Tornado Demo Vulnerable Application to test SQL injection vulnerability and patch it using RASP (Runtime Application Self-Protection)
Note: This is just a prototype design developed to explore the RASP concept and this code will not be available in my github repository. For more information, please do more research on RASP.
Requirement:
- Python 2.x & 3.x
- Demo Tornado Vulnerable Application:
- RASP: Support Python 3.x only
- Database: SQLite for Vulnerable App & RASP rules
Note: We have developed a small demo Tornado vulnerable application to demonstrate SQL Injection Vulnerability Check Here
How RASP works with Demo Vulnerable App?
Instrumenting or Monkey Patching: A Simple Dynamic Instrumentation Agent which monkey patch the DbApi2 library before it get imported as a module in the application. Whenever user enter input to the application which have interaction with database layer to fetch user data. Instrumentation agent will act as proxy for execute() method to extract the query statement. RASP agent will extract the Query from the execute method call
Example: Query = SELECT * from users where userid=1
Lexer Analysis and Token Generation: Using Lexical analysis concept, we are generating token for the Query extracted from the execute() method.
Example: Using Lexer we convert the query from above example into token Token = [‘KEYWORD’, ‘WHITESPACE’, ‘OPERATOR’, ‘WHITESPACE’, ‘KEYWORD’, ‘WHITESPACE’, ‘STRING’, ‘WHITESPACE’, ‘KEYWORD’, ‘WHITESPACE’, ‘STRING’, ‘OPERATOR’, ‘NUMBER’]
Learning Mode: We will run RASP in Learning mode to make it understand the application context by provided enough data from user UI.
RASP Rule: While RASP running in learning mode, it will automatically create a new SQL rule based on the applicatiton context and store the rules into separate database i.e rules.db
Threshold: Once RASP is reach the threshold limit to create new rules or no application context. Then it will not create no more rules to insert into rules database in learning mode.
Note: In my RASP Model, threshold limit for rules to insert into rules.db is 2 for demo purpose. so only two rules are allowed in rules database.
Now, RASP agent have have the enough rules to make logically decision to block SQL injection attack. Check the below video to see how it works.