OpenRASP: Protection against Vulnerabilities

Baidu Security X-Lab
Aug 20, 2019

OpenRASP is an open source, free adaptive security product released by Baidu Security, which cooperates closely with the internationally renowned non-profit security organization OWASP (Open Web Application Security Project). OpenRASP has joined the OWASP global technology projects and is being promoted worldwide. OpenRASP popularizes the emerging RASP (Runtime Application Self-Protection) technology, making it a critical weapon for enterprise web security and effectively adding depth and adaptability to the defense system's vulnerability protection. Because OpenRASP targets vulnerabilities directly inside the web application server, its protection capability is boosted drastically compared with a traditional WAF and similar products. OpenRASP has spread and matured rapidly through the open source community, solving the stability and compatibility issues that have long plagued commercial RASP products, and it has become the most widely used RASP solution in the industry.

Lately the demand for attack and defense drills has increased dramatically, and OpenRASP has been deployed in the production environments of many well-known companies. We would like to share some of the interesting scenarios we have seen in the real world.

№1 “It’s Not a Vulnerability, it’s a Feature.”

PM: I need to support complex queries with conditions and arbitrary field sorting.

R&D: Consider writing your own SQL statement?

A big financial institution deployed OpenRASP online, and it flagged a SQL injection vulnerability just 5 minutes after launch. Coincidence? We opened the event log, and the alerts looked like this (redacted version):

[Alert screenshot: SQL Query and Request Body]

Take the orderBydata parameter as an example: although the input carries no malicious payload at this point, the value 'end_time desc' can change the logic of the SQL statement, so OpenRASP detects it. Five similar SQL injections were also detected, and testing found no false positives.

Because the attack and defense drill had limited time, and given OpenRASP's excellent historical performance, the project lead proposed turning off vulnerability detection mode and turning on attack blocking.

PM: I need a function to be able to download attachments.

R&D: OK, you can download anything.

A large client deployed OpenRASP on its OA (office automation) system. After it went online, OpenRASP reported an arbitrary file download vulnerability. The alert detail shows:

[Alert screenshot: Alert Message, Read in File and Request Body]

This is a vulnerability in which files are downloaded by absolute path. Testing showed that the contents of the /etc/passwd file could be retrieved, so the vulnerability is real.

№2 Exploiting SQL injection with ../ payload

This one is interesting: its alert message reads “SQLi — SQL query structure altered by user input, request parameter name: size, value: ../../../../../../../proc/version”. At first glance this looks like a false positive; nobody has seen ../ used for SQL injection. The alert detail is as follows:

[Alert screenshot: SQL Query and Request Body]

Although SQL injection in a LIMIT clause is hard to exploit, the parameter really is not cast to an integer here, so the vulnerability exists. We are not sure who was scanning this, but they effectively found a vulnerability as a gift to our client.
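To make the two alerts concrete, here is an added example (not OpenRASP's own plugin code) of the token-spanning check behind a "SQL query structure altered by user input" alert, applied to constructed queries shaped like the orderBydata case in №1 and the LIMIT-clause case in №2; the SQL text and parameter names are assumptions.

```javascript
// Added example, not OpenRASP's own plugin code. A request parameter copied into
// the statement is harmless when it occupies exactly one SQL token (a number, an
// identifier, a quoted string); if it spans several tokens it has changed the
// statement's structure, which is what both alerts in the post report.

// Minimal SQL tokenizer: strings, comments, numbers, identifiers, punctuation.
function tokenizeSql(sql) {
  const re = /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|--[^\n]*|\/\*[\s\S]*?\*\/|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_]*|[^\s\w]/g;
  const tokens = [];
  let m;
  while ((m = re.exec(sql)) !== null) {
    tokens.push({ text: m[0], start: m.index, end: m.index + m[0].length });
  }
  return tokens;
}

// Number of tokens the parameter value overlaps where it occurs in the
// statement; 0 when the value does not occur in the statement at all.
function tokensSpannedByValue(sql, value) {
  if (value.length === 0) return 0;
  const pos = sql.indexOf(value);
  if (pos < 0) return 0;
  const end = pos + value.length;
  return tokenizeSql(sql).filter(t => t.start < end && t.end > pos).length;
}

// Check every request parameter against the statement about to be executed.
// Values shorter than minLen are skipped: a "1" that happens to occur somewhere
// in the SQL carries no signal and would only produce false positives.
function checkSqlParams(sql, params, minLen = 2) {
  const findings = [];
  for (const [name, raw] of Object.entries(params)) {
    const value = String(raw);
    if (value.length < minLen) continue;
    const tokens = tokensSpannedByValue(sql, value);
    if (tokens > 1) findings.push({ name, value, tokens });
  }
  return findings;
}

// Constructed samples mirroring the two alerts in the post (not the real queries).
const TRAVERSAL = "../".repeat(7) + "proc/version"; // the value from the №2 alert
const ORDER_BY_SQL = "SELECT id, name FROM orders WHERE status = 1 ORDER BY end_time desc";
const ORDER_BY_PARAMS = { status: "1", orderBydata: "end_time desc" };
const LIMIT_SQL = "SELECT * FROM items LIMIT 0, " + TRAVERSAL;
const LIMIT_PARAMS = { page: "0", size: TRAVERSAL };
const BENIGN_SQL = "SELECT * FROM items WHERE name = 'widget' ORDER BY id LIMIT 0, 10";
const BENIGN_PARAMS = { name: "widget", size: "10" };
```

checkSqlParams(ORDER_BY_SQL, ORDER_BY_PARAMS) reports orderBydata spanning two tokens, the LIMIT sample reports size spanning many, and the benign sample reports nothing.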

№3 WebLogic, fastjson 0day blocking

Lately 0days keep breaking out, and vendors' patching cannot keep up. Thanks to enthusiastic users in the open source community, we obtained the WebLogic 0day PoC for testing at the end of May and verified OpenRASP's protection capability.

For example, no matter how the patch is bypassed, whether through FileSystemXmlApplicationContext or UnitOfWorkChangeSet, as long as the command is executed through XMLDecoder, the stack always looks similar:

By inspecting the stack, OpenRASP can block the attack, as well as subsequent similar vulnerabilities, without any patching or upgrade. The protection mechanism for the fastjson 0day is similar: in testing, the command-execution payload delivered through @type was blocked.

№4 JSP defineClass back door

The most common one found during the test runs was the ‘Behinder’ dynamic webshell, whose JSP version implements its eval feature with a custom ClassLoader plus defineClass.

Because the traffic is AES-encrypted in both directions, it bypasses WAF and IDS effectively. However, OpenRASP, deployed inside the application, can still see the backdoor's operations (you can dump the whole operation log by installing the 999-event-logger plugin):

Similarly, we can identify the ‘Behinder’ webshell from the call stack of the command execution:

Therefore, no matter how the server-side JSP is transformed, as long as the client code does not change, we can detect the ‘Behinder’ dynamic webshell by checking the stack. The latest version of the detection plugin, 2019-0703-1600, already supports this protection.

Compared with a traditional WAF, OpenRASP fills a gap inside the data center (IDC): detecting lateral movement. When an attacker has broken through the firewall and uploaded a backdoor, and EDR has no matching file rule, OpenRASP can still detect the risk from the application's behavior. The current official OpenRASP plugin provides Algorithm 3 — Identify common pentest commands, which lets users audit command execution and identify unknown webshells on the server.
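As an added example (not OpenRASP's own plugin code) of the stack inspection described in №3 and №4, the function below lets a command-execution hook decide from the Java call stack whether to block. The frame lists, the package allow-list and the placeholder class names are constructed for illustration and are not the real gadget or webshell classes.

```javascript
// Added example, not OpenRASP's own plugin code. Stack frames are constructed;
// "com.placeholder.*" stands in for classes this example does not know.

// Rule 1: command execution reached through XMLDecoder is driven by XML
// deserialization, whichever gadget sits above it (FileSystemXmlApplicationContext,
// UnitOfWorkChangeSet, or the next patch bypass).
const XML_DESER_FRAMES = ["java.beans.XMLDecoder.readObject", "com.sun.beans.decoder."];

// Rule 2: a JSP page that reaches command execution through a class outside
// every package expected in this application points at a class defined at
// runtime (custom ClassLoader + defineClass), the 'Behinder' JSP pattern.
// "com.example.app." stands for the application's own packages (assumed).
const KNOWN_PACKAGES = ["java.", "javax.", "sun.", "jdk.", "org.apache.", "com.example.app."];

const isKnown = frame => KNOWN_PACKAGES.some(p => frame.startsWith(p));
const classOf = frame => frame.slice(0, frame.lastIndexOf("."));

// stack: innermost frame first, each as "fully.qualified.Class.method".
function inspectCommandStack(stack) {
  if (stack.some(f => XML_DESER_FRAMES.some(p => f.startsWith(p)))) {
    return { action: "block", reason: "command executed via XMLDecoder deserialization" };
  }
  const jspIdx = stack.findIndex(f => f.includes("_jsp._jspService"));
  if (jspIdx >= 0) {
    // Frames between the exec call and the JSP page that belong to no known package.
    const unknown = stack.slice(0, jspIdx).filter(f => !isKnown(f));
    if (unknown.length > 0) {
      return { action: "block", reason: "JSP ran command through unknown class " + classOf(unknown[0]) };
    }
  }
  return { action: "ignore", reason: "" };
}

// Constructed stacks for the three situations discussed in the post.
const WEBLOGIC_STACK = [
  "java.lang.ProcessBuilder.start", "java.lang.Runtime.exec",
  "com.sun.beans.decoder.DocumentHandler.endElement",
  "java.beans.XMLDecoder.readObject", "com.placeholder.Gadget.parse",
];
const BEHINDER_STACK = [
  "java.lang.ProcessBuilder.start", "java.lang.Runtime.exec",
  "com.placeholder.RuntimeDefined.run", // class loaded via defineClass
  "org.apache.jsp.index_jsp._jspService", "org.apache.jasper.runtime.HttpJspBase.service",
];
const LEGIT_STACK = [
  "java.lang.ProcessBuilder.start", "com.example.app.report.PdfExporter.render",
  "com.example.app.web.ReportServlet.doGet", "javax.servlet.http.HttpServlet.service",
];
```

Rule 2 deliberately stays quiet when a JSP calls Runtime.exec directly through JDK classes only; that case is what a command allow-list such as the plugin's Algorithm 3 covers.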

OpenRASP is an important component of Baidu's AIoT security solution and one of the core technologies of Baidu's next-generation AI security stack. From developing and open sourcing a new generation of security technologies, to providing integrated security solutions for the industry, to promoting collaboration between academia, enterprises and institutions, Baidu Security is building a security ecosystem for the AI era, breaking industry barriers and preventing ecosystem fragmentation, and thereby driving the development of the security industry with AI.

Today, with the sharp increase in demand for offense and defense, the most troublesome cases are outdated systems without source code and systems whose vulnerabilities cannot be fixed in time. In the financial industry especially, a large number of systems are outsourced developments or commercial proprietary systems. In such cases, consider deploying OpenRASP for protection. The practical experience of many users shows that OpenRASP's protection performance is excellent.

In addition, we are releasing a DevSecOps community edition based on RASP technology; later versions will include taint tracking support (accurate to the string index level, supporting PHP and Java). For our latest news and updates, please join the QQ technical discussion group 259318664.
