Attacks

Get Attacks information for a customer in PDF/JSON/CSV format.

Get Attacks Information

GET https://k2io.net/centralmanager/api/v1/download/attack/{K2_CUSTOMER_ID}

This endpoint allows you to get attack information in JSON/PDF/CSV. Note - In case you're using K2 On-Premises Portal then replace https://k2io.net in the API with elastic IP address of your K2 On-Premises Cluster.

Path Parameters

Name	Type	Description
K2_CUSTOMER_ID	integer	customerId of customer For e.g. 533. It can be obtained by accessing customer profile on K2 Portal.

Query Parameters

Name	Type	Description
startTime	integer	startTime of the attacks(time duration field in milliseconds).
endTime	integer	endTime of the attacks(time duration field in milliseconds).
fileType	string	Specify download file type for e.g. csv,json,pdf.
attackType	string	Filter field to get attacks info of particular attack type. This is comma separated values with different type of attacks for e.g. 'SQL Injection%2CFile Access Attack'.
filtredApplicationPattern	string	Filter field to get attacks info of particular application for e.g. ForkExec-Demo.
filtredURIPattern	string	Filter field to get attack info of particular URI for e.g. /forkexec-demo .
ipAddress	string	Filter field to get attack info of particular IP for e.g. 192.168.5.149.
nodeName	string	Filter field to get attack info of particular node name for e.g. QA-centos-74-001.

Headers

Name	Type	Description
K2_API_ACCESSOR_TOKEN	string	K2 API Accessor token obtained from Accounts sections of K2 Portal for e.g. 5b2bf1fa-f4e1-daf9-a787-bd5eXXXXXXXX

200 Attacks successfully retrieved.

{
  "data": [
    {
      "timestamp": 1617723778548,
      "defaultIp": "192.168.5.253",
      "agent": "IC",
      "intcodeAttackDescription": "SSRF",
      "details": {
        "incidentId": "81a973bd-6471-11eb-8981-73c1c09862f573da2480-25ce-4f13-9a24-8025ce1f13e91617723542988",
        "fileName": "com.k2.testapp.k2javavulnerableperf.controller.ssrf.OkHttp",
        "methodName": "connect",
        "lineNumber": 43,
        "serverInfo": {
          "name": "Apache Tomcat/9.0.33",
          "homePath": "",
          "basePath": "",
          "customConfigPath": null,
          "ports": null,
          "deployedApplications": [
            {
              "deployedPath": "/k2-java-vulnerable-perf-1.0.0.jar",
              "appName": "K2 Java Vulnerable Performance Application",
              "sha256": "6875e08eaf0f144a347acd8bca80f5e54c39b37170dfee442399201f24664abd",
              "size": "112 MB",
              "ports": [
                8080
              ],
              "contextPath": "/"
            }
          ]
        },
        "ports": [
          [
            8080
          ]
        ],
        "httpUrl": "/ssrf/okhttpclient",
        "method": "POST",
        "parameterMap": {
          "count": [
            "50"
          ],
          "url": [
            "http://192.168.5.78:8282/forkexec-demo"
          ]
        },
        "executedQuery": [
          "http://192.168.5.78:8282/forkexec-demo"
        ],
        "vulnerabilityCaseType": "HTTP_REQUEST"
      }
    },
    {
      "timestamp": 1617724343425,
      "defaultIp": "192.168.5.78",
      "agent": "IC",
      "intcodeAttackDescription": "Remote Code Execution",
      "details": {
        "incidentId": "ade61d73-8be6-11eb-b2e9-c3c422b368fa38ac09ba-34ee-4582-ac09-ba34ee3582261617722213618",
        "fileName": "com.k2.fork.and.exec.ProcessBuilderServlet",
        "methodName": "doPost",
        "lineNumber": 44,
        "serverInfo": {
          "name": "Apache Tomcat/8.5.34",
          "homePath": "",
          "basePath": "",
          "customConfigPath": null,
          "ports": null,
          "deployedApplications": [
            {
              "deployedPath": "/etc/apache-tomcat/webapps/forkexec-demo",
              "appName": "ForkExec-Demo",
              "sha256": "fd48e6804d3b07dd7ec23d3b287f37e80ca514f17205df93a2fcd8649ab401a7",
              "size": "27 KB",
              "ports": [
                8080
              ],
              "contextPath": "/forkexec-demo"
            }
          ]
        },
        "ports": [
          [
            8080
          ]
        ],
        "httpUrl": "/forkexec-demo/ProcessBuilderServlet",
        "method": "POST",
        "parameterMap": {
          "command": [
            "ls .;"
          ]
        },
        "cookie": "jenkins-timestamper-offset=-19800000; remember-me=YWRtaW46MTU3NjUwMDYzMTc5Mjo1OTNiYTBiMTZkYzQyODU5Mzc1Y2MwMzU1NDM4ZGM0NQ; SESSIONID=java_server",
        "executedQuery": [
          "/bin/sh -c ls .;"
        ],
        "vulnerabilityCaseType": "SYSTEM_COMMAND"
      }
    }
  ]
}

401 Firing Request with incorrect K2_API_ACCESSOR_TOKEN

500 Firing Request without required fields

Query Param Possible Values

attackTypes

[ "Application Integrity Violation", "Attack Detected", "Cross-Site Scripting", "FILE_INTEGRITY API call made via Deserialisation API", "FILE_OPERATION API call made via Deserialisation API", "FILE_OPERATION API call made via Deserialisation API.", "FILE_OPERATION API call made via XXE API", "FILE_OPERATION API call made via XXE API.", "File Access", "File Access Attack", "HTTP_REQUEST API call made via XXE API", "HTTP_REQUEST API call made via XXE API.", "Insecure Cookie", "JavaScript Code Injection", "JavaScript Code Injection Attack", "LDAP Attack detected", "LDAP Injection", "NoSQL Injection", "NoSQL Injection Attack", "Reflected XSS", "Reflected XSS Attack", "Remote Code Execution", "Remote Code Execution via RCI", "Remote Code Injection", "Reverse Shell", "Reverse Shell Attack", "SQL Injection", "SQL Injection Attack", "SQL_DB_COMMAND API call made via Deserialisation API", "SSRF", "SYSTEM_COMMAND API call made via Deserialisation API", "SYSTEM_COMMAND API call made via Deserialisation API.", "Stored XSS", "Stored XSS Attack", "Trust Boundary Vulnerability", "Weak Encryption Algorithm", "Weak Hash Algorithm", "Weak Random Invoke", "Weak Random Invoked", "XPATH API call made via Deserialisation API", "XPath Injection", "XPath Injection Attack", "XQuery Injection", "XQuery Injection Attack" ]

cURL Example

curl --location --request GET 'https://k2io.net/centralmanager/api/v1/download/attack/${K2_CUSTOMER_ID}?startTime=${START_TIME}&endTime=${END_TIME}&fileType=${DOWNLOAD_FILE_TYPE}' --header 'K2_API_ACCESSOR_TOKEN: ${YOUR_K2_API_ACCESSOR_TOKEN}'

For e.g.

curl --location --request GET 'https://k2io.net/centralmanager/api/v1/download/attack/533?startTime=0&endTime=1617297401705&fileType=csv' --header 'K2_API_ACCESSOR_TOKEN: 5b2bf1fa-f4e1-daf9-a787-bd5eXXXXXXXX'

Make sure to use --output flag in curl command and pass output pdf file name when you are using fileType=pdf option.

Responses

Here we will go through various kinds of response returned by attacks API

JSON

{
  "data": [
    {
      "timestamp": 1617723778548,
      "defaultIp": "192.168.5.253",
      "agent": "IC",
      "intcodeAttackDescription": "SSRF",
      "details": {
        "incidentId": "81a973bd-6471-11eb-8981-73c1c09862f573da2480-25ce-4f13-9a24-8025ce1f13e91617723542988",
        "fileName": "com.k2.testapp.k2javavulnerableperf.controller.ssrf.OkHttp",
        "methodName": "connect",
        "lineNumber": 43,
        "serverInfo": {
          "name": "Apache Tomcat/9.0.33",
          "homePath": "",
          "basePath": "",
          "customConfigPath": null,
          "ports": null,
          "deployedApplications": [
            {
              "deployedPath": "/k2-java-vulnerable-perf-1.0.0.jar",
              "appName": "K2 Java Vulnerable Performance Application",
              "sha256": "6875e08eaf0f144a347acd8bca80f5e54c39b37170dfee442399201f24664abd",
              "size": "112 MB",
              "ports": [
                8080
              ],
              "contextPath": "/"
            }
          ]
        },
        "ports": [
          [
            8080
          ]
        ],
        "httpUrl": "/ssrf/okhttpclient",
        "method": "POST",
        "parameterMap": {
          "count": [
            "50"
          ],
          "url": [
            "http://192.168.5.78:8282/forkexec-demo"
          ]
        },
        "executedQuery": [
          "http://192.168.5.78:8282/forkexec-demo"
        ],
        "vulnerabilityCaseType": "HTTP_REQUEST"
      }
    },
    {
      "timestamp": 1617724343425,
      "defaultIp": "192.168.5.78",
      "agent": "IC",
      "intcodeAttackDescription": "Remote Code Execution",
      "details": {
        "incidentId": "ade61d73-8be6-11eb-b2e9-c3c422b368fa38ac09ba-34ee-4582-ac09-ba34ee3582261617722213618",
        "fileName": "com.k2.fork.and.exec.ProcessBuilderServlet",
        "methodName": "doPost",
        "lineNumber": 44,
        "serverInfo": {
          "name": "Apache Tomcat/8.5.34",
          "homePath": "",
          "basePath": "",
          "customConfigPath": null,
          "ports": null,
          "deployedApplications": [
            {
              "deployedPath": "/etc/apache-tomcat/webapps/forkexec-demo",
              "appName": "ForkExec-Demo",
              "sha256": "fd48e6804d3b07dd7ec23d3b287f37e80ca514f17205df93a2fcd8649ab401a7",
              "size": "27 KB",
              "ports": [
                8080
              ],
              "contextPath": "/forkexec-demo"
            }
          ]
        },
        "ports": [
          [
            8080
          ]
        ],
        "httpUrl": "/forkexec-demo/ProcessBuilderServlet",
        "method": "POST",
        "parameterMap": {
          "command": [
            "ls .;"
          ]
        },
        "cookie": "jenkins-timestamper-offset=-19800000; remember-me=YWRtaW46MTU3NjUwMDYzMTc5Mjo1OTNiYTBiMTZkYzQyODU5Mzc1Y2MwMzU1NDM4ZGM0NQ; SESSIONID=java_server",
        "executedQuery": [
          "/bin/sh -c ls .;"
        ],
        "vulnerabilityCaseType": "SYSTEM_COMMAND"
      }
    }
  ]
}

CSV

CSV Response Returned by Attacks API

PDF

PDF Response Returned by Attacks API

Accessing Attacks API Data On K2 Portal

You can access the data reported by attacks API on K2 Portal by using below link.

Use Advanced Filter and get filtered data.

Attacks | K2 Portal