OGNL injection attack attempts on routes parsing OGNL

Tactic:

TA0043-reconnaissance

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect OGNL injection attempts on routes with errors related to OGNL parsing. Such security activity generally indicates that an attacker is trying to exploit a potential OGNL vulnerability.

Strategy

Monitor OGNL injection attempts ((@appsec.rule_id:dog-000-002 or @appsec.security_activity:attack_attempt.java_code_injection)) on services generating errors related to OGNL expression parsing (@_dd.appsec.enrichment.error_types:ognl.ExpressionSyntaxException).

Generate an Application Security Signal with High severity.

Triage and response

  1. Consider blocking the attacking IP(s) temporarily to prevent them from reaching deeper parts of your production systems.
  2. Investigate the errors generated by this attack to identify if any vulnerabilities need to be fixed.
PREVIEWING: drodriguezhdez/add_public_docs_log_summarization