Actions

Created:
February 7, 2024
Updated:
May 29, 2024

Actions are automated tasks that run against an API. You create an action against a specific API, and it can be triggered either by an event or on a schedule.

Create an action

  1. Navigate to the APIs tab on the dashboard.
  2. Select the API you want to create the action against.
  3. Click Actions. Then click Create Action.
  4. Select to create an Event Driven Action or a Scheduled Action.

Create an Event Driven Action

Fill out the Event Driven Action form:

  • Name: Enter a name for the action.
  • Description: Enter a description for the action.
  • Events: Select which event or events will trigger the action.
  • Integration Type: Choose from Custom or Managed:
    • Custom: Select from a previously created Lambda or Webhook integration. Alternatively, click Create to create a new one.
    • Managed:
      • API CVE Detection - Scan the entered endpoint for CVEs.
      • SSL Vulnerabilities Detection - Scan the entered endpoint for SSL vulnerabilities.
      • Data Exposure Detection - Scan the entered endpoint for data exposure.
      • Default Login Detection - Scan the entered endpoint to check if you are hosting any services using default login credentials.
      • Fuzzing Detection - Fuzz the entered endpoint.

Note: See below for further information on each of the managed actions.

Create a Scheduled Action

Set up an action to trigger on a schedule. Fill out the Scheduled Action form:

  • Name: Enter a name for the action.
  • Description: Enter a description for the action.
  • Scheduled rate minutes: The rate in minutes at which the action should be run.
  • Integration Type: Choose from Custom or Managed:
    • Custom: Select from a previously created Lambda or Webhook integration. Alternatively, click Create to create a new one.
    • Managed:
      • API CVE Detection - Scan the entered endpoint for CVEs.
      • SSL Vulnerabilities Detection - Scan the entered endpoint for SSL vulnerabilities.
      • Data Exposure Detection - Scan the entered endpoint for data exposure.
      • Default Login Detection - Scan the entered endpoint to check if you are hosting any services using default login credentials.
      • Fuzzing Detection - Fuzz the entered endpoint.

Note: See below for further information on each of the managed actions.

Custom integration example

Below is a FireTail action event payload, as delivered to a custom (Lambda or Webhook) integration. It carries the target endpoint under context.inputs, plus a callback_url and jwt_token for reporting results. See the GitHub Repo for details on how to call back to FireTail with your own findings.


{
    'api_details': {
        'UUID': 'ded296d8-daed-450c-b83f-b4b8d89cbe95',
        'api_appUUID': 'cca39d04-7b6e-4727-9688-3f908492b620',
        'api_orgUUID': '665002ee-0066-435f-9654-20eb209cdd18',
        'api_type': 'rest',
        'createdBy': 'example@example.com',
        'dateAddedInMicroSeconds': 1710854022659491,
        'g_apiUUID': 'ded296d8-daed-450c-b83f-b4b8d89cbe95',
        'g_appUUID': 'cca39d04-7b6e-4727-9688-3f908492b620',
        'g_orgUUID': '665002ee-0066-435f-9654-20eb209cdd18',
        'name': 'api name'
    },
    'action_type': 'api_schedule_action',
    'invoke_epoch_time': 1712227639,
    'jwt_token': 'example.example.example',
    'action_details': {
        'UUID': '13eec790-73a7-4612-ab09-c122240b52b7',
        'actionType': 'api_schedule_action',
        'actionVersion': 'v0.0.1',
        'action_apiUUID': 'ded296d8-daed-450c-b83f-b4b8d89cbe95',
        'action_appUUID': 'cca39d04-7b6e-4727-9688-3f908492b620',
        'action_orgUUID': '665002ee-0066-435f-9654-20eb209cdd18',
        'createdBy': 'example@example.com',
        'dateAddedInMicroSeconds': 1711050404116639,
        'description': '',
        'enabled': True,
        'g_orgUUID': '665002ee-0066-435f-9654-20eb209cdd18',
        'integrationType': 'custom',
        'integrationUUID': 'd0b7faa9-6ec6-41dd-ae58-e6f528908252',
        'itemType': 'action',
        'name': 'lambda function',
        'scheduledRate': 15,
    },
    'context': {
        'inputs': {
            'api_endpoint': 'https://example.com/health'
        }
    },
    'callback_url': 
    'https://api.saas.eu-west-1.prod.firetail.app
    /organisations/665002ee-0066-435f-9654-20eb209cdd18/
    actions/13eec790-73a7-4612-ab09-c122240b52b7/callback'
}
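The following is an added example of a custom integration handler, not code from FireTail or its GitHub repo. It takes the event payload above, validates it, refuses to attach the jwt_token to any callback_url outside the FireTail host (the ".firetail.app" suffix is an assumption taken from the payload), runs an offline stand-in check on the target endpoint, and assembles the callback request; the findings body schema is assumed and must be replaced by the one documented in the repo.

```python
import json
from urllib.parse import urlparse

# Host suffix the callback_url is expected to carry (taken from the payload above).
# Checking it before attaching the JWT keeps a forged event from redirecting the
# token elsewhere. An assumption made for this example.
TRUSTED_CALLBACK_SUFFIX = ".firetail.app"

def parse_event(event: dict) -> dict:
    """Extract the fields a custom integration needs and validate the callback target."""
    try:
        fields = {"action_type": event["action_type"],
                  "endpoint": event["context"]["inputs"]["api_endpoint"],
                  "callback_url": event["callback_url"],
                  "token": event["jwt_token"]}
    except KeyError as exc:
        raise ValueError(f"action event is missing field {exc}") from exc
    cb = urlparse(fields["callback_url"])
    if cb.scheme != "https" or not (cb.hostname or "").endswith(TRUSTED_CALLBACK_SUFFIX):
        raise ValueError(f"refusing to send JWT to untrusted callback: {fields['callback_url']}")
    return fields

def check_endpoint(endpoint: str) -> list:
    """Offline stand-in for a real scan: flag plaintext transport and embedded credentials."""
    target = urlparse(endpoint)
    findings = []
    if target.scheme != "https":
        findings.append({"id": "plaintext-endpoint", "severity": "Medium",
                         "description": f"{endpoint} is not served over HTTPS"})
    if target.username or target.password:
        findings.append({"id": "credentials-in-url", "severity": "High",
                         "description": "endpoint URL embeds a username or password"})
    return findings

def handle_action(event: dict) -> dict:
    """Lambda-style entry point. Returns the callback request instead of sending it so
    it can be inspected offline; the body schema is an assumption (see the GitHub repo)."""
    fields = parse_event(event)
    return {"method": "POST",
            "url": fields["callback_url"],
            "headers": {"Authorization": f"Bearer {fields['token']}", "Content-Type": "application/json"},
            "body": json.dumps({"action_type": fields["action_type"],
                                "findings": check_endpoint(fields["endpoint"])})}

# Constructed sample event, trimmed to the fields the handler uses.
SAMPLE_EVENT = {
    "action_type": "api_schedule_action",
    "jwt_token": "example.example.example",
    "context": {"inputs": {"api_endpoint": "https://example.com/health"}},
    "callback_url": "https://api.saas.eu-west-1.prod.firetail.app/organisations/665002ee-0066-435f-9654-20eb209cdd18/actions/13eec790-73a7-4612-ab09-c122240b52b7/callback",
}
```

Hand the returned dict to any HTTP client to perform the POST; a forged or malformed event raises ValueError before the token is ever attached to a request.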

API CVE Detection

This managed action scans your endpoint for CVEs (Common Vulnerabilities and Exposures) and generates observations. A CVE identifier is made up of the year in which the vulnerability was discovered or publicly disclosed and a unique sequence number for that entry. In total, 2302 checks are made. See the table below for some examples of CVEs that are scanned for in this managed action.

CVE identifier | Name | Severity (description on the following line)

  • CVE-2024-21893 | Ivanti SAML - Server Side Request Forgery (SSRF) | High
    A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
  • CVE-2023-49103 | OwnCloud - Phpinfo Configuration | High
    An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.
  • CVE-2023-42442 | JumpServer > 3.6.4 - Information Disclosure | Medium
    JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can be downloaded without authentication. Session replays stored in S3, OSS, or other cloud storage are not affected. The API `/api/v1/terminal/sessions/` permission control is broken and can be accessed anonymously. The SessionViewSet permission classes are set to `[RBACPermission | IsSessionAssignee]`; the relation is "or", so any permission matched will be allowed. Versions 3.5.5 and 3.6.4 have a fix. After upgrading, visit the API `$HOST/api/v1/terminal/sessions/?limit=1`; the expected HTTP response code is 401 (`not_authenticated`).
  • CVE-2023-48023 | Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery | High
    The Ray Dashboard API is affected by a Server-Side Request Forgery (SSRF) vulnerability in the url parameter of the /log_proxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid.

SSL Vulnerabilities Detection

This managed action scans your endpoint for SSL vulnerabilities and generates observations. SSL (Secure Sockets Layer) vulnerabilities are weaknesses or flaws in the SSL protocol or its implementations that could compromise the security of data transmitted over the internet. SSL is a cryptographic protocol used to establish secure connections between a web server and a client, typically a web browser, ensuring that data exchanged between them is encrypted and protected from interception or tampering. In total, 24 SSL checks are made. See the table below for examples of SSL vulnerability detections.

SSL examples:

ID | Name | Severity (description on the following line)

  • insecure-cipher-suite-detect | Insecure Cipher Suite Detection | Low
    Weak ciphers are encryption algorithms that are vulnerable to attack, often as a result of an insufficient key length.
  • mismatched-ssl-certificate | Mismatched SSL Certificate | Low
    Mismatched certificates occur when there is an inconsistency between the common name to which the certificate was issued and the domain name in the URL. This issue impacts the trust value of the affected website.
  • untrusted-root-certificate | Untrusted Root Certificate - Detection | Low
    A root certificate is a digital certificate issued by a trusted certificate authority that acts as a basis for other digital certificates. An untrusted root certificate is a certificate issued by an authority that is not trusted by the computer, and therefore cannot be used to authenticate websites or other digital certificates.
  • metasploit-c2 | Metasploit C2 - Detection | Info
    The Metasploit Framework is a powerful tool that provides a universal interface to work with vulnerability exploit code. It has exploit code for a wide range of vulnerabilities that impact web servers, OSes, network equipment, and everything in between. Metasploit serves as both an exploitation and a C2 framework.

Data Exposure Detection

This managed action scans your endpoint for data exposure and generates observations. In total, 467 data exposure checks are made. See the table below for examples of data exposure detections.

ID | Name | Severity (description on the following line)

  • aws-config | AWS Configuration - Detection | Medium
    AWS config found via /.aws/config.
  • aws-credentials | AWS Credentials - Detection | High
    AWS credentials found via the /.aws/credentials endpoint.
  • openapi | OpenAPI - Detection | Info
    OpenAPI was detected.
  • swagger-api | Public Swagger API - Detection | Info
    Public Swagger API was detected.
  • access-log-file | Publicly accessible access-log file | Low
    Log file was exposed.

Default Login Detection

This managed action scans your endpoint to see if you are hosting any services using default login credentials and generates observations. In total, 173 default login checks are made. See the table below for some examples of default login detections.

ID | Name | Severity (description on the following line)

  • rancher-default-login | Rancher Default Login | High
    Rancher default admin credentials were discovered. Rancher is an open-source multi-cluster orchestration platform that lets operations teams deploy, manage and secure enterprise Kubernetes.
  • solarwinds-default-admin | SolarWinds Orion Default Login | High
    SolarWinds Orion default admin credentials were discovered.
  • elasticsearch-default-login | ElasticSearch - Default Login | High
    Elasticsearch default credentials were discovered.
  • gitlab-weak-login | Gitlab Default Login | High
    Gitlab default login credentials were discovered.

Fuzzing Detection

This managed action fuzzes your endpoint and generates observations.

Fuzzing an endpoint involves sending a large volume of invalid, unexpected, or random data inputs to the endpoint to identify vulnerabilities, crashes, or unexpected behavior. This technique aims to discover security flaws, such as buffer overflows, injection vulnerabilities, or parsing errors, that may not be identified through traditional testing methods. In total, 11 fuzzing checks are made. See the table below for some examples.

ID | Name | Severity (description on the following line)

  • cache-poisoning-fuzz | Cache Poison Fuzzing | Info
    Cache poisoning is aimed at manipulating the client-side cache to force clients to load resources that are unexpected, partial, or under the control of an attacker.
  • xff-403-bypass | X-Forwarded-For 403-forbidden bypass | Info
    Detects 403 Forbidden endpoint bypass behind Nginx/Apache proxies and load balancers, based on the X-Forwarded-For header.
  • linux-lfi-fuzzing | Linux - Local File Inclusion Fuzzing | High
    Multiple fuzzes for /etc/passwd on the passed URLs were conducted, leading to multiple instances of local file inclusion vulnerabilities.
  • header-command-injection | Header - Remote Command Injection | Critical
    Headers were tested for remote command injection vulnerabilities.