Release Notes - Dynamic Reviewer

4.0.9 version-2021.12.23

Kali Linux 2021.4a support was added.

4.0.8 version-2021.12.09

Rocky Linux 8 support was added.

4.0.7 version-2021.12.05

RedHat 9 support was added.

4.0.6 version-2021.11.29

Windows Server 2022 support was added.

4.0.5 version-2021.11.27

Windows 11 support was added.

4.0.4 version-2021.10.22

SUSE Linux Enterprise Server 15 support was added.

4.0.3 version-2021.09.12

Oracle Linux 8 support was added.

4.0.2 version-2021.04.11

RedHat 8 support was added.

4.0.2 version-2021.03.09

Oracle RAC support was added.

4.0.1 version-2021.02.07

JavaScript memory-leak detection was added.

  • New DOM checks, from 40 to 54

4.0.0 version-2021.01.08

Major Version. JavaScript fuzzy engine was added.

  • New DOM checks, from 27 to 39

  • CWE updated to 4.4

  • OWASP fully updated to Top Ten 2017

3.1.0 version-2020.11.05

  • New DOM checks, from 21 to 27

3.0.0 version-2020.10.01

Major Version. New Python-based engine was added.

  • New DOM checks, from 13 to 20

2.1.0 version-2020.08.10

  • Generates a report even if the scan was aborted

  • By default, terminates the scan after 1 hour

  • New DOM checks, from 1 to 12

2.0.0 version-2020.07.13

Major Version. This is the first version with independent fixes.

  • CentOS 8 support was added

  • Updated to Ruby 3.0.0

1.5.1 version-2020.06.20

This is the last version following original Arachni Web UI fixes.

  • Plugins

    • metrics -- Fixed type error due to race condition.

1.5 version-2020.05.22

  • Plugins

    • proxy -- bind_address default switched to 127.0.0.1, 0.0.0.0 breaks SSL interception on MS Windows.

    • metrics

      • Fixed division by 0 error when no requests have been performed.

      • Added:

        • HTTP

          • Request time-outs

          • Responses per second

        • Browser cluster

          • Timed-out jobs

          • Seconds per job

          • Total job time

          • Job count

    • email_notify

      • Retry on error.

      • Default to afr as a report format.

1.4 version-2020.04.24

  • Native MS Windows compatibility.

  • Full support for RedHat 7 and CentOS 7

1.3.2 version-2020.03.25

BUG fix

Management background

  • Fix the incorrect default value of request.param_encoding reported by a customer

Java/Scala/Kotlin/Clojure version

  • Fix an issue where a reported attack could not be intercepted

1.3.1 version-2020.03.12

Optimization and improvement

Management background

  • Fix the default regular expression for sensitive files in the web root directory: remove the extra double quotes

  • Add Host page: improve the manual installation tips

Java/Scala/Kotlin/Clojure version

  • Fix a problem where enabling the whitelist could invalidate all hook points under SpringBoot

PHP version

  • Added fastcgi SAPI support (previous versions only supported php-fpm / apache)

.NET Detection plugin

  • Sensitive information leak detection algorithm: fix false positives in mobile phone number identification in some cases

  • When request JSON parsing fails, truncate the exception log to avoid filling the disk

  • Intercept command execution based on CVE-2020-9547 and CVE-2020-8840

1.3.0 version-2020.02.11

Major changes

IAST scanning tool

  • The IAST console is integrated into the existing management background to reduce operation and maintenance costs (IAST no longer listens on port 18664)

  • The IAST scanner now connects to the panel server (previously it connected to the agent server)

  • The IAST scanner uses a websocket to connect to the management background, which is not compatible with backgrounds older than v1.3.0

    • Users of an older background can install the older scanner with pip3

PHP version

  • For file-related detection points, if the path being read starts with a stream protocol, SSRF detection is triggered and file read/write detection is not

    • Affected protocols: https / http / ftp

    • Affected functions: file / readfile / file_get_contents / fopen / copy / include

  • When plugin.filter is disabled, file-related detection points ignore the open_basedir configuration and continue into plugin detection

new features

General improvements

  • Add file deletion detection point

  • Added a detection point after SSRF redirects to detect DNS rebinding attacks

  • Add HTML response detection point, sampled 5 times per minute by default

  • Add dependency library information collection, once every 6 hours by default

    • Java POM information

    • PHP composer.json

  • Complete the SQL anomaly detection points

    • PHP: add PostgreSQL and SQLite exception monitoring

    • Java: add PostgreSQL, SQLite, Oracle, SQLServer, HSQLDB and DB2 monitoring

  • Weak password list supports remote delivery

  • Strengthen configuration validation in the stand-alone version

    • Log a message when a top-level YAML key is not recognized

Java/Scala/Kotlin/Clojure version

  • Add Hibernate SQL detection point

  • Add NIO detection point

  • Added SpringBoot partial annotation parameter support

PHP version

  • SSRF supports IPv6 address resolution

  • Baseline check: detect whether there are compressed files, SQL and other sensitive files in the web root directory

  • Add mysql_db_query and mysql_unbuffered_db_query detection points

  • Add print detection point

Management background

  • New -s restart / -s stop / -s status commands to restart the background, stop it, and query its status

  • Support setting notes on hosts and searching by note

  • Whitelist entries support notes

  • Support writing logs to Kafka

  • The alarm sending interval is now configured in the front end

  • Add alarm log deduplication, keyed on request ID, stack MD5 and attack type

  • Background log size and file count limits, now configurable

.NET /Java/Scala/Kotlin/Clojure Detection plugin

  • Add arbitrary file deletion vulnerability detection

  • Add header injection detection (such as SQL injection and command injection via HTTP headers)

  • Added command execution syntax error monitoring and suspicious injection detection

  • Add DNS rebinding SSRF attack detection

  • Add detection of sensitive information leaks in HTTP responses, such as bank card numbers, ID card numbers and mobile phone numbers

BUG fix

Java/Scala/Kotlin/Clojure version

  • When RaspInstall installs rasp.jar, rename the existing file before writing the new one

    • Avoids modifying a loaded jar, which can cause mmap problems

    • Old files are renamed with a random UUID, so multiple installations are supported, and are all deleted at startup

PHP version

  • When the configuration delivered in the background does not meet expectations, actively report the exception log

  • Fix a problem where only one entry of the following log was uploaded on Kali

  • Fix a problem where multiple rasp-log processes could appear in some cases

Management background

  • Client version aggregation interface: do not filter by host online status

  • Add duplicate whitelist check

1.2.3 version-2019.12.17

new features

General improvements

  • Java/Scala/Kotlin/Clojure, .NET and PHP add crash monitoring (Linux / Mac only)

    • Monitors signals such as segfault / abort

    • The monitoring scope covers the Java main process and the PHP worker / heartbeat / logging / daemon processes

    • After a crash, an alarm is automatically sent to the management background and the stack log is uploaded; the background sends an email alarm at the same time

    • To test the monitoring, run kill -11 PID to trigger a segmentation fault

Management background

  • Support client version enumeration

  • Support closing all alarms with one click

  • When the agent cannot obtain the application version number (for example with dubbo), still allow the agent to register

BUG fix

Java/Scala/Kotlin/Clojure version

  • Fix a problem where logs were still sent to the old syslog address after it was modified

1.2.2 version-2019.11.28

Upgrade Instructions

Management background

  • After the background upgrade completes, ./rasp-cloud -upgrade 121to122 must still be run manually to update MongoDB

    • Added X-Protected-By: OpenRASP configuration

    • Request body size limit changed to 12KB

    • Support online upgrade, but please do not modify the configuration in the background during execution

new features

General improvements

  • Completely fix the v8::Abort() crash problem

  • Upgrade v8 to the latest version: 7.8.279.19

  • Support hiding the X-Protected-By: OpenRASP response header

Automatic installer

  • Support a custom heartbeat interval through the -heartbeat parameter

Java/Scala/Kotlin/Clojure version

  • Added WebSphere 7.X support. Due to IBM JDK restrictions, file-related detection points cannot take effect

  • When the plugin does not register the request / requestEnd detection points, the related parameters are no longer constructed, improving performance

.NET/PHP/Java/Scala/Kotlin/Clojure Detection plugin

  • Intercept command execution based on bsh.servlet.BshServlet, e.g. CNVD-2019-32204

  • Intercept command execution based on jdk.scripting.nashorn

BUG fix

Java/Scala/Kotlin/Clojure version

  • Fix a problem where Java could not read the character-stream request body in some cases

PHP version

  • Fix a problem where, with plugin.filter disabled, included .php/.inc files did not enter the plugin

  • For multipart requests, extract the parameters separately, so that the request body is present when an alarm is generated

Detection plugin

  • Fix the user-reported excessive memory usage of the replaceAll function

  • Fix the xss_userinput bypass issue reported by @Looke


1.2.1 version-2019.10.29

Upgrade Instructions

Management background

  • Solved migration issues to ElasticSearch 6.8.8

  • Due to early ElasticSearch mapping problems, alarm messages, baseline messages and exception messages of existing applications do not support case search

    • After the background upgrade completes, the user needs to manually run ./rasp-cloud -upgrade 120to121 to update the mapping

    • The program first modifies the alias, pointing it at the new index, and deletes the previous index after the data copy completes

    • New alarm data can be written during the copy process and will not be lost

new features

General improvements

  • First Scala version

  • Support custom RASP ID

    • Set during installation with --rasp-id (PHP) or -raspid (Java)

    • If not specified, it is derived as before from the network card, RASP path and other information

Management background

  • Add alarm log deduplication, keyed on request_id + stack_md5

  • In the System Settings -> Background settings interface, add one-click clean-up of alarm data

  • Host management interface: automatically remember the Host status checkbox

  • Alarm view interface: support searching by alarm message and stack MD5; Referer and URL are clickable
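
The alarm deduplication described here (request_id + stack_md5) and in 1.3.0 (request ID, stack MD5, attack type), as an added example that is not the project's code: a dedup key is built from the alarm, and repeats of that key within the sending interval are dropped. The sample alarms, the 60 s interval and the key-cache size are constructed assumptions.

```python
import hashlib
from collections import OrderedDict


def stack_md5(stack):
    """MD5 over the stack frames, one trimmed frame per line. This is the
    value the alarm log carries as stack_md5; trimming keeps frames that differ
    only in surrounding whitespace from producing different keys."""
    joined = "\n".join(frame.strip() for frame in stack)
    return hashlib.md5(joined.encode("utf-8")).hexdigest()


class AlarmDeduplicator:
    """Suppress alarms that repeat (request_id, stack_md5, attack_type) within
    the alarm sending interval. interval_seconds and max_keys are assumed
    defaults; the real sending interval is configured in the front end."""

    def __init__(self, interval_seconds=60, max_keys=10000):
        self.interval = interval_seconds
        self.max_keys = max_keys
        self._last_sent = OrderedDict()  # dedup key -> time it was last sent

    @staticmethod
    def dedup_key(alarm):
        return (alarm["request_id"], stack_md5(alarm["stack"]), alarm["attack_type"])

    def should_send(self, alarm, now):
        """Return True if this alarm is new for its key within the interval."""
        key = self.dedup_key(alarm)
        last = self._last_sent.get(key)
        if last is not None and now - last < self.interval:
            return False
        self._last_sent[key] = now
        self._last_sent.move_to_end(key)
        while len(self._last_sent) > self.max_keys:
            self._last_sent.popitem(last=False)  # evict the oldest key
        return True


def filter_alarms(alarms, interval_seconds=60):
    """Return, in order, the alarms that would actually be sent."""
    dedup = AlarmDeduplicator(interval_seconds)
    return [a for a in alarms if dedup.should_send(a, a["time"])]


# Constructed sample: one request whose SQL hook fires three times from the same
# code path (a loop), then an XSS alarm in the same request, then a new request.
_STACK = ["com.example.dao.UserDao.find(UserDao.java:42)",
          "com.example.web.UserController.get(UserController.java:17)"]
SAMPLE_ALARMS = [
    {"request_id": "req-1", "attack_type": "sql", "stack": _STACK, "time": 1000.0},
    {"request_id": "req-1", "attack_type": "sql", "stack": _STACK, "time": 1000.1},
    {"request_id": "req-1", "attack_type": "sql",
     "stack": [" " + f + " " for f in _STACK], "time": 1000.2},
    {"request_id": "req-1", "attack_type": "xss", "stack": _STACK, "time": 1000.3},
    {"request_id": "req-2", "attack_type": "sql", "stack": _STACK, "time": 1001.0},
]

if __name__ == "__main__":
    # Only three of the five sample alarms are sent.
    for alarm in filter_alarms(SAMPLE_ALARMS):
        print(alarm["request_id"], alarm["attack_type"])
```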

Java/Scala/Kotlin/Clojure version

  • Added partial support for TongWeb 6.X server, from @superbaimo

  • Simplify the installation process of JBoss 7 and higher, from @Lorisy

  • Added HSQL database hook point to detect WebGoat SQL injection vulnerabilities

  • Added circuit breaker (fuse) support

    • The single-core CPU usage is sampled periodically; if it exceeds the threshold 3 consecutive times, the fuse mechanism starts

    • When the next sampled usage is lower than the threshold, protection is automatically restored

    • This function is off by default; the sampling interval and CPU usage threshold are configurable

  • Fix the problem that plugin.filter does not take effect at include hook point
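
The fuse mechanism described above, as an added example that is not the agent's own code: a small state machine fed with CPU samples, tripping after three consecutive samples over the threshold and restoring on the first sample below it. The threshold values, the `enabled` flag and the bypass counter are assumptions of this example.

```python
class CpuFuse:
    """Circuit breaker (fuse) for RASP protection.

    sample() is fed the single-core CPU usage each collection interval. After
    `consecutive` samples above `threshold_percent` in a row the fuse trips and
    hooks stop running their detection logic; the first later sample below the
    threshold restores protection. Defaults are assumed, not the project's.
    """

    def __init__(self, threshold_percent=90.0, consecutive=3, enabled=False):
        self.threshold = threshold_percent
        self.consecutive = consecutive
        self.enabled = enabled          # off by default, as in the release note
        self.over_count = 0             # consecutive samples above threshold
        self.tripped = False
        self.skipped_checks = 0         # detections bypassed while tripped (audit)

    def sample(self, cpu_percent):
        """Record one CPU sample; return True if protection is active after it."""
        if not self.enabled:
            return True
        if self.tripped:
            # Restore as soon as one sample falls below the threshold.
            if cpu_percent < self.threshold:
                self.tripped = False
                self.over_count = 0
            return not self.tripped
        if cpu_percent > self.threshold:
            self.over_count += 1
            if self.over_count >= self.consecutive:
                self.tripped = True
        else:
            self.over_count = 0  # a sample at or below threshold resets the streak
        return not self.tripped

    def run_check(self, check, *args):
        """Run a hook's detection function unless the fuse is tripped.

        Returns the check's verdict, or None when the fuse bypassed it. Every
        bypass is counted so the period without protection is visible in logs.
        """
        if self.enabled and self.tripped:
            self.skipped_checks += 1
            return None
        return check(*args)


def replay(samples, threshold_percent=80.0, consecutive=3):
    """Feed a list of CPU samples and return the protection state after each."""
    fuse = CpuFuse(threshold_percent, consecutive, enabled=True)
    return [fuse.sample(s) for s in samples]


if __name__ == "__main__":
    # Constructed trace: three samples over 80% trip the fuse, the next one
    # below 80% restores it.
    print(replay([95, 95, 92, 50]))  # [True, True, False, True]
```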

Plug-in system

  • First .NET and Kotlin/Clojure version

  • Command execution detection point: add environment variable information

  • SQL anomaly detection is changed to plug-in detection, and the error code to be monitored can be customized in the management background

  • Fix the command_reflect algorithm, which may cause false alarms in some cases

Bug fix

Universal fix

  • Added re-registration support, so a host accidentally deleted while offline is automatically restored

Java version

  • Fix false alarms when the middleware supports the multipart protocol but the user does not upload files

  • Fix a problem where the Java agent would not re-obtain the registered IP when the server connected to the management background some time after startup

  • Fixed an issue where WebSphere deserialization command execution would not be blocked due to an empty context.language

  • Fix a problem where, when the heartbeat fails, sleep was ineffective and the log was printed endlessly

  • Fix a problem where the log4j cache was not cleared after logs were pushed

  • Fix a problem where only the first of multiple uploaded files was processed

  • Fix missing details when a configuration update fails

  • Fix the problem that the request hook cannot be intercepted (thanks @Looke for feedback)

  • Fix an issue where cloud.X and other configurations could be delivered remotely

  • Fix a problem where SQL prepared statements did not enter the detection plugin and SQL exceptions were not recorded when an exception occurred

PHP version

  • Fixed an issue where PDO exception monitoring did not filter error codes and recorded redundant exception logs


1.2.0 version-2019.9.5

Major changes

General changes

  • Remove the enforce_policy configuration; baseline detection no longer supports interception

  • Remove MySQL duplicate key error monitoring

  • Delete the stack_trace string field from the alarm log and uniformly use attack_params.stack to get the stack

    • If the Java / PHP agent is upgraded to v1.2.0, the management background must also be upgraded, otherwise the front-end stack will be displayed as an empty value and the vulnerability aggregation list will be empty

new features

General improvements

  • When the host name changes, sync it to the management background

  • Add host_type field to identify whether the host is a Docker container

Management background

  • Fix a problem where the original URL was not redirected back to after login

Plug-in system

  • Added requestEnd hook point, called once at the end of each request

  • Add RASP.request() interface, which can send HTTP requests from a plugin

  • Add RASP.get_version() interface to get agent version information

  • Add multiple fields such as context.requestId

  • Add two parameters dest_path / dest_realpath to file upload (PHP version only)

  • Added loadLibrary_unc algorithm, which intercepts when the library to be loaded comes from a UNC path

PHP version

  • Add eval / assert hook points

  • Add debuglevel configuration to avoid printing redundant logs

Java version

  • Added cluster support to JBoss and WebLogic

  • Fix a crash when fetching thread-local data while v8 runs in a multi-threaded environment

  • Added key hook check: refuse to start when the requestEnd or request.parameterMap hook does not exist

  • Heartbeat interval lower limit changed to 10s

  • Optimized memory usage, reduced by about 50%

  • Print RASP ID at startup for easy troubleshooting

  • Fix XSS not being detected when Tomcat actively calls flush()

    • XSS detection efficiency was optimized at the same time

    • XSS interception no longer throws an exception (other attack types will still throw)

Automatic installer

  • Add SpringBoot semi-automatic installation, which only releases the file and modifies the configuration; the parameter name is -nodetect

  • Added support for Tomcat installed by yum, i.e. the bin directory separated from tomcat_home

  • Add -prepend parameter; when enabled, the -javaagent parameter is placed at the front

    • Appended by default

    • Solves jacoco compatibility issues

Gray box scanning tool

  • Released the first version of the gray box scanner, combined with the RASP vulnerability scanner

Bug fix

Java version

  • Fix the JRockit compatibility problem: switch to JNI to get network card information

  • Solve org.elasticsearch.client.RestClient compatibility issues

  • Solve the problem of incompatibility between XXE code safety switch and taglib

  • Disable V8 execstack warning

PHP version

  • Fix the problem of incorrect PHP version number in the alarm log

Plug-in system

  • Fix a problem where 001-dir-1.jsp was not intercepted even after the all_log plugin was disabled


1.1.2 version-2019.7.11

General improvements

Management background

  • Support deciding whether to alarm according to attack type

  • Host management page: support exporting the agent list

  • Add Host page: fix the SpringBoot + Docker installation command

  • Optimize the experience of multiple tables

Java version

  • syslog TCP: add connection and send timeouts

  • Support reading agent version information from rasp.jar

Detection plugin

  • readFile hook point ignores war package related operations

Bug fix

Java version

  • Fix a bug when calling the hostname command while the host name is not bound in /etc/hosts

  • Fix incorrect filtering of the stack passed to the plugin

  • Fixed the problem of null pointer exception when Undertow parses parameters

  • Fix an XSS hook point null pointer exception


Version 1.1.1-2018.6.17

General improvements

Management background

  • Turn on gzip compression support to reduce network traffic

  • Alarm and baseline log retention time is customizable, default 365 days

  • Optimize multiple front-end experiences

    • Agent exception log adds stack details display

    • Enhanced alarm search function

    • Support advanced configuration options for detection algorithms

Java version

  • Fix incomplete stack filtering

  • Fix possible encoding problems caused by emoji

  • openrasp-v8: all exceptions are synchronized to rasp.log

Detection algorithm

  • Fix the false alarm of command_reflect

  • Algorithm for deleting xss tag when there are more than 10 alarms


Version 1.1-2018.6.6

Major changes

General changes

  • Upgrade Google v8 to version 7.2

  • The syntax parser was switched from antlr4 to flex to reduce memory usage

PHP version

  • Replace libstdc++ with libc++

  • Remove pcre dependency

  • Binary package adds Thread Safety version

Java version

  • Replace rhino with openrasp-v8

  • SQL, SSRF detection logic changed to JS implementation

  • Temporarily remove JRockit JDK support; WebLogic 10.3.6 needs JAVA_VENDOR=Sun set to switch to the Oracle JDK

Plug-in system

  • Streamline the console.log function and delete color-related code

  • Filter com.baidu.openrasp related content out of the stack passed to the detection plugin

new features

General changes

  • New DAST lightweight pentest tool derived from the IronWASP project

  • SQL exception monitoring adds password error monitoring

  • Implement weak password detection for database connection

Java version

  • Add XXE code safety switch, which can directly prohibit loading of external entities

Bug fix

Universal fix

  • After a plugin update succeeds, a heartbeat is sent immediately, so the version information in the management background no longer lags

  • The alarm stack filters out openrasp related content

Java version

  • Fix false alarms in file upload detection points: check after the user has used the file instead

  • Fix the problem of incorrect encoding of openrasp.yml file under Windows

  • Fix the problem that JBoss 12 and above cannot be installed automatically

  • Fix JSP being unable to get the stack

  • Fix Tomcat not redirecting after XSS interception

  • Fix a bug where the heartbeat would never beat again after a failed heartbeat

  • Fix abnormal HTML injection function under Tomcat 5

  • Fix the heartbeat thread remaining after uninstalling without restarting

  • Unify the log.maxbackup logic with the PHP version: when configured as 1, keep today's and yesterday's logs

Management background

  • Porting to ElasticSearch v5.6.8

  • Fix the problem of detecting duplicate uploads of plugins

  • Added cache invalidation setting on front page

  • Fix the problem that the debug_level field is not a number

  • When there is an online host under the application, it is forbidden to delete the application

  • Fix the nosniff misspelling in application hardening; users can save the configuration once to repair it


1.0 official version-2018.4.12

Major changes

General changes

  • APM features from Apache SkyWalking and Elastic APM

  • The header field is added to the alarm log, and the duplicate top-level user_agent and referer fields are removed

  • Stand-alone version configuration file changed to YAML

  • The Location header is only set when the interception response code is 302, allowing the user to print custom block content

Management background

  • Delete the AgentServerURL and PanelServerURL items from the configuration file; modify them in the management background interface instead

  • These two options are set automatically when the background is accessed for the first time. To enable load-balancing mode, correct the Agent server list manually

PHP version

  • The stand-alone version disables fswatch by default. If needed, use the --enable-fswatch compiler parameter to enable it

  • Replace rapidjson with the more flexible nlohmann/json interface

  • CLI mode turns off baseline checking to avoid redundant logs. If needed, use the --enable-cli-support compiler parameter to enable it

  • Rasp-install adds SELinux and open_basedir checks to avoid unusable problems after installation

Java version

  • Remove rasp-log4j.xml related startup parameters; the log4j configuration is now generated dynamically and users no longer need to configure it

new features

General functions

  • Added JSON parameter parsing, namely context.json

  • Added application hardening, which can prevent clickjacking, MIME sniffing, automatic opening of downloaded files, and reflected XSS

  • Support decompilation: user code can be obtained when an alarm is generated (JDK 6-8 and PHP only)

PHP version

  • New PHP 7.3 support

Java version

  • New SpringBoot + Undertow support

  • New WebLogic support

  • New JBoss 6-8 support (does not support automatic installation)

  • New JDK 11 support

  • Add application environment variable collection

  • Add experimental non-restart installation and non-restart uninstall functions, temporarily do not support non-restart upgrade

Management background

  • Improve the user experience in many places and provide a more complete alarm search experience

  • Added vulnerability aggregation display to avoid the alarm list being flooded during the exploitation phase

  • Improve audit log display, add type field and display

  • Added client exception log display

Algorithm improvements

General improvements

  • Add a development mode switch; when enabled, some performance-consuming detection algorithms are loaded

  • Observation mode is enabled by default

Security baseline

  • Tomcat background weak password check adds an empty password check

Path traversal

  • Fixed an issue where the is_path_endswith_userinput function produced false positives when downloading files using absolute paths

  • Intercept directory listing attacks using ..\..\ on Windows

File Inclusion

  • Fix the false alarm caused by phar:// files when using the Baidu Cloud BOS service

  • Added common penetration command detection; only logs by default

SQLi

  • Added SQL anomaly detection, such as syntax errors and error-based injection

  • Fix char / chr() false alarms; only alarm when there are 5 occurrences

SSRF

  • Add port information when calling the detection plugin

  • Intercept access to Alibaba Cloud metadata

File Upload

  • The alarm log adds a multipart parameter name field to facilitate reconstructing the request

XSS

  • Added xss_userinput detection algorithm to intercept reflected XSS

  • The xss_echo algorithm adds content filtering to avoid alarms caused by non-attack events (this algorithm has no false alarms)

WebShell

  • Intercept backdoors based on LD_PRELOAD

Deserialization

  • Intercept attacks that execute commands via JNDI reflection

Bug fix

Management background

  • Fix a problem where ElasticSearch pulled via Docker could not be connected to

PHP version

  • Fix a problem where the SSRF detection point could not get the hostname when the URL has no protocol


1.0.0 RC1 version-2018.1.3

new features

Java version

  • Add okhttp / okhttp3 hook point for SSRF detection

Other general functions

  • First release of the management background

  • Add remote management functions, including log upload, plugin delivery, remote configuration management, etc.

  • syslog log adds a customizable tag field

  • LRU is moved from the plugin to the agent, covering the sql, ssrf, readFile and writeFile detection points

Major changes

Management Background

  • Port to ElasticSearch v6.1.0

  • Rewrite the entire dashboard in Go

PHP version

  • Officially remove Windows support

Algorithm improvements

Command execution

  • Add detection of JBoss EL reflection command execution

  • Added a bash command parser to detect command injection attacks

Bug fix

  • Fix a null pointer bug under Dubbo RPC where log4j printed logs without a requestMethod

  • Fix a crash in PHP session + mysql handler

  • Fix the issue that SpringBoot 1.5.9 + embedded Tomcat could not obtain the server version number


Version 0.50-2017.10.29

new features

Java version

  • Officially supports WebSphere; only versions 8.5 and 9.0 have been tested so far

other

  • Alarm log adds an algorithm field identifying the specific algorithm name

Algorithm improvements

Any file download

  • Fix an absolute path false positive caused by ThinkPHP rewrite

Version 0.42-2017.9.26

Major changes

General

  • Remove SQL slow query hooks, but temporarily keep the code

Java version

  • The Dubbo RPC parameter name obtained by the plugin is changed from openrasp-dubbo-XXX to dubbo-XXX

new features

  • Alarm log adds a request_method field, i.e. the request method

Bug fix

  • Fixed a "No modifications are allowed to a locked ParameterMap" error when obtaining parameters under certain Tomcat versions

Algorithm improvements

Rename

  • Fix a potential false positive issue of rename_webshell

Deserialization

  • Stack algorithm adds commons.collections4 check


Version 0.41-2016.9.17

Major changes

Management background

  • Porting to ElasticSearch v5.0.0

Java version

  • The block.url configuration option is renamed block.redirect_url and supports templated configuration

    • The %request_id% keyword in the template is automatically replaced with the current request ID

PHP version

  • The openrasp.block_url configuration option is renamed openrasp.block_redirect_url

    • And support templated configuration, same as Java version

  • All log times are changed to system time; the PHP time zone is no longer used

    • Solves the problem that the IAST-RASP alarm log and the nginx / apache access log could not be matched one to one

  • Remove the webshell_include detection point and use JS plugin detection instead

JS API interface

  • For the Java server, appBasePath no longer points to the webapps directory, but the application deployment path, such as /tomcat/webapps/vulns

  • RASP.sql_tokenize array elements are changed to dictionaries, with two new fields for the token start and end positions

    • After this improvement, the sqli_userinput algorithm only needs to run tokenize once

    • Performance during an attack is greatly improved

new features

Java version

  • Add baseline check for JBoss

  • When the request is intercepted and the expected response type is xml / json, the user can customize the response content

  • Add plugin.filter configuration

    • Applicable to hooks such as include / rename / readFile

    • If enabled, files that do not exist do not enter the detection logic (enabled by default)

  • Add the ability to obtain the client's real IP

    • Users can specify with openrasp.clientip_header which request header the real client IP is read from

    • The default is the clientip request header

    • The field in the alarm log is client_ip

  • Added Dubbo RPC basic data type support

    • JS plugin can get RPC parameters, the name is openrasp-dubbo-X

PHP version

  • Support disabling all hook points with openrasp.hooks_ignore=all

  • Increase the ability to obtain the client's real IP, same as Java version

  • When the request is intercepted and the expected response type is xml / json, the user can customize the response content, the same as the Java version

  • Add openrasp.plugin_filter configuration, same as Java version

Algorithm improvements

SSRF

  • Fix the XXE / SSRF bypass problem reported by @piggy; intercept netloc://, jar:// and other unsafe protocols by default

OGNL

  • Changed the hook point to Ognl.topLevelExpression, fixing the incorrect OGNL detection reported by @Shi Wei

SQLi

  • Add lazy loading and a pre-filtering mechanism, so tokenize only runs when needed, to improve performance

  • Use linked lists to replace arrays, optimize JS LRU implementation, and improve performance

XXE

  • Fix the xxe_file algorithm issue reported by @Ling Xiao, which produced a large number of alarm logs

    • Solved by ignoring entities with extension dtd / xml

File directory traversal, arbitrary file inclusion

  • Add a new detection algorithm: when the user input contains traversal features and the user input is located at the end of the directory path, it is judged to be directory traversal

  • Fix the incorrect Confluence 5.8 AFD alarm message reported by @Tavern Ranger

    • When the user passes in file:///etc/passwd but the actual read is /etc/passwd, this caused a bypass, which has been fixed
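
The traversal rule above (traversal feature in the input, input at the end of the path) and the file:// normalization fix, together with the 1.0 notes on is_path_endswith_userinput false positives for absolute-path downloads and ..\..\ on Windows, as an added example that is not the project's detection plugin. The app_base_path parameter, used to avoid alarming on legitimate absolute-path downloads, is an assumption of this example; the sample paths are constructed.

```python
import posixpath
import re

# A traversal feature is a ".." segment delimited by path separators.
_TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def unify_slashes(path):
    """Treat back slashes like forward slashes, so ..\\..\\ on Windows is handled
    like ../../ and mixed-slash paths still normalize."""
    return path.replace("\\", "/")


def strip_file_scheme(value):
    """file:///etc/passwd must compare equal to /etc/passwd; leaving the scheme
    in place is the bypass described above."""
    if value.lower().startswith("file://"):
        return value[len("file://"):]
    return value


def normalize(path):
    """Collapse . and .. segments; leading .. are kept (posixpath semantics)."""
    return posixpath.normpath(unify_slashes(path))


def has_traversal(value):
    return _TRAVERSAL.search(unify_slashes(value)) is not None


def traversal_tail(value):
    """What is left of the input after its leading .. segments,
    e.g. '../../../etc/passwd' -> 'etc/passwd'."""
    segments = [s for s in normalize(value).split("/") if s not in ("", ".")]
    while segments and segments[0] == "..":
        segments.pop(0)
    return "/".join(segments)


def _is_absolute(path):
    return bool(re.match(r"^(?:/|[A-Za-z]:/)", path))


def is_path_endswith_userinput(user_input, real_path, app_base_path=None):
    """Return True when the user-controlled value decides which file is opened.

    Rule 1 (directory traversal): the input contains a traversal feature and
    the remainder of the input forms the tail of the path actually opened.
    Rule 2 (arbitrary file download): the input, after stripping file://, is the
    absolute path that was opened. So that legitimate absolute-path downloads
    do not alarm, rule 2 only fires when the file lies outside app_base_path;
    that parameter and exclusion are an assumption of this example.
    """
    real = normalize(real_path)
    value = strip_file_scheme(user_input)
    if has_traversal(value):
        tail = traversal_tail(value)
        return bool(tail) and (real == tail or real.endswith("/" + tail))
    norm_value = normalize(value)
    if _is_absolute(norm_value) and norm_value == real:
        if app_base_path is None:
            return True
        base = normalize(app_base_path).rstrip("/") + "/"
        return not real.startswith(base)
    return False


if __name__ == "__main__":
    # Constructed cases: a Linux traversal, a Windows ..\..\ traversal, a
    # legitimate relative download, and the file:// normalization case.
    print(is_path_endswith_userinput("../../../etc/passwd",
                                     "/var/www/app/../../../etc/passwd"))
    print(is_path_endswith_userinput("..\\..\\Windows\\win.ini",
                                     "C:\\inetpub\\wwwroot\\..\\..\\Windows\\win.ini"))
    print(is_path_endswith_userinput("report.pdf", "/var/www/app/files/report.pdf"))
    print(is_path_endswith_userinput("file:///etc/passwd", "/etc/passwd",
                                     app_base_path="/var/www/app"))
```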

File writing

  • writeFile_script is changed to ignore by default to avoid a lot of useless logs

Rename monitor

  • Add filtering: only enter the detection logic when the source file has an extension, fixing the false alarm under the Laravel framework reported by @蠓

  • Add filtering, only enter the detection logic when the source and target are files

Slow query

  • Since the corresponding SQL statement cannot be obtained, slow query detection is disabled by default; disabling this hook point can also improve the performance of the Java version.

Bug fix

PHP version

  • Fix incorrect processing of array_filter parameters

  • Fix the problem of missing domain name in URL field in alarm log


Version 0.40-2016.7.24

Major changes

Java version

  • Command execution hook point: command parameters are uniformly changed to string form

  • All alarm messages are changed to English; translation support will be added in the next version

PHP version

  • All alarm messages are changed to English; translation support will be added in the next version

new features

PHP version

  • Officially support PHP 7.0-7.2

  • Added support for SQL prepared statements

  • Use the v8 default platform instead of the custom platform, providing more general background task capability and error tracing

Java version

  • Add rename hook points

Algorithm changes

  • Command execution

    • Add recognition of commands executed by FreeMarker templates

    • Fix cacti false positives reported by @Garfield

    • By default, all command execution is no longer blocked

      • If there is no demand manually modify the command execution command_otheralgorithm for the switchblock

      • This switch does not affect the interception of deserialization command execution or the detection of other algorithms

  • SSRF

    • Increase the detection of special protocols, and the corresponding detection switch. Including php://file://etc.

    • A user input matching algorithm, increased 127.X.X.Xrecognition

    • Add a dnslog address feedback from @dos_man *.tu4.org

  • File directory traversal

    • Repair a @Leesec report /../../detected problems to bypass

  • PHP stack detection algorithm

    • Repair @Ezreal report of a call\_user\_funcfalse alarm problem

  • Backdoor upload detection

    • Increase the monitoring of rename to prevent writing to webshell through renaming

  • SQL injection

    • Increase the global LRU cache, when the detection result is ignore, do not repeat the detection, to improve performance

    • User input matching algorithm, the shortest parameter length can be configured

    • Increase into outfiledetection and increase the detection switch corresponding
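The rename monitoring introduced here, combined with the two filters from the later "Rename monitor" entry (skip sources without an extension, as in the Laravel false positive, and skip anything that is not a regular file), as an added example in plain JavaScript. This is not OpenRASP's plugin code; the set of script extensions treated as webshell candidates and the stat flags passed in are assumptions of the example:

```javascript
// Added example, not OpenRASP's plugin code. A rename hook verdict that
// applies the filters from the "Rename monitor" notes before looking for a
// rename that turns an uploaded file into a server-side script.
// Assumption: SCRIPT_EXTENSIONS is this example's list, not one from the
// notes; srcIsFile / dstIsDirectory are stat results the hook supplies.

const SCRIPT_EXTENSIONS = new Set(['.php', '.phtml', '.php5', '.jsp', '.jspx', '.asp', '.aspx']);

// Lower-cased last extension of the file name, '' when there is none.
// A leading dot alone (".htaccess") does not count as an extension.
function extensionOf(p) {
  const base = String(p).split(/[\\/]/).pop();
  const m = /^.+(\.[^.]+)$/.exec(base);
  return m ? m[1].toLowerCase() : '';
}

// src, dst: the two paths given to rename(); stat: { srcIsFile, dstIsDirectory }.
// Returns { action: 'skip' | 'ignore' | 'block', reason }.
//   skip   - filtered out before detection (the notes' two filters)
//   ignore - inspected, nothing suspicious
//   block  - a non-script file is being renamed to a script extension
function renameVerdict(src, dst, stat) {
  if (!stat.srcIsFile) return { action: 'skip', reason: 'source is not a regular file' };
  if (stat.dstIsDirectory) return { action: 'skip', reason: 'target is a directory' };
  const srcExt = extensionOf(src);
  // Laravel and similar frameworks rename extension-less temp files for
  // atomic writes; the notes exclude those from detection.
  if (srcExt === '') return { action: 'skip', reason: 'source has no extension' };
  const dstExt = extensionOf(dst);
  if (SCRIPT_EXTENSIONS.has(dstExt) && !SCRIPT_EXTENSIONS.has(srcExt)) {
    return { action: 'block', reason: 'rename ' + srcExt + ' -> ' + dstExt + ' may create a webshell' };
  }
  return { action: 'ignore', reason: '' };
}
```

Renaming one script to another (deploying a.php over b.php) is left as ignore on purpose; the rule targets the upload pattern where a harmless-looking file acquires a script extension after the upload check has passed.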

Bug fix

PHP version

  • Added more than 60 unit tests and fixed 2 parameter parsing errors

  • Optimize handling of different protocols: if a protocol does not support write operations, it no longer enters the detection plugin

  • Fix a path normalization failure caused by mixing forward and back slashes

Other changes

  • Add a new block page


Version 0.32-2016.6.8

Algorithm improvements

  • Add switches for all detection algorithms

    • Users can enable or disable an algorithm by editing the configuration in the JS plugin header

  • ssrf_common algorithm: add detection and interception of ceye.io and transfer.sh

Bug fix

  • Solve a classloader compatibility problem in Resin 3.1.8

  • Fix a parsing error in SQLParser

  • Solve the loading conflict of Mozilla Rhino by changing its package name

Other changes

  • Use the V8 engine snapshot feature to speed up V8 instance startup


Version 0.31-2016.5.22

Major changes

  • Java version

    • Java package name changed to com.baidu.rasp

      • Before upgrading, users need to manually delete the rasp/conf/rasp-log4j.xml file

      • After the application starts, OpenRASP automatically generates a new log configuration file

    • Solve compatibility issues with newer JDKs (issue #98: rhino jdk8u162 compatibility issue)

    • To reduce hook point development costs, the hook framework was changed to Javassist

  • RaspInstall, the OpenRASP automatic installer

    • To support automatic uninstallation, we adjusted the command line parameters of RaspInstall.jar

      • java -jar RaspInstall.jar -install /home/tomcat

      • java -jar RaspInstall.jar -uninstall /home/tomcat

Algorithm changes

  • SQLi detection algorithm #2: the constant comparison check is turned off by default

    • In real business code, non-standard coding is common and causes false positives, e.g. AND ((0='' OR 0='0')

  • Command execution detection logic adjustment

    • To detect unconventional deserialization and command execution vulnerabilities, command execution that does not originate from an HTTP request now also enters the detection point

    • Suitable for detecting CVE-2016-8735, CVE-2018-1270 and similar vulnerabilities

New features

  • Java version prints an ASCII banner at startup

  • Add JDBC prepared SQL hook point

  • Support Resin 3.X and 4.X servers

  • Add custom encoding configuration, allowing users to set the encoding used for context.parameter

  • Add capture of jnotify exceptions

Bug fix

  • Feedback from @KindergardenMM

    • The ProcessBuilder hook could be bypassed; the hook point was moved down to the lower-level UNIXProcess and ProcessImpl classes

  • PHP version

    • When the file did not exist, file_put_contents did not call the detection plugin; fixed

    • Solve a memory leak in the log module


Version 0.30-2015.4.27

Major changes

  • Java version

    • Debug configuration option renamed from debug_level to debug.level

New features

  • Added support for PHP 5.X

    • Linux: PHP 5.3 ~ 5.6

    • Windows: PHP 5.6 (thread-safe build only)

    • Mac: Homebrew PHP 5.6

  • PHP security baseline check

    • INI configuration audit

      • allow_url_include

      • expose_php

      • display_errors

      • yaml.decode

    • Database connection account audit

  • Other PHP version features

    • SQL slow query audit

  • Test case enhancement

    • Add PHP test cases

    • Add a simple navigation page

    • Add clickable links throughout, to reduce dependence on the command line

  • Add PHP version performance test report

    • Performance loss on Discuz / WordPress is around 2% in both cases

  • Open-source a docker-based automated vulnerability testing environment: app-env-docker

API changes

  • directory hook point: add stack parameter

  • ssrf hook point: add ip parameter

Algorithm improvements

  • SQLi detection algorithm enhancement

    • Add detection of UNION NULL statements

    • Statement specification checking algorithm: intercept common blind injection functions, e.g. ord, chr

    • Add a separate control switch for the database manager detection algorithm

  • SSRF detection algorithm enhancement

    • When the requested URL comes from user input and the address is an intranet address, the request is intercepted

  • Java: deserialization detection

    • Intercept attack payloads that execute commands via ysoserial

  • PHP: add detection of the China Chopper webshell client

    • Identify anomalies based on the call stack; intercept its file manager and command execution functions

    • Based on user input recognition, some samples can be intercepted directly, e.g. <?php eval($_POST[0]); ?>

  • PHP: intercept callback operations, e.g. array_map("system", $whatever)

    • For the specific callbacks intercepted, refer to the default openrasp.callable_blacklists configuration

Bug fix

  • Feedback by @Count Ji

    • SQLi algorithm #1: when the user input is purely numeric and appears multiple times in the SQL statement, a false alarm was generated; resolved


Version 0.24-2015.2.2

Bug fix

  • Automatic installer

    • Solve the problem that JBoss 4.0.3 could not be recognized

Other changes

  • Catch RASP.sql_tokenize error messages and print them to plugin.log


Version 0.23-2015.1.23

Major changes

  • Remove the reflection hook

    • Some frameworks use reflection heavily, which hurt performance

    • We tested several financial services; the performance loss dropped from 10% to 5%

    • Reflection-based inspection moves to the command hook point; detection capability is unchanged

Algorithm improvements

  • SSRF detection algorithm enhanced: add detection of more commonly used domain names
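The SSRF rules spread over these notes (the domain-name checks here, the intranet-address rule of 0.30, the php:// and file:// scheme rule and 127.X.X.X recognition of 0.40, and the ceye.io / transfer.sh / *.tu4.org dnslog domains of 0.32 and 0.40), combined into one added example in plain JavaScript. This is not OpenRASP's plugin code: it assumes the ip argument is the already-resolved address (the 0.30 notes say the ssrf hook supplies an ip parameter), and the gopher and dict schemes are this example's additions, not names from the notes:

```javascript
// Added example, not OpenRASP's plugin code. Three SSRF rules from the notes:
//  1. block known out-of-band (dnslog) domains: ceye.io, transfer.sh, *.tu4.org;
//  2. block special schemes such as php:// and file://;
//  3. block intranet / loopback targets (including 127.X.X.X) when the host
//     name came from user input.
// Assumptions: `ip` is the resolved address supplied by the hook (no DNS is
// done here); gopher and dict are added to the scheme list by this example.

const DNSLOG_DOMAINS = ['ceye.io', 'transfer.sh', 'tu4.org'];
const BLOCKED_SCHEMES = new Set(['php', 'file', 'gopher', 'dict']);

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(n => n <= 255) ? octets : null;
}

// RFC 1918 ranges, loopback, link-local, "this host" and IPv6 loopback.
function isIntranetAddress(host) {
  if (host === 'localhost' || host === '::1') return true;
  const o = parseIPv4(host);
  if (!o) return false;
  const [a, b] = o;
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

function isDnslogHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return DNSLOG_DOMAINS.some(d => h === d || h.endsWith('.' + d));
}

// url: outbound request URL; ip: resolved address or null; userInputs: the
// request's parameter values. Returns { action: 'block' | 'ignore', reason }.
function checkSsrf(url, ip, userInputs) {
  let u;
  try { u = new URL(String(url)); } catch (e) { return { action: 'ignore', reason: 'unparseable url' }; }
  const scheme = u.protocol.replace(/:$/, '').toLowerCase();
  if (BLOCKED_SCHEMES.has(scheme)) return { action: 'block', reason: 'scheme ' + scheme };
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();   // strip IPv6 brackets
  if (isDnslogHost(host)) return { action: 'block', reason: 'dnslog host ' + host };
  // The intranet rule only fires for attacker-controlled targets: the host
  // must appear in some request parameter (the user input matching step).
  const fromUser = (userInputs || []).some(v => String(v).toLowerCase().includes(host));
  if (fromUser && (isIntranetAddress(host) || (ip && isIntranetAddress(String(ip))))) {
    return { action: 'block', reason: 'intranet target ' + (ip || host) };
  }
  return { action: 'ignore', reason: '' };
}
```

The user-input match is what keeps an application's own calls to internal services from being blocked: only when the internal host name or address is visible in a request parameter is the request treated as attacker-controlled. Passing the resolved ip separately is what catches a public host name that resolves to a private address.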


Version 0.22-2015.1.17

Major changes

  • Java version: the SQLi/SSRF detection algorithms are reimplemented natively in Java to further improve performance

    • The detection control logic is configured by modifying algorithm.config in the plugin

  • Open source license switched from BSD-3 to Apache License 2.0, to facilitate commercial use

  • Modify the context.parameter acquisition logic

    • Parameters become readable by the JS plugin once the JSP script has read them. This reduces false positives and also improves the performance of SQLi algorithm #1

  • Support automatic deletion of expired logs

    • Implemented by patching log4j 1.X

    • Before upgrading, users need to manually delete rasp/conf/rasp-log4j.xml; the program will generate a new one automatically

New features

  • Support JBoss 7.X

  • Support inserting HTML code into the response, which can be used to detect CSRF and admin backends; off by default

  • Configuration options in rasp.properties, with the exception of hooks.ignore, now support dynamic updates that take effect immediately after modification

  • Support a custom response status code when intercepting attacks

    • Default 400

  • Security baseline

    • Support Tomcat directory indexing check

  • JS precompilation: startup time dropped from about 8s to about 3s

  • Add a debugging switch, used to collect hook entry counts, time consumption, etc.

Algorithm improvements

  • Officially support SSRF vulnerability detection, covering the following three scenarios

    • URL.openConnection

    • commons-httpclient

    • httpclient

API changes

  • The RASP.config() interface is renamed RASP.config_set(), and relevant debug logs are added

  • Add the RASP.get_jsengine() interface for obtaining the JS engine name

Bug fix

  • #84: request.setCharacterEncoding encoding problem

  • Solve the rasp-log4j.xml release failure caused by missing write permission

    • In the new version, RaspInstall proactively modifies the permissions of the rasp directory

  • Baseline check log: add call stack information

    • When the application uses a high-privilege database account, this makes it easy to locate the specific code

  • Rewrite the catalina.sh modification logic to support repeated installation

    • The modified configuration is wrapped with markers such as ### BEGIN OPENRASP ###


Version 0.21-2014.12.6

Major changes

  • The security baseline log is split into separate files

    • Convenient for collecting different types of logs

    • Before upgrading, users need to manually delete the rasp/conf/rasp-log4j.xml file

New features

  • Detection of JSTL file inclusion vulnerabilities and SSRF exploitation

  • Support the DB2 database; we only tested the free edition, 9.7 and 10.5

  • Server security baseline

    • New database connection account audit, e.g. connecting to MySQL as root, connecting to MSSQL as sa, etc.

  • Add slow query audit

  • Support Syslog TCP transport for alarm logs

Algorithm improvements

  • Public SQL injection detection algorithm #2: based on statement specification; the rules can be modified in the plugin configuration

    • Prohibit multi-statement execution, e.g. select 123; select 456

    • Prohibit hexadecimal strings, e.g. load_file(0x41424344)

    • Prohibit MySQL version comments, e.g. /*!12345

    • Prohibit numeric constant comparison operations, e.g. SELECT 1 FROM dual WHERE 8778 <> 8778

    • Prohibit blacklisted functions, e.g. load_file, benchmark, pg_sleep, ...
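The statement specification rules of algorithm #2 listed above, as an added example in plain JavaScript; this is not OpenRASP's plugin code. The real plugin exposes RASP.sql_tokenize for this; the small tokenizer here is the example's own. Each rule gets a switch, and constant_compare defaults to off, following the 0.31 note that it produced false positives such as AND ((0='' OR 0='0'). The blacklist also carries the ord/chr additions from the 0.30 notes and the into outfile rule from 0.40; the function list is the names the notes give, nothing more:

```javascript
// Added example, not OpenRASP's plugin code. Algorithm #2 (statement
// specification) from the notes over a minimal SQL tokenizer.
// Assumption: the tokenizer is this example's own; the real plugin uses
// RASP.sql_tokenize. FUNCTION_BLACKLIST holds only names from the notes.

const TOKEN_RE = /\s+|\/\*[\s\S]*?(?:\*\/|$)|--[^\n]*|#[^\n]*|0x[0-9a-fA-F]+|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|<=|>=|<>|!=|[=<>;(),*+\-\/%.]|./g;

// Split a statement into { type, text } tokens; whitespace is dropped.
function tokenize(sql) {
  const tokens = [];
  for (const m of String(sql).matchAll(TOKEN_RE)) {
    const t = m[0];
    if (/^\s+$/.test(t)) continue;
    let type;
    if (/^(\/\*|--|#)/.test(t)) type = 'comment';
    else if (/^0x/i.test(t)) type = 'hex';
    else if (/^['"]/.test(t)) type = 'string';
    else if (/^\d/.test(t)) type = 'number';
    else if (/^[A-Za-z_]/.test(t)) type = 'word';
    else type = 'op';
    tokens.push({ type, text: t });
  }
  return tokens;
}

const DEFAULT_SWITCHES = {
  multi_statement: true,
  hex_string: true,
  version_comment: true,
  constant_compare: false,   // off by default, per the 0.31 notes
  function_blacklist: true,
  into_outfile: true,
};

const FUNCTION_BLACKLIST = new Set(['load_file', 'benchmark', 'pg_sleep', 'ord', 'chr']);
const COMPARE_OPS = new Set(['=', '<>', '!=', '<', '>', '<=', '>=']);
const CONSTANT_TYPES = new Set(['number', 'string', 'hex']);

// Returns { action: 'block' | 'ignore', hits: [rule names that fired] }.
function checkStatementSpec(sql, switches) {
  const sw = Object.assign({}, DEFAULT_SWITCHES, switches || {});
  const toks = tokenize(sql);
  const hits = new Set();
  toks.forEach((t, i) => {
    const prev = toks[i - 1], next = toks[i + 1];
    const lower = t.text.toLowerCase();
    // A ';' only counts as multi-statement if real tokens follow it.
    if (sw.multi_statement && t.type === 'op' && t.text === ';' &&
        toks.slice(i + 1).some(x => x.type !== 'comment')) hits.add('multi_statement');
    if (sw.hex_string && t.type === 'hex') hits.add('hex_string');
    if (sw.version_comment && t.type === 'comment' && t.text.startsWith('/*!')) hits.add('version_comment');
    // Constant on both sides of a comparison: 8778 <> 8778, 0='0', 0x41=0x41.
    if (sw.constant_compare && t.type === 'op' && COMPARE_OPS.has(t.text) &&
        prev && next && CONSTANT_TYPES.has(prev.type) && CONSTANT_TYPES.has(next.type)) hits.add('constant_compare');
    if (sw.function_blacklist && t.type === 'word' && FUNCTION_BLACKLIST.has(lower) &&
        next && next.text === '(') hits.add('function_blacklist:' + lower);
    if (sw.into_outfile && t.type === 'word' && lower === 'into' &&
        next && next.type === 'word' && next.text.toLowerCase() === 'outfile') hits.add('into_outfile');
  });
  return { action: hits.size ? 'block' : 'ignore', hits: [...hits] };
}
```

Running the 0.31 false-positive statement through checkStatementSpec with the defaults returns ignore; with { constant_compare: true } it returns block, which is exactly the trade-off that note describes.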

API changes

  • Added the context.appBasePath interface to get the root directory of the web application

  • New session operation interfaces: context.session.setSession, context.session.getSession

Other changes

  • Plugin split: some rarely used detection logic, such as scanner recognition, moved to the addons directory

  • RaspInstall source code is now open

  • CVE vulnerability coverage list is now public


Version 0.20-2014.10.26

Major changes

  • Performance optimization

    • Due to poor JNI performance, we replaced J2V8 with the latest Mozilla Rhino

    • In the worst case, the impact on the server is around 2%; see the performance test report for details

  • Drop support for WebLogic

API changes

  • Add SQL tokenize interface: RASP.sql_tokenize

  • Add session modification interfaces: context.session.getSession / context.session.setSession

  • readFile interface: when the file does not exist, the plugin is no longer called

Hook point changes

  • Add webdav hook point, which can check MOVE and COPY operations

Block log changes

  • Add HTTP Referer field

  • Add request_id field, used to identify the attacking request

  • Add event_type field to indicate the log type

  • attack_time field renamed event_time

  • attack_params field changed to JSON format (previously a string; the ES mapping needs to be reconfigured)

New features

  • Support a custom interception page

    • Via the block.url configuration

    • The default is the little dinosaur page

  • Add server security baseline check; currently only supports Tomcat and can detect the following insecure configurations

    • Manager/html has a weak password

    • JSESSIONID cookie is not httpOnly

    • Tomcat runs as root

    • Default webapps not removed

  • In the event of an attack, the plugin outputs an extra confidence field indicating the reliability of the detection result

  • An X-Protected-By: OpenRASP header is added to all responses

  • Support HTTP alarm push

  • Added support for Jetty and JBoss 5 ~ 6 servers

  • Added log.maxstack configuration option to set the maximum stack depth in the alarm log

Algorithm improvements

  • Add scanner identification based on UA and headers (off by default; modify the plugin manually to enable)

  • SQL injection detection algorithm #1 is open

  • Sensitive file download vulnerability detection

Other changes

  • JBoss XXE hook points optimized to improve performance


Version 0.13-2014.09.22

Bug fix

  • When a runtime error occurs in the JS plugin, the alarm log should not be printed

  • When the JS plugin fails, print the detailed stack and error information to plugin.log


Version 0.12-2014.09.14

New features

  • Add abnormal flow identification: when certain classes are called via reflection, the plugin detection logic is triggered


Version 0.11-2014.09.13

Bug fix

  • Added doFilter hook point to fix the problem that vulnerabilities could not be detected under the Struts family of frameworks


Version 0.10-2014.08.18

New features

  • Support multiple Java servers and database servers

  • Support multiple SIEM applications

  • Complete the first version of the official detection plugin

  • Support multiple hook points

Version 0.09-2014.07.14

First version for Java/ElasticSearch 1.2.0, result of the OASES (Open AI System Security Alliance) project.

PHP version: credits to the PIOF project.

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.