
Remote Command Execution (RCE)


The Remote Command Execution (RCE) Dashboard is provided for each protected application. It consists of two views:

1. Vulnerabilities Overview
2. Tuning

#Vulnerabilities Overview
----
Vulnerabilities is a list of routes and files containing vulnerable code targeted in the occurrences listed within. As new vulnerabilities are discovered, they will appear in this list.

Each vulnerability is represented with the following information:

* Vulnerability *Route*
* *File* where the vulnerable code resides when available
* *Line of Code* that is vulnerable when available
* *Protection Mode* indicates Normal when IMMUNIO is functioning properly
* *Learned* shows the number of learned commands for the vulnerable route
* *New* counts the number of new RCE structures reported for the reported file
* *Attacks* represents the total number of attacks targeting this vulnerability
* *Blocked* is the number of RCE attacks that IMMUNIO was able to block
* *Last Occurrence* shows the most recent date and time an RCE threat was raised
* *Action* offers a remove link for any manually learned behaviors

#Tuning
----
The Tuning section shows information on manually learned RCE behavior.

Each Tuning item is represented with the following information:

* *File* where the reported code resides
* *Line of Code* that was reported for that file
* *Protection Mode* indicates Normal when IMMUNIO is functioning properly
* *Learned* shows the number of learned structures for the reported file
* *Attacks* represents the total number of attacks against the file on that line before it was learned
* *Escaped* is the number of RCE attempts IMMUNIO was able to block
* *Last Occurred* shows the most recent date and time an XSS threat was raised
* *Action* ???

#Remote Command Execution Vulnerability Details
----
The Vulnerability Details page shows additional information about the individual requests that induced the reported behavior, including runtime parameters and stack trace information for each request, as well as options to tune those events if desired.

From the top of the page, this information includes:

Expected Commands:
         Command structures learned via automated learning (indicated with an "A") or manually learned via the Action menu (indicated with an "M").
Detected Command Structures:
         Overview of HTTP requests that induced the same application behavior over time, sorted by the command string that triggered the alert and by number of occurrences.
Occurrence Details:
         Specific information about the Occurrence selected in the left-hand panel.
Protected:
         Indicates whether protection was enabled at the time the event occurred.
URL:
         URL that was targeted with the HTTP request for this occurrence.
Method:
         Method employed during the attempted exploit.
Timestamp:
         Day and time when the selected event occurred.
Route:
         Route affected by the reported command structure.
Command:
         Sanitized version of the command string employed in the reported request.
Action:
         Menu of available tuning options for occurrences using this structure. (More information below)
Stacktrace:
         Full execution trace that represents the vulnerability.

#Tuning Options
----
If IMMUNIO detects a suspicious RCE request that was not recorded during the Analysis Mode phase and the request is valid, you can update the sensors during vulnerability review.

The following Tuning Options are available:

Accept this command:
         Learn this specific command structure, so that future requests employing this structure are allowed and no longer reported.

Accept any command:
         Do not inspect or alert on any command structures for this route.