Attacks

Get attack information for a customer in PDF/JSON/CSV format.

Get Attacks Information

GET https://k2io.net/centralmanager/api/v1/download/attack/{K2_CUSTOMER_ID}

This endpoint returns attack information in JSON, PDF, or CSV format. Note: if you are using the K2 On-Premises Portal, replace https://k2io.net in the API URL with the elastic IP address of your K2 On-Premises Cluster.

Path Parameters

| Name | Type | Description |
|---|---|---|
| K2_CUSTOMER_ID | integer | customerId of the customer, e.g. 533. It can be obtained from the customer profile on the K2 Portal. |

Query Parameters

| Name | Type | Description |
|---|---|---|
| startTime | integer | Start time of the attacks (time duration field, in milliseconds). |
| endTime | integer | End time of the attacks (time duration field, in milliseconds). |
| fileType | string | Download file type, e.g. csv, json, pdf. |
| attackType | string | Filter to get information on attacks of particular types. The value is a comma-separated list of attack types, e.g. 'SQL Injection%2CFile Access Attack'. |
| filtredApplicationPattern | string | Filter to get attack information for a particular application, e.g. ForkExec-Demo. |
| filtredURIPattern | string | Filter to get attack information for a particular URI, e.g. /forkexec-demo. |
| ipAddress | string | Filter to get attack information for a particular IP, e.g. 192.168.5.149. |
| nodeName | string | Filter to get attack information for a particular node name, e.g. QA-centos-74-001. |

Headers

| Name | Type | Description |
|---|---|---|
| K2_API_ACCESSOR_TOKEN | string | K2 API Accessor token, obtained from the Accounts section of the K2 Portal, e.g. 5b2bf1fa-f4e1-daf9-a787-bd5eXXXXXXXX |


Query Param Possible Values

attackTypes

[ "Application Integrity Violation", "Attack Detected", "Cross-Site Scripting", "FILE_INTEGRITY API call made via Deserialisation API", "FILE_OPERATION API call made via Deserialisation API", "FILE_OPERATION API call made via Deserialisation API.", "FILE_OPERATION API call made via XXE API", "FILE_OPERATION API call made via XXE API.", "File Access", "File Access Attack", "HTTP_REQUEST API call made via XXE API", "HTTP_REQUEST API call made via XXE API.", "Insecure Cookie", "JavaScript Code Injection", "JavaScript Code Injection Attack", "LDAP Attack detected", "LDAP Injection", "NoSQL Injection", "NoSQL Injection Attack", "Reflected XSS", "Reflected XSS Attack", "Remote Code Execution", "Remote Code Execution via RCI", "Remote Code Injection", "Reverse Shell", "Reverse Shell Attack", "SQL Injection", "SQL Injection Attack", "SQL_DB_COMMAND API call made via Deserialisation API", "SSRF", "SYSTEM_COMMAND API call made via Deserialisation API", "SYSTEM_COMMAND API call made via Deserialisation API.", "Stored XSS", "Stored XSS Attack", "Trust Boundary Vulnerability", "Weak Encryption Algorithm", "Weak Hash Algorithm", "Weak Random Invoke", "Weak Random Invoked", "XPATH API call made via Deserialisation API", "XPath Injection", "XPath Injection Attack", "XQuery Injection", "XQuery Injection Attack" ]

cURL Example

curl --location --request GET "https://k2io.net/centralmanager/api/v1/download/attack/${K2_CUSTOMER_ID}?startTime=${START_TIME}&endTime=${END_TIME}&fileType=${DOWNLOAD_FILE_TYPE}" --header "K2_API_ACCESSOR_TOKEN: ${YOUR_K2_API_ACCESSOR_TOKEN}"

For example:

curl --location --request GET 'https://k2io.net/centralmanager/api/v1/download/attack/533?startTime=0&endTime=1617297401705&fileType=csv' --header 'K2_API_ACCESSOR_TOKEN: 5b2bf1fa-f4e1-daf9-a787-bd5eXXXXXXXX'
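The same request can be assembled in a script so that the millisecond time window, the fileType value and the comma-separated attackType list are validated and percent-encoded before anything is sent. This is an added example, not code from K2; the function names `build_attack_request` and `last_hours_window` are hypothetical, and the request is only built, not sent.

```python
import time
from urllib.parse import quote, urlencode

BASE_URL = "https://k2io.net"  # replace with the on-premises cluster address if applicable
ALLOWED_FILE_TYPES = {"csv", "json", "pdf"}
OPTIONAL_FILTERS = ("filtredApplicationPattern", "filtredURIPattern",
                    "ipAddress", "nodeName")  # spelled as the API documents them

def build_attack_request(customer_id, token, start_ms, end_ms,
                         file_type="json", attack_types=None, **filters):
    """Return (url, headers) for the attack download endpoint; nothing is sent."""
    if file_type not in ALLOWED_FILE_TYPES:
        raise ValueError(f"fileType must be one of {sorted(ALLOWED_FILE_TYPES)}")
    if not 0 <= start_ms <= end_ms:
        raise ValueError("startTime and endTime are milliseconds, with start <= end")
    unknown = set(filters) - set(OPTIONAL_FILTERS)
    if unknown:
        raise ValueError(f"undocumented filter(s): {sorted(unknown)}")
    params = {"startTime": int(start_ms), "endTime": int(end_ms),
              "fileType": file_type}
    if attack_types:
        params["attackType"] = ",".join(attack_types)  # the comma becomes %2C below
    for key in OPTIONAL_FILTERS:
        if filters.get(key):
            params[key] = filters[key]
    query = urlencode(params, quote_via=quote)  # space -> %20, comma -> %2C
    url = (f"{BASE_URL}/centralmanager/api/v1/download/attack/"
           f"{int(customer_id)}?{query}")
    # Keep the token out of source control: read it from the environment or a
    # secret store in the caller and pass it in here.
    return url, {"K2_API_ACCESSOR_TOKEN": token}

def last_hours_window(hours, now_s=None):
    """Return (start_ms, end_ms) covering the last `hours` hours."""
    end_ms = int((time.time() if now_s is None else now_s) * 1000)
    return end_ms - hours * 3600 * 1000, end_ms

if __name__ == "__main__":
    start, end = last_hours_window(24)
    url, headers = build_attack_request(533, "<token>", start, end, "json",
                                        attack_types=["SQL Injection", "SSRF"])
    print(url)
```

The returned pair can be passed to `urllib.request.Request(url, headers=headers)` when the call is actually made.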

Responses

This section goes through the kinds of response returned by the Attacks API.

JSON

{
  "data": [
    {
      "timestamp": 1617723778548,
      "defaultIp": "192.168.5.253",
      "agent": "IC",
      "intcodeAttackDescription": "SSRF",
      "details": {
        "incidentId": "81a973bd-6471-11eb-8981-73c1c09862f573da2480-25ce-4f13-9a24-8025ce1f13e91617723542988",
        "fileName": "com.k2.testapp.k2javavulnerableperf.controller.ssrf.OkHttp",
        "methodName": "connect",
        "lineNumber": 43,
        "serverInfo": {
          "name": "Apache Tomcat/9.0.33",
          "homePath": "",
          "basePath": "",
          "customConfigPath": null,
          "ports": null,
          "deployedApplications": [
            {
              "deployedPath": "/k2-java-vulnerable-perf-1.0.0.jar",
              "appName": "K2 Java Vulnerable Performance Application",
              "sha256": "6875e08eaf0f144a347acd8bca80f5e54c39b37170dfee442399201f24664abd",
              "size": "112 MB",
              "ports": [
                8080
              ],
              "contextPath": "/"
            }
          ]
        },
        "ports": [
          [
            8080
          ]
        ],
        "httpUrl": "/ssrf/okhttpclient",
        "method": "POST",
        "parameterMap": {
          "count": [
            "50"
          ],
          "url": [
            "http://192.168.5.78:8282/forkexec-demo"
          ]
        },
        "executedQuery": [
          "http://192.168.5.78:8282/forkexec-demo"
        ],
        "vulnerabilityCaseType": "HTTP_REQUEST"
      }
    },
    {
      "timestamp": 1617724343425,
      "defaultIp": "192.168.5.78",
      "agent": "IC",
      "intcodeAttackDescription": "Remote Code Execution",
      "details": {
        "incidentId": "ade61d73-8be6-11eb-b2e9-c3c422b368fa38ac09ba-34ee-4582-ac09-ba34ee3582261617722213618",
        "fileName": "com.k2.fork.and.exec.ProcessBuilderServlet",
        "methodName": "doPost",
        "lineNumber": 44,
        "serverInfo": {
          "name": "Apache Tomcat/8.5.34",
          "homePath": "",
          "basePath": "",
          "customConfigPath": null,
          "ports": null,
          "deployedApplications": [
            {
              "deployedPath": "/etc/apache-tomcat/webapps/forkexec-demo",
              "appName": "ForkExec-Demo",
              "sha256": "fd48e6804d3b07dd7ec23d3b287f37e80ca514f17205df93a2fcd8649ab401a7",
              "size": "27 KB",
              "ports": [
                8080
              ],
              "contextPath": "/forkexec-demo"
            }
          ]
        },
        "ports": [
          [
            8080
          ]
        ],
        "httpUrl": "/forkexec-demo/ProcessBuilderServlet",
        "method": "POST",
        "parameterMap": {
          "command": [
            "ls .;"
          ]
        },
        "cookie": "jenkins-timestamper-offset=-19800000; remember-me=YWRtaW46MTU3NjUwMDYzMTc5Mjo1OTNiYTBiMTZkYzQyODU5Mzc1Y2MwMzU1NDM4ZGM0NQ; SESSIONID=java_server",
        "executedQuery": [
          "/bin/sh -c ls .;"
        ],
        "vulnerabilityCaseType": "SYSTEM_COMMAND"
      }
    }
  ]
}
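When the JSON response is forwarded to a log pipeline or ticketing system, it helps to flatten each entry of `data` and to drop the `cookie` field, which carries the request's session cookies. The following is an added example, not code from K2; the function names and output keys are hypothetical, and the sample is the second record above, trimmed, with placeholder values for the incident ID and cookie.

```python
import json
from datetime import datetime, timezone

# Detail keys dropped before forwarding: request cookies may hold live session tokens.
SENSITIVE_DETAIL_KEYS = {"cookie"}

def flatten_attack(record):
    """Reduce one entry of the response's "data" array to a flat, log-friendly dict."""
    d = record.get("details") or {}
    apps = (d.get("serverInfo") or {}).get("deployedApplications") or []
    ts = datetime.fromtimestamp(record["timestamp"] / 1000, tz=timezone.utc)  # ms -> s
    return {
        "time_utc": ts.isoformat(timespec="seconds"),
        "attack": record.get("intcodeAttackDescription"),
        "default_ip": record.get("defaultIp"),
        "incident_id": d.get("incidentId"),
        "request": f"{d.get('method')} {d.get('httpUrl')}",
        "code_location": f"{d.get('fileName')}.{d.get('methodName')}:{d.get('lineNumber')}",
        "apps": [a.get("appName") for a in apps],
        "param_names": sorted(d.get("parameterMap") or {}),
        "executed": d.get("executedQuery") or [],
        "case_type": d.get("vulnerabilityCaseType"),
        "redacted": sorted(SENSITIVE_DETAIL_KEYS & set(d)),
    }

def flatten_response(text):
    """Parse a fileType=json response body and flatten every attack in it."""
    return [flatten_attack(r) for r in json.loads(text).get("data") or []]

# Constructed sample: the page's second record, trimmed, with placeholder values.
SAMPLE = json.dumps({"data": [{
    "timestamp": 1617724343425, "defaultIp": "192.168.5.78", "agent": "IC",
    "intcodeAttackDescription": "Remote Code Execution",
    "details": {
        "incidentId": "constructed-incident-id",
        "fileName": "com.k2.fork.and.exec.ProcessBuilderServlet",
        "methodName": "doPost", "lineNumber": 44,
        "serverInfo": {"name": "Apache Tomcat/8.5.34", "ports": None,
                       "deployedApplications": [{"appName": "ForkExec-Demo"}]},
        "httpUrl": "/forkexec-demo/ProcessBuilderServlet", "method": "POST",
        "parameterMap": {"command": ["ls .;"]},
        "cookie": "SESSIONID=constructed-placeholder",
        "executedQuery": ["/bin/sh -c ls .;"],
        "vulnerabilityCaseType": "SYSTEM_COMMAND"}}]})

if __name__ == "__main__":
    for event in flatten_response(SAMPLE):
        print(json.dumps(event))
```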

CSV

CSV Response Returned by Attacks API

PDF

PDF Response Returned by Attacks API

Accessing Attacks API Data On K2 Portal

You can view the data reported by the Attacks API on the K2 Portal using the link below.

Use the Advanced Filter to get filtered data.

Attacks | K2 Portal
