapting the detector for the exposed WEB UI. As the web ui is a simple http code check and regex, it should be less complex.

timoles commented 6 months ago

An additional remark: The RCE payload executes asynchronously and sometimes takes a few seconds to execute. In some instances the plugin queries the callback server before the payload had a chance to trigger the interaction. This leads to false-negatives.

What is the usual approach for this issue? I assume implementing a sleep (as I did in testing) is not satisfactory. Can we have an asynchronous lookup for the payload at a later time?

am0o0 commented 6 months ago

Hi, I faced this before, according to current merged plugins, they are using Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(10));

maoning commented 6 months ago

@timoles Yes, let's go with sleep for now. If you are interested in implementing an asynchronous lookup for the payload as part of payload generator framework, please let me know. I can make it as part of the patch reward. We will need to track all the interactions and finding templates from plugins that want to do asynchronous lookup and add an additional step before the scanner exits.

timoles commented 5 months ago

Hi @maoning I'm using the sleep for now. Also I implemented a check which does some pre-validation before we run into the sleep timeout. I guess this should keep unnecessary sleeps to a minimum.

Regarding the implementation of the payload generator framework: I really appreciate the offer. However, I currently don't have the time (and most likely the "professional Java expertise") to realise such a project.
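As an added illustration of the timing problem discussed in this thread (this is not code from the PR or from the Tsunami project): rather than one fixed sleep before a single callback-server query, a plugin can poll the callback server at a short interval up to a bounded deadline and return as soon as an interaction is seen. `CallbackCheck` is an assumed stand-in for the plugin's real callback-server query, and the pre-validation gate mentioned above would run before this wait is entered at all.

```java
import com.google.common.util.concurrent.Uninterruptibles;
import java.time.Duration;
import java.time.Instant;

public final class CallbackPoller {
  /** Assumed stand-in for the plugin's real query against the callback server. */
  @FunctionalInterface
  public interface CallbackCheck {
    boolean interactionObserved();
  }

  private CallbackPoller() {}

  /**
   * Polls {@code check} every {@code interval} until it reports an interaction or
   * {@code deadline} elapses. A fast target is detected after the first poll instead of
   * paying the full wait, while a slow asynchronous payload still gets the whole window
   * before the plugin concludes "no interaction" (the false-negative case described above).
   */
  public static boolean awaitInteraction(CallbackCheck check, Duration deadline, Duration interval) {
    Instant end = Instant.now().plus(deadline);
    while (true) {
      if (check.interactionObserved()) {
        return true;
      }
      if (!Instant.now().isBefore(end)) {
        return false;
      }
      // Same sleeping primitive the merged plugins use, just in smaller slices.
      Uninterruptibles.sleepUninterruptibly(interval);
    }
  }

  public static void main(String[] args) {
    // Constructed stand-in: the "callback server" reports the interaction on the third poll.
    int[] polls = {0};
    CallbackCheck check = () -> ++polls[0] >= 3;
    boolean seen = awaitInteraction(check, Duration.ofSeconds(10), Duration.ofMillis(500));
    System.out.println("interaction observed: " + seen + " after " + polls[0] + " polls");
  }
}
```

The deadline bounds total scan time per target, so a larger window than the fixed 10 seconds costs nothing on hosts that respond quickly.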

timoles commented 5 months ago

Both plugins (exposed api to rce and web ui info disclosure) are done and ready to review :)

Thank you very much

timoles commented 5 months ago

I resolved all open issues. However, there appear to be some build issues due to com.google.guava. As far as I can tell this issue appeared recently, for my and other plugins. Is there some dependency issue?

am0o0 commented 5 months ago

@timoles I think you should update the base branch to latest commit, because they are using gradle 7 now

pisqu4red commented 5 months ago

Correct, @timoles - please sync with master. We have upgraded gradle to 7.0 in this commit so this should resolve the last failures.

pisqu4red commented 4 months ago

Hi @timoles,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!