security-gem 0.1.4 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1861d7d816f659f59c15391e75fb1e95aeac0088dff85af4ee111f76e743b936
-  data.tar.gz: 63dba123845017c076c57b52b64fa1be6425de43ced46e74d628deab1e0db29f
+  metadata.gz: 2f2eecdfc5fb7ffdb08c8233fbc0c31528364e5e787241bc89351b3ceb54c844
+  data.tar.gz: e5d719157b9158bca6784763a1f8e0d6fcbcb08f11bc11246d6e14b979352753
 SHA512:
-  metadata.gz: c70695d1dffa5d4b06710182dc885854f95eccaee3f90efaca572d1f1b4487edc29cf2fbe169291dfb2d58e7dcbdbabe257e89d5360677df307d9c2e8a6f85ad
-  data.tar.gz: b8150a3d21a3a0aada6f788d0ffe5f30dcd31fd27e29cd1a71a1ca5b5bb814e5677078e59cb24801bc518006040cb4858f43e5bfd4f61204031db14b6fd686a1
+  metadata.gz: 19bf4b7bf2291c2a4c5f704829f7f78b03e0726d977fdf3c72171f01c51993c3e5ee21b854407f6ff72ab089fac36822a3be9ed113603e934884c166dc039d63
+  data.tar.gz: c5914aa0c01e1978d1a2774ad2d13866e8d6bf3c3b3f20b3a40e3debb8c9588d0a748f48201754a34ca528350662eb5a8271109d2fbd917536e02ae7ae324233

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    security-gem (0.1.4)
+    security-gem (0.1.5)
 
 GEM
   remote: https://rubygems.org/

data/lib/security/gem/security.rb

@@ -1,14 +1,43 @@
+=begin   
+
+    SecurityLogger 
+    ______________
+
+    Description:
+    This module provides a simple and unified format to log security events
+
+    Classes: 
+    Sql_Injection, Xss_Injection, User_Agent
+
+    Owner:
+    Tucker Weibell - 05/09/2022
+
+=end
+
 require 'json'
 require 'logger'
 require 'logger/formatter'
 require 'net/http'
-require 'open-uri'
 require 'dotenv'
 Dotenv.load
 
 module SecurityLogger
 
-    #Create logs used for SQL Injection detections
+=begin
+
+    Sql_Injection Class
+    ___________________
+    
+    Description:
+    - Checks inputs against most commonly used sql injection commands.
+    - Inputs that match or contain probably sql commands will be logged.
+    - Payloads can be replaced by simply changing the ENV varibles
+      and pointing the URI to any custom text file
+
+    Usage: SecurityLogger::Sql_Injection.new(ip_origin: request.ip).check_input(input)
+
+=end 
+
     class Sql_Injection
         def initialize (ip_origin:)
             @ip_origin = ip_origin
@@ -25,8 +54,9 @@ module SecurityLogger
                 }.to_json + $/  
             end
 
-            error = {:threat => "sql_injection_attack", :input => input, :ip_origin => @ip_origin}
-            logger.warn(JSON.parse(error.to_json))
+            message = {:threat => "sql_injection_attack", :input => input, :ip_origin => @ip_origin}
+            logger.warn(JSON.parse(message.to_json))
+            return
         end
 
         def check_input(input)
@@ -36,13 +66,39 @@ module SecurityLogger
             file.each_line do |file|
                 if file.strip == input.strip
                     self.log(input.strip)
-                    break
+                    return
                 end
             end
 
+          uri = ENV['PATH_TO_SQL_COMMON_COMMANDS']
+          uri = URI(uri)
+          file = Net::HTTP.get(uri)
+            file.each_line do |file|
+                if  input.strip.downcase.include?(file.strip.downcase)
+                    self.log(input.strip)
+                    return
+                end
+            end  
+
         end
     end
 
+
+=begin  
+
+    Xss_Injection Class
+    ___________________
+    
+    Description:
+    - Checks inputs against most commonly used xss scripts.
+    - Inputs that match or contain common keywords will be logged.
+    - Payloads can be replaced by simply changing the ENV varibles
+      and pointing the URI to any custom text file
+
+    Usage: SecurityLogger::Xss_Injection.new(ip_origin: request.ip).check_input(input)
+
+=end 
+
     class Xss_Injection
         def initialize (ip_origin:)
             @ip_origin = ip_origin
@@ -59,8 +115,8 @@ module SecurityLogger
                 }.to_json + $/  
             end
 
-            error = {:threat => "xss_attack", :input => input, :ip_origin => @ip_origin}
-            logger.warn(JSON.parse(error.to_json))
+            message = {:threat => "xss_attack", :input => input, :ip_origin => @ip_origin}
+            logger.warn(JSON.parse(message.to_json))
         end
 
         def check_input(input)
@@ -70,10 +126,74 @@ module SecurityLogger
             file.each_line do |file|
                 if file.strip == input.strip
                     self.log(input.strip)
-                    break
+                    return
                 end
             end
 
+          uri = ENV['PATH_TO_XSS_COMMON_SCRIPTS']
+          uri = URI(uri)
+          file = Net::HTTP.get(uri)
+            file.each_line do |file|
+                if  input.strip.downcase.include?(file.strip.downcase)
+                    self.log(input.strip)
+                    return
+                end
+            end 
+
+        end
+    end
+
+
+=begin  
+
+    User_Agent Class
+    ___________________
+    
+    Description:
+    - Checks inputs against most common user_agents (approx. top 1000).
+    - Inputs that DO NOT match any of the most common user agents will be logged.
+    - Payloads can be replaced by simply changing the ENV varibles
+      and pointing the URI to any custom text file
+
+    Usage: SecurityLogger::User_Agent.new(ip_origin: request.ip).check_input(input)
+
+=end 
+
+    class User_Agent
+        def initialize (ip_origin:)
+            @ip_origin = ip_origin
+        end
+
+        def log(input)
+            logger = Logger.new(STDOUT)
+            logger.formatter = proc do |severity, datetime, progname, msg|
+                {
+                  severity: severity,
+                  timestamp: datetime.to_s,
+                  app: progname,
+                  message: msg
+                }.to_json + $/  
+            end
+
+            message = {:threat => "uncommon_user_agent", :input => input, :ip_origin => @ip_origin}
+            logger.warn(JSON.parse(message.to_json))
+        end
+
+        def check_input(input)
+          uri = ENV['PATH_TO_USER_AGENT_PAYLOAD']
+          uri = URI(uri)
+          file = Net::HTTP.get(uri)
+          @matches = 0
+            file.each_line do |file|
+                if file.strip == input.strip
+                @matches += 1
+                end
+            end
+
+            if @matches == 0
+                self.log(input.strip)
+                return
+            end
         end
     end
 end

data/lib/security/gem/version.rb

@@ -2,6 +2,6 @@
 
 module Security
   module Gem
-    VERSION = "0.1.4"
+    VERSION = "0.1.5"
   end
 end

data/lib/security/test.rb

@@ -1,12 +1,17 @@
 require_relative "gem/security"
 
 # Sample SQL input
-input = "or 1=1"
+input = "ALTER TABLE"
 
 # Using the gem to log injection attempts
 SecurityLogger::Sql_Injection.new(ip_origin: "123.123.123.1").check_input(input)
 
-input = "<script>alert(0)</script>"
+input = "<svg"
 
 # Using gem to log xss attempts
-SecurityLogger::Xss_Injection.new(ip_origin: "123.123.123.1").check_input(input)
+SecurityLogger::Xss_Injection.new(ip_origin: "123.123.123.1").check_input(input)
+
+input = "evilhacker"
+
+# Using gem to log xss attempts
+SecurityLogger::User_Agent.new(ip_origin: "123.123.123.1").check_input(input)

data/sql_common_commands.txt

@@ -0,0 +1,37 @@
+SELECT
+FROM
+SELECT FROM
+UNION
+UNION ALL
+UNION ALL SELECT
+COLLATE
+DELETE
+INSERT INTO
+CREATE DATABASE
+ALTER DATABASE
+CREATE TABLE
+ALTER TABLE
+DROP TABLE
+CREATE INDEX
+DROP INDEX
+DECLARE
+/*!32302 1/0, */
+/*!32302
+CONCAT
+1--
+admin' --
+admin' #
+admin'/*
+' or 1=1--
+' or 1=1#
+' or 1=1/*
+') or '1'='1--
+') or ('1'='1--
+' HAVING 1=1 --
+GROUP BY
+ORDER BY
+WAITFOR DELAY
+NULL--
+;
+IF EXISTS
+mysql.user

data/sql_payloads.txt

@@ -1823,4 +1823,4 @@ t'exec master..xp_cmdshell 'nslookup www.google.com'--
 %21
 ' or ''='
 ' or 3=3
- or 3=3 --
+' or 3=3 --