RASP practice analysis

Time: 2021-10-26

1、 Introduction to RASP

1. WAF

Introduction: a WAF detects attacks from the features of the request. A WAF or firewall is like the security guard at the door of a building: whoever wants to enter is inspected on the way in, anyone found carrying knives, guns, explosives, opium or marijuana is stopped, and everyone else is let through. Whatever you do after entering the building is not inspected again.

In recent years attacks have become more complex and their scope wider. The traditional protections, WAF and IDS (Intrusion Detection System), are mostly rule-based and can no longer meet the basic security needs of enterprises; matching every request against every rule also degrades server performance.

Product form: hardware, software, cloud.


2. RASP

Introduction: with RASP, every person entering the building gets a private bodyguard instead of only a security check at the entrance. Once you are inside, your every move is watched, and the moment you raise your fist to hit someone the bodyguard stops you as you swing.

Detection happens only at key points of request processing, rather than matching every request against every rule.

Product form: software that runs inside the application, is integrated with it, and monitors and blocks attacks in real time, so that the program gains the ability to protect itself.
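To make the difference concrete, here is a toy Python model (an added example, not OpenRASP's code; the function names and the sample requests are constructed) in which a WAF-style rule inspects the raw query string at the entrance, while a RASP-style hook inspects the value that actually reaches a command-execution sink:

```python
"""Toy model: WAF rule at the door vs. RASP hook at the dangerous call."""
import re
import shlex
from typing import Dict, List, Tuple

# Shell metacharacters that a rule might look for ('&' is left out because
# it also separates query parameters in the raw request).
SHELL_META = re.compile(r"[;|`$<>]")


def waf_check(raw_query: str) -> bool:
    """WAF view: one regex over the whole raw query string, checked once on
    entry, with no idea where each value will end up inside the app."""
    return bool(SHELL_META.search(raw_query))


class BlockedByRasp(Exception):
    """Raised by the hook when it intercepts the call."""


def rasp_guarded_shell(cmd: str, tainted: Dict[str, str]) -> List[str]:
    """RASP view: a hook wrapped around the command-execution sink.
    It blocks only when an untrusted request value is present in the final
    command AND carries shell syntax. Returns the argv that would be run
    (nothing is executed in this demo)."""
    for name, value in tainted.items():
        if value in cmd and SHELL_META.search(value):
            raise BlockedByRasp(f"parameter {name!r} injects shell syntax")
    return shlex.split(cmd)


def handle_request(params: Dict[str, str]) -> Tuple[str, str]:
    """Constructed handler: only 'file' is used to build a shell command;
    any other parameter (e.g. 'comment') is merely stored.
    Returns (waf_verdict, rasp_verdict) for the same request."""
    raw_query = "&".join(f"{k}={v}" for k, v in params.items())
    waf = "blocked" if waf_check(raw_query) else "allowed"
    try:
        rasp_guarded_shell(f"wc -l {params.get('file', '')}", params)
        rasp = "allowed"
    except BlockedByRasp:
        rasp = "blocked"
    return waf, rasp


if __name__ == "__main__":
    for req in ({"file": "report.txt"},
                {"file": "report.txt; id"},
                {"file": "report.txt", "comment": "see you; bye"}):
        print(req, "->", handle_request(req))
```

The third request shows the cost of rule matching at the door: the WAF blocks a harmless comment because it contains a semicolon, while the hook lets it through because that value never reaches the sink.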

2、 Function list

1. Which vulnerabilities RASP can detect

Attack type                  RASP support   WAF support
Cross-site scripting (XSS)   ✔              ✔
Command injection            ✔              ✔
ShellShock                   ✔              ✔
Unhandled exception          ✔              ❌
Missing Content-Type         ✔              ✔
Missing Accept header        ✔              ✔
Unsupported method           ✔              ✔
Vulnerability scanning       ✔              ✔
Method call failed           ✔              ❌
Sensitive data disclosure    ✔              ❌

3、 Competitive product analysis

Several domestic RASP vendors were surveyed; the comparison is shown in the figure below:

[Figure: comparison of domestic RASP vendors]

4、 Build process

Set up OpenRASP for a small test. First, build a vulnerable target application (a "shooting range") to test against.

1. Build the test environment

1. To simplify installation, use Docker:

    curl -sSL https://get.daocloud.io/docker | sh

2. Start a MySQL database in Docker:

    docker run --name mysqlserver -e MYSQL_ROOT_PASSWORD=123 -d -i -p 3309:3306  mysql:5.6

3. The target environment has been published as a Docker image, so it can be run directly without downloading anything in advance:

    docker run --name permeate_test --link mysqlserver:db -d -i -p 8888:80 -p 8086:8086 daxia/websafe:latest

4. Open http://localhost:8888 in a browser. The installation agreement page appears; click "I agree to this agreement", fill in the installation configuration, and set the database address to db (the link alias of the MySQL container). The MySQL root password was set to 123 when the database was installed, so enter 123 here as well. The pages look like this:

[Screenshots: installation pages]

2. Install OpenRASP

1. Install the Elasticsearch (ES) service:

    docker run --name elasticsearch -d -p 9200:9200 -p 9300:9300 elasticsearch:5.6

2. Install MongoDB:

    docker run -itd --name mongo -p 27017:27017 mongo 

3. Download rasp-cloud:

    wget https://packages.baidu.com/app/openrasp/release/latest/rasp-cloud.tar.gz

4. Edit the configuration file and replace 127.0.0.1 with the IP address of the host:

    vim rasp-cloud-2021-02-07/conf/app.conf


5. Start the management backend:

    ./rasp-cloud-2021-02-07/rasp-cloud -d

6. Open the management backend in a browser:

    http://172.26.81.233:8086/


7. Click "Add host", then select your language to download the agent installation package. The target here is PHP, so choose PHP server.

Download the PHP installation package:

    curl https://packages.baidu.com/app/openrasp/release/1.3.6/rasp-php-linux.tar.bz2 -o rasp-php-linux.tar.bz2
    tar -xvf rasp-php-linux.tar.bz2
    cd rasp-*/

Run install.php:

    ./install.php

The default installation path is /opt/rasp; it can be changed with -d. The app id, app secret and backend URL come from the management backend:

    php install.php -d /opt/rasp --heartbeat 90 --app-id c0c523ce311cef92c6f3e9eee306777c99010ce7 --app-secret 0njm1mPafaCGV3cyY15BnOauu4BeqqlC62auGpU8uJk --backend-url http://172.26.81.223:8086/

Restart PHP-FPM or the Apache server:

    service php-fpm restart

    apachectl -k restart


5、 Practical cases

The target has now been added successfully. Next, simulate an attacker hitting the target and test OpenRASP's protection. Here I use Burp Suite to scan the target; the figure below shows it reporting XSS (cross-site scripting), plaintext password transmission and SQL injection.

[Screenshot: Burp Suite scan results]

OpenRASP recorded 3334 attack records:

[Screenshot: OpenRASP attack records]

The vulnerabilities it intercepted can be seen in the vulnerability list:

[Screenshot: vulnerability list]

By default only the protection plugin is installed; you can also download the IAST interactive scanning plugin.


Author: Chen Ting

Release time: March 21, 2021