File Coverage

lib/ThreatDetector/Handlers/EncodedPayload.pm
Criterion Covered Total %
statement 21 21 100.0
branch 1 2 50.0
condition n/a
subroutine 7 7 100.0
pod 0 2 0.0
total 29 32 90.6


line stmt bran cond sub pod time code
1             package ThreatDetector::Handlers::EncodedPayload;
2            
use strict;
use warnings;

use Exporter 'import';
use JSON;
use Scalar::Util qw(reftype);
use Time::HiRes qw(gettimeofday);
8            
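# Set to a true value to also emit each alert as one JSON line on STDOUT.
our $VERBOSE = 0;
our @EXPORT_OK = qw(handle_encoded get_encoded_payload_events);

# In-memory record of every alert raised by handle_encoded(), oldest first.
# Nothing in this module ever trims it, so it grows for the life of the
# process: a long-running consumer must drain and reset it itself, otherwise
# a flood of encoded requests turns into a memory-exhaustion problem for the
# detector rather than for the target.
our @ENCODED_PAYLOAD_EVENTS;
our $VERSION = '0.04';

=head2 handle_encoded

    my $alert = handle_encoded(\%entry);

Builds an alert of type C<encoded_payload> from a request record (a hash
reference; the keys C<ip>, C<method>, C<uri>, C<status> and C<user_agent>
are copied, missing keys become C<undef>), appends it to
C<@ENCODED_PAYLOAD_EVENTS>, prints it as a single JSON line when
C<$VERBOSE> is true, and returns the alert hash reference.

The alert's C<timestamp> is C<seconds.microseconds> with the microsecond
part zero-padded to six digits.

Dies if C<$entry> is not a hash reference (plain or blessed). This routine
does not inspect the request for encoded characters itself; the caller
decides which entries to pass in.

=cut

sub handle_encoded {
    my ($entry) = @_;

    # Reject anything that is not hash-like up front.  Without this an undef
    # or scalar argument is silently autovivified into an alert whose every
    # field is undef, which is indistinguishable from a real event downstream.
    my $kind = reftype($entry) || '';
    die "handle_encoded: expected a hash reference holding the request entry"
        unless $kind eq 'HASH';

    my ($sec, $micro) = gettimeofday();

    my $alert = {
        # Zero-pad the microsecond part.  The previous "$sec.$micro" rendered
        # 5 microseconds as ".5", i.e. half a second, so alerts neither sorted
        # nor parsed correctly.
        timestamp  => sprintf('%d.%06d', $sec, $micro),
        type       => 'encoded_payload',
        ip         => $entry->{ip},
        method     => $entry->{method},
        uri        => $entry->{uri},
        status     => $entry->{status},
        user_agent => $entry->{user_agent},
    };

    push @ENCODED_PAYLOAD_EVENTS, $alert;

    # uri and user_agent are attacker-controlled.  Emitting them only through
    # encode_json keeps newlines and control characters escaped, so a crafted
    # request cannot forge extra records in the JSON-lines output.
    print encode_json($alert) . "\n" if $VERBOSE;

    return $alert;
}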
30            
=head2 get_encoded_payload_events

    my @alerts = get_encoded_payload_events();

Returns every alert recorded so far, oldest first, as a list of the same
hash references that live in C<@ENCODED_PAYLOAD_EVENTS>. In scalar context
this yields the number of recorded alerts. The buffer is left untouched.

=cut

sub get_encoded_payload_events {
    my @recorded = @ENCODED_PAYLOAD_EVENTS;
    return @recorded;
}

1;
36            
37             =head1 NAME
38            
39             ThreatDetector::Handlers::EncodedPayload - Handler for encoded payload attempts
40            
41             =head1 SYNOPSIS
42            
    use ThreatDetector::Handlers::EncodedPayload qw(handle_encoded get_encoded_payload_events);

    handle_encoded($entry);
    my @alerts = get_encoded_payload_events();
46            
47             =head1 DESCRIPTION
48            
Records an alert of type C<encoded_payload> for requests that contain suspiciously encoded characters (e.g. C<%2e>, C<%3c>), which may indicate obfuscated payloads or filter-bypass attempts; such encoding is often a precursor to XSS, path traversal or command injection. Each alert is appended to an in-memory list that C<get_encoded_payload_events> returns, and is printed to STDOUT as a single JSON line only when C<$ThreatDetector::Handlers::EncodedPayload::VERBOSE> is set to a true value. Note that this module does not itself detect the encoding: the caller decides which entries to pass to C<handle_encoded>, and nothing here trims the in-memory list, so long-running callers must drain it themselves.
50            
51             =head1 AUTHOR
52            
53             Jason Hall
54            
55             =cut