Sasanka
OSS sasanka repository
Overview
Kong plugins that add API security functionality to Kong Gateway, further improving its security.
Some plugins are provided as OSS, and users can pick the functions they need.
Features
| Plugin Name | Function | Description |
| --- | --- | --- |
| ssk-pm | Pattern Match | Detection is performed by matching against the pattern rules that have been loaded. |
| ssk-safehost | Host Check | Detection is performed by comparing the configured Host with the actual upstream Host. |
| ssk-cors | CORS Check | Detection is performed by checking CORS-related headers against the configured policy. |
| ssk-detecthandling | Detect Handling | Sets the response status, headers, and body when a detection occurs. |
| ssk-std-logger | Output Detect Log | Logs to standard output or standard error when a detection occurs. |
| ssk-ua-filter | Filter by Any User-Agent | Block any User-Agent you configure, and optionally block requests with no User-Agent. |
| ssk-libinjection | Detect Using Libinjection | Uses libinjection to detect SQL injection by parsing SQL syntax rather than by regex. |
| ssk-clickjacking | Prevent Clickjacking | Prevents clickjacking attacks. |
| ssk-saferedirect | Strict Redirection | Restricts redirect targets to a host whitelist. |
| ssk-strictparameter | Strict and Validate Parameters | Validates parameters against a JSON-Schema-like definition and can restrict values, for example to prevent Mass Assignment. |
| ssk-telemetry | Output Telemetry | Outputs telemetry to stdout or stderr. Telemetry here means metrics such as latency and request counts. |
| ssk-allowkey | Restrict parameter containing any key | Restricts which keys each parameter may contain, to prevent Mass Assignment (one of the OWASP Top 10). |
| ssk-magika | MIME type validation with Magika | Ensures that uploaded files conform to the expected format using Magika, rather than relying solely on the file extension. |
These plugins are not compatible with DB-less mode.
Select the plugins you need from the list above and enable them as Kong plugins.
Install and Get Started
Requirements
If you need help with KONG installation, see the documentation on Install and Run KONG.
Related KONG
If you already have KONG installed, please skip this.
- KONG (2.8.2, 3.0.0, or 3.3.0)
- postgreSQL
- Lua ≥ 5.1, 5.3
- luarocks
Note
These are Kong custom plugins, so you must run Kong from source. They cannot be used with the Docker Kong image.
Additional
- pcre2: optional. The plugins run without pcre2, but we recommend installing it for performance. To install it:

```sh
# install dependency
sudo apt-get install -y libpcre2-dev
sudo luarocks install lrexlib-pcre2
```

- libinjection
Install Plugins in Kong Gateway
Execute the following.

```sh
git clone https://github.com/cybersecuritycloud/sasanka.git
cd sasanka
luarocks install rocks/${PLUGIN_NAME}.${VERSIONS}.all.rock
```

Then add the plugins you want to the plugins item of your kong.conf, as in the following example, and restart Kong.

```
plugins = bundled,ssk-detecthandling,ssk-safehost,ssk-pm,ssk-cors,ssk-std-logger,ssk-ua-filter,ssk-optimizer,ssk-libinjection,ssk-saferedirect,ssk-clickjacking,ssk-strictparameter,ssk-response-transform,ssk-telemetry,ssk-allowkey
```

If the plugins cannot be installed this way, you can copy the source code into Kong's plugin directory instead.
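The kong.conf edit above is easy to get wrong by hand (dropping `bundled` disables Kong's own plugins, and a duplicated name is rejected at startup). The following is an added example, not part of the Sasanka project, that merges plugin names into the `plugins =` line idempotently. It assumes the `key = value` layout kong.conf uses and that a commented-out `#plugins = bundled` line, as shipped in the default kong.conf, is the one to activate when no live line exists.

```python
"""Enable Sasanka plugins in kong.conf without duplicating or dropping entries."""
import re
from typing import Iterable, List

# Plugin names taken from the README's example plugins line.
SSK_PLUGINS = [
    "ssk-detecthandling", "ssk-safehost", "ssk-pm", "ssk-cors",
    "ssk-std-logger", "ssk-ua-filter", "ssk-libinjection",
    "ssk-saferedirect", "ssk-clickjacking", "ssk-strictparameter",
    "ssk-telemetry", "ssk-allowkey",
]

# Matches `plugins = ...`, with or without a leading `#` comment marker.
_PLUGINS_LINE = re.compile(r"^(\s*#?\s*)plugins\s*=\s*(.*)$")


def merge_plugins(existing: str, wanted: Iterable[str]) -> str:
    """Return the comma-separated value with `wanted` appended; order kept, no duplicates."""
    names: List[str] = [n.strip() for n in existing.split(",") if n.strip()]
    for name in wanted:
        if name not in names:
            names.append(name)
    if "bundled" not in names:
        names.insert(0, "bundled")  # keep Kong's bundled plugins enabled
    return ",".join(names)


def update_kong_conf(text: str, wanted: Iterable[str] = SSK_PLUGINS) -> str:
    """Rewrite `text` so that its active `plugins = ...` line enables `wanted`.

    Preference: an existing active line, else the first commented-out one
    (assumption: that is the default kong.conf template line), else a new line
    appended at the end.
    """
    lines = text.splitlines()
    active = commented = None
    for i, line in enumerate(lines):
        m = _PLUGINS_LINE.match(line)
        if not m:
            continue
        if "#" in m.group(1):
            commented = i if commented is None else commented
        elif active is None:
            active = i
    idx = active if active is not None else commented
    if idx is None:
        lines.append("plugins = " + merge_plugins("bundled", wanted))
    else:
        current = _PLUGINS_LINE.match(lines[idx]).group(2)
        lines[idx] = "plugins = " + merge_plugins(current, wanted)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample conf; a real run would read/write /etc/kong/kong.conf.
    sample = "prefix = /usr/local/kong/\n#plugins = bundled\nlog_level = notice\n"
    print(update_kong_conf(sample, ["ssk-pm", "ssk-cors"]))
```

Running the function twice over the same file yields the same text, so it is safe to use from a provisioning script that re-runs on every deploy.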
Usage
The following examples enable each plugin on a Service: replace SERVICE_NAME|SERVICE_ID with the id or name of the service that the plugin configuration will target.
To enable a plugin on a Route instead, replace SERVICE_NAME|SERVICE_ID with the ROUTE_NAME|ROUTE_ID of the route that the plugin configuration will target.
Replace localhost and 8001 with your Kong Admin API host and port.
Most plugins have config.tags in their config field. These tags are used to handle the response when a detection occurs: you can return any custom response, or choose not to block the request and only output logs.
For more information, see each plugin's schema.lua.
ssk-pm
Pattern matching is performed against the patterns loaded from the configuration.
Enable on Service

```sh
curl -i -X POST http://localhost:8001/services/SERVICE_NAME|SERVICE_ID/plugins \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ssk-pm",
    "config": {
      "patterns": [ { "name": "example-pattern-key", "patterns": ["aa", "bb"] } ],
      "params": [ { "in": "param_req_query", "key": "*", "patterns": ["example-pattern-key"] } ]
    }
  }'
```
Config Parameters
| key | type | description | required | default value |
| --- | --- | --- | --- | --- |
| config.patterns | array of table elements | Defines the patterns to be set and their names. | - | table |
| config.patterns[i].name | string | Name of the pattern being defined. | - | nil |
| config.patterns[i].patterns | array of string elements | The pattern rules, as an array. | - | nil |
| config.params | array of table elements | Defines where the configured patterns are applied. | - | table |
| config.params[i].in | string | <b>Deprecated.</b> The item to apply detection to: one of "param_req_query", "param_req_path", "param_req_header", "param_req_cookie", "param_req_body", "param_req_", "param_res_header", "param_res_". Use "" or null to apply to all params. | - | nil |
| config.params[i].key | string | <b>Deprecated.</b> The parameter key to apply detection to. If "" or null, all parameter keys are applied. | - | nil |
| config.params[i].patterns | array of string elements | The patterns to apply, chosen from those defined in config.patterns. | - | nil |
| config.params[i].customize | table | Fine-tunes, per pattern, the target items, keys, and tags (see below). | - | nil |
| config.params[i].customize.in | array of string | The items to apply detection to, from the same list as config.params[i].in. Use [""] or null to apply to all params. | - | nil |
| config.params[i].customize.key | array of string | The parameter keys to apply detection to. If [""] or null, all parameter keys are applied. | - | nil |
| config.params[i].customize.tags | array of string | Any tags you choose. They can be used by ssk-detecthandling and other plugins. | - | nil |
The customize field fine-tunes, for each pattern listed in the patterns field, which items and keys it applies to and which tags it carries.
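A config that references a pattern name it never defines, or whose JSON is malformed (as in the example above, where a missing colon is an easy slip), is only caught when the Admin API rejects it. The following added example, which is not the plugin's own code, checks an ssk-pm config for such inconsistencies and then simulates where its rules would fire on a constructed request. Its assumptions: the config shape is the one shown in the README, pattern rules behave as regular expressions (the README recommends pcre2 for speed, so this is a reasonable model but not a statement about the plugin's matcher), a key of "*", "" or null means every key, and customize.in/customize.key take precedence over the deprecated in/key fields.

```python
"""Validate an ssk-pm config and simulate which request values its patterns hit."""
import re
from typing import Any, Dict, List

# The request/response sections named by the README's `in` values.
SECTIONS = ("param_req_query", "param_req_path", "param_req_header",
            "param_req_cookie", "param_req_body", "param_req_",
            "param_res_header", "param_res_")

EXAMPLE_CONFIG: Dict[str, Any] = {  # the README example, plus a tag set via customize
    "patterns": [{"name": "example-pattern-key", "patterns": ["aa", "bb"]}],
    "params": [{"in": "param_req_query", "key": "*",
                "patterns": ["example-pattern-key"],
                "customize": {"tags": ["status403"]}}],
}

SAMPLE_REQUEST: Dict[str, Dict[str, str]] = {  # constructed request, keyed by section
    "param_req_query": {"q": "xaay", "page": "2"},
    "param_req_header": {"user-agent": "bb-scanner"},
}


def validate_pm_config(config: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the config is consistent."""
    problems: List[str] = []
    defined: Dict[str, List[str]] = {}
    for i, p in enumerate(config.get("patterns") or []):
        name = p.get("name")
        if not name:
            problems.append(f"patterns[{i}] has no name")
            continue
        if name in defined:
            problems.append(f"patterns[{i}] duplicates the name {name!r}")
        defined[name] = p.get("patterns") or []
        for rule in defined[name]:
            try:
                re.compile(rule)  # assumption: rules are regular expressions
            except re.error as exc:
                problems.append(f"pattern {name!r} rule {rule!r} does not compile: {exc}")
    for i, prm in enumerate(config.get("params") or []):
        if not prm.get("patterns"):
            problems.append(f"params[{i}] applies no pattern")
        for ref in prm.get("patterns") or []:
            if ref not in defined:
                problems.append(f"params[{i}] references the undefined pattern {ref!r}")
        cust = prm.get("customize") or {}
        for s in ([prm["in"]] if prm.get("in") else []) + (cust.get("in") or []):
            if s and s not in SECTIONS:
                problems.append(f"params[{i}] names the unknown section {s!r}")
    return problems


def _selected(values, wildcard=("", "*")) -> List[str]:
    """Drop the 'everything' markers; an empty result means 'no restriction'."""
    return [v for v in (values or []) if v and v not in wildcard]


def simulate_pm(config: Dict[str, Any], request: Dict[str, Dict[str, str]]) -> List[Dict[str, Any]]:
    """Report each (section, key) whose value a rule matches, with the tags it carries."""
    rules = {p["name"]: [re.compile(r) for r in p.get("patterns") or []]
             for p in config.get("patterns") or []}
    hits: List[Dict[str, Any]] = []
    for prm in config.get("params") or []:
        cust = prm.get("customize") or {}
        # customize.in / customize.key override the deprecated in / key (assumption)
        sections = _selected(cust.get("in") or [prm.get("in")])
        keys = _selected(cust.get("key") or [prm.get("key")])
        tags = cust.get("tags") or []
        for section, params in request.items():
            if sections and section not in sections:
                continue
            for key, value in params.items():
                if keys and key not in keys:
                    continue
                for name in prm.get("patterns") or []:
                    for rx in rules.get(name, []):
                        if rx.search(str(value)):
                            hits.append({"section": section, "key": key, "value": value,
                                         "pattern": name, "rule": rx.pattern, "tags": tags})
    return hits


if __name__ == "__main__":
    print(validate_pm_config(EXAMPLE_CONFIG))      # [] for the README example
    for hit in simulate_pm(EXAMPLE_CONFIG, SAMPLE_REQUEST):
        print(hit)
```

Run the validator over a config before posting it to the Admin API; the tags returned by the simulation are the ones ssk-detecthandling would see, which makes it easy to confirm that a rule is wired to the intended response.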
ssk-safehost
Checks the configured host against the actual upstream host.
The host in this plugin means the value of the Host header, so in practice it is the FQDN.
Enable on Service Example

```sh
curl -i -X POST http://localhost:8001/services/SERVICE_NAME|SERVICE_ID/plugins \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ssk-safehost",
    "config": {
      "tags": ["status409"],
      "host_check": "HostName.com"
    }
  }'
```

Config Parameters

| key | type | description | required | default value |
| --- | --- | --- | --- | --- |
| config.tags | array of string | Any tags you choose. They can be used by ssk-detecthandling and other plugins. | - | [] |
| config.host_check | string | The hostname of the upstream. Port 80 is assumed by default; if the port is other than 80, it must be included. | true | |
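The port rule in the table (port 80 implied unless host_check names another) is where a safehost comparison usually goes wrong, because a Host header may or may not carry an explicit port. The following added example, not the plugin's own code, models the comparison with that rule. Assumptions beyond the README: hostnames are compared case-insensitively (DNS names are), a request with no Host header fails the check, and IPv6 literals arrive as `[addr]:port`.

```python
"""Model the ssk-safehost comparison between the Host header and host_check."""
from typing import Tuple


def _split_host(value: str, default_port: int = 80) -> Tuple[str, int]:
    """Normalise 'host[:port]' into (lower-case host, port), applying the default port."""
    value = value.strip().lower()
    if value.startswith("["):  # IPv6 literal such as [::1]:8000
        end = value.find("]")
        host, rest = value[:end + 1], value[end + 1:]
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return host, default_port
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def host_allowed(host_header: str, host_check: str, default_port: int = 80) -> bool:
    """True when the request's Host header names the configured upstream host and port."""
    if not host_header:
        return False  # assumption: a missing Host header is treated as a mismatch
    return _split_host(host_header, default_port) == _split_host(host_check, default_port)


if __name__ == "__main__":
    # Constructed Host header values checked against the README's host_check value.
    for hdr in ("HostName.com", "hostname.com:80", "HostName.com:8443", "other.example"):
        print(f"{hdr:20} -> {host_allowed(hdr, 'HostName.com')}")
```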
ssk-cors
Detects CORS-related violations.
When modify_response_header=true, the response headers are modified on detection.
Enable on Service Example
```sh
curl -i -X POST http://localhost:8001/services/SERVICE_NAME|SERVICE_ID/plugins \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ssk-cors",
    "config": {
      "tags": ["log"],
      "block": true,
      "modify_response_header": true,
      "allow_origins": ["*"],
      "allow_methods": ["OPTIONS", "GET", "PUT"],
      "allow_headers": ["*"],
      "expose_headers": ["*"],
      "allow_credentials": false,
      "max_age": 3600
    }
  }'
```
Config Parameters
| key | type | description | required | default value |
| --- | --- | --- | --- | --- |
| config.tags | array of string | Any tags you choose. They can be used by ssk-detecthandling and other plugins. | - | [] |
| config.block | boolean | Enables CORS blocking. | true | |
| config.modify_response_header | boolean | Whether to modify the response headers when a detection or block occurs. | - | nil |
| config.allow_origins | array of string elements | Defines which origins are allowed. "*" allows all; null allows none. If modify_response_header is true, adds the Access-Control-Allow-Origin header with the configured value. | - | nil |
| config.allow_methods | array of string elements | Defines which methods are allowed. "*" allows all. If modify_response_header is true, adds the Access-Control-Allow-Methods header with the configured value. | - | nil |
| config.allow_headers | array of string elements | Defines which headers are allowed. "*" allows all. If modify_response_header is true, adds the Access-Control-Allow-Headers header with the configured value. | - | nil |
| config.expose_headers | array of string elements | If modify_response_header is true, adds the Access-Control-Expose-Headers header with the configured value. | - | nil |
| config.allow_credentials | boolean | If modify_response_header is true, adds the Access-Control-Allow-Credentials header with the configured value. | - | nil |
| config.max_age | integer | If modify_response_header is true, adds the Access-Control-Max-Age header with the configured value. | - | nil |
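To see how the table's rules play out on a request, the following added example (not the plugin's code) evaluates a request against an ssk-cors config, derives the Access-Control-* headers the table says are added when modify_response_header is true, and flags two settings a reviewer would question. It assumes the "*"/null semantics stated in the table, that a request without an Origin header is not subject to CORS, and that a preflight is an OPTIONS request carrying Access-Control-Request-Method; header names in the request dict are lower-case.

```python
"""Evaluate requests against an ssk-cors config and derive the response headers."""
from typing import Dict, List, Optional, Tuple

README_CONFIG: dict = {  # the README's example ssk-cors config
    "tags": ["log"], "block": True, "modify_response_header": True,
    "allow_origins": ["*"], "allow_methods": ["OPTIONS", "GET", "PUT"],
    "allow_headers": ["*"], "expose_headers": ["*"],
    "allow_credentials": False, "max_age": 3600,
}


def _allowed(values: Optional[List[str]], item: str) -> bool:
    """Table semantics: "*" allows everything, null (None) allows nothing."""
    if values is None:
        return False
    return "*" in values or item in values


def check_cors(config: dict, method: str, headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons name the config rule that rejected the request."""
    reasons: List[str] = []
    origin = headers.get("origin")
    if origin is None:
        return True, reasons  # no Origin header: not a cross-origin browser request
    if not _allowed(config.get("allow_origins"), origin):
        reasons.append(f"origin {origin!r} is not allowed")
    if method.upper() == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: the browser asks permission for the real method and custom headers.
        methods = config.get("allow_methods")
        methods = None if methods is None else [m.upper() for m in methods]
        want = headers["access-control-request-method"].upper()
        if not _allowed(methods, want):
            reasons.append(f"method {want} is not allowed")
        allow_hdrs = config.get("allow_headers")
        allow_hdrs = None if allow_hdrs is None else [h.lower() for h in allow_hdrs]
        for h in headers.get("access-control-request-headers", "").split(","):
            h = h.strip().lower()
            if h and not _allowed(allow_hdrs, h):
                reasons.append(f"request header {h!r} is not allowed")
    return (not reasons), reasons


def cors_response_headers(config: dict) -> Dict[str, str]:
    """Headers the table says are added when modify_response_header is true."""
    if not config.get("modify_response_header"):
        return {}
    out: Dict[str, str] = {}
    for key, header in (("allow_origins", "Access-Control-Allow-Origin"),
                        ("allow_methods", "Access-Control-Allow-Methods"),
                        ("allow_headers", "Access-Control-Allow-Headers"),
                        ("expose_headers", "Access-Control-Expose-Headers")):
        if config.get(key):
            out[header] = ",".join(config[key])
    if config.get("allow_credentials") is not None:
        out["Access-Control-Allow-Credentials"] = "true" if config["allow_credentials"] else "false"
    if config.get("max_age") is not None:
        out["Access-Control-Max-Age"] = str(config["max_age"])
    return out


def weak_settings(config: dict) -> List[str]:
    """Combinations worth a second look before the config goes live."""
    notes: List[str] = []
    if config.get("allow_credentials") and "*" in (config.get("allow_origins") or []):
        notes.append("allow_credentials with allow_origins ['*']: browsers reject the "
                     "combination, and it signals an over-broad origin policy")
    if not config.get("block"):
        notes.append("block is false: violations are logged but not stopped")
    return notes


if __name__ == "__main__":
    # Constructed preflight from a browser page at https://app.example (not a real site).
    preflight = {"origin": "https://app.example",
                 "access-control-request-method": "DELETE"}
    print(check_cors(README_CONFIG, "OPTIONS", preflight))
    print(cors_response_headers(README_CONFIG))
    print(weak_settings(README_CONFIG))
```

With the README config, a plain GET from any origin passes, while a preflight for DELETE is rejected because DELETE is absent from allow_methods; tightening allow_origins to the specific origins your clients use is the first change most deployments should make.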
ssk-detecthandling
Handles the response when a detection is made by an ssk-* plugin. For example, you can configure a custom response, delay the response, or only output logs.
Enable on Service Example
curl -i -X POST http://localhost:8001/services