OpenRASP 0.20 released


OpenRASP

Oct 26, 2017, 8:27:58 PM
to OpenRASP

https://github.com/baidu/openrasp/releases/tag/v0.20


Breaking changes

  • JS engine optimization
    • Replace Google V8 with Mozilla Rhino
    • Performance impact now reduced to 2% (worst case scenario)
  • No longer support the WebLogic application server

JS API changes

  • Add a SQL tokenize method: RASP.sql_tokenize
  • Add a SESSION modification method: context.session.getSession / context.session.setSession
  • Only execute the readFile callback when the file exists

Hook point changes

  • Add a WebDAV hook point that monitors HTTP MOVE and COPY operations

Logging changes (alarm logs)

  • Added HTTP referer field
  • Added a request_id field that uniquely identifies a request
  • Added an event_type field to distinguish between alarm logs and security policy logs
  • attack_time field now renamed to event_time
  • The content of attack_params field now changed to JSON format
    • An update to the ElasticSearch index mapping is required

New features

  • Support HTTP alarm push notification
  • Added X-Protected-By: OpenRASP to all responses
  • Added support for the Jetty and JBoss 5~6 platforms
  • No longer throws exception when an attack happens
  • Maximum stacktrace level now configurable via the log.maxstack option
  • Application server hardening support (See here for details)

Algorithm improvements

  • Add ability to detect common/commercial web vulnerability scanners
    • Disabled by default
  • Release the SQLi detection algorithm #1
  • Forceful browsing detection
  • Added a confidence field in detection results

Other improvements

  • XXE detection on JBoss: remove redundant JS callbacks