google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

Mlflow weak credential tester #455

Closed lanced00m closed 1 month ago

lanced00m commented 3 months ago

https://github.com/google/tsunami-security-scanner-plugins/issues/412

Hi @maoning I couldn't test the plugin on a vulnerable target because of this error:

Apr 06, 2024 4:43:41 AM com.google.tsunami.workflow.DefaultScanningWorkflow runAsync
INFO: Staring Tsunami scanning workflow.
Apr 06, 2024 4:43:41 AM com.google.tsunami.workflow.DefaultScanningWorkflow fingerprintNetworkServices
INFO: Port scanning phase done, moving to service fingerprinting phase with '0' fingerprinter(s) selected.
Apr 06, 2024 4:43:41 AM com.google.tsunami.main.cli.TsunamiCli main
SEVERE: Exiting due to workflow execution exceptions.
java.util.concurrent.ExecutionException: com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Error in custom provider, java.lang.IllegalAccessError: class com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.proto.ServiceDefaultCredentials tried to access method 'com.google.protobuf.LazyStringArrayList com.google.protobuf.LazyStringArrayList.emptyList()' (com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.proto.ServiceDefaultCredentials and com.google.protobuf.LazyStringArrayList are in unnamed module of loader 'app')

  at com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetectorBootstrapModule.providesDefaultCredentialsData(GenericWeakCredentialDetectorBootstrapModule.java:166) (via modules: com.google.tsunami.main.cli.TsunamiCli$TsunamiCliModule -> com.google.tsunami.plugin.PluginLoadingModule -> com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetectorBootstrapModule)
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.proto.DefaultCredentialsData
    for the 1st parameter of com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.DefaultCredentials.<init>(DefaultCredentials.java:37)
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.DefaultCredentials
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.CredentialProvider annotated with @com.google.inject.internal.Element(setName=,uniqueId=11, type=MULTIBINDER, keyType=)
  while locating java.util.Set<com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.provider.CredentialProvider>
    for the 1st parameter of com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetector.<init>(GenericWeakCredentialDetector.java:103)
  while locating com.google.tsunami.plugins.detectors.credentials.genericweakcredentialdetector.GenericWeakCredentialDetector
  while locating com.google.tsunami.plugin.TsunamiPlugin annotated with @com.google.inject.internal.Element(setName=,uniqueId=13, type=MAPBINDER, keyType=com.google.tsunami.plugin.PluginDefinition)

But I'm sure it works because of the comprehensive test cases I've implemented.

What I'm doing is simply running ./gradlew build in the google/detectors/credentials/generic_weak_credential_detector directory, and then I copy the Nmap plugin to google/detectors/credentials/generic_weak_credential_detector/build/libs/ because it is needed. Finally, I run this command:

java -cp "tsunami-main-0.0.22-SNAPSHOT-cli.jar:/absolute/path/to/tsunami-security-scanner-plugins/google/detectors/credentials/generic_weak_credential_detector/build/libs/*" com.google.tsunami.main.cli.TsunamiCli --uri-target=http://127.0.0.1:5000

I'm working with openjdk-11.
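The IllegalAccessError quoted above is the usual signature of protobuf generated code that was compiled by a newer protoc than the protobuf-java runtime it is loaded against: the generated ServiceDefaultCredentials class calls LazyStringArrayList.emptyList(), which older runtimes do not expose as public. Since both the CLI jar and the plugin jars on the -cp line can bundle their own copy of the runtime, a quick way to see which version each jar carries is to read the Maven pom.properties that the protobuf-java artifact ships with. The script below is an added example, not code from the PR or the Tsunami project; it assumes the jars keep that pom.properties entry (fat jars built with the shadow plugin normally do) and takes 3.25 as the first runtime in which emptyList() is public, which is an assumption to confirm against the protobuf release notes.

```python
"""Report the protobuf-java runtime bundled in each jar of a classpath directory."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption (not stated on the PR page): generated code from protoc 25+ calls
# LazyStringArrayList.emptyList(), which is public only from protobuf-java 3.25.
MIN_COMPATIBLE_RUNTIME = (3, 25, 0)

# Maven writes this entry into the protobuf-java jar; shaded jars usually keep it.
POM_PROPS = "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties"


def parse_version(text):
    """Turn '3.21.12' or '3.25.3-SNAPSHOT' into a 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def protobuf_runtime_version(jar_path):
    """Return the protobuf-java version string bundled in jar_path, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None  # jar does not carry a protobuf runtime
        props = jar.read(POM_PROPS).decode("utf-8", errors="replace")
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def audit_classpath(dirs):
    """Map jar name -> (runtime version, compatible?) for every jar under dirs.

    Jars that bundle no protobuf runtime are skipped; the remaining ones are
    the candidates for the 'first on -cp wins' class-loading conflict.
    """
    report = {}
    for d in dirs:
        for jar in sorted(Path(d).glob("*.jar")):
            version = protobuf_runtime_version(jar)
            if version is None:
                continue
            report[jar.name] = (version, parse_version(version) >= MIN_COMPATIBLE_RUNTIME)
    return report


def make_fake_jar(path, version):
    """Constructed fixture: a jar holding only the protobuf-java pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\ngroupId=com.google.protobuf\n")


def demo():
    """Audit a constructed directory with an old runtime, a new one, and a plain jar."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_jar(Path(tmp) / "old-runtime.jar", "3.21.12")
        make_fake_jar(Path(tmp) / "new-runtime.jar", "3.25.3")
        with zipfile.ZipFile(Path(tmp) / "plain-plugin.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return audit_classpath([tmp])


if __name__ == "__main__":
    for name, (version, ok) in demo().items():
        print(f"{name}: protobuf-java {version} -> {'ok' if ok else 'TOO OLD for protoc 25+ code'}")
```

Point the audit at the directories that make up the -cp argument (the CLI jar's directory and the plugin build/libs directory) instead of the constructed temp dir. When two jars bundle different runtime versions, the JVM loads whichever jar appears first on -cp, so with the command above the CLI jar's copy governs, which matches the observation that rebuilding the CLI made the error go away.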

lanced00m commented 2 months ago

@pisqu4red The error is because of the Tsunami CLI: when I compiled it with the Docker command and copied the final Tsunami CLI jar file from Docker to my environment, everything was normal. The Gradle version was the same from the beginning. Maybe the reason is that I was building the Tsunami CLI with OpenJDK 11 and it should be 13 instead.

pisqu4red commented 2 months ago

@lanced00m could you please sync with master branch?

We have upgraded Gradle to 7.0 in this commit, so this should resolve the last failures.

The reason for asking for the gradle --version command is that it gives other information about the JVM and OS environment as well.

Could you please address my previous comments before doing another round of review? Thanks!

lanced00m commented 2 months ago

@pisqu4red Sorry, I didn't fully understand your last comment. I updated the branch and tested the compilation now, and ./gradlew compile worked fine. Should I still show you the gradle --version output? Because my problem is solved. I double-checked the first round of reviews and applied the changes; do you mean that I should mark the comments as resolved in this pull request? Also, I'm sorry I put all the changes in one commit, so from the diff it seems really hard to compare the code. I'll revert the additional spaces now, so I hope it gets better.

lanced00m commented 2 months ago

@pisqu4red Now you can compare the initial commit with the last commit more easily: 0de8e9a581b994cce339d60f1743c17b3e2c8d30. I'm going to add one more commit to add proper spaces and Google format.

pisqu4red commented 1 month ago

Hi @lanced00m,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!