
Tomcat CVE-2025-24813: Haag Story 3: Attack Analytics to the Rescue #3421


Merged (6 commits), Apr 1, 2025
Conversation

@MHaggis (Contributor) commented Mar 25, 2025

"There's a snake in my Tomcat!"

When malicious serialized objects started showing up at Sunnyside Server Farm, Security Sheriff Haag rounded up a posse of new detections to keep the web applications safe.

This PR delivers:

  • Two new best friends: tomcat_session_file_upload_attempt and tomcat_session_deserialization_attempt
  • A brand new playset: "Apache Tomcat Session Deserialization Attacks" analytic story
  • No more crying when the bad toys try to upload .session files
  • The claw of justice comes down when suspicious JSESSIONID cookies appear

Remember what Security Ranger Haag always says: "To HTTP response codes and beyond!"

Review thread on this snippet of the new detection YAML (a drilldown search):

```yaml
    earliest_offset: $info_min_time$
    latest_offset: $info_max_time$
  - name: View all PUT requests to .session files
    search: '%original_detection_search% | fields + uri_path, status, dest'
```
@patel-bhavin (Contributor) commented Mar 28, 2025

@MHaggis To view all PUT requests, update the search to something like:

```spl
| from datamodel Web.Web
| search http_method=PUT uri_path="*.session" src=$src$
| table src dest http_method uri_path http_user_agent status
```
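To show what the two detections named in the PR description and the reviewer's drilldown search actually pick out, here is an added Python example that is not code from this PR or from splunk/security_content. It re-implements the same two conditions over a handful of constructed Tomcat access-log lines: a PUT whose path ends in `.session` (the drilldown's `http_method=PUT uri_path="*.session"`), and a JSESSIONID cookie that does not have the shape Tomcat issues by default (32 hex characters, optionally followed by `.<jvmRoute>`). The page does not define what makes a cookie "suspicious"; that shape check, the `dest` value, the `WebEvent` field names borrowed from the reviewer's `Web.Web` query, and every log line and function name below are this example's assumptions. It also goes one step beyond the PR text by correlating the two detections on `src`, which is the pairing the analytic story groups together.

```python
"""Re-implementation of the two detection ideas in this PR over constructed
Tomcat access-log lines. Added example for this page; it is NOT the PR's
detection YAML/SPL and NOT part of splunk/security_content."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample lines (not real traffic): combined log format plus a
# final quoted field holding the request Cookie header, as Tomcat's
# AccessLogValve writes with a "%{Cookie}i" pattern element.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2025:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0" "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301"
198.51.100.7 - - [25/Mar/2025:10:00:02 +0000] "PUT /app/upload/a.session HTTP/1.1" 409 0 "-" "python-requests/2.31" "-"
198.51.100.7 - - [25/Mar/2025:10:00:03 +0000] "GET /app/ HTTP/1.1" 500 0 "-" "python-requests/2.31" "JSESSIONID=.a"
10.0.0.9 - - [25/Mar/2025:10:00:04 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0" "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301.node1"
10.0.0.9 - - [25/Mar/2025:10:00:05 +0000] "PUT /app/upload/report.pdf HTTP/1.1" 201 0 "-" "curl/8.5" "-"
203.0.113.4 - - [25/Mar/2025:10:00:06 +0000] "GET /app/ HTTP/1.1" 404 0 "-" "curl/8.5" "JSESSIONID=../../upload/a"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Default Tomcat session ids are 16 random bytes hex-encoded (32 hex chars),
# optionally followed by ".<jvmRoute>" behind a load balancer. Anything else
# is treated as suspicious here; that threshold is this example's assumption,
# not the PR's definition of a suspicious JSESSIONID.
TOMCAT_SESSION_ID = re.compile(r"^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$")


@dataclass
class WebEvent:
    # Field names follow the Web.Web data model fields in the reviewer's
    # drilldown search; dest is assumed because the access log lacks it.
    src: str
    dest: str
    http_method: str
    uri_path: str
    http_user_agent: str
    status: int
    jsessionid: Optional[str]


def jsessionid_from_cookie_header(header: str) -> Optional[str]:
    """Return the JSESSIONID value from a raw Cookie header ('-' = none)."""
    if header in ("", "-"):
        return None
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def parse_log(text: str, dest: str = "tomcat01") -> List[WebEvent]:
    """Parse access-log lines into events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append(WebEvent(
            src=m["src"], dest=dest, http_method=m["method"],
            uri_path=m["path"], http_user_agent=m["ua"],
            status=int(m["status"]),
            jsessionid=jsessionid_from_cookie_header(m["cookie"]),
        ))
    return events


def session_file_upload_attempts(events: List[WebEvent]) -> List[WebEvent]:
    """Detection 1: PUT to a path ending in .session. Splunk field-value
    matching is case-insensitive, hence lower() to mirror "*.session"."""
    return [e for e in events
            if e.http_method == "PUT" and e.uri_path.lower().endswith(".session")]


def session_deserialization_attempts(events: List[WebEvent]) -> List[WebEvent]:
    """Detection 2: a JSESSIONID that is not shaped like a Tomcat session id."""
    return [e for e in events
            if e.jsessionid is not None and not TOMCAT_SESSION_ID.match(e.jsessionid)]


def correlated_sources(events: List[WebEvent]) -> Set[str]:
    """Sources that tripped both detections (upload, then trigger)."""
    uploaders = {e.src for e in session_file_upload_attempts(events)}
    triggerers = {e.src for e in session_deserialization_attempts(events)}
    return uploaders & triggerers


def drilldown_put_session(events: List[WebEvent], src: str) -> List[Tuple]:
    """The reviewer's drilldown for one src, as rows of
    src dest http_method uri_path http_user_agent status."""
    return [(e.src, e.dest, e.http_method, e.uri_path, e.http_user_agent, e.status)
            for e in session_file_upload_attempts(events) if e.src == src]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in session_file_upload_attempts(evts):
        print("PUT .session:", e.src, e.uri_path, e.status)
    for e in session_deserialization_attempts(evts):
        print("odd JSESSIONID:", e.src, repr(e.jsessionid), e.status)
    for s in sorted(correlated_sources(evts)):
        print("both detections from", s, "->", drilldown_put_session(evts, s))
```

Two practical notes: the `.node1` suffix on an otherwise normal id is deliberately accepted, because a jvmRoute suffix is common behind a load balancer and flagging it would drown the detection in false positives; and a PUT to `report.pdf` is not flagged, since the first detection keys on the `.session` extension rather than on PUT alone. Whether a non-hex JSESSIONID is really an attack is environment-specific (custom session managers change the format), so the shape check is best treated as a hunting signal that the source-correlation step then sharpens.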

@patel-bhavin (Contributor) commented: Reviewed the PR with the author and updated!

@MHaggis changed the title from "Haag Story 3: Attack Analytics to the Rescue" to "Tomcat CVE-2025-24813: Haag Story 3: Attack Analytics to the Rescue" on Apr 1, 2025
@patel-bhavin patel-bhavin merged commit 4524115 into develop Apr 1, 2025
4 checks passed
@patel-bhavin patel-bhavin deleted the sunnyside branch April 1, 2025 21:19
@patel-bhavin patel-bhavin added this to the v5.3.0 milestone Apr 7, 2025