Open source RASP solution
Java Agent
PHP agent
PHP agent
Java agent
Command execution
SSRF
Path traversal
/../../ detection bypass reported by @Leesec
PHP stack validation
SQL injection
PHP agent
Java agent
com.baidu.rasp
rasp/conf/rasp-log4j.xml prior to software upgrade
Rasp Installer
SQLi algorithm
Command execution detection algorithm
debug_level now renamed to debug.level
stack parameter for both directory and ssrf
hook points
ord, chr
openrasp.callable_blacklists
for more details
Chinese documentation
SQLi/SSRF detection algorithm in pure Java code
RASP.config(algorithm.config, ...) interface in javascript plugins
BSD-3 with Apache License 2.0
rasp/conf/rasp-log4j.xml prior to version upgrade
Directory Index configuration in Tomcat
RASP.config() now renamed to RASP.config_set()
RASP.get_jsengine() interface
RASP agent
OpenRASP Installer for Java
rasp directory automatically
Chinese documentation
rasp/conf/rasp-log4j.xml prior to agent upgrade
root user
SELECT 123; SELECT 456;
load_file(0x41424344)
/*!12345
SELECT 1 FROM dual WHERE 8778 <> 8778
load_file, pg_sleep, ...
Chinese documentation
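The SQLi heuristics named in the entries above (stacked queries such as SELECT 123; SELECT 456;, a hex-encoded argument as in load_file(0x41424344), the MySQL version comment /*!12345, a constant comparison like 8778 <> 8778, and calls to dangerous functions such as load_file and pg_sleep) shown as a worked JavaScript example, since OpenRASP plugins are written in JavaScript. This is an added illustration, not OpenRASP's own plugin code: sqlTokenize() is an assumed stand-in for the RASP.sql_tokenize interface, detectSqli() and rules() are names chosen here, and the sample statements are constructed (the first four are the ones quoted on this page).

```javascript
// Added example, not OpenRASP's own plugin code. sqlTokenize() is an assumed
// stand-in for the RASP.sql_tokenize plugin interface; detectSqli() and
// rules() are names chosen for this illustration.

// Functions the page lists as dangerous; extend for other dialects as needed.
const DANGEROUS_FUNCTIONS = new Set(['load_file', 'pg_sleep']);
const COMPARISON_OPS = new Set(['=', '<>', '!=', '<', '>', '<=', '>=']);

// One alternative per token class. Order matters: the first alternative that
// matches at a position wins, so the version-comment opener precedes plain
// comments and hex literals precede decimal numbers.
const TOKEN_RE = /(?<vercomment>\/\*!\d*)|(?<comment>\/\*[\s\S]*?\*\/|--[^\n]*|#[^\n]*)|(?<string>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")|(?<hex>0x[0-9a-fA-F]+)|(?<number>\d+(?:\.\d+)?)|(?<word>[A-Za-z_][A-Za-z0-9_.]*)|(?<op>\*\/|<>|<=|>=|!=|[(),;=<>+\-*\/])|(?<other>\S)/g;

// Toy tokenizer: returns [{ type, text, pos }] and skips whitespace.
function sqlTokenize(sql) {
  const tokens = [];
  for (const m of sql.matchAll(TOKEN_RE)) {
    const type = Object.keys(m.groups).find((k) => m.groups[k] !== undefined);
    tokens.push({ type, text: m[0], pos: m.index });
  }
  return tokens;
}

// Runs the heuristics over one statement; returns [{ rule, at }].
function detectSqli(sql) {
  const findings = [];
  const all = sqlTokenize(sql);

  // 1. /*!12345 ... */ is executed by MySQL but looks like a comment elsewhere.
  for (const t of all) {
    if (t.type === 'vercomment') findings.push({ rule: 'version_comment', at: t.text });
  }

  // Ordinary comments carry no syntax, so drop them for the remaining rules.
  const toks = all.filter((t) => t.type !== 'comment');
  for (let i = 0; i < toks.length; i++) {
    const t = toks[i];
    const prev = toks[i - 1];
    const next = toks[i + 1];

    // 2. Stacked queries: a ';' followed by the start of another statement
    //    (a trailing ';' on its own is normal and not flagged).
    if (t.text === ';' && next && next.type === 'word') {
      findings.push({ rule: 'stacked_query', at: next.text });
    }
    // 3. Call of a dangerous function: a word immediately followed by '('.
    if (t.type === 'word' && next && next.text === '(' &&
        DANGEROUS_FUNCTIONS.has(t.text.toLowerCase())) {
      findings.push({ rule: 'dangerous_function', at: t.text });
    }
    // 4. Hex literal passed as a function argument, e.g. load_file(0x41424344):
    //    0x41424344 is "ABCD" written so that no quote characters are needed.
    if (t.type === 'hex' && prev && prev.text === '(' &&
        toks[i - 2] && toks[i - 2].type === 'word') {
      findings.push({ rule: 'hex_argument', at: t.text });
    }
    // 5. Comparison of two numeric literals is always true or always false;
    //    it only appears in a query when the condition was injected.
    if (t.type === 'op' && COMPARISON_OPS.has(t.text) && prev && next &&
        prev.type === 'number' && next.type === 'number') {
      findings.push({ rule: 'constant_comparison', at: `${prev.text} ${t.text} ${next.text}` });
    }
  }
  return findings;
}

// Convenience: only the names of the rules that fired, in order.
function rules(sql) {
  return detectSqli(sql).map((f) => f.rule);
}

// Constructed sample statements; the first four are the ones quoted on this page.
const SAMPLES = [
  'SELECT 123; SELECT 456;',
  'load_file(0x41424344)',
  '/*!12345 UNION SELECT 1 */',
  'SELECT 1 FROM dual WHERE 8778 <> 8778',
  'SELECT pg_sleep(5)',
  'SELECT name FROM users WHERE id = 42',
];

for (const sql of SAMPLES) {
  console.log(JSON.stringify(sql), '->', rules(sql));
}
```

The tokenizer is deliberately small: a production tokenizer has to handle dialect-specific quoting, nested comments and backtick identifiers, which is why the real agent exposes RASP.sql_tokenize to plugins instead of leaving this to regular expressions in each plugin.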
Google V8 with Mozilla Rhino
2% (worst case scenario)
RASP.sql_tokenize
context.session.getSession / context.session.setSession
readFile callback when the file exists
MOVE and COPY operations
request_id field that uniquely identifies a request
event_type field to distinguish between alarm logs and security policy logs
attack_time field now renamed to event_time
attack_params field now changed to JSON format
X-Protected-By: OpenRASP to all responses
log.maxstack option
#1
confidence field in detection results
Bug fixes: