RStudio Weak Credentials Plugin

[leonardo-doyensec]

The following PR adds the weak credential tester for RStudio Server.

Some notes on the current version of the rstudio server credential tester.

• does a custom fingerprint in the canAccept() method since rstudio is not correctly recognized from nmap
• tests the credentials using RSA encryption, which is the default in rstudio
• since RSA is used the plugin is a bit slow, due to the fact that rstudio takes some time to verify the credentials

[maoning]

Ideally we can have a dedicated web fingerpirnt for rstudio. The web fingerprinter is triggered on all the http services detected by nmap. Feel free to open a new fingerprint request for rstudio.

This is fine for now, no action needed.

[maoning]

I haven't done this in Java, did a quick google search, does the one-liner mentioned here work?

[leonardo-doyensec]

During the plugin development i was looking for some shortcut to perform the conversion. Back then this was not working, but right now it is. Maybe it was related to other issues in the code. I've fixed this

[leonardo-doyensec]

Hi @maoning,
besides the changes that you have requested i've added also the rstudio username to the common list of usernames

[maoning]

I noticed that this tester takes a long time to complete, can we make it return once it finds a valid credential?

Similar to

tsunami-security-scanner-plugins/google/detectors/credentials/generic_weak_credential_detector/src/main/java/com/google/tsunami/plugins/detectors/credentials/genericweakcredentialdetector/testers/jenkins/JenkinsCredentialTester.java

Lines 77 to 81 in 4ce380a

	return credentials.stream()
	.filter(cred -> isJenkinsAccessible(networkService, cred))
	.findFirst()
	.map(ImmutableList::of)
	.orElseGet(ImmutableList::of);

[leonardo-doyensec]

The test takes a long time since the default configuration of RStudio uses RSA, which takes time to decrypt and verify. I've implemented the required change.

[maoning]

Could you add another default credential rstudio/rstudio? Creds declared here are being tested first, hopefully short-circuit the plugin more often.

[leonardo-doyensec]

I've implemented the required change. However, since nmap doesn't recognize the service, the standard flow will be followed. This means that the credentials will be bruteforced in the regular way.

[leonardo-doyensec]

Hi @maoning ,
I've fixed what you have requested. I've also upgraded gradle to version 7, since otherwise the plugin will not build.
Let me know if i need to fix something else, i know that the plugin is slow, but that is an issue with how RStudio handles the credentials.

[maoning]

Hi @maoning , I've fixed what you have requested. I've also upgraded gradle to version 7, since otherwise the plugin will not build. Let me know if i need to fix something else, i know that the plugin is slow, but that is an issue with how RStudio handles the credentials.

@leonardo-doyensec could you do a rebase of your branch to resolve the merge conflict?

[leonardo-doyensec]

Hi @maoning, i've fixed the merge conflict. I've also fixed a non working test after the recent commits