contrast-agent 5.1.0 → 6.0.0

data/lib/contrast/agent/protect/input_analyzer/input_analyzer.rb

@@ -0,0 +1,147 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/reporting/input_analysis/input_analysis'
+require 'contrast/agent/protect/rule/no_sqli/no_sqli_input_classification'
+require 'contrast/agent/protect/rule/sqli/sqli_input_classification'
+require 'contrast/agent/protect/rule/unsafe_file_upload/unsafe_file_upload_input_classification'
+require 'contrast/agent/protect/rule/unsafe_file_upload'
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/rule/cmdi/cmdi_input_classification'
+require 'contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification'
+require 'json'
+
+module Contrast
+  module Agent
+    module Protect
+      # InputAnalyzer will extract input form current request context and will analyze it.
+      # This will be used in for the SQLI and CMDI worth_watching_v2 implementations.
+      module InputAnalyzer
+        DISPOSITION_NAME = 'name'
+        DISPOSITION_FILENAME = 'filename'
+
+        class << self
+          include Contrast::Agent::Reporting::InputType
+          include Contrast::Agent::Reporting::ScoreLevel
+          include Contrast::Agent::Protect::Rule::SqliWorthWatching
+          include Contrast::Utils::ObjectShare
+          include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+
+          PROTECT_RULES = {
+              sqli: {
+                  rule_name: 'sql-injection',
+                  classification: Contrast::Agent::Protect::Rule::SqliInputClassification
+              },
+              cmdi: {
+                  rule_name: 'cmd-injection',
+                  classification: Contrast::Agent::Protect::Rule::CmdiInputClassification
+              },
+              method_tampering: {
+                  rule_name: 'method-tampering',
+                  classification: Contrast::Agent::Protect::Rule::HttpMethodTamperingInputClassification
+              },
+              unsafe_file_upload: {
+                  rule_name: 'unsafe-file-upload',
+                  classification: Contrast::Agent::Protect::Rule::UnsafeFileUploadInputClassification
+              },
+              nosqli: {
+                  rule_name: 'nosql-injection',
+                  classification: Contrast::Agent::Protect::Rule::NoSqliInputClassification
+              }
+          }.cs__freeze
+
+          # This method with analyze the user input from the context of the
+          # current request and run each of the protect rules against all
+          # found input types
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def analyse request
+            return unless Contrast::SETTINGS.protect_state.enabled
+            return if request.nil?
+
+            inputs = extract_input request
+            return unless inputs
+
+            input_analysis = Contrast::Agent::Reporting::InputAnalysis.new
+            input_analysis.request = request
+            # each rule against each input
+            input_classification inputs, input_analysis
+            input_analysis
+          end
+
+          private
+
+          # classify input by rule implementation of worth_watching_v2 for the rules supporting it.
+          #
+          # @param inputs [String, Array<String>] user input to be analysed.
+          # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Here we will keep all the results
+          #                                                       for each protect rule.
+          # @return input_analysis [Contrast::Agent::Reporting::InputAnalysis, nil]
+          def input_classification inputs, input_analysis
+            # key = input type, value = user_input
+            inputs.each do |input_type, value|
+              next if value.nil? || value.empty?
+
+              PROTECT_RULES.each do |_key, rule|
+                # check if rule is enabled
+                next unless Contrast::PROTECT.rule(rule[:rule_name]).enabled?
+
+                # method tampering doesn't take value
+                if rule[:rule_name] == Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+                  rule[:classification].send(:classify, input_type, input_analysis)
+                else
+                  rule[:classification].send(:classify, input_type, value, input_analysis)
+                end
+              end
+            end
+            input_analysis
+          end
+
+          # Extract the inputs from the request context and label them with Protect
+          # input type tags. Each tag will contain one or more user inputs.
+          #
+          # This methods is to be expanded and modified as needed by other Protect rules
+          # and sub-rules for their requirements.
+          #
+          # @param request [Contrast::Agent::Request] current request context.
+          # @return inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          def extract_input request
+            inputs = {}
+            inputs[BODY] = request.body
+            inputs[COOKIE_NAME] = request.cookies.keys
+            inputs[COOKIE_VALUE] = request.cookies.values
+            inputs[HEADER] = request.headers
+            inputs[PARAMETER_NAME] = request.parameters.keys
+            inputs[PARAMETER_VALUE] = request.parameters.values
+            inputs[QUERYSTRING] = request.query_string
+            inputs[METHOD] = request.request_method
+            extract_multipart inputs, request
+            inputs.compact!
+            inputs
+          end
+
+          # Extract the filename and name of the  Content Disposition Header.
+          #
+          # @param inputs [Hash<Contrast::Agent::Protect::InputType => user_inputs>]
+          # @param request [Contrast::Agent::Request] current request context.
+          def extract_multipart inputs, request
+            disposition = request.rack_request.env['Content-Disposition']
+            disposition = request.rack_request.env['CONTENT_DISPOSITION'] if disposition.nil? || disposition.empty?
+            return unless disposition
+
+            pairs = {}
+            disposition.split(SEMICOLON).each do |elem|
+              new_pair = elem.strip.split(EQUALS, 2)
+              pairs[new_pair[0].downcase] = new_pair[1] if new_pair
+            end
+            inputs[MULTIPART_NAME] = pairs[DISPOSITION_NAME]
+            inputs[MULTIPART_FIELD_NAME] = pairs[DISPOSITION_FILENAME]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/policy/applies_no_sqli_rule.rb

@@ -41,7 +41,8 @@ module Contrast
             private
 
             def valid_input? args
-              return false unless args&.any?
+              return false unless args
+              return false unless args.cs__is_a?(Array) && args.any?
 
               args[0]
             end

data/lib/contrast/agent/protect/policy/applies_path_traversal_rule.rb

@@ -65,7 +65,7 @@ module Contrast
             end
 
             def path_traversal_rule path, possible_write, object, method
-              return unless applies_to?(path, possible_write)
+              return unless applies_to?(path, possible_write: possible_write)
 
               rule.infilter(Contrast::Agent::REQUEST_TRACKER.current, method, path)
             rescue Contrast::SecurityException => e
@@ -90,7 +90,7 @@ module Contrast
               end
             end
 
-            def applies_to? path, possible_write = false
+            def applies_to? path, possible_write: false
               # any possible write is a potential risk
               return true if possible_write
 

data/lib/contrast/agent/protect/rule/base.rb

@@ -3,6 +3,7 @@
 
 require 'contrast/components/logger'
 require 'contrast/components/scope'
+require 'contrast/api/decorators/response_type'
 
 module Contrast
   module Agent
@@ -173,6 +174,23 @@ module Contrast
             context.activity.results << result if result
           end
 
+          # With this we log to CEF
+          #
+          # @param result [Contrast::Api::Dtm::AttackResult]
+          # @param attack [Symbol] the type of message we want to send
+          # @param value [String] the input value we want to log
+          def cef_logging result, attack = :ineffective_attack, value = nil
+            sample_to_json = Contrast::Api::Dtm::RaspRuleSample.to_controlled_hash result.samples[0]
+            outcome = if result.response.cs__is_a? Hash
+                        Contrast::Agent::Reporting::ResponseType.cs__const_get(result.response[:name])
+                      else
+                        Contrast::Api::Dtm::AttackResult::ResponseType.get_name_by_tag(result.response)
+                      end
+            input_type = extract_input_type sample_to_json[:user_input].input_type
+            input_value = value || sample_to_json[:user_input].value
+            cef_logger.send(attack, result.rule_id, outcome, input_type, input_value)
+          end
+
           protected
 
           def mode_from_settings
@@ -232,10 +250,14 @@ module Contrast
 
           def update_perimeter_attack_response context, ia_result, result
             if mode == Contrast::Api::Settings::ProtectionRule::Mode::BLOCK_AT_PERIMETER
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+              result.response = if blocked_rule?(ia_result)
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED
+                                else
+                                  Contrast::Api::Dtm::AttackResult::ResponseType::BLOCKED_AT_PERIMETER
+                                end
               log_rule_matched(context, ia_result, result.response)
             elsif ia_result.nil? || ia_result.attack_count.zero?
-              result.response = Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+              result.response = assign_reporter_response_type ia_result
               log_rule_probed(context, ia_result)
             end
 
@@ -293,12 +315,49 @@ module Contrast
                          result: response)
           end
 
+          # This method returns the symbol for the enum
+          #
+          # @param enum [Enumerable]
+          # @return [Symbol]
+          def extract_input_type enum
+            Contrast::Api::Dtm::UserInput::InputType.get_name_by_tag enum
+          end
+
           private
 
+          # Block At Perimeter mode has been deprecated in sqli_worth_watching_v2
+          # and should be treated equivalent to Blocked mode if set
+          def blocked_rule? ia_result
+            [
+              Contrast::Agent::Protect::Rule::Sqli::NAME,
+              Contrast::Agent::Protect::Rule::NoSqli::NAME
+            ].include?(ia_result&.rule_id)
+          end
+
           def log_rule_probed _context, ia_result
             logger.debug('An unsuccessful attack was detected', rule: rule_name, type: ia_result&.input_type,
                                                                 name: ia_result&.key, input: ia_result&.value)
           end
+
+          # Handles the Response type for different Protect rules.
+          # Some rules need to report SUSPICIOUS over PROBED in
+          # MONITORED mode.
+          #
+          # @param ia_result [Contrast::Agent::Reporting::InputAnalysis]
+          # @return [Contrast::Agent::Reporting::ResponseType,
+          # Contrast::Api::Dtm::AttackResult::ResponseType]
+          def assign_reporter_response_type ia_result
+            if (ia_result&.rule_id == Contrast::Agent::Protect::Rule::Xss::NAME ||
+                  Contrast::Agent::Protect::Rule::UnsafeFileUpload::NAME) &&
+                  Contrast::CONTRAST_SERVICE.use_agent_communication?
+
+              # Here we'll have xss or unsafe file upload in monitoring mode
+              # and we have to report it as SUSPICIOUS, not as PROBED.
+              Contrast::Agent::Reporting::ResponseType::SUSPICIOUS
+            else
+              Contrast::Api::Dtm::AttackResult::ResponseType::PROBED
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/base_service.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -10,6 +11,8 @@ module Contrast
         # Encapsulate common code for protect rules that do their
         # input analysis on Speedracer rather in ruby code
         class BaseService < Contrast::Agent::Protect::Rule::Base
+          include Contrast::Components::Logger::InstanceMethods
+
           def rule_name
             'base-service'
           end
@@ -41,6 +44,7 @@ module Contrast
             result = find_postfilter_attacker(context, nil)
             return unless result&.samples&.any?
 
+            cef_logging result
             append_to_activity(context, result)
             return unless result.response == :BLOCKED
 
@@ -83,7 +87,14 @@ module Contrast
           def find_postfilter_attacker context, potential_attack_string, **kwargs
             ia_results = gather_ia_results(context)
             ia_results.select! do |ia_result|
-              ia_result.score_level == Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+              ia_result.score_level == if ia_result.rule_id == Contrast::Agent::Protect::Rule::Sqli::NAME ||
+                    ia_result.rule_id == Contrast::Agent::Protect::Rule::CmdInjection::NAME
+
+                                         Contrast::Agent::Reporting::ScoreLevel::WORTHWATCHING
+                                       else
+                                         # legacy implementation for DEFINITEATATACK
+                                         Contrast::Api::Settings::InputAnalysisResult::ScoreLevel::DEFINITEATTACK
+                                       end
             end
             find_attacker_with_results(context, potential_attack_string, ia_results, **kwargs)
           end

data/lib/contrast/agent/protect/rule/cmd_injection.rb

@@ -5,6 +5,7 @@ require 'contrast/agent/protect/rule/base_service'
 require 'contrast/utils/stack_trace_utils'
 require 'contrast/utils/object_share'
 require 'contrast/components/logger'
+require 'contrast/agent/reporting/input_analysis/input_type'
 
 module Contrast
   module Agent
@@ -13,9 +14,15 @@ module Contrast
         # The Ruby implementation of the Protect Command Injection rule.
         class CmdInjection < Contrast::Agent::Protect::Rule::BaseService
           include Contrast::Components::Logger::InstanceMethods
+          include Contrast::Agent::Reporting::InputType
 
           NAME = 'cmd-injection'
           CHAINED_COMMAND_CHARS = /[;&|<>]/.cs__freeze
+          APPLICABLE_USER_INPUTS = [
+            BODY, COOKIE_VALUE, HEADER, PARAMETER_NAME,
+            PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE,
+            MULTIPART_FIELD_NAME, XML_VALUE, DWR_VALUE
+          ].cs__freeze
 
           def rule_name
             NAME
@@ -39,6 +46,8 @@ module Contrast
             return unless result
 
             append_to_activity(context, result)
+            cef_logging result, :successful_attack
+
             return unless blocked?
 
             raise Contrast::SecurityException.new(self,
@@ -125,6 +134,12 @@ module Contrast
           def report_any_command_execution?
             ::Contrast::PROTECT.report_any_command_execution?
           end
+
+          def gather_ia_results context
+            context.agent_input_analysis.results.select do |ia_result|
+              ia_result.rule_id == rule_name
+            end
+          end
         end
       end
     end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_input_classification.rb

@@ -0,0 +1,83 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/reporting/input_analysis/input_type'
+require 'contrast/agent/protect/rule/cmd_injection'
+require 'contrast/agent/reporting/input_analysis/score_level'
+require 'contrast/agent/protect/rule/cmdi/cmdi_worth_watching'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/utils/input_classification'
+require 'contrast/components/logger'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of CMD Injection rule
+        # as a result input would be marked as WORTHWATCHING or IGNORE,
+        # to be analyzed at the sink level.
+        module CmdiInputClassification
+          class << self
+            include InputClassificationBase
+            include Contrast::Agent::Protect::Rule::CmdiWorthWatching
+            include Contrast::Components::Logger::InstanceMethods
+
+            WORTHWATCHING_MATCH = 'cmdi-worth-watching-v2'
+            CMDI_KEYS_NEEDED = [
+              COOKIE_VALUE, PARAMETER_VALUE, JSON_VALUE, MULTIPART_VALUE, XML_VALUE, DWR_VALUE
+            ].cs__freeze
+
+            # This method will determine actually if the user input is WORTHWATCHING
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+            # @param value [String, Array<String>] the value of the input
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+            # analysis from the current request.
+            def classify input_type, value, input_analysis
+              return unless Contrast::Agent::Protect::Rule::CmdInjection::APPLICABLE_USER_INPUTS.include?(input_type)
+              return unless super
+
+              rule_id = Contrast::Agent::Protect::Rule::CmdInjection::NAME
+
+              Array(value).each do |val|
+                Array(val).each do |v|
+                  input_analysis.results << cmdi_create_new_input_result(input_analysis.request, rule_id, input_type, v)
+                end
+              end
+
+              input_analysis
+            rescue StandardError => e
+              logger.debug('An Error was recorded in the input classification of the cmdi.')
+              logger.debug(e)
+            end
+
+            private
+
+            # This methods checks if input is tagged WORTHWATCHING or IGNORE matches value with it's
+            # key if needed and Creates new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            # @param value [String, Array<String>] the value of the input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def cmdi_create_new_input_result request, rule_id, input_type, value
+              ia_result = new_ia_result rule_id, input_type, request.path, value
+              if cmdi_worth_watching? value
+                ia_result.score_level = WORTHWATCHING
+                ia_result.ids << WORTHWATCHING_MATCH
+              else
+                ia_result.score_level = IGNORE
+              end
+
+              add_needed_key request, ia_result, input_type, value if CMDI_KEYS_NEEDED.include? input_type
+              ia_result
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/cmdi/cmdi_worth_watching.rb

@@ -0,0 +1,64 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module implements the cmdi-worth-watching-v2 check to determine whether input
+        # is IGNORED or WORTH_WATCHING. If WORTH_WATCHING => analyze at sink level.
+        # https://protect-spec.prod.dotnet.contsec.com/rules/cmd-injection.html#input-tracing
+        module CmdiWorthWatching
+          POSSIBLE_CHAINING_ELEMENTS = %w[& ; | $ < > `].cs__freeze
+          UNIX_COMMANDS = %w[
+            uname echo cat ping nestat nc whoami wget curl dir ls ps rm chmod cp kill
+            grep sleep mkdir pwd shutdown system touch timeout fetch bash sh
+          ].cs__freeze
+          UNIX_PATHS = %w[tmp opt etc home mnt proc lib bin sbin sys usr var root run].cs__freeze
+          WINDOWS_COMMANDS = %w[
+            sc net reg cmd query cmd.exe powershell powershell.exe hostname ifconfig ipconfig netsh
+            netstat systeminfo sysinfo whoami wscript cscript wmic PowerShell_ISE pskill psexec qprocess
+            regedit regini rename winrm wpeutil ntdsutil taskkill certutil mapisend shellrunas
+          ].cs__freeze
+          # This method will determine if a user input is Worth watching and return true if it is.
+          # This is done by running checks, and if the inputs is worth to watch it would be
+          # saved for the later sink cmdi input analysis.
+          #
+          # @param input [String] the user input to be inspected
+          # @return true | false
+          def cmdi_worth_watching? input
+            return false if input.nil? || input.empty? || input.length < 3
+
+            exploitable?(input) && worth_watching?(input)
+          end
+
+          private
+
+          # This method will check if the input is exploitable
+          #
+          # @param input [String] the user input to be inspected
+          def exploitable? input
+            contains_substring?(input, POSSIBLE_CHAINING_ELEMENTS)
+          end
+
+          def worth_watching? input
+            return true if contains_substring?(input, UNIX_COMMANDS)
+            return true if contains_substring?(input, UNIX_PATHS)
+            return true if contains_substring?(input, WINDOWS_COMMANDS)
+
+            false
+          end
+
+          def contains_substring? input, values
+            return true if values.any? { |val| input.include?(val) }
+            return true if values.include?(Contrast::Utils::ObjectShare::SPACE)
+
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/deserialization.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require 'contrast/agent/protect/rule/base'
+require 'contrast/components/logger'
 
 module Contrast
   module Agent
@@ -11,6 +12,8 @@ module Contrast
         # Deserialization Protect rule.
         class Deserialization < Contrast::Agent::Protect::Rule::Base
           # The TeamServer recognized name of this rule
+          include Contrast::Components::Logger::InstanceMethods
+
           NAME = 'untrusted-deserialization'
 
           # The rule specific reason for raising a security exception.
@@ -78,6 +81,8 @@ module Contrast
             result = build_attack_with_match(context, ia_result, nil, serialized_input, **kwargs)
             append_to_activity(context, result)
 
+            cef_logging result, :successful_attack
+
             raise Contrast::SecurityException.new(self, block_message) if blocked?
           end
 
@@ -97,6 +102,7 @@ module Contrast
             ia_result = build_evaluation(gadget_command)
             result = build_attack_with_match(context, ia_result, nil, gadget_command, **kwargs)
             append_to_activity(context, result)
+            cef_logging result, :successful_attack, gadget_command
             raise Contrast::SecurityException.new(self, BLOCK_MESSAGE) if blocked?
           end
 

data/lib/contrast/agent/protect/rule/http_method_tampering/http_method_tampering_input_classification.rb

@@ -0,0 +1,96 @@
+# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
+# frozen_string_literal: true
+
+require 'contrast/utils/object_share'
+require 'contrast/agent/protect/input_analyzer/input_analyzer'
+require 'contrast/agent/reporting/attack_result/attack_result'
+require 'contrast/agent/reporting/attack_result/rasp_rule_sample'
+require 'contrast/utils/input_classification'
+
+module Contrast
+  module Agent
+    module Protect
+      module Rule
+        # This module will do the Input Classification stage of HttpMethodTampering rule
+        # as a result input would be marked as DEFINETEATTACK or IGNORE,
+        # to be analyzed at the sink level.
+        module HttpMethodTamperingInputClassification
+          class << self
+            include InputClassificationBase
+
+            # This method will determine actually if the user input is DEFINITEATTACK or IGNORE
+            #
+            # @param input_type [Contrast::Agent::Reporting::InputType] the type of the user input
+            # @param input_analysis [Contrast::Agent::Reporting::InputAnalysis] Holds all the results from the input
+            # analysis from the current request.
+            def classify input_type, input_analysis
+              return unless input_analysis.request
+              return unless input_type == METHOD
+
+              rule_id = Contrast::Agent::Protect::Rule::HttpMethodTampering::NAME
+
+              ia_result = method_tampering_new_input_analysis(input_analysis.request, rule_id, input_type)
+              input_analysis.results << ia_result
+
+              return input_analysis if ia_result.score_level == IGNORE
+
+              attack_result = build_attack_result ia_result, rule_id
+
+              if Contrast::Api::Settings::ProtectionRule::Mode::BLOCK != Contrast::PROTECT.rule_mode(rule_id)
+                attack_result.response = :EXPLOITED
+                Contrast::Agent::EXPLOITS.push attack_result
+                return input_analysis
+              end
+
+              attack_result.response = :BLOCKED
+              context.activity.results << attack_result
+              raise Contrast::SecurityException.new(self,
+                                                    'HTTP Method Tampering rule triggered. '\
+                                                    "Call to #{ input_analysis.request.path } with " \
+                                                    "#{ input_analysis.request.request_method } blocked.")
+            end
+
+            private
+
+            # @param request [Contrast::Agent::Request] the current request context.
+            def method_tampering_exploited? request
+              !Contrast::Agent::Protect::Rule::HttpMethodTampering::APPLICABLE_METHODS_INPUTS.include?(request.request_method) # rubocop:disable Layout/LineLength
+            end
+
+            # This methods checks if input is tagged DEFINITEATTACK or IGNORE matches value with it's
+            # key if needed and Creates new instance of InputAnalysisResult.
+            #
+            # @param request [Contrast::Agent::Request] the current request context.
+            # @param rule_id [String] The name of the Protect Rule.
+            # @param input_type [Contrast::Agent::Reporting::InputType] The type of the user input.
+            #
+            # @return res [Contrast::Agent::Reporting::InputAnalysisResult]
+            def method_tampering_new_input_analysis request, rule_id, input_type
+              ia_result = new_ia_result rule_id, input_type, request.path
+              if method_tampering_exploited? request
+                ia_result.score_level = DEFINITEATTACK
+                ia_result.ids << rule_id
+              else
+                ia_result.score_level = IGNORE
+              end
+
+              ia_result
+            end
+
+            def build_attack_result ia_result, rule_id
+              rasp_rule_sample = Contrast::Agent::Reporting::RaspRuleSample.new.build context, ia_result
+              result = Contrast::Agent::Reporting::AttackResult.new
+              result.rule_id = rule_id
+              result.samples << rasp_rule_sample
+              result
+            end
+
+            def context
+              Contrast::Agent::REQUEST_TRACKER.current
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/contrast/agent/protect/rule/http_method_tampering.rb

@@ -12,6 +12,14 @@ module Contrast
           NAME = 'method-tampering'
           STANDARD_METHODS = %w[GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH].cs__freeze
 
+          APPLICABLE_METHODS_INPUTS = %w[
+            ACL BASELINE-CONTROL CHECKIN CHECKOUT CONNECT COPY
+            DELETE GET HEAD LABEL LOCK MERGE MKACTIVITY MKCALENDAR
+            MKCOL MKWORKSPACE MOVE OPTIONS ORDERPATCH PATCH POST
+            PROPFIND PROPPATCH PUT REPORT SEARCH TRACE UNCHECKOUT
+            UNLOCK UPDATE VERSION-CONTROL
+          ].cs__freeze
+
           def rule_name
             NAME
           end
@@ -34,7 +42,11 @@ module Contrast
                      else
                        build_attack_with_match(context, nil, nil, nil, method: method, response_code: response_code)
                      end
-            append_to_activity(context, result) if result
+
+            return unless result
+
+            append_to_activity(context, result)
+            cef_logging result, :ineffective_attack
           end
 
           protected