AIK-6314 Attack Wave Detection & Stats #474
base: main
Conversation
also renames wrongly named "query_params_contain_dangerous_payload"
…tack wave detector
aikido_zen/vulnerabilities/attack_wave_detection/attack_wave_detector.py (outdated)
aikido_zen/background_process/cloud_connection_manager/on_detected_attack_wave.py
aikido_zen/vulnerabilities/attack_wave_detection/is_web_scan_method.py (outdated)
aikido_zen/vulnerabilities/attack_wave_detection/query_params_contain_dangerous_strings.py (outdated)
aikido_zen/vulnerabilities/attack_wave_detection/is_web_scan_path.py (outdated)
…cify it contains malicious HTTP methods for web scan detection.
| """This will send something to the API when an attack is detected""" | ||
| return on_detected_attack(self, attack, context, blocked, stack) | ||
|
|
||
| def on_detected_attack_wave(self, context: Context, metadata): |
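Review bot: `def on_detected_attack_wave(self, context: Context, metadata):` leaves `metadata` unannotated and carries no docstring, while the sibling `on_detected_attack` above at least documents that it sends something to the API; add a type hint for `metadata` and a one-line docstring stating what the wave payload contains so callers know what to pass and what reaches the API.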
CloudConnectionManager class handles too many unrelated concerns: API communication, configuration, statistics, rate limiting, user management, and attack detection.
Feedback
Post a comment with the following structure to provide feedback on this finding:
@AikidoSec feedback: [FEEDBACK]
Aikido will process this feedback into learnings to give better review comments in the future.
More info
| extract_strings_from_user_input_cached, | ||
| ) | ||
|
|
||
| keywords = { |
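Review bot: `keywords = {` sits at module level right after the imports but is named and typed like a mutable local; if it is a fixed lookup table of detection patterns, declare it as a `frozenset` under an uppercase name so it cannot be mutated at runtime and its role is obvious at the call site.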
Variable 'keywords' is too generic for a security context - should specify it contains malicious patterns for attack detection.
| time_to_live_in_ms=self.min_time_between_events, | ||
| ) | ||
|
|
||
| def is_attack_wave(self, ip: str) -> bool: |
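Review bot: `time_to_live_in_ms=self.min_time_between_events` passes an attribute without a unit in its name into a parameter that spells out milliseconds; rename the attribute to `min_time_between_events_ms` (or document the unit where it is assigned) so a future caller cannot hand it seconds. `def is_attack_wave(self, ip: str) -> bool:` would also benefit from a docstring giving the threshold it applies per IP and the window it counts over.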
Complex attack detection algorithm lacks explanatory comments about threshold logic and detection strategy.
| logger.debug("Exception occurred whilst setting body: %s", e) | ||
|
|
||
| def reset_cache(self): | ||
| self.parsed_userinput = {} |
Unrelated change?
| Set the current context | ||
| Set the current context, called every time we change the context. | ||
| """ | ||
| self.reset_cache() |
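Review bot: the added `self.reset_cache()` ties the parsed-user-input cache to the lifetime of one context, which is the right place to clear it, but neither the docstring edit here ("Set the current context, called every time we change the context.") nor `reset_cache` itself says so; state in the `reset_cache` docstring that it must run on every context switch so nobody later caches across requests.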
Unrelated change?
best to extract
| # Check if the item is still valid based on TTL | ||
| if ( | ||
| get_unixtime_ms(monotonic=True) - self.cache[key]["startTime"] | ||
| internal_time.get_unixtime_ms(monotonic=True) |
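Review bot: replacing the bare `get_unixtime_ms(monotonic=True)` with `internal_time.get_unixtime_ms(monotonic=True)` changes only how the name is resolved (module attribute lookup instead of a from-import binding) so tests can monkeypatch the clock; add a short comment on that line saying so, otherwise the next reader will ask the same question this thread does.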
Extract this to another PR?
is so we can monkeypatch, doesn't change anything about the behaviour
| { | ||
| "aborted": 0, | ||
| "attacksDetected": {"blocked": 2, "total": 2}, | ||
| "attackWaves": {"total": 0, "blocked": 0}, |
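Review bot: the expected stats payload carries `"attackWaves": {"total": 0, "blocked": 0}` beside `"attacksDetected": {"blocked": 2, "total": 2}`, so this case only proves the new key exists with zero counts; add a case that records at least one wave and one blocked wave so both counters are exercised, and keep the key order consistent between the two sub-dicts.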
e2e test might be nice?
mm rather rely on the qa tests here?
https://aikido.atlassian.net/browse/AIK-6314