Release 1.2.1

中文说明
国内下载

New features

General changes

• User can customize RASP ID by adding --rasp-id (PHP) / -rasp-id (JAVA) parameter during installation

Management panel

• Multiple UI enhancements

Java agent

• Add partial support of TongWeb application server
• Simplified installation procedure of JBoss 7 and above
• Add HSQL hooks
• Add CPU limit support

Plugin system

• Add environment information to command execution callbacks
• Fixed a potential false positive in command_reflect algorithm

Bug fixes

General fix

• Add agent re-registration support to prevent accidental removal of existing agent

Java Agent

• Multiple bug fixes

PHP Agent

• Multiple bug fxies

Release 1.2.0

中文说明
国内下载

Breaking changes

• Removed enforce_policy from config options
• Removed monitoring of MySQL duplicated key error

New features

General changes

• Automatically synchronize server hostnames
• Add detection of containers, stored in host_type field

Plugin system

• Add requestEnd checkpoint
• Add RASP.request method
• Add RASP.agent_version field
• Add context.requestId and many other fields
• Add dest_path/dest_realpath field to fileUpload checkpoint (PHP only)
• Add monitoring of loadLibrary events

PHP agent

• Add eval/assert hooks

Java agent

• Improved XSS detection algorithm on Tomcat servers
• Add validation of requestEnd/request.getParameterMap hooks

RASP Installer

• Add support of Tomcat installed via yum
• Add partial support of SpringBoot servers

Bug fixes

Java agent

• Added support of JRockit JDK (32/64)
• Fixed a compatibility issue with org.elasticsearch.client.RestClient
• Fixed a XXE compatibility issue with taglib
• Removed V8 library execstack warning

v1.1.2

中文说明
国内下载

General changes

Administration panel

• Add API to export agent list
• Multiple UI enhancements

Java agent

• Add connection timeout in syslog related operations
• Fixed a recursive ProcessBuilder call when hostname is not associated in /etc/hosts

Version 1.1.1

中文说明
国内下载

General changes

Administration panel

• Enable gzip compression
• Multiple user-experience enhancement

Java agent

• Synchronize all V8 exception logs to rasp.log

Version 1.1

中文说明
国内下载

Breaking changes

General changes

• Upgrade Google V8 to v7.2
• Reduced memory usage by replacing ANTLR4 with Flex

PHP agent

• Removed pcre dependency
• Replaced libstdc++ with libc++
• Add Thread-Safety edition in binary releases

Java agent

• Replace Mozilla Rhino with OpenRASP-v8 component
• Removed native implementation of SQLi/SSRF detection algorithm
• Temporarily disabled support of JRockit JDK.
  • WebLogic 10.3.6 still works with Oracle JDK, aka export JAVA_VENDOR=Sun

JavaScript plugin system

• Removed console coloring support

New features

General changes

• Add monitoring of MySQL authentication failure
• Add detection of weak password for database connections

Java agent

• Add a new algorithm xxe_disable_entity

Version 1.0

中文说明
国内下载

Breaking changes

General changes

• Add header field in alarm logs, existing duplicated fields are removed
• Configuration file format changed from toml to yaml
• Only add Location header when HTTP response code is set to 302

Management panel

• Configuration item AgentServerURL and PanelServerURL moved to management panel

PHP agent

• Disabled fswatch in binary releases. Recompile with --enable-fswatch to enable it.
• Replaced rapidjson library with nlohmann/json
• Disable security baseline in cli mode

Java agent

• Removed rasp-log4j.xml from startup command-line arguments

New features

General changes

• Add support of JSON parameter to security plugins
• Add support of application hardening, e.g Click jacking, reflected XSS
• Add support of code decompilation

PHP agent

• Add support of PHP 7.3

Java agent

• Add support of SpringBoot (Undertow) server
• Add support of WebLogic application server
• Add support of JBoss application server (6.X - 8.X)
• Add support of JDK 11
• Collect OS environment information
• Add experimental support of ATTACH method, only installation and uninstallation is supported

Management panel

• Multiple UX enhancement

Algorithm improvements

Security baseline

• Detect empty password in Tomcat management panel

SQLi

• Detect SQL exception in applications, e.g syntax error

SSRF

• Add target port information

File Upload

• Add multipart parameter name information

WebShell

• Block LD_PRELOAD based webshell

Deserialization

• Block JNDI based reflected command execution

Version 1.0.0 RC1

中文说明

New features

Java agent

• Add hooks of okhttp/okhttp3 library

General improvements

• Add remote management capability
• Add tag field in syslog output
• Added native LRU implementation
  • Effective for sql, ssrf, readFile, writeFile hooks only

Breaking changes

PHP agent

• Finally removed support of Windows server

Algorithm improvements

Command injection

• Add a simple Bash/CMD parser to detect command injection attacks
• Block JBoss EL based command execution attacks

Bug fixes

Java agent

• Fix a null pointer exception in Dubbo RPC hook

PHP agent

• Fix a segfault in PHP mysql session handler

Version 0.50

中文说明

New features

Java

• Add support of WebSphere server (8.5, 9.0)

General changes

• Add algorithm field in alarm logs, make it easier to identify the algorithm in action

Version 0.42

中文说明

Breaking changes

• No longer monitor SQL slow queries
• Dubbo RPC parameter name changed from openrasp-dubbo-X to dubbo-X

New features

• Add request_method field in alarm logs

Bug fixes

• Fixed the No modifications are allowed to a locked ParameterMap error in certain Tomcat versions

Algorithm improvements

Rename

• Resolved a potential false positive in rename_webshell algorithm

Deserialization

• Add detection of commons.collections4 payload

Version 0.41

中文说明

Breaking changes

Java Agent

• Configuration item block.url renamed to block.redirect_url and added template support

PHP agent

• Configuration item openrasp.block_url renamed to openrasp.block_redirect_url and added template support
• Ignored PHP timezone settings in all kind of logs
  • Replaced with system time
• Removed the builtin webshell_include hook

JS API

• Added token start/stop index to RASP.sql_tokenize method
• For Java agent, appBasePath now point to application deployment folder, e.g /tomcat/webapps/vulns

New features

Java agent

• Add more security baseline validation for JBoss
  • Check if authentication for /jmx-console/HTMLAdaptor is enabled
• When an attack is blocked and the client is expecting output in JSON/XML format, OpenRASP can serve a customized content
  • Template configurable via block.content_xml and block.content_json
• Added new configuration item plugin.filter
  • Effective for include/rename/readFile hooks only
  • When it's on, OpenRASP won't execute JS plugin when the target file does not exist
  • Enabled by default
• Added a new field client_ip in alarm logs
  • Represents the real IP address of the client
  • Retrieved from user specified HTTP header, e.g X-Client-IP
  • Configurable via clientip.header

PHP agent

• User can disable all hooks by adding openrasp.hooks_ignore=all in php.ini
• Added a new field client_ip in alarm logs, similar to Java agent
  • configurable via openrasp.clientip_header
• Added a new configuration item openrasp.plugin_filter, similar to Java agent
• Added two new configuration items openrasp.block_content_json and openrasp.block_content_xml, similar to Java agent

Algorithm improvements

SSRF

• Block more potentially dangerous protocol, e.g netloc://, jar://

SQLi

• Re-implemented LRU algorithm with linked list, improves performance

Path traversal

• Add a new algorithm: check if the filename ends with userinput and contains path traversal signature

XXE

• Filtered out entity files with .dtd/.xml extension

Rename

• Filtered out source files with no normal extension

File write

• writeFile_script algorithm now disabled by default

SQL slow query

• Now disabled by default

Bug fixes

PHP agent

• Fixed an ISSUE where array_filter hook does not process the parameter correctly
• Alarm logs: add hostname in the URL field