Openrasp Versions Save

🔥Open source RASP solution

v0.40

5 years ago

中文说明

Breaking changes

Java Agent

  • The command parameter in the ProcessBuilder hook changed to string type
  • Replaced all alarm message with English ones

PHP agent

  • Replaced all alarm message with English ones

New features

PHP agent

  • Add support of PHP 7.0~7.2
  • Add support of prepared SQL statement
  • Fallbacked to v8 default platform
  • Add monitoring of rename operations

Java agent

  • Add monitoring of rename operations

Algorithm improvements

Command execution

  • Add support of FreeMarker template command execution

SSRF

  • Add detection of potentially dangerous protocol, e.g php://
  • Add detection of 127.X.X.X in ssrf_userinput algorithm

Path traversal

  • Fixed a /../../ detection bypass reported by @Leesec

PHP stack validation

  • Fixed a call_user_func false positive reported by @Ezreal

SQL injection

  • Add a global LRU cache to improve generic performance
  • Add detection of INTO OUTFILE phrase

Bug fixes

PHP agent

  • Add ~60 PHP test cases, multiple bugs fixed
  • Fixed a expand_path issue on Windows

v0.32

5 years ago

中文说明

Algorithm improvements

  • Make the official javascript plugin more configurable by adding a global algorithmConfig variable
  • Add detection for more domains commonly used in SSRF attacks

Bug fixes

  • Resolve a class loader compatibility issue on Rhino 3.1.8 (Windows)
  • Repackaged mozilla rhino library to resolve another class loading issue

v0.31

6 years ago

中文说明

Breaking changes

Java agent

Rasp Installer

  • Add support of software uninstallation
  • Command line arguments changed to the following
    • java -jar RaspInstall.jar -install /home/tomcat
    • java -jar RaspInstall.jar -uninstall /home/tomcat

Algorithm changes

SQLi algorithm

  • Detection of constant comparsion is now off by default

Command execution detection algorithm

  • Detect unusual command execution on Non-HTTP requests
  • e.g CVE-2018-1270

New features

  • On startup, Java agent will print an ASCII art
  • Add SQLi hook for JDBC prepared statement, resolves ISSUE #8
  • Add support of Resin 3.X & 4.X servers
  • Optimized jnotify to support exception handling

Bug fixes

  • PHP
    • Fixed a potential memory leak on log module

v0.30

6 years ago

中文说明

Breaking changes

  • Java agent
    • Debug level option debug_level now renamed to debug.level

New features

API changes

  • Add stack parameter for both directory and ssrf hook points

Algorithm improvements

  • SQLi detections
    • Block UNION NULL queries
    • Block blind injection releated functions, e.g ordchr
  • Java - Anti deserialize exploits
    • Block command execution via YsoSerial payloads
  • PHP - china chopper detection
    • Block suspicious file manager, command execution via stack validation algorithm
    • Block simple webshells that directly evaluate user inputs
  • PHP - block unusual callbacks
    • Please refer to openrasp.callable_blacklists for more details

v0.24

6 years ago

中文说明

Bug fixes

  • OpenRASP Installer for Java
    • Add support of JBoss 4.0.X

Other changes

  • Add logging of ANTLR errors

v0.23

6 years ago

中文说明

Breaking changes

  • Remove reflection hook point
    • Improves performance greatly
    • Detection logic moved to command hook point

Algorithm enhancements

  • Add more domains commonly used in SSRF exploit

v0.22

6 years ago

中文说明

Breaking changes

  • Re-implemented SQLi/SSRF detection algorithm in pure Java code
    • Configurable via RASP.config(algorithm.config, ...) interface in javascript plugins
    • Performance improved by nearly 20%
  • LICENSE upgrade
    • Replaced BSD-3 with Apache License 2.0
  • Log rotation
    • Automatically remove old log files, keep up-to 30 files by default
    • User must manually remove rasp/conf/rasp-log4j.xml prior to version upgrade

New features

  • Add support of JBoss 7.X
  • Conditional HTML injection support
    • Mostly designed for CSRF / Blind XSS detection
    • Disabled by default
  • When an attack is blocked, allow user to customize HTTP response code
  • Security baseline improvements
    • Detect global Directory Index configuration in Tomcat
    • JDBC account auditing: only report on successful connections
  • Add a debug option to collect performance data

Algorithm improvements

  • Detect basic SSRF and URL obfuscation technique
    • List of supported HTTP request libraries:
      • URL.openConnection
      • commons-httpclient
      • httpclient

API Changes

  • RASP.config() now renamed to RASP.config_set()
  • Add RASP.get_jsengine() interface

Bug fixes

RASP agent

OpenRASP Installer for Java

  • Will add write permission to rasp directory automatically
  • Refine all error messages

v0.21

6 years ago

中文说明

Breaking Changes

  • Separation of security baseline vialotion logs
    • Make it easier to manage different types of alarm logs
    • User must manually remove rasp/conf/rasp-log4j.xml prior to agent upgrade

New Features

  • Detect LFI/SSRF exploit via jstl-import method
  • Add support of DB2 database server
    • Only tested on version 9.7 and 10.5
  • Security baseline feature enhancements
    • Audit database accounts, e.g connect to MySQL with root user
  • Add slow query detection, e.g read 500+ rows with SELECT statement
  • Support TCP syslog transmission

Algorithm improvemnts

  • Release SQLi detection algorithm No.2 (configurable)
    • Detect stacked queries, e.g SELECT 123; SELECT 456;
    • Detect hex string representations, e.g load_file(0x41424344)
    • Detect OS version number, e.g /*!12345
    • Detect numeric constant comparsion, e.g SELECT 1 FROM dual WHERE 8778 <> 8778
    • Detect usage of blacklisted functions, e.g load_file, pg_sleep, ...

v0.20

6 years ago

中文说明

Breaking changes

  • JS engine optimization
    • Replace Google V8 with Mozilla Rhino
    • Performance impact now reduced to 2% (worst case scenario)
  • No longer support the WebLogic application server

JS API changes

  • Add a SQL tokenize method: RASP.sql_tokenize
  • Add a SESSION modification method: context.session.getSession / context.session.setSession
  • Only execute the readFile callback when the file exists

Hook point changes

  • Add a WebDAV hook point that monitors HTTP MOVE and COPY operations

Logging changes (alarm logs)

  • Added HTTP referer field
  • Added a request_id field that uniquely identifies a request
  • Added an event_type field to distinguish between alarm logs and security policy logs
  • attack_time field now renamed to event_time
  • The content of attack_params field now changed to JSON format
    • An update to the ElasticSearch index mapping is required

New features

  • Support HTTP alarm push notification
  • Added X-Protected-By: OpenRASP to all responses
  • Added support of Jetty, JBoss 5~6 platforms
  • No longer throws exception when an attack happens
  • Maximum stacktrace level now configurable via the log.maxstack option
  • Application server hardening support (See here for details)

Algorithm improvements

  • Add ability to detect common/commerical web vulnerability scanners
    • Disabled by default
  • Release the SQLi detection algorithm #1
  • Forceful browsing detection
  • Added a confidence field in detection results

Other improvements

  • XXE detection on JBoss: remove redundant JS callbacks

v0.13

6 years ago

Bug fixes:

  • Remove unexpected alarm logs when javascript engine encounters a runtime error
  • Provide full javascript stack trace and runtime error message in plugin.log