Releases: baidu/openrasp
Version 0.40
Breaking changes
Java Agent
- The command parameter in the ProcessBuilder hook changed to string type
- Replaced all alarm messages with English ones
PHP agent
- Replaced all alarm messages with English ones
New features
PHP agent
- Add support for PHP 7.0~7.2
- Add support for prepared SQL statements
- Fell back to the V8 default platform
- Add monitoring of rename operations
Java agent
- Add monitoring of rename operations
Algorithm improvements
Command execution
- Add detection of command execution via FreeMarker templates
SSRF
- Add detection of potentially dangerous protocols, e.g. `php://`
- Add detection of 127.X.X.X in the ssrf_userinput algorithm
Path traversal
- Fixed a `/../../` detection bypass reported by @leesec
PHP stack validation
- Fixed a call_user_func false positive reported by @ezreal
SQL injection
- Add a global LRU cache to improve generic performance
- Add detection of the INTO OUTFILE phrase
Bug fixes
PHP agent
- Add ~60 PHP test cases, multiple bugs fixed
- Fixed an `expand_path` issue on Windows
Version 0.32
Algorithm improvements
- Make the official JavaScript plugin more configurable by adding a global `algorithmConfig` variable
- Add detection for more domains commonly used in SSRF attacks
Bug fixes
- Resolve a class loader compatibility issue on Rhino 3.1.8 (Windows)
- Repackaged the Mozilla Rhino library to resolve another class loading issue
Version 0.31
Breaking changes
Java agent
- Java package renamed to `com.baidu.rasp`
- User must manually remove `rasp/conf/rasp-log4j.xml` prior to software upgrade
- Resolve ISSUE #96 - Can't find bundle for base name org.mozilla.javascript.resources.Messages
- Replaced ASM with Javassist
Rasp Installer
- Add support for software uninstallation
- Command line arguments changed to the following
  - `java -jar RaspInstall.jar -install /home/tomcat`
  - `java -jar RaspInstall.jar -uninstall /home/tomcat`
Algorithm changes
SQLi algorithm
- Detection of constant comparison is now off by default
Command execution detection algorithm
- Detect unusual command execution on non-HTTP requests
  - e.g. CVE-2018-1270
New features
- On startup, the Java agent will print an ASCII art banner
- Add SQLi hook for JDBC prepared statements, resolves ISSUE #8
- Add support for Resin 3.X & 4.X servers
- Optimized jnotify to support exception handling
Bug fixes
- PHP
  - Fixed a potential memory leak in the log module
Version 0.30
Breaking changes
- Java agent
  - Debug level option `debug_level` now renamed to `debug.level`
New features
- Add support for PHP 5.X servers
  - Linux 5.3 ~ 5.6
  - Windows 5.6
  - Mac homebrew PHP 5.6
- PHP security baseline
  - INI entry auditing
  - Detect the use of high-privileged database accounts, e.g. root, psql
  - Slow query detection
- Testcases enhancement
  - Add PHP testcases
  - Add a navigation page
  - Make all links clickable (testing with cURL has become optional)
  - Add performance test report for PHP agents
API changes
- Add `stack` parameter for both `directory` and `ssrf` hook points
Algorithm improvements
- SQLi detections
  - Block UNION NULL queries
  - Block blind injection related functions, e.g. `ord`, `chr`
- Java - Anti deserialization exploits
  - Block command execution via ysoserial payloads
- PHP - China Chopper detection
  - Block suspicious file managers and command execution via the stack validation algorithm
  - Block simple webshells that directly evaluate user inputs
- PHP - block unusual callbacks
  - Please refer to `openrasp.callable_blacklists` for more details
Version 0.24
Bug fixes
- OpenRASP Installer for Java
  - Add support for JBoss 4.0.X
Other changes
- Add logging of ANTLR errors
Version 0.23
Chinese description
Breaking changes
- Remove the `reflection` hook point
  - Improves performance greatly
  - Detection logic moved to the `command` hook point
Algorithm enhancements
- Add more domains commonly used in SSRF exploits
v0.22
Chinese description
Breaking changes
- Re-implemented the SQLi/SSRF detection algorithm in pure Java code
  - Configurable via the `RASP.config(algorithm.config, ...)` interface in JavaScript plugins
  - Performance improved by nearly 20%
- LICENSE upgrade
  - Replaced BSD-3 with Apache License 2.0
- Log rotation
  - Automatically remove old log files, keep up to 30 files by default
  - User must manually remove `rasp/conf/rasp-log4j.xml` prior to version upgrade
New features
- Add support for JBoss 7.X
- Conditional HTML injection support
  - Mostly designed for CSRF / Blind XSS detection
  - Disabled by default
- When an attack is blocked, allow the user to customize the HTTP response code
- Security baseline improvements
  - Detect global Directory Index configuration in Tomcat
  - JDBC account auditing: only report on successful connections
- Add a debug option to collect performance data
Algorithm improvements
- Detect basic SSRF and URL obfuscation techniques
  - List of supported HTTP request libraries:
    - URL.openConnection
    - commons-httpclient
    - httpclient
API Changes
- `RASP.config()` now renamed to `RASP.config_set()`
- Add `RASP.get_jsengine()` interface
Bug fixes
RASP agent
- request.setCharacterEncoding compatibility issue
- Add stack trace in policy-alarm logs
OpenRASP Installer for Java
- Will add write permission to the `rasp` directory automatically
- Refine all error messages
Version 0.21
Chinese description
Breaking Changes
- Separation of security baseline violation logs
  - Makes it easier to manage different types of alarm logs
  - User must manually remove `rasp/conf/rasp-log4j.xml` prior to agent upgrade
New Features
- Detect LFI/SSRF exploits via the jstl-import method
- Add support for DB2 database server
  - Only tested on versions 9.7 and 10.5
- Security baseline feature enhancements
  - Audit database accounts, e.g. connecting to MySQL with the `root` user
  - Add slow query detection, e.g. reading 500+ rows with a SELECT statement
- Support TCP syslog transmission
Algorithm improvements
- Release SQLi detection algorithm No.2 (configurable)
  - Detect stacked queries, e.g. `SELECT 123; SELECT 456;`
  - Detect hex string representations, e.g. `load_file(0x41424344)`
  - Detect OS version number, e.g. `/*!12345`
  - Detect numeric constant comparison, e.g. `SELECT 1 FROM dual WHERE 8778 <> 8778`
  - Detect usage of blacklisted functions, e.g. `load_file`, `pg_sleep`, ...
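The checks listed above for SQLi algorithm No.2, together with the UNION NULL and `ord`/`chr` items under Version 0.30 and the INTO OUTFILE item under Version 0.40, as a heuristic checker run over constructed queries; this is an added example, not OpenRASP's own plugin or Java code, and the rule names, the `stripStrings()` helper and the function blacklist are this example's assumptions.

```javascript
// Added example, not OpenRASP's own code: a heuristic checker for the SQLi
// patterns listed in the release notes. Rule names, stripStrings() and the
// function blacklist are this example's assumptions, not OpenRASP's API.

// Replace string literals with '' so quoted user data cannot trigger a rule
// by itself (e.g. a note text that happens to contain "; select").
function stripStrings(sql) {
  return sql.replace(/'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g, "''");
}

// Functions named in the notes: load_file, pg_sleep (v0.21) and the
// blind-injection helpers ord, chr (v0.30).
const BLACKLISTED_FUNCTIONS = ["load_file", "pg_sleep", "ord", "chr"];
const BLACKLIST_RE = new RegExp(
  "\\b(" + BLACKLISTED_FUNCTIONS.join("|") + ")\\s*\\(", "i");

const RULES = [
  // v0.21: stacked queries, e.g. SELECT 123; SELECT 456;
  { name: "stacked_query", re: /;\s*(?:select|insert|update|delete|drop|create)\b/i },
  // v0.21: hex string representations, e.g. load_file(0x41424344)
  { name: "hex_string", re: /\b0x[0-9a-f]{2,}\b/i },
  // v0.21: version-number comments, e.g. /*!12345
  { name: "version_comment", re: /\/\*!\d{5}/ },
  // v0.21: numeric constant comparison, e.g. WHERE 8778 <> 8778
  { name: "constant_comparison", re: /\b\d+\s*(?:=|<>|!=)\s*\d+\b/ },
  // v0.21 / v0.30: blacklisted and blind-injection functions
  { name: "blacklisted_function", re: BLACKLIST_RE },
  // v0.30: UNION NULL column probing
  { name: "union_null", re: /\bunion\b(?:\s+all)?\s+select\s+null\b/i },
  // v0.40: INTO OUTFILE file write
  { name: "into_outfile", re: /\binto\s+outfile\b/i },
];

// Returns the names of all rules the query triggers; [] means no finding.
function detectSqli(sql) {
  const s = stripStrings(sql);
  return RULES.filter(r => r.re.test(s)).map(r => r.name);
}

// Constructed sample queries, taken from the notes' own examples plus one
// benign query whose only ";" sits inside a string literal.
const SAMPLES = [
  "SELECT 123; SELECT 456;",
  "SELECT load_file(0x41424344)",
  "SELECT 1 FROM dual WHERE 8778 <> 8778",
  "SELECT name FROM users WHERE id = 5 AND note = 'a; select 1'",
];
for (const q of SAMPLES) console.log(JSON.stringify(detectSqli(q)), "<-", q);
```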
Version 0.20
Chinese description
Breaking changes
- JS engine optimization
  - Replace Google V8 with Mozilla Rhino
  - Performance impact now reduced to 2% (worst case scenario)
- No longer supports the WebLogic application server
JS API changes
- Add a SQL tokenize method: `RASP.sql_tokenize`
- Add a SESSION modification method: `context.session.getSession / context.session.setSession`
- Only execute the `readFile` callback when the file exists
Hook point changes
- Add a WebDAV hook point that monitors HTTP `MOVE` and `COPY` operations
Logging changes (alarm logs)
- Added HTTP referer field
- Added a `request_id` field that uniquely identifies a request
- Added an `event_type` field to distinguish between alarm logs and security policy logs
- `attack_time` field now renamed to `event_time`
- The content of the `attack_params` field now changed to JSON format
  - An update to the ElasticSearch index mapping is required
New features
- Support HTTP alarm push notification
- Added `X-Protected-By: OpenRASP` to all responses
- Added support for Jetty, JBoss 5~6 platforms
- No longer throws an exception when an attack happens
  - Will redirect to a configurable URL
  - Default to https://rasp.baidu.com/blocked?request_id=XXXX
- Maximum stacktrace level now configurable via the `log.maxstack` option
- Application server hardening support (See here for details)
Algorithm improvements
- Add ability to detect common/commercial web vulnerability scanners
  - Disabled by default
- Release the SQLi detection algorithm #1
- Forceful browsing detection
- Added a `confidence` field in detection results
Other improvements
- XXE detection on JBoss: remove redundant JS callbacks
Version 0.13
Bug fixes:
- Remove unexpected alarm logs when the JavaScript engine encounters a runtime error
- Provide full JavaScript stack trace and runtime error message in plugin.log