mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00

# API Reference: Implementing Runtime Application Self-Protection

## OpenRASP Deployment

```bash
# Java agent attachment (Tomcat)
export CATALINA_OPTS="-javaagent:/opt/rasp/rasp.jar"

# Spring Boot
java -javaagent:/opt/rasp/rasp.jar -jar app.jar

# Verify agent loaded
curl -s http://localhost:8080/rasp/status
```

## OpenRASP Configuration (rasp.yaml)

```yaml
# Detection plugin settings
plugin:
  timeout: 100    # Plugin execution timeout (ms)
  maxstack: 100   # Max stack frames to capture

# Block vs monitor mode
block:
  status_code: 302    # HTTP status on block
  redirect_url: /blocked.html

# Log settings
log:
  maxstack: 50
  syslog:
    enable: true
    url: "udp://siem.example.com:514"
    tag: openrasp
```

## Detection Hooks

| Hook Point | Attack Type | OWASP |
|------------|-------------|-------|
| sql_query | SQL Injection | A03:2021 |
| command_exec | OS Command Injection | A03:2021 |
| file_open / file_read | Path Traversal | A01:2021 |
| http_request | SSRF | A10:2021 |
| xml_parse | XXE | A05:2021 |
| deserialize | Insecure Deserialization | A08:2021 |
| response_write | XSS (reflected) | A03:2021 |
| ldap_query | LDAP Injection | A03:2021 |
| code_eval | Remote Code Execution | A03:2021 |

## Attack Log Format (JSON)

```json
{
  "attack_type": "sqli",
  "action": "block",
  "client_ip": "192.168.1.50",
  "request_url": "/api/users?id=1 OR 1=1",
  "attack_params": {"id": "1 OR 1=1"},
  "stack_trace": "com.app.UserDAO.findById(UserDAO.java:42)",
  "plugin_name": "sql_injection",
  "timestamp": "2025-06-15T10:30:00Z"
}
```

## RASP vs WAF Comparison

| Feature | WAF | RASP |
|---------|-----|------|
| Inspection point | Network perimeter | Inside application |
| Context | HTTP request only | Request + execution context |
| False positive rate | Higher | Near-zero |
| Encrypted traffic | Requires TLS termination | Sees plaintext |
| Deployment | Network device/proxy | Application library |

## Python RASP (Flask Middleware Example)

```python
import re

from flask import Flask, abort, request

app = Flask(__name__)

# Crude signature: a SQL verb followed somewhere later by a clause keyword.
SQL_INJECTION_PATTERN = re.compile(
    r"(\b(union|select|insert|update|delete|drop|alter)\b.*\b(from|into|table|set)\b)",
    re.IGNORECASE,
)


@app.before_request
def rasp_check():
    # Inspect every query-string and form value; multi=True keeps repeated keys
    # (request.values.values() would return only the first value per key).
    # This looks at request parameters only, without execution context.
    for _key, value in request.values.items(multi=True):
        if SQL_INJECTION_PATTERN.search(str(value)):
            abort(403, description="RASP: SQL injection blocked")
```

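The Flask middleware above only pattern-matches request parameters, which is what a WAF does. The following added example (not code from the original page or from OpenRASP) shows the sql_query hook point from the table with execution context instead: the statement is inspected at execution time and flagged only when a request parameter containing SQL syntax appears verbatim in the SQL text, which a bound parameter never does. It records events in the attack-log shape shown above. The `RaspSqlHook` wrapper, the `contextvars`-based request context, the sqlite3 in-memory table and the `198.51.100.7` client IP are all assumptions constructed for the demo.

```python
import contextvars
import datetime
import re
import sqlite3

# Per-request context; a real agent takes this from the servlet/WSGI request.
_current_request = contextvars.ContextVar("rasp_request", default=None)
# A parameter is suspicious when it carries SQL syntax AND appears verbatim in the
# statement text: bound parameters never do, so a hit means it was concatenated.
SQL_TOKEN = re.compile(r"(--|;|/\*|'|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)


class RaspBlocked(Exception):
    pass


class RaspSqlHook:
    # Wraps a DB-API connection and inspects every statement at the sql_query point
    def __init__(self, conn, mode="block"):
        self.conn, self.mode, self.events = conn, mode, []

    def _inspect(self, sql):
        req = _current_request.get()
        for name, value in (req["params"] if req else {}).items():
            if len(value) >= 4 and value in sql and SQL_TOKEN.search(value):
                event = {"attack_type": "sqli", "action": self.mode,
                         "client_ip": req["client_ip"], "request_url": req["url"],
                         "attack_params": {name: value}, "plugin_name": "sql_injection",
                         "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat()}
                self.events.append(event)  # same shape as the attack log above
                if self.mode == "block":
                    raise RaspBlocked(event)

    def execute(self, sql, params=()):
        self._inspect(sql)
        return self.conn.execute(sql, params)


def run_request(hook, user_id, parameterized):
    # One simulated request (constructed sample data); the app either binds or splices
    _current_request.set({"client_ip": "198.51.100.7",
                          "url": f"/api/users?id={user_id}", "params": {"id": user_id}})
    if parameterized:
        cur = hook.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    else:
        cur = hook.execute(f"SELECT name FROM users WHERE id = {user_id}")
    return [row[0] for row in cur.fetchall()]


def make_hook(mode="block"):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return RaspSqlHook(conn, mode)
```

In monitor mode the same payload is logged but still executed, which is how a deployment is usually tuned before switching `block` on.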
### References

- OpenRASP: https://github.com/baidu/openrasp
- OWASP RASP: https://owasp.org/www-community/Runtime_Application_Self-Protection
- NIST AppSec: https://csrc.nist.gov/publications/detail/sp/800-95/final