INJECTING RASP (RUNTIME APPLICATION SELF PROTECTION) INTO DEMO PHP VULNERABLE APPLICATION

Summary:

Before going further please understand how RASP works or watch my previous video about RASP (Runtime Application Self Protection) Security in Python [Here]. This blog is to give overview how the RASP Model work with php application and how it block SQL Injection by understading the aplication context.

Note: This is just a prototype design developed to explore the RASP concept and this code will not be available in my github repository. For more information, please do more research on RASP.

Requirement:

  • PHP 5.6.x to 7.x
  • Demo Vulnerable PHP Application
  • Database: Mysql for Vuln App
  • RASP Rule (Redis for better preformance)

Note: We have developed a small vulnerable PHP application to demonstrate SQL Injection Vulnerability Check [Here]

How it works?

Instrumenting or Monkey Patching: A Simple Dynamic Instrumentation Agent which monkey patch the SQL module before it get imported as a module in the application. Whenever user enter input to the application which have interaction with database layer to fetch user data. Instrumentation agent will act as proxy to extract the query statement.

Lexer Analysis and Token Generation: Once the Query is extracted and processed into lexer analysis, it will generate a token structure for the query.

Redis: Generated token structure are insert into redis as SQL Rule in RASP Database.

Protection Mode Once RASP understand the application context and enough rules to make logically decision to run it in protection mode. Then it will start understanding the user input context with RASP rule to block SQL injectiton attacks.

Test Scenario

  1. Running demo vulnerable application without RASP Protection:

    Result: SQL Injection is possible and able to fetch user data from database.

  2. Running demo vulnerable application with RASP:

    • Threshold: Set the threshold limit for sql rule depend up on the application
    • Learning mode: Run RASP in learning mode to make it understand the appication context (user input structure) for the application.
    • Protection Mode: Once RASP have enough rule and application context data from user. RASP will automatically run in protection mode to block SQL injection attack based on the rules.

Demo Video


Reference:

  1. [FOS] RASP (Runtime Application Self Protection) Security
  2. Demo Vulnerable App
  3. Kali