To explore Johan Mörén's question in more depth:
Is it possible that the Jetty stop call is not logged in the *.log files?
From: ykhabins@bellsouth.net <ykhabins@bellsouth.net>
Sent: Monday, April 3, 2023 12:13 PM
To: 'Johan Mörén' <johan.moren@gmail.com>
Cc: 'BaseX' <basex-talk@mailman.uni-konstanz.de>; 'Christian Grün' <christian.gruen@gmail.com>
Subject: RE: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
I don't see such a call, i.e. on port 8081, in the *.log file.
From: Johan Mörén <johan.moren@gmail.com>
Sent: Monday, April 3, 2023 11:56 AM
To: ykhabins@bellsouth.net
Cc: BaseX <basex-talk@mailman.uni-konstanz.de>; Christian Grün <christian.gruen@gmail.com>
Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
Is the agent calling the stop port?
On Mon, 3 Apr 2023 at 17:38, <ykhabins@bellsouth.net> wrote:
>> "You mentioned that the Jetty server “goes down”. What does that mean? Does it simply block any further requests? Do you have a 100% CPU workload?"
It doesn't accept any further requests. Just launching the basexhttp.bat revives it.
>> "Does Jetty stall if you disable all REST, RESTXQ, and/or WebDAV?"
We never tried to disable anything.
The Qualys Agent runs once every two weeks on a schedule. So, it is not easy to run on demand for testing.
>> "Which BaseX services are enabled in your web.xml?"
We never modified anything in the web.xml. Please see it below.
<?xml version="1.0" encoding="UTF-8"?>
<web-app
  xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0">

  <display-name>BaseX: The XML Database and XQuery Processor</display-name>
  <description>HTTP Services</description>

  <!-- A BaseX option can be overwritten by prefixing the key with "org.basex."
       and specifying it in <context-param/> elements, as shown below.
       Check out https://docs.basex.org/wiki/Options for a list of all options.
  <context-param>
    <param-name>org.basex.restxqpath</param-name>
    <param-value>.</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.dbpath</param-name>
    <param-value>WEB-INF/data</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.repopath</param-name>
    <param-value>WEB-INF/repo</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.user</param-name>
    <param-value>admin</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.authmethod</param-name>
    <param-value>Digest</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.httplocal</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.timeout</param-name>
    <param-value>5</param-value>
  </context-param>
  <context-param>
    <param-name>org.basex.log</param-name>
    <param-value>false</param-value>
  </context-param>
  -->

  <!-- Global session and servlet listener -->
  <listener>
    <listener-class>org.basex.http.SessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.basex.http.ServletListener</listener-class>
  </listener>

  <!-- CORS in Jetty: Access-Control-Allow-Origin: *
  <filter>
    <filter-name>cross-origin</filter-name>
    <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    <init-param>
      <param-name>allowedOrigins</param-name>
      <param-value>*</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>cross-origin</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <!-- RESTXQ Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>RESTXQ</servlet-name>
    <servlet-class>org.basex.http.restxq.RestXqServlet</servlet-class>
    <init-param>
      <param-name>org.basex.user</param-name>
      <param-value>admin</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>RESTXQ</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!-- WebSocket Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>WebSocket</servlet-name>
    <servlet-class>org.basex.http.ws.WsServlet</servlet-class>
    <!-- Limits of the WebSocket connection
    <init-param>
      <param-name>maxIdleTime</param-name>
      <param-value>100000</param-value>
    </init-param>
    <init-param>
      <param-name>maxTextMessageSize</param-name>
      <param-value>3000</param-value>
    </init-param>
    <init-param>
      <param-name>maxBinaryMessageSize</param-name>
      <param-value>3000</param-value>
    </init-param>
    -->
  </servlet>
  <servlet-mapping>
    <servlet-name>WebSocket</servlet-name>
    <url-pattern>/ws/*</url-pattern>
  </servlet-mapping>

  <!-- REST Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>REST</servlet-name>
    <servlet-class>org.basex.http.rest.RESTServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>REST</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>

  <!-- WebDAV Service (can be disabled by removing this entry) -->
  <servlet>
    <servlet-name>WebDAV</servlet-name>
    <servlet-class>org.basex.http.webdav.WebDAVServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>WebDAV</servlet-name>
    <url-pattern>/webdav/*</url-pattern>
  </servlet-mapping>

  <!-- Mapping for static resources (may be restricted to a sub path) -->
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>useFileMappedBuffer</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/static/*</url-pattern>
  </servlet-mapping>

</web-app>
-----Original Message-----
From: Christian Grün <christian.gruen@gmail.com>
Sent: Monday, April 3, 2023 11:27 AM
To: ykhabins@bellsouth.net
Cc: BaseX <basex-talk@mailman.uni-konstanz.de>
Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
The logs look inconspicuous indeed. Some more questions:
• You mentioned that the Jetty server “goes down”. What does that mean? Does it simply block any further requests? Do you have a 100% CPU workload?
• Which BaseX services are enabled in your web.xml? Does Jetty stall if you disable all REST, RESTXQ, and/or WebDAV?
Best,
Christian
On Mon, Apr 3, 2023 at 4:44 PM <ykhabins@bellsouth.net> wrote:
>
> Hi Christian,
>
> IMO, it is just the number of requests.
> I attached the .log file.
>
> -----Original Message-----
> From: Christian Grün <christian.gruen@gmail.com>
> Sent: Monday, April 3, 2023 10:32 AM
> To: ykhabins@bellsouth.net
> Cc: BaseX <basex-talk@mailman.uni-konstanz.de>
> Subject: Re: [basex-talk] BaseX HTTP service goes down due to Qualys Agent
>
> Hi Yitzhak,
>
> have you checked the resulting log files in the data/.logs directory?
> Are there specific requests that take too much time, or is it the plain number of incoming requests that eventually slows down the system?
>
> Best,
> Christian
>
>
> On Mon, Apr 3, 2023 at 4:29 PM <ykhabins@bellsouth.net> wrote:
> >
> > Hello,
> >
> > We are using BaseX 10.5 via its HTTP service in a corporate environment.
> >
> > We have an automated Qualys Agent that does a vulnerability scan of the server running BaseX.
> >
> > The Qualys Agent scan process includes website-related tests such as Cross-Site Scripting, SQL Injection, etc.
> >
> > The rapid nature of the Qualys Agent requests effectively gives us a DoS attack on the eclipse.jetty.server.
> >
> > It cannot process so many requests and goes down.
> >
> > In the meantime, our solution is to restart the BaseX HTTP service manually via basexhttp.bat.
> >
> > Question: is it possible to somehow configure the eclipse.jetty.server so it will be able to sustain the Qualys Agent vulnerability scan?
> >
> > Regards,
> > Yitzhak Khabinsky
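As an added example (not from the thread and not BaseX's own code), a small script that answers Christian's two diagnostic questions from the data/.logs entries: whether the stall coincides with a burst of requests per second from one client, or with individual slow or failing requests. The log lines are constructed and the tab-separated column order is an assumption to check against your own file.

```python
import re
from collections import Counter

# Constructed sample in the tab-separated layout BaseX writes to data/.logs.
# Assumed column order: time, client:port, user, type or HTTP status, runtime, message;
# compare the positions with your own log file before trusting the numbers.
SAMPLE_LOG = """\
10:32:01.104\t10.0.0.5:51002\tadmin\tREQUEST\t\t[GET] http://db:8984/rest/
10:32:01.110\t10.0.0.5:51002\tadmin\t200\t3.21 ms\t[GET] http://db:8984/rest/
10:32:01.115\t10.0.0.5:51003\tadmin\tREQUEST\t\t[GET] http://db:8984/rest/docs?q=%3Cscript%3E
10:32:01.119\t10.0.0.5:51003\tadmin\t200\t2.00 ms\t[GET] http://db:8984/rest/docs?q=%3Cscript%3E
10:32:01.130\t10.0.0.5:51004\tadmin\tREQUEST\t\t[PROPFIND] http://db:8984/webdav/
10:32:02.001\t10.0.0.9:40011\tadmin\tREQUEST\t\t[GET] http://db:8984/rest/
10:32:02.004\t10.0.0.9:40011\tadmin\t200\t1.10 ms\t[GET] http://db:8984/rest/
10:32:02.870\t10.0.0.5:51004\tadmin\t500\t1740.12 ms\t[PROPFIND] http://db:8984/webdav/
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+\t([^\t]+)\t[^\t]*\t([^\t]*)\t([^\t]*)\t(.*)$")

def parse_log(text):
    """Turn raw log lines into records: second, client ip, type, runtime in ms, message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines and entries that are not request/response records
        second, client, kind, runtime, msg = m.groups()
        ms = float(runtime.split()[0]) if runtime.strip() else None
        records.append({"second": second, "ip": client.rsplit(":", 1)[0],
                        "kind": kind, "ms": ms, "msg": msg})
    return records

def summarize(records, top=3):
    """Burst rate (requests per second, per client) versus individual slow requests."""
    per_second = Counter(r["second"] for r in records if r["kind"] == "REQUEST")
    clients = Counter(r["ip"] for r in records if r["kind"] == "REQUEST")
    finished = [(r["ms"], r["msg"]) for r in records if r["ms"] is not None]
    errors = sum(1 for r in records if r["kind"].isdigit() and int(r["kind"]) >= 400)
    return {
        "peak": max(per_second.items(), key=lambda kv: kv[1]) if per_second else None,
        "slowest": sorted(finished, reverse=True)[:top],
        "clients": clients.most_common(top),
        "errors": errors,
    }

if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print("peak requests in one second:", summary["peak"])
    print("slowest (ms, request):", summary["slowest"], "| error responses:", summary["errors"])
```

Run it against a real file with `summarize(parse_log(open("data/.logs/2023-04-03.log").read()))`; a high peak from a single client with fast responses points at request volume, while one request dominating the slowest list points at a specific service such as WebDAV.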