rbidou/pyrasp

XSS model doesn't load with security check enabled in config file

Closed this issue · 5 comments

This is my config:

"SECURITY_CHECKS" : {
    "path": 3,
    "headers": 0,
    "flood": 2,
    "spoofing": 2,
    "decoy": 2,
    "sqli": 0,
    "xss": 2,
    "hpp": 2,
    "command": 2,
    "dlp": 2,
    "brute": 2
}

Even with xss value set as 2, I'm getting the following during startup:

[+] Starting PyRASP
[+] Loading default configuration
[+] Loading configuration from app/rasp.json
[!] XSS model not loaded
[+] PyRASP succesfully started
############################

Please guide me here @rbidou @RKeertishKumar

Did you install pyrasp via pip (this is the only way)?
If yes, the ML models should be in <python_dir>/Lib/site-packages/pyrasp/data:

  • sqli_model-2.0.0
  • xss_model-2.0.0

Can you provide the line of code that calls the PyRASP class?

@rbidou
Yes, I installed it using pip via the requirements.txt file.
I also checked the data folder and found the model there but it still fails to load it.

from pyrasp.pyrasp import FlaskRASP

def init_pyrasp(app):
    pyrasp = FlaskRASP(app, conf='app/rasp.json')
    # print(pyrasp.get_status())

EDIT:

I added a breakpoint here:

        ## XSS & SQLI models loaded only if enabled in configuration
        if self.SECURITY_CHECKS.get('xss'):
            # Load XSS ML model
            if not dev:
                xss_model_file = 'xss_model-'+XSS_MODEL_VERSION
            else:
                xss_model_file = 'xss_model-dev'

            ## From source
            try:
                self.xss_model = pickle.load(open('ml-engines/'+xss_model_file,'rb'))
            except:
                pass
            else:
                xss_model_loaded = True

            ## From package
            if not xss_model_loaded:
                try:
                    xss_model_file = pkg_resources.resource_filename('pyrasp', 'data/'+xss_model_file)
                    self.xss_model = pickle.load(open(xss_model_file,'rb'))
                except:
                    pass
                else:
                    xss_model_loaded = True

and while running the self.xss_model = pickle.load(open('ml-engines/'+xss_model_file,'rb')) line I got:

AttributeError: 'FlaskRASP' object has no attribute 'xss_model'

Update:

ImportError: cannot import name 'ComplexWarning' from 'numpy.core.numeric'

My numpy version is 2.0.0.

I reproduced the error.
numpy version 2.0.0 breaks things with scikit-learn 1.3.0.

2 possible options:

  • If you don't rely on numpy for other parts of your program, downgrade numpy to 1.26.3 (pip install numpy==1.26.3)
  • Otherwise upgrade scikit-learn to the current version (pip install -U scikit-learn). You will get warnings but it will run.

Let me know if it works.

Fix for version 0.7.2:

  • Upgrade to scikit-learn 1.5.0 (was expected earlier but size issue for the AWS Lambda layer)
  • Specify package versions in requirements.txt

Thanks for the insight @rbidou !

It worked as mentioned in those two options. I'll go ahead with the first option for now. Once the new version is released, I'll upgrade the dependencies as well.

Thanks again!
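The loader quoted in this thread discards the unpickling exception, so startup shows only `[!] XSS model not loaded` and the XSS check is silently absent. The following is an added example, not code from the thread or from PyRASP: a diagnostic that loads a model file and returns the real exception together with the installed versions of the packages involved. All function names and both sample pickles are constructed for illustration.

```python
import pickle
import tempfile
from importlib import metadata
from pathlib import Path


def installed_versions(packages=("numpy", "scikit-learn", "pyrasp")):
    """Return {package: version or None} for the packages named in this thread."""
    found = {}
    for name in packages:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def try_load_model(path):
    """Unpickle a model file; return (model, error) instead of hiding the error."""
    try:
        with open(path, "rb") as fh:
            return pickle.load(fh), None
    except Exception as exc:  # report the cause rather than `except: pass`
        return None, f"{type(exc).__name__}: {exc}"


def diagnose(path):
    """Summarise one load attempt so a failed model load is visible at startup."""
    _, error = try_load_model(path)
    return {"path": str(path), "loaded": error is None,
            "error": error, "versions": installed_versions()}


def constructed_samples(directory):
    """Write two constructed pickles: one loads, one needs an absent module."""
    good = Path(directory) / "good_model"
    bad = Path(directory) / "bad_model"
    good.write_bytes(pickle.dumps({"kind": "constructed stand-in for a model"}))
    # Protocol-0 GLOBAL opcode naming a module that does not exist (constructed),
    # standing in for a pickle whose dependency fails to import.
    bad.write_bytes(b"cmissing_dependency_for_demo\nEstimator\n.")
    return good, bad


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for sample in constructed_samples(tmp):
            print(diagnose(sample))
```

To check a real installation, call `diagnose()` on the `xss_model-2.0.0` file in the `pyrasp/data` directory mentioned above. Only unpickle files that came from a trusted package install.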