A neo4j procedure for tabby (dev)

Overview

tabby-path-finder

#0 Introduction

A neo4j procedure for tabby

A taint-analysis extension for tabby. It works on the code property graph generated by tabby and combines dynamic pruning with a depth search to find exploit chains / vulnerability paths that satisfy the given conditions.

#1 Usage

Build the jar file

mvn clean package -DskipTests

Add the jar file to neo4j's plugin directory

The neo4j server needs the following added to its configuration

dbms.security.procedures.unrestricted=apoc.*,tabby.*
dbms.security.procedures.allowlist=apoc.*,gds.*,tabby.*

#2 Syntax

help

call tabby.help("all")

Path search using the built-in sink taint information

tabby.algo.allSimplePaths(sink, sources, maxNodes, parallel, depthFirst) YIELD path

Example

// templates
match (source:Method {NAME:"readObject"})
with collect(source) as sources
match (sink:Method {IS_SINK:true, NAME:"invoke"})
call tabby.algo.allSimplePaths(sink, sources, 8, false, true) yield path
return path limit 1

Path search with the sink node's taint information supplied explicitly

tabby.algo.allSimplePathsWithState(sink, sources, maxNodes, state, parallel, depthFirst) YIELD path

Example

// templates
match (source:Method {NAME:"readObject"})
with collect(source) as sources
match (sink:Method {NAME:"invoke"})
call tabby.algo.allSimplePathsWithState(sink, sources, 8, "[-1,0]", false, true) yield path
return path limit 1

Note: because the neo4j core does not support multithreading, these two procedures are sometimes unstable when run in parallel. Setting parallel to false is recommended; it costs some time but is stable.

Note: on effectiveness:

  1. Speed: compared with an algorithm that only queries path connectivity, the taint-analysis version issues a few extra database queries, but the taint analysis adds dynamic pruning, which reduces the number of path traversals. No speed measurements have been done yet, so it is not known whether the overall query time goes up or down.
  2. Detection rate: with taint analysis added, every returned result is a chain that tabby's taint-analysis algorithm considers to carry data continuously. A quick test on a small project reduced 2k+ chains to 10+. False positives drop greatly, but because the analysis is not fully accurate, the false-negative rate rises correspondingly.

Note: tricks:

  1. If you need a large, complete chain output, use apoc.algo.allSimplePaths, at the cost of a large number of false-positive chains.
  2. If you use the taint-analysis extension, first review the chains it produces, then check whether the call nodes for the corresponding sink are all accurate.
  3. Static analysis tools such as tabby and codeql are not a silver bullet; very few vulnerabilities can be detected directly by a tool (ps: they are still good for picking up leftovers XD), but they do improve audit efficiency and help clarify your approach.
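An added example, not part of the tabby-path-finder README, that follows trick 2 above: it runs the README's allSimplePathsWithState query and renders each returned path as a readable class#method chain with its two endpoints and depth, so the sink's call nodes can be reviewed by hand. The property names NAME, CLASSNAME and IS_SINK and the state string "[-1,0]" are taken from the README's own queries; the tabby 2.0 schema is assumed.

```cypher
// Added example (not project code): render taint-analysis chains for manual review.
// Assumes the tabby 2.0 graph used in the README: Method nodes with NAME, CLASSNAME, IS_SINK.
match (source:Method {NAME:"readObject"})
with collect(source) as sources
match (sink:Method {IS_SINK:true, NAME:"invoke"})
// parallel=false as recommended in the notes; "[-1,0]" is the README's example state value
call tabby.algo.allSimplePathsWithState(sink, sources, 8, "[-1,0]", false, true) yield path
with path, nodes(path) as ns
return [n in ns | n.CLASSNAME + "#" + n.NAME] as chain,      // every method on the path, in path order
       ns[0].CLASSNAME + "#" + ns[0].NAME as path_start,      // first node of the returned path
       ns[-1].CLASSNAME + "#" + ns[-1].NAME as path_end,      // last node of the returned path
       length(path) as depth                                  // number of call edges
order by depth asc
limit 20
```

Reviewing the shortest chains first, and checking that the node adjacent to the sink really reaches it with tainted data, is the quickest way to separate real chains from the false positives the notes describe.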

#3 Cases

See the cyphers directory

Currently, query results are based on tabby 2.0; tabby 1.x has not been tested.

Comments
  • findJavaGadget returns no results

    2022 长城杯 (Great Wall Cup) - b4bycoffee

    Following the 春秋伽玛 article, I installed the plugin and also analyzed all the JDK dependency jars and the jars the challenge depends on, but I cannot reproduce the results in the article.

    match (source:Method {NAME:"readObject",CLASSNAME:"java.util.HashMap"})
    match (sink:Method {NAME:"toString"})
    with source, collect(sink) as sinks
    call tabby.algo.findJavaGadget(source, sinks, 12, false) yield path where none(n in nodes(path) where n.CLASSNAME in ["javax.management.BadAttributeValueExpException","com.sun.jmx.snmp.SnmpEngineId","com.sun.xml.internal.ws.api.BindingID","javax.swing.text.html.HTML$UnknownTag"])
    return path limit 1

    opened by Le1a 5
  • Using findJavaGadget never returns a result, and I don't know why.

    The previous format:

    match (source:Method {NAME:"readObject"}) // restrict source
    match (sink:Method {IS_SINK:true, NAME:"invoke"}) // restrict sink
    with source, collect(sink) as sinks // aggregate sinks
    call tabby.algo.findJavaGadget(source, sinks, 8, false) yield path where none(n in nodes(path) where n.CLASSNAME in ["java.io.ObjectInputStream","org.apache.commons.beanutils.BeanMap","org.apache.commons.collections4.functors.PrototypeFactory$PrototypeCloneFactory"])
    return path limit 1

    I don't know why it returns no results. Running call tabby.help("all") shows the following parameters:

    1 | "procedure" | "tabby.algo.allSimplePath" | "tabby.algo.allSimplePath(sink, sources, maxNodes, state, depthFirst) YIELD path, weight - run allSimplePath with maxNodes and state" | "tabby.algo.allSimplePath(sinkNode :: NODE?, sourceNodes :: LIST? OF NODE?, maxNodes :: INTEGER?, state :: STRING?, depthFirst :: BOOLEAN?) :: (path :: PATH?)" | null | null | true
    2 | "procedure" | "tabby.algo.allSimplePaths" | "tabby.algo.allSimplePaths(sinks, sources, maxNodes, depthFirst) YIELD path, weight - run allSimplePaths with maxNodes and state" | "tabby.algo.allSimplePaths(sinkNodes :: LIST? OF NODE?, sourceNodes :: LIST? OF NODE?, maxNodes :: INTEGER?, depthFirst :: BOOLEAN?) :: (path :: PATH?)" | null | null | true
    3 | "procedure" | "tabby.algo.findAllJavaGadget" | "tabby.algo.findAllJavaGadget(sources, sinks, maxNodes, depthFirst) YIELD path, weight - run findAllJavaGadget with maxNodes from source to sink" | "tabby.algo.findAllJavaGadget(startNodes :: LIST? OF NODE?, endNodes :: LIST? OF NODE?, maxLength :: INTEGER?, depthFirst :: BOOLEAN?) :: (path :: PATH?)" | null | null | true
    4 | "procedure" | "tabby.algo.findAllVul" | "tabby.algo.findAllVul(sourceNodes, sinkNodes, maxLength, depthFirst) YIELD path, weight - run findAllVul from source node to sink nodes" | "tabby.algo.findAllVul(startNode :: LIST? OF NODE?, endNodes :: LIST? OF NODE?, maxLength :: INTEGER?, depthFirst :: BOOLEAN?) :: (path :: PATH?)" | null | null | true

    It seems there is only tabby.algo.findAllJavaGadget now, and the query format looks different from before. Could someone help me sort this out?

    opened by scr1pt-k1ddi3 1
Owner

wh1t3P1g: Study On Web Security && Code review (semi-auto and manual)