Release Notes - Dynamic Reviewer
- 4.0.9 version-2021.12.23
- 4.0.8 version-2021.12.09
- 4.0.7 version-2021.12.05
- 4.0.6 version-2021.11.29
- 4.0.5 version-2021.11.27
- 4.0.4 version-2021.10.22
- 4.0.3 version-2021.09.12
- 4.0.2 version-2021.04.11
- 4.0.2 version-2021.03.09
- 4.0.1 version-2021.02.07
- 4.0.0 version-2021.01.08
- 3.1.0 version-2020.11.05
- 3.0.0 version-2020.10.01
- 2.1.0 version-2020.08.10
- 2.0.0 version-2020.07.13
- 1.5.1 version-2020.06.20
- 1.5 version-2020.05.22
- 1.4 version-2020.04.24
- 1.3.2 version-2020.03.25
- 1.3.1 version-2020.03.12
- 1.3.0 version-2020.02.11
- 1.2.3 version-2019.12.17
- 1.2.2 version-2019.11.28
- 1.2.1 version-2019.10.29
- 1.2.0 version-2019.9.5
- 1.1.2 version-2019.7.11
- Version 1.1.1-2018.6.17
- Version 1.1-2018.6.6
- 1.0 official version-2018.4.12
- 1.0.0 RC1 version-2018.1.3
- Version 0.50-2017.10.29
- Version 0.42-2017.9.26
- Version 0.41-2016.9.17
- Version 0.40-2016.7.24
- Version 0.32-2016.6.8
- Version 0.31-2016.5.22
- Version 0.30-2015.4.27
- Version 0.24-2015.2.2
- Version 0.23-2015.1.23
- Version 0.22-2015.1.17
- Version 0.21-2014.12.6
- Version 0.20-2014.10.26
- Version 0.13-2014.09.22
- Version 0.12-2014.09.14
- Version 0.11-2014.09.13
- Version 0.10-2014.08.18
- Version 0.09-2014.07.14
4.0.9 version-2021.12.23
Kali Linux 2021.4a support was added.
4.0.8 version-2021.12.09
Rocky Linux 8 support was added.
4.0.7 version-2021.12.05
RedHat 9 support was added.
4.0.6 version-2021.11.29
Windows Server 2022 support was added.
4.0.5 version-2021.11.27
Windows 11 support was added.
4.0.4 version-2021.10.22
SUSE Linux Enterprise Server 15 support was added.
4.0.3 version-2021.09.12
Oracle Linux 8 support was added.
4.0.2 version-2021.04.11
RedHat 8 support was added.
4.0.2 version-2021.03.09
Oracle RAC support was added.
4.0.1 version-2021.02.07
JavaScript memory-leak detection was added.
New DOM checks, from 40 to 54
4.0.0 version-2021.01.08
Major Version. JavaScript fuzzy engine was added
New DOM checks, from 27 to 39
CWE updated to 4.4
OWASP fully updated to Top Ten 2017
3.1.0 version-2020.11.05
New DOM checks, from 21 to 27
3.0.0 version-2020.10.01
Major Version. New Python-based engine was added
New DOM checks, from 13 to 20
2.1.0 version-2020.08.10
Generates a report even if the scan was aborted
By default, terminates the scan after 1 hour
New DOM checks, from 1 to 12
2.0.0 version-2020.07.13
Major Version. This is the first version with independent fixes.
CentOS 8 support was added
Updated to Ruby 3.0.0
1.5.1 version-2020.06.20
This is the last version following original Arachni Web UI fixes.
Plugins
metrics
-- Fixed type error due to race condition.
1.5 version-2020.05.22
proxy
-- The --bind_address default switched to 127.0.0.1, since 0.0.0.0 breaks SSL interception on MS Windows.
metrics
-- Fixed division by 0 error when no requests have been performed.
-- Added:
   HTTP: request time-outs, responses per second
   Browser cluster: timed-out jobs, seconds per job, total job time, job count
email_notify
-- Retry on error.
-- Default to afr as a report format.
1.4 version-2020.04.24
Native MS Windows compatibility.
Full RedHat 7 and CentOS 7 support
1.3.2 version-2020.03.25
Bug fix
Management background
Fix the wrong default value of request.param_encoding reported by a customer
Java/Scala/Kotlin/Clojure version
Fix an issue where a reported attack could not be intercepted
1.3.1 version-2020.03.12
Optimization and improvement
Management background
Fix the default regex for sensitive files in the web root directory: remove the extra double quotes
Add host interface: improve the manual installation tips
Java/Scala/Kotlin/Clojure version
Fix a problem where SpringBoot could invalidate all hook points after the whitelist was enabled
PHP version
Added FastCGI SAPI support (previous versions only supported php-fpm / apache)
.NET detection plugin
Sensitive information leak detection: fix false positives in mobile phone number identification in some cases
When request JSON parsing fails, truncate the exception log to avoid filling the disk
Intercept command execution based on CVE-2020-9547 and CVE-2020-8840
1.3.0 version-2020.02.11
Major changes
IAST scanning tool
The IAST console is integrated into the existing management background to reduce operation and maintenance costs (IAST no longer listens on port 18664)
The IAST scanner now connects to the panel server (previously it connected to the agent server)
The IAST scanner uses WebSocket to connect to the management background and is not compatible with backgrounds older than v1.3.0
Users of an older background can install the old version with the pip3 command
PHP version
For file-related detection points, if the file being read starts with a streaming protocol, SSRF detection is triggered and file read/write detection is not
Affected protocols: https / http / ftp
Affected functions: file / readfile / file_get_contents / fopen / copy / include
When plugin.filter is disabled, files at these detection points ignore the open_basedir configuration and continue into plug-in detection
New features
General improvements
Add a file deletion detection point
Add a detection point after SSRF redirects, to detect rebinding attacks
Add an HTML response detection point, sampled 5 times per minute by default
Add dependency library information collection, once every 6 hours by default:
-- Java POM information
-- PHP composer.json
Complete the SQL anomaly detection points:
-- PHP adds PostgreSQL and SQLite exception monitoring
-- Java adds PostgreSQL, SQLite, Oracle, SQLServer, HSQLDB and DB2 monitoring
Weak password list supports remote delivery
Strengthen configuration validation for the standalone version: when the outermost YAML key cannot be recognized, print a log
Java/Scala/Kotlin/Clojure version
Add Hibernate SQL checkpoint
Add NIO detection point
Added SpringBoot partial annotation parameter support
PHP version
SSRF supports IPv6 address resolution
Baseline check: detect whether compressed files, SQL files and other sensitive files exist in the web root directory
Add mysql_db_query and mysql_unbuffered_db_query detection points
Add print checkpoint
Management background
New -s restart / -s stop / -s status commands to restart, stop and query the status of the background service
Support setting notes on hosts and searching by notes
Whitelist supports notes
Support writing logs to Kafka
Alarm sending interval moved to front-end configuration
Add alarm log deduplication, keyed on request ID, stack MD5 and attack type
Background log size and file-number limits added, configurable
.NET/Java/Scala/Kotlin/Clojure detection plugin
Add arbitrary file deletion vulnerability detection
Add header injection detection (such as SQL injection and command injection via headers)
Added command execution syntax error monitoring and suspicious injection detection
Add DNS rebinding SSRF attack detection
Add leak detection for sensitive information in HTTP responses, such as bank card, ID card and mobile phone numbers
Bug fix
Java/Scala/Kotlin/Clojure version
When RaspInstall installs rasp.jar, rename the existing file before writing the new one
-- Avoids modifying the loaded jar, which may cause mmap problems
-- Old files are given random UUID names, so multiple installations are supported, and they are deleted together at startup
PHP version
When the configuration delivered by the background does not meet expectations, actively report an exception log
Fix the problem that only one entry would be uploaded in the following log of Kali
Fix cases where multiple rasp-log processes would exist
Management background
Client version aggregation interface no longer filters by host online status
Add duplicate whitelist check
1.2.3 version-2019.12.17
New features
General improvements
Java/Scala/Kotlin/Clojure, .NET and PHP add crash monitoring (Linux / Mac only)
-- Monitors signals such as segfault / abort
-- Monitoring scope: the Java main process, and the PHP worker / heartbeat / logging process / daemon
-- After a crash, an alarm is automatically sent to the management background and the stack log is uploaded; the background sends an email alarm synchronously
-- To test the monitoring, running kill -11 PID triggers a segmentation fault
Management background
Support client version enumeration
Support closing all alarms with one click
Allow the agent to register when it cannot obtain the application version number (for example dubbo)
Bug fix
Java/Scala/Kotlin/Clojure version
Fix a problem where logs were still sent to the old syslog address after it was modified
1.2.2 version-2019.11.28
Upgrade Instructions
Management background
After the background upgrade is complete, you still need to manually run ./rasp-cloud -upgrade 121to122 to update MongoDB
Added X-Protected-By: OpenRASP configuration
Request body size limit changed to 12KB
Online upgrade is supported, but do not modify the configuration in the background while it runs
New features
General improvements
Completely solve the v8::Abort() crash problem: upgrade v8 to the latest version, 7.8.279.19
Support hiding the X-Protected-By: OpenRASP response header
Automatic installer
Support a custom heartbeat interval through the -heartbeat installer parameter
Java/Scala/Kotlin/Clojure version
Added WebSphere 7.X support; due to IBM JDK restrictions, file-related detection points cannot take effect
When the plug-in does not register the request / requestEnd detection point, the related parameters are no longer constructed, to improve performance
.NET/PHP/Java/Scala/Kotlin/Clojure detection plugin
Intercept command execution based on bsh.servlet.BshServlet, e.g. CNVD-2019-32204
Intercept command execution based on jdk.scripting.nashorn
Bug fix
Java/Scala/Kotlin/Clojure version
Fix a problem where Java could not get the character-stream request body in some cases
PHP version
Fix the problem that, when plugin.filter is disabled, included .php/.inc files would not enter the plug-in
For multipart requests, extract the parameters separately, to solve the missing request body when generating an alarm
Detection plugin
Fix the high memory usage of the replaceAll function reported by a user
Fix the xss_userinput bypass reported by @Looke
1.2.1 version-2019.10.29
Upgrade Instructions
Management background
Solved migration issues to ElasticSearch 6.8.8
Due to early ElasticSearch mapping problems, for existing applications, alarm messages, baseline messages and exception messages do not support case-insensitive search
After the background upgrade is complete, the user needs to manually run ./rasp-cloud -upgrade 120to121 to update the mapping
The program first modifies the alias, points the index to the new alias, and deletes the previous index after the data copy completes
New alarm data can be written during the copy process and will not be lost
New features
General improvements
First Scala version
Support custom RASP ID
-- Set it at installation with --rasp-id (PHP) or -raspid (Java)
-- If not specified, it is calculated as before from the network card, RASP path and other information
Management background
Add alarm log deduplication, keyed on request_id + stack_md5
In System Settings -> Background settings, add one-click clean-up of alarm data
Host management interface: automatically remember the Host status check box
Alarm view interface: support searching by alarm message and stack MD5; Referer and URL are clickable
Java/Scala/Kotlin/Clojure version
Added partial support for TongWeb 6.X server, from @superbaimo
Simplified the installation process for JBoss 7 and higher, from @Lorisy
Added HSQL database hook point to detect WebGoat SQL injection vulnerabilities
Added fuse (circuit breaker) support
-- The single-core CPU occupancy rate is collected periodically; if it exceeds the threshold 3 consecutive times, the fuse mechanism starts
-- When the next collected occupancy rate is lower than the threshold, protection is automatically restored
-- This function is off by default; the collection interval and CPU threshold are configurable
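As an added example (not the agent's own code), the fuse described above as a small state machine in JavaScript: three consecutive samples over the threshold trip it, the next sample at or below the threshold restores protection, and it stays inert while disabled. The class name, the 90% threshold, the 5 s interval and the sample values are constructed.

```javascript
'use strict';

// Added example, not OpenRASP/Dynamic Reviewer code: the CPU fuse from the
// 1.2.1 notes as a pure state machine. Threshold and interval are the values
// the notes call configurable; the defaults here are constructed.
class CpuFuse {
  constructor(opts) {
    const o = opts || {};
    this.enabled = o.enabled === true;                                       // off by default
    this.thresholdPct = o.thresholdPct === undefined ? 90 : o.thresholdPct; // single-core %
    this.intervalMs = o.intervalMs === undefined ? 5000 : o.intervalMs;     // sampling period
    this.tripAfter = 3;     // consecutive samples above threshold before tripping
    this.overCount = 0;     // current streak of high samples
    this.tripped = false;   // true: detection hooks are bypassed
  }

  // Feed one sample (percent of one core). Returns the protection state after
  // the sample: 'active' (hooks run) or 'fused' (hooks bypassed).
  sample(cpuPct) {
    if (!this.enabled) return 'active';
    if (cpuPct > this.thresholdPct) {
      this.overCount += 1;
      if (this.overCount >= this.tripAfter) this.tripped = true;
    } else {
      // A sample at or below the threshold ends the streak and, if the fuse
      // had tripped, restores protection immediately.
      this.overCount = 0;
      this.tripped = false;
    }
    return this.tripped ? 'fused' : 'active';
  }

  // What a hook would consult before running its detection logic.
  protectionActive() {
    return !this.tripped;
  }
}

// Replay a sequence of samples and return the state after each one.
function replay(fuse, samples) {
  return samples.map((s) => fuse.sample(s));
}
```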
Fix the problem that plugin.filter does not take effect at the include hook point
Plug-in system
First .NET and Kotlin/Clojure version
Command execution checkpoint: add environment variable information
SQL anomaly detection is changed to plug-in detection, and the error codes to monitor can be customized in the management background
Fix the command_reflect algorithm, which could cause false alarms in some cases
Bug fix
Universal fix
Added support for re-registration, so a host accidentally deleted while offline is automatically restored
Java version
Fix a false alarm when the middleware supports the multipart protocol but the user does not upload files
Fix a problem where, when the server connects to the management background some time after startup, the Java Agent would not obtain the registered IP again
Fixed an issue where WebSphere deserialization command execution would not be blocked due to an empty context.language
Fix a problem where, when the heartbeat fails, sleep is ineffective and the log is printed infinitely
Fix a problem where the log4j cache was not cleared after the log was pushed
Fix a problem where, when multiple files are uploaded, only the first file was processed
Fix missing details when a configuration update fails
Fix a problem where the request hook could not be intercepted (thanks @Looke for the feedback)
Fix an issue where cloud.X and other configurations could be delivered remotely
Fix a problem where SQL prepared statements did not enter the detection plug-in and SQL exceptions were not recorded when an exception occurred
PHP version
Fixed an issue where PDO exception monitoring did not filter error codes and recorded redundant exception logs
1.2.0 version-2019.9.5
Major changes
General changes
Remove the enforce_policy configuration; baseline detection no longer supports interception
Remove MySQL duplicate key error monitoring
Delete the stack_trace string field in the alarm log and uniformly use attack_params.stack to get the stack
If the Java / PHP agent is upgraded to v1.2.0, the management background must also be upgraded, otherwise the front-end stack will be displayed as empty and the vulnerability aggregation list will be empty
New features
General improvements
When the host name changes, sync it to the management background
Add host_type field to identify whether it is a docker container
Management background
Fix the problem that the original URL could not be returned to after login
Plug-in system
Added requestEnd hook point, called once at the end of the request
Add RASP.request() interface, which can send HTTP requests from a plugin
Add RASP.get_version() interface to get agent version information
Add multiple fields such as context.requestId
Add two parameters, dest_path / dest_realpath, to file upload (PHP version only)
Added loadLibrary_unc algorithm to intercept when the library to be loaded comes from a UNC path
PHP version
Add eval / assert hook points
Add debuglevel configuration to avoid printing redundant logs
Java version
Added cluster support for JBoss and WebLogic
Fix the problem that fetching Thread Local data would crash when v8 runs in a multi-threaded environment
Added key hook check: refuse to start when requestEnd or request.parameterMap does not exist
Heartbeat interval lower limit changed to 10s
Optimized memory usage, reduced by about 50%
Print RASP ID at startup for easy troubleshooting
Solve the problem that XSS is not detected when Tomcat actively calls flush(); at the same time, optimize the XSS detection efficiency
XSS interception no longer throws an exception (other attack types still throw)
Automatic installer
Add SpringBoot semi-automatic installation, which only releases the file and modifies the configuration; the parameter name is -nodetect
Added support for Tomcat installed by yum, i.e. a bin directory separate from tomcat_home
Add the -prepend parameter; when enabled, the -javaagent parameter is placed at the front (appended by default)
Solve jacoco compatibility issues
Gray box scanning tool
Released the first version of the gray box scanner, combined with the RASP vulnerability scanner
Bug fix
Java version
Solve the JRockit compatibility problem: switch to JNI to get network card information
Solve org.elasticsearch.client.RestClient compatibility issues
Solve the incompatibility between the XXE code safety switch and taglib
Disable V8 execstack warning
PHP version
Fix the incorrect PHP version number in the alarm log
Plug-in system
Fix the problem that 001-dir-1.jsp would not be intercepted even when the all_log plugin is closed
1.1.2 version-2019.7.11
General improvements
Management background
Support deciding whether to alarm according to attack type
Host management page: support exporting the agent list
Add host page: fix the SpringBoot + Docker installation command
Optimize the experience of multiple tables
Java version
syslog TCP: add connection and send timeouts
Support reading agent version information from rasp.jar
Detection plugin
readFile hook point ignores war package related operations
Bug fix
Java version
Fix a bug where the hostname command call would block when the host name is not bound in /etc/hosts
Fix incorrect filtering of the stack passed to the plugin
Fixed a null pointer exception when Undertow parses parameters
Fix an XSS hook point null pointer exception
Version 1.1.1-2018.6.17
General improvements
Management background
Turn on gzip compression support to reduce network traffic
Alarm and baseline log retention time is customizable, default 365 days
Optimize multiple front-end experiences
Agent exception log adds stack details display
Enhanced alarm search function
Support advanced configuration options for detection algorithms
Java version
Fix incomplete stack filtering
Solve possible encoding problems caused by emoji
openrasp-v8: all exceptions are synchronized to rasp.log
Detection algorithm
Fix the false alarm of command_reflect
xss algorithm: delete the tag when there are more than 10 alarms
Version 1.1-2018.6.6
Major changes
General changes
Upgrade Google v8 to version 7.2
The syntax parser was switched from antlr4 to flex to reduce memory usage
PHP version
Replace libstdc++ with libc++
Remove pcre dependency
Binary package adds a Thread Safety version
Java version
Replace rhino with openrasp-v8
SQL and SSRF detection logic changed to JS implementation
Temporarily remove JRockit JDK support; WebLogic 10.3.6 needs JAVA_VENDOR=Sun set to switch to the Oracle JDK
Plug-in system
Streamline the console.log function and delete color-related code
The stack passed to the detection plug-in filters out com.baidu.openrasp related content
New features
General changes
New DAST lightweight penTest tool coming from the IronWASP project
SQL exception monitoring adds password error monitoring
Implement weak password detection for database connections
Java version
Add XXE code safety switch, which can directly prohibit loading of external entities
Bug fix
Universal fix
After the plug-in is updated successfully, a heartbeat is sent immediately, so the version information in the management background no longer lags behind
The alarm stack filters out openrasp related content
Java version
Fix false alarms in file upload detection points: instead check after the user has used the file
Fix the incorrect encoding of the openrasp.yml file under Windows
Fix the problem that JBoss 12 and above cannot be installed automatically
Solve the problem that JSP cannot get the stack
Fix the problem that Tomcat will not redirect after XSS interception
Fix the bug that the heartbeat never beats again after a failed heartbeat
Solve abnormal HTML injection under Tomcat 5
Fix the heartbeat thread remaining after uninstalling without restarting
Unified log.maxbackup logic with the PHP version: when configured as 1, keep today's and yesterday's logs
Management background
Porting to ElasticSearch v5.6.8
Fix the problem of detecting duplicate uploads of plugins
Added cache invalidation setting on front page
Fix the problem that the debug_level field is not a number
When there is an online host under the application, deleting the application is forbidden
Fix the nosniff misspelling in application hardening; the user can save the configuration once to repair it
1.0 official version-2018.4.12
Major changes
General changes
APM features from Apache SkyWalking and Elastic APM
The header field is added to the alarm log, and the duplicate outermost user_agent and referer fields are removed
Standalone version configuration file changed to yaml
Only redirect to the Location header when the block response code is set to 302; this allows the user to print custom block content
Management background
Delete the two items AgentServerURL and PanelServerURL in the configuration file; modify them on the management background interface instead
The first two options will be set automatically when accessing the background for the first time. To enable load balancing mode, please correct the Agent server list manually
PHP version
The stand-alone version disables fswatch by default; if needed, enable it with the --enable-fswatch compiler parameter
Replace rapidjson with nlohmann/json, whose interface is more flexible
cli mode turns off baseline checking to avoid redundant logs; if needed, enable it with the --enable-cli-support compiler parameter
rasp-install adds SELinux and open_basedir checks to avoid an unusable installation
Java version
Remove the rasp-log4j.xml related startup parameters; the log4j configuration is now generated dynamically and users no longer need to configure it
New features
General functions
Added JSON parameter parsing, namely context.json
Added application hardening function, which can prevent clickjacking, MIME sniffing, automatic opening of downloaded files, and reflected XSS
Support decompilation, so user code can be obtained when an alarm is generated (only JDK 6-8 and PHP supported)
PHP version
New PHP 7.3 support
Java version
New SpringBoot + Undertow support
New WebLogic support
New JBoss 6-8 support (automatic installation not supported)
New JDK 11 support
Add application environment variable collection
Add experimental non-restart installation and non-restart uninstall functions; non-restart upgrade is not supported yet
Management background
Improve multiple user experiences and provide a more complete alarm search experience
Added vulnerability aggregation display to avoid alarms flooding the screen during the exploitation phase
Improve audit log display: add type field and display
Added client exception log display
Algorithm improvements
General improvements
Add the development mode switch; when enabled, some performance-consuming detection algorithms are loaded
The observation mode is turned on by default
Security baseline
Tomcat background weak password check adds an empty password check
Path traversal
Fixed an issue where the is_path_endswith_userinput function reported incorrectly when downloading files using absolute paths
Intercept Windows ..\..\ directory listing attacks
File Inclusion
Fix the false alarm caused by phar:// files when using the Baidu Cloud BOS service
Added common penetration command detection support, only prints logs by default
SQLi
Added SQL anomaly detection, such as syntax errors and error-based injection
Fix char / chr() false alarm problem: only alarm when there are 5 occurrences
SSRF
Add port information when calling the detection plugin
Intercept access to Alibaba Cloud metadata
File Upload
The alarm log adds a multipart parameter name field to facilitate reconstructing requests
XSS
Added xss_userinput detection algorithm to intercept reflected XSS
The xss_echo algorithm adds content filtering to avoid alarms caused by non-attack events (this algorithm has no false alarms)
WebShell
Intercept backdoors based on LD_PRELOAD
Deserialization
Intercept attacks based on JNDI reflective command execution
Bug fix
Management background
Fix the problem that ElasticSearch pulled by docker cannot connect
PHP version
Fix the problem that the SSRF detection point cannot get the hostname when the URL has no protocol
1.0.0 RC1 version-2018.1.3
New features
Java version
Add okhttp / okhttp3 hook point for SSRF detection
Other general functions
The first release of the management background
Add remote management functions, including log upload, plugin delivery, remote configuration management, etc.
syslog log adds tag field support, which can be customized
LRU moved from the plug-in to the agent, covering the sql, ssrf, readFile and writeFile detection points
Major changes
Management background
Porting to ElasticSearch v6.1.0
Rewrite of the entire Dashboard in the Go language
PHP version
Officially remove Windows support
Algorithm improvements
Command execution
Add detection of JBoss EL reflective command execution
Added a bash command interpreter to detect command injection attacks
Bug fix
Fix a null pointer bug under Dubbo RPC where log4j prints logs without a requestMethod
Fix a crash in PHP session + mysql handler
Fix the issue that SpringBoot 1.5.9 + Embedded Tomcat Server cannot obtain the server version number
Version 0.50-2017.10.29
New features
Java version
Officially supports WebSphere; currently only versions 8.5 and 9.0 have been tested
Other
The alarm log adds the algorithm field, identifying the specific algorithm name
Algorithm improvements
Arbitrary file download
Fix an absolute path false positive caused by ThinkPHP rewrite
Version 0.42-2017.9.26
Major changes
General
Remove SQL slow query hooks, but temporarily keep the code
Java version
The Dubbo RPC parameter name obtained by the plug-in changed from openrasp-dubbo-XXX to dubbo-XXX
New features
The alarm log adds the request_method field, i.e. the request method
Bug fix
Fixed a No modifications are allowed to a locked ParameterMap error when obtaining parameters under certain Tomcat versions
Algorithm improvements
Rename
Fix a potential false positive issue of rename_webshell
Deserialization
Stack algorithm adds commons.collections4 check
Version 0.41-2016.9.17
Major changes
Management background
Porting to ElasticSearch v5.0.0
Java version
The block.url configuration option is renamed block.redirect_url and supports templated configuration: the %request_id% keyword is automatically replaced with the current request ID
PHP version
The openrasp.block_url configuration option is renamed openrasp.block_redirect_url and supports templated configuration, same as the Java version
All log times are changed to system time; the PHP time zone is no longer used
Solve the problem that the IAST-RASP alarm log and the nginx / apache access log cannot be matched one to one
Remove the webshell_include detection point and use JS plug-in detection instead
JS API interface
For Java servers, appBasePath no longer points to the webapps directory but to the application deployment path, such as /tomcat/webapps/vulns
RASP.sql_tokenize array elements are changed to dictionaries, adding the token start and end coordinates
After this improvement, the sqli_userinput algorithm only needs to tokenize again in the event of an attack, greatly improving performance
New features
Java version
Add baseline check for JBoss
When a request is intercepted and the expected response type is xml / json, the user can customize the response content through the block.content_xml and block.content_json templates
Add plugin.filter configuration, applicable to hooks such as include / rename / readFile; if enabled, a file that does not exist will not enter the detection logic (enabled by default)
Add the ability to obtain the client's real IP: users can specify with openrasp.clientip_header which request header the real client IP is read from (default is the clientip request header); the field in the alarm log is client_ip
Added Dubbo RPC basic data type support; JS plugins can get RPC parameters under the name openrasp-dubbo-X
PHP version
Support disabling all hook points with openrasp.hooks_ignore=all
Add the ability to obtain the client's real IP, same as the Java version
When a request is intercepted and the expected response type is xml / json, the user can customize the response content, same as the Java version
Add openrasp.plugin_filter configuration, same as the Java version
Algorithm improvements
SSRF
Fix the XXE and SSRF bypass reported by @piggy; by default intercept netloc://, jar:// and other unsafe protocols
OGNL
Changed the hook point to Ognl.topLevelExpression to fix the incorrect OGNL detection reported by @Shi Wei
SQLi
Add lazy loading and pre-filtering, only tokenizing when needed, to improve performance
Use linked lists instead of arrays in the JS LRU implementation to improve performance
XXE
Fix the xxe_file algorithm reported by @Ling Xiao, which produced a large number of alarm logs
Solved by ignoring entities with the dtd / xml extension
File directory traversal, arbitrary file inclusion
Add a new detection algorithm: when the user input contains traversal features and is located at the end of the directory, it is determined to be a directory traversal
Fix the incorrect AFD alarm message under Confluence 5.8 reported by @Tavern Ranger
When the user passes in file:///etc/passwd but the actual read is /etc/passwd, a bypass occurred; this has been fixed
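As an added example (not the project's plugin code), the traversal rule above together with the file:// normalisation that closes the bypass just described, written in JavaScript because the detection plugins are; function names, the minimum-length guard and the sample paths are constructed.

```javascript
'use strict';

// Added example, not OpenRASP/Dynamic Reviewer plugin code: a minimal version
// of the directory-traversal rule from the 0.41 notes. Names are constructed.

// Reduce a user-supplied path or file:// URL to a plain local path so that
// "file:///etc/passwd" and "/etc/passwd" compare equal (the bypass fixed in
// 0.41). Percent-encoding is decoded and backslashes are folded to slashes so
// Windows "..\..\" sequences are recognised as traversal too.
function normalizeLocalPath(p) {
  let s = String(p);
  const m = /^file:\/\/(?:localhost)?(\/.*)$/i.exec(s);
  if (m) s = m[1];
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // malformed percent-encoding: keep the raw string rather than throwing
  }
  return s.replace(/\\/g, '/');
}

// "Traversal feature": at least one stand-alone parent-directory segment.
function hasTraversal(s) {
  return /(^|\/)\.\.(\/|$)/.test(s);
}

// The rule from the notes: alarm only when a user input contains a traversal
// feature AND that input forms the tail of the path the file hook actually
// saw ("located at the end of the directory"). Very short inputs are skipped
// so that one- or two-character parameters cannot match by accident
// (constructed guard, not from the notes).
function checkDirectoryTraversal(userInputs, hookedPath, minLen = 3) {
  const target = normalizeLocalPath(hookedPath);
  for (const raw of userInputs) {
    if (typeof raw !== 'string' || raw.length < minLen) continue;
    const input = normalizeLocalPath(raw);
    if (hasTraversal(input) && target.endsWith(input)) {
      return { action: 'block', algorithm: 'directory_traversal', input: raw };
    }
  }
  return { action: 'ignore' };
}
```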
File writing
writeFile_script is changed to ignore by default to avoid a lot of useless logs
Rename monitor
Add filtering: only enter the detection logic when the source file has an extension, to fix the false alarm under the Laravel framework reported by @蠓
Add filtering: only enter the detection logic when both the source and target are files
Slow query
Since the corresponding SQL statement cannot be obtained, slow query detection is disabled by default; disabling this hook point also improves the performance of the Java version.
Bug fix
PHP version
Fix incorrect processing of array_filter parameters
Fix the missing domain name in the URL field of the alarm log
Version 0.40-2016.7.24
Major changes
Java version
Command execution hook point: command parameters are uniformly changed to string form
All alarm messages are changed to English; translation support will be added in the next version
PHP version
All alarm messages are changed to English; translation support will be added in the next version
New features
PHP version
Officially support PHP 7.0-7.2
Added support for SQL prepared statements
Use the v8 default platform instead of a custom platform, to provide more general background task capability and error tracing
Java version
Add rename hook points
Algorithm changes
Command execution
Add recognition of commands executed through FreeMarker templates
Fix cacti false positives reported by @Garfield
By default, command execution is no longer blocked
-- To block it, manually switch the command_other algorithm to block
-- This switch does not affect the interception of deserialization command execution or the detection of other algorithms
SSRF
Add detection of special protocols, with a corresponding detection switch, including php://, file:// etc.
User input matching algorithm: add 127.X.X.X recognition
Add a dnslog address, *.tu4.org, from @dos_man feedback
File directory traversal
Fix a /../../ detection bypass reported by @Leesec
PHP stack detection algorithm
Fix a call_user_func false alarm reported by @Ezreal
Backdoor upload detection
Add monitoring of rename to prevent writing a webshell through renaming
SQL injection
Add a global LRU cache: when the detection result is ignore, do not repeat the detection, to improve performance
User input matching algorithm: the shortest parameter length can be configured
Add into outfile detection and a corresponding detection switch
Bug fix
PHP version
Added more than 60 unit tests and fixed 2 parameter parsing errors
Optimize the processing logic for different protocols: if the protocol does not support write operations, it no longer enters the detection plug-in
Fix a problem where path reduction fails due to mixed use of left and right slashes
Other changes
Add new block page
Version 0.32-2016.6.8
Algorithm improvements
Add switches for all detection algorithms
Users can control whether an algorithm is enabled by editing the configuration of the JS plug-in header
ssrf_common algorithm: add detection and interception of ceye.io and transfer.sh
Bug fix
Solve a classloader compatibility problem in Resin 3.1.8
Fix a parsing error in SQLParser
Solve a loading conflict with Mozilla Rhino by modifying the package name
Other changes
Use the snapshot feature of the v8 engine to speed up v8 instance startup
Version 0.31-2016.5.22
Major changes
Java version
Java package name changed to com.baidu.rasp
Before upgrading, users need to manually delete the rasp/conf/rasp-log4j.xml file; after the application starts, OpenRASP will automatically generate a new log configuration file
Solve a compatibility issue with newer JDKs, ISSUE #98: rhino jdk8u162 compatibility issue
To reduce hook point development costs, the hook framework was changed to Javassist
RaspInstall, the OpenRASP automatic installer
To support automatic uninstallation, we adjusted the command-line parameters of RaspInstall.jar:
java -jar RaspInstall.jar -install /home/tomcat
java -jar RaspInstall.jar -uninstall /home/tomcat
Algorithm changes
SQLi detection algorithm #2: the constant comparison algorithm is turned off by default
In real business, non-standard coding is common and can cause false positives, e.g. AND ((0='' OR 0='0')
Command execution detection logic adjustment
To detect unconventional deserialization and command execution vulnerabilities, command execution that originates from non-HTTP requests now also enters the detection point
Suitable for detecting CVE-2016-8735, CVE-2018-1270 and other vulnerabilities
New features
Java version adds an ASCII banner printed at startup
Add JDBC prepared SQL hook point
Support Resin 3.X and 4.X servers
Add custom encoding configuration, allowing users to set the encoding of context.parameter
Add jnotify exception capture
Bug fix
Feedback from @KindergardenMM: ProcessBuilder could be bypassed, so we changed the hook point to the lower-level UNIXProcess and ProcessImpl classes
PHP version
When the file does not exist, file_put_contents did not call the detection plugin; this has been fixed
Solve a memory leak in the log module
Version 0.30-2015.4.27
Major changes
Java version
Debugging configuration option debug_level renamed to debug.level
New features
Added support for PHP 5.X
Linux: 5.3 ~ 5.6
Windows: 5.6 (thread-safe version only)
Mac: Homebrew PHP 5.6
PHP security baseline check
INI configuration audit
allow_url_include
expose_php
display_errors
yaml.decode
Database connection account audit
Other features supported by the PHP version
SQL slow query audit
Test case enhancement
Add PHP test cases
Add a simple navigation page
Uniformly add clickable links to reduce dependence on the command line
Add PHP version performance test report
discuz / wordpress performance loss is around 2%
Open-sourced a docker-based automated vulnerability testing environment, app-env-docker
API changes
directory hook point: add stack parameter
ssrf hook point: add ip parameter
Algorithm improvements
SQLi detection algorithm enhancement
Add detection of UNION NULL statements
Statement specification checking algorithm: intercept common blind injection functions, e.g. ord, chr
Add a separate control switch for the database manager detection algorithm
SSRF detection algorithm enhancement
When the requested URL comes from the user and the address is an intranet address, it is intercepted
Java: deserialization detection
Intercept attack code that executes commands through ysoserial
PHP: added detection of China Chopper (中国菜刀) webshell traffic
Identify anomalies based on the call stack; intercept file managers and command execution
Based on user input recognition, some samples can be intercepted directly, e.g. <?php eval($_POST[0]); ?>
PHP: intercept callback operations, e.g. array_map("system", $whatever)
For the specific callbacks intercepted, please refer to openrasp.callable_blacklists in the default configuration
Bug fix
Feedback from @Count Ji
SQLi algorithm #1: when the user input is a pure number and appears multiple times in the SQL statement, a false alarm was generated; this has been resolved
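The SSRF rules spread across 0.40 (php:// and file:// special protocols, 127.X.X.X, *.tu4.org), 0.32 (ceye.io, transfer.sh) and this release (intranet addresses taken from user input), combined into one small checker as an added JavaScript example; it is not the plugin's own code, and the intranet ranges (RFC 1918 private networks plus loopback) are an assumption.

```javascript
// Added example (not the plugin's own code): a simplified SSRF URL check
// combining the rules from these release notes. Intranet ranges are an
// assumption: RFC 1918 private networks plus 127.X.X.X loopback.
const SPECIAL_PROTOCOLS = new Set(['php:', 'file:']);         // 0.40: special protocols
const DNSLOG_DOMAINS = ['tu4.org', 'ceye.io', 'transfer.sh']; // 0.40 / 0.32: dnslog hosts

// True for dotted-quad IPv4 hosts in 127/8, 10/8, 172.16/12 or 192.168/16.
function isIntranetIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// True when the host is a dnslog domain or any subdomain of one (*.tu4.org).
function isDnslogHost(host) {
  const h = host.toLowerCase();
  return DNSLOG_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Classify a URL the application is about to fetch. `fromUser` says whether the
// URL came from request parameters, which the 0.30 intranet rule requires before
// it intercepts: a hard-coded internal address is not an SSRF.
function checkSsrf(url, fromUser) {
  let u;
  try { u = new URL(url); } catch (e) { return { action: 'ignore', reason: 'unparseable' }; }
  if (SPECIAL_PROTOCOLS.has(u.protocol)) return { action: 'block', reason: 'special_protocol:' + u.protocol };
  if (isDnslogHost(u.hostname)) return { action: 'block', reason: 'dnslog_domain:' + u.hostname };
  if (fromUser && isIntranetIPv4(u.hostname)) return { action: 'block', reason: 'intranet_address:' + u.hostname };
  return { action: 'ignore', reason: '' };
}
```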
Version 0.24-2015.2.2
BUG fix
Automatic installer
Solve the problem that JBoss 4.0.3 cannot be recognized
Other changes
Catch RASP.sql_tokenize error messages and print them to plugin.log
Version 0.23-2015.1.23
Major changes
Delete the reflection hook: some frameworks call reflection heavily, affecting performance
We tested a number of financial applications; the performance loss dropped from 10% to 5%
Reflection-based inspection is moved to the command hook point; detection capability remains unchanged
Algorithm improvements
SSRF detection algorithm is enhanced to add detection of more common domain names
Version 0.22-2015.1.17
Major changes
For the Java version, the SQLi/SSRF detection algorithms are changed to a native Java implementation to further improve performance; the detection control logic is configured by modifying the plugin's algorithm.config
Open source license switched from BSD-3 to Apache License 2.0 to facilitate commercial use
Modify the context.parameter acquisition logic: when the JSP script reads the parameters, the JS plugin can read them. This reduces false positives and also improves the performance of SQLi algorithm #1
Supports automatic deletion of expired logs, by patching log4j 1.X
Before upgrading, the user needs to manually delete rasp/conf/rasp-log4j.xml; the program will automatically generate a new one
New features
Support JBoss 7.X
Support inserting HTML code into the response, which can be used to detect CSRF/backstage access; this feature is turned off by default
Configuration options in rasp.properties, except hooks.ignore, now support dynamic updates that take effect immediately after modification
Supports custom response status codes when intercepting attacks, default 400
Security baseline: support Tomcat Directory Index inspection
JS precompiled code: startup time dropped from 8s to around 3s
Add a debugging switch to collect the number of hook entries, time consumption, etc.
Algorithm improvements
Officially support SSRF vulnerability detection, including the following three scenarios
URL.openConnection
commons-httpclient
httpclient
API changes
RASP.config() interface renamed to RASP.config_set(), and relevant debug logs added
Add RASP.get_jsengine() interface for acquiring the JS engine name
Bug fix
#84: request.setCharacterEncoding encoding problem
Solve the rasp-log4j.xml release failure caused by missing write permission; in the new version, RaspInstall proactively modifies the rasp directory permissions
Baseline check log: add call stack information
When the application uses a high-privilege database account, this makes it convenient to locate the specific code
Rewrite the catalina.sh script modification logic to support repeated installation; the modified configuration is surrounded by ### BEGIN OPENRASP ### markers
Version 0.21-2014.12.6
Major changes
The security baseline log is split into a separate file
Convenient for collecting different types of logs
Before upgrading, users need to manually delete the rasp/conf/rasp-log4j.xml file
New features
Detection of JSTL file inclusion vulnerabilities, or SSRF exploitation
Support DB2 database; we only tested the free version, 9.7 and 10.5
Server security baseline
New database connection account audit function, e.g. using root to connect to MySQL, using sa to connect to MSSQL, etc.
Add slow query audit function
A SELECT statement that reads more than 500 rows is reported; the threshold can be configured
Support Syslog TCP transmission of alarm logs
Algorithm improvements
Public SQL injection detection algorithm #2, based on statement specification; the plugin configuration can be modified
Prohibit multi-statement execution, e.g. select 123; select 456
Forbid hexadecimal strings, e.g. load_file(0x41424344)
Disable MySQL version number comments, e.g. /*!12345
Forbid numeric constant comparison operations, e.g. SELECT 1 FROM dual WHERE 8778 <> 8778
Prohibit the use of blacklisted functions, e.g. load_file, benchmark, pg_sleep, ...
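The five statement-specification rules of algorithm #2 listed above, re-implemented as an added JavaScript example (not the plugin's code); the tiny tokenizer stands in for RASP.sql_tokenize, and the assumption that it yields a flat token list is mine. The blacklist holds only the three functions named here; the real list is plugin configuration.

```javascript
// Added example (not the plugin's code): the five statement-specification
// rules of SQLi algorithm #2, applied to a flat token list.
const BLACKLIST = new Set(['load_file', 'benchmark', 'pg_sleep']); // from the notes; configurable in the plugin
const CMP_OPS = new Set(['=', '<>', '!=', '<', '>', '<=', '>=']);

// Minimal tokenizer standing in for RASP.sql_tokenize (assumption). Comments,
// quoted strings, hex/decimal numbers, identifiers and operators each become one
// token; whitespace is dropped. An unterminated /*! comment runs to end of input.
const TOKEN_RE = /\/\*![\s\S]*?(?:\*\/|$)|\/\*[\s\S]*?\*\/|--[^\n]*|#[^\n]*|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|0x[0-9a-fA-F]+|\d+(?:\.\d+)?|[A-Za-z_]\w*|<>|!=|<=|>=|\S/g;

function tokenize(sql) {
  return sql.match(TOKEN_RE) || [];
}

const isNumber = (t) => /^\d+(?:\.\d+)?$/.test(t);

// Returns the names of the rules the statement violates; an empty array means
// algorithm #2 has nothing to report (other algorithms may still fire).
function checkStatementSpec(sql) {
  const toks = tokenize(sql);
  const hits = new Set();
  toks.forEach((t, i) => {
    // Rule 1: a ';' followed by further tokens means stacked statements
    // (a single trailing ';' is allowed).
    if (t === ';' && i < toks.length - 1) hits.add('multi_statement');
    // Rule 2: hexadecimal string literal, e.g. 0x41424344.
    if (/^0x[0-9a-fA-F]+$/.test(t)) hits.add('hex_string');
    // Rule 3: MySQL version comment, e.g. /*!12345 ... */
    if (t.startsWith('/*!')) hits.add('version_comment');
    // Rule 4: numeric constant compared with numeric constant, e.g. 8778 <> 8778.
    if (isNumber(t) && CMP_OPS.has(toks[i + 1]) && isNumber(toks[i + 2] || '')) hits.add('constant_comparison');
    // Rule 5: call to a blacklisted function (case-insensitive).
    if (BLACKLIST.has(t.toLowerCase()) && toks[i + 1] === '(') hits.add('blacklist_function');
  });
  return [...hits];
}
```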
API changes
Added context.appBasePath interface to get the root directory of the web application
New session operation interface , context.session.setSession, context.session.getSession
Other changes
Plug-in splitting, some unused detection logic, such as scanner recognition function, moved to addons directory
RaspInstall source code is open
CVE Vulnerability Coverage List Open
Version 0.20-2014.10.26
Major changes
Performance optimization
Due to poor JNI performance, we decided to replace J2V8 with the latest version of Mozilla Rhino
In the worst case, the impact on the server is around 2%; see the performance test report for details
Drop support for WebLogic
API changes
Add SQL tokenize interface: RASP.sql_tokenize
Add session modification interfaces: context.session.getSession / context.session.setSession
readFile interface: when the file does not exist, the plugin is no longer called
Hook point change
Add webdav hook point, which can check MOVE and COPY operations
Block log changes
Add HTTP Referer field
Add request_id parameter, used to identify an attack
Add event_type field to indicate the log type
attack_time field renamed to event_time
attack_params field changed to JSON format (previously it was a string; you need to reconfigure the ES mapping)
New features
Support custom interception page via the block.url configuration; the default is the little dinosaur page
Add server security baseline check function; currently only supports Tomcat and can detect the following insecure configurations
Manager / html has a weak password
JSESSIONID cookie does not enable httpOnly
Tomcat starts as root
The default webapps are not deleted
In the event of an attack, the plugin outputs an extra confidence field identifying the reliability of the detection result
Add the X-Protected-By: OpenRASP header to all responses
Support HTTP alarm push
Added support for Jetty and JBoss 5 ~ 6 servers
Added log.maxstack configuration option to configure the maximum stack in the alarm log
Algorithm improvements
Increase scanner identification, according to UA, Header (default closed, please manually modify the plug-in)
SQL injection detection algorithm # 1 open
Sensitive file download vulnerability detection
Other changes
JBoss XXE Hook points are optimized to improve performance
Version 0.13-2014.09.22
Bug fix
When a runtime error occurs in the JS plugin, the alarm log should not be printed
When the JS plugin fails, print detailed stack and error information in plugin.log
Version 0.12-2014.09.14
New features
Add an exception flow identification, when certain classes are called through reflection, it will trigger the plug-in detection logic
Version 0.11-2014.09.13
Bug fix
Added doFilter hook point to fix the problem that the vulnerability cannot be detected under the struts series framework
Version 0.10-2014.08.18
New features
Support multiple Java servers and database servers
Support multiple SIEM applications
Complete the first version of the official detection plugin
Support multiple hook points
Version 0.09-2014.07.14
First version for JAVA/ElasticSearch 1.2.0, result of OASES (Open AI System Security Alliance) Project.
PHP version: credits to the PIOF Project
COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.
COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.