Priyanka Aash, profile picture
Uploaded byPriyanka Aash
1,203 views

Technical Architecture of RASP Technology

Ajin Abraham discusses the importance of integrating security into web applications through Runtime Application Self-Defense (RASP) and highlights issues with existing Web Application Firewalls (WAFs). The presentation covers the challenges faced in secure coding, vulnerabilities introduced by frameworks, and the benefits of RASP, including improved detection and prevention of attacks without significant code modifications. Abraham emphasizes that the future of web application security lies in proactive, context-aware solutions rather than traditional blacklist-based methods.

Embed presentation

SECURITY ENGINEER AJIN ABRAHAM INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
ā–ø Security Engineering @ ā–ø Research on Runtime Application Self Defence ā–ø Authored MobSF, Xenotix and NodeJSScan ā–ø Teach Security: https://opsecx.com ā–ø Blog: http://opensecurity.in #WHOAMI
AGENDA : WHAT THE TALK IS ABOUT? RASP WAF WHAT THE TALK IS NOT ABOUT?
APPSEC CHALLENGES ā–ø Writing Secure Code is not Easy ā–ø Most follows agile development strategies ā–ø Frequent releases and builds ā–ø Any release can introduce or reintroduce vulnerabilities ā–ø Problems by design. ā€Ø Ex: Session Hijacking, Credential Stufļ¬ng
STATE OF WEB FRAMEWORK SECURITY ā–ø Automatic CSRF Token - Anti CSRF ā–ø Templates escapes User Input - No XSS ā–ø Uses ORM - No SQLi You need to use secure APIs or write Code to ā€Ø enable some of these Security Bugs happens when people write bad code.
STATE OF WEB FRAMEWORK SECURITY ā–ø Anti CSRF - Can easily be turned off/miss conļ¬gurations ā–ø Templates escapes User Input - Just HTML Escape -> XSS ā–ø https://jsļ¬ddle.net/1c4f271c/ ā–ø Uses ORM - SQLi is still possible ā–ø http://rails-sqli.org/
STATE OF WEB FRAMEWORK SECURITY ā–ø Remote OS Command Execution - No ā–ø Remote Code Injection - No ā–ø Server Side Template Injection RCE - No ā–ø Session Hijacking - No ā–ø Verb Tampering - No ā–ø File Upload Restriction - No The list goes onā€¦..
WE NEED TO PREVENT EXPLOITATION LETā€™S USE WAF
ā–ø First WAF AppShield in 1999, almost 18 years of existence ā–ø Quick question : How many of you run a WAF in defence/ protection mode? ā–ø Most organisations use them, but in monitor mode dueā€Ø high rate false positives. ā–ø Most WAFs use BLACKLISTS CAN A WAF SOLVE THIS? 20% 70% 10% False Negatives False Positive Detection
APPLICATION SECURITY RULE OF THUMB Gets bypassed, today or tomorrow
WHAT WAF SEES? ATTACK != VULNERABILITY
HOW WAF WORKS ā–ø The strength of WAF is the blacklist ā–ø They detect Attacks not Vulnerability ā–ø WAF has no application context ā–ø Doesnā€™t know if a vulnerability got exploited insideā€Ø the app server or not. WAFGET http://xyz.com APP SERVER HTTP REQUEST HTTP RESPONSE
ā–ø How long they keep on building the black lists? ā–ø WAFs used to downgrade your security. ā–ø No Perfect Forward Secrecy ā–ø Canā€™t Support elliptic curves like ECDHE ā–ø Some started to support with a Reverse Proxy ā–ø Organisations are moving to PFS (Heartbleed bug) ā–ø SSL Decryption and Re-encryption Overhead WAF PROBLEMS
TLS 1.3 COMING SOON ā€¦.
SO WHATā€™S THE IDEAL PLACE FOR SECURITY? REQUEST RESPONSE APP SERVER APP SERVER CORE SECURITY LAYER
We can do much better.ā€Ø Itā€™s time to evolve WAF - > SAST -> DAST -> IAST -> RASP Attack Detection ā€Ø &ā€Ø Prevention/Neutralizationā€Ø +ā€Ø Precise ā€Ø Vulnerability Detectionā€Ø +ā€Ø Extras Attack Detection ā€Ø &ā€Ø Prevention Vulnerability Detection Precise ā€Ø Vulnerability Detection
RUNTIME APPLICATION SELF DEFENCE ā–ø Detect both Attacks and Vulnerability ā–ø Zero Code Modiļ¬cation and Easy Integration ā–ø No Hardware Requirements ā–ø Apply defence inside the application ā–ø Have Code Level insights ā–ø Fewer False positives ā–ø Inject Security at Runtime ā–ø No use of Blacklists
TYPES OF RASP ā–ø Pattern Matching with Blacklist - Old wine in new bottle (Fancy WAF) ā–ø Dynamic Tainting - Good but Performance over head ā–ø Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Speciļ¬c (JVM) ā–ø Code Instrumentation and Dynamic Whitelist - Good, but speciļ¬c to Frameworks, Developer deployed
FOCUS OF RESEARCH ā–ø Other AppSec Challenges ā–ø Preventing Verb Tampering ā–ø Preventing Header Injection ā–ø File Upload Protection ā–ø Ongoing Research ā–ø Preventing Session Hijacking ā–ø Preventing Layer 7 DDoS ā–ø Credential Stufļ¬ng ā–ø RASP by API Instrumentationā€Ø and Dynamic Whitelist ā–ø Securing a vulnerable Python ā€Ø Tornado app with Zero Code change. ā–ø Code Injection Vulnerabilities ā–ø Preventing SQLi ā–ø Preventing RCE ā–ø Preventing Stored & Reļ¬‚ected XSS ā–ø Preventing DOM XSS
RASP BY API INSTRUMENTATION AND DYNAMIC WHITELIST ā–ø MONKEY PATCHING ā–ø LEXICAL ANALYSIS ā–ø CONTEXT DETERMINATION
MONKEY PATCHING ā–ø Also know as Runtime Hooking and Patching of functions/ methods. ā–ø https://jsļ¬ddle.net/h1gves49/2/
LEXICAL ANALYSIS AND TOKEN GENERATION ā–ø A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code. ā–ø Lexical analyzer generates error if it sees an invalid token.
LEXICAL ANALYSIS AND TOKEN GENERATION SYNTAX TOKEN int KEYWORD value IDENTIFIER = OPERATOR 100 CONSTANT ; SYMBOL INPUT: int value = 100;//value is 100 Normal Lexer SYNTAX TOKEN int KEYWORD WHITESPACE value IDENTIFIER WHITESPACE = OPERATOR WHITESPACE 100 CONSTANT ; SYMBOL //value is 100 COMMENT Custom Lexer
CONTEXT DETERMINATION HTML PARSER HTML CODE DOM TREE
PREVENTING CODE INJECTION VULNERABILITIES Interpreter cannot distinguish between ā€Ø Code and Data Solve that and you solve the code injection problems
PREVENTING CODE INJECTION VULNERABILITIES ā–ø Preventing SQL Injection ā–ø Preventing Remote OS Command Execution ā–ø Preventing Stored & Reļ¬‚ected Cross Site Scripting ā–ø Preventing DOM XSS
SQL INJECTION SELECT * FROM <user_input>
SQL INJECTION : HOOK SQL Execution APIā€Ø cursor.execute(ā€˜SELECT * FROM logsā€˜)
SQL INJECTION : LEARN SELECT * FROM logs SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING
SQL INJECTION : PROTECT SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING WHITESPACE AND KEYWORD WHITESPACE DROP KEYWORD WHITESPACE TABLE KEYWORD WHITESPACE admin STRING SELECT * FROM logs AND DROP TABLE admin
SQL INJECTION : PROTECT KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING Rule for Context: SELECT * FROM <user_input> SELECT * FROM logs SELECT * FROM history SELECT * FROM logs AND DROP TABLE admin KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING ā€Ø WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
DEMO
REMOTE OS COMMAND INJECTION ping -c 3 <user input>
REMOTE OS COMMAND INJECTION : HOOK Command Execution APIā€Ø os.system(ping -c 3 127.0.0.1)
REMOTE OS COMMAND INJECTION : LEARN ping -c 3 127.0.0.1 SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN
REMOTE OS COMMAND INJECTION : PROTECT ping -c 3 127.0.0.1 & cat /etc/passwd SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN WHITESPACE & SPLITTER WHITESPACE cat EXECUTABLE WHITESPACE /etc/passwd UNIX_PATH
REMOTE OS COMMAND INJECTION : PROTECT EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN Rule for Context: ping -c 3 <user_input> ping -c 3 127.0.0.1ā€Ø ping -c 3 google.com ping -c 3 127.0.0.1 & cat /etc/passwd ā€Ø EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAINā€Ø WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
DEMO
CROSS SITE SCRIPTING <body><h1>hello {{user_input1}} </h1></body>ā€Ø <script> var x=ā€˜{{user_input2}}ā€™;</script>
CROSS SITE SCRIPTING : HOOK Template Rendering APIā€Ø ā€Ø template.render(ā€œ<body><h1>hello {{user_input1}}ā€Ø </h1></body><script> var x=ā€˜{{user_input2}}ā€™;ā€Ø </script>ā€œ, user_input1, user_input2)
CROSS SITE SCRIPTING : CONTEXT DETERMINATION Parsing the DOM Tree <body><h1>hello {{user_input1}}ā€Ø </h1></body><script> var x=ā€˜{{user_input2}}ā€™;ā€Ø </script> HTML_CONTEXT JAVASCRIPT_VALUE_CONTEXT
CROSS SITE SCRIPTING : PROTECT <body><h1>hello {{user_input1}} </h1></body>ā€Ø <script> var x=ā€˜{{user_input2}}ā€™;</script> <body><h1>hello World </h1></body>ā€Ø <script> var x=ā€˜Hello Worldā€™;</script> user_input1 = ā€œWorldā€ā€Ø user_input2 = ā€œHello Worldā€
CROSS SITE SCRIPTING : PROTECT <body><h1>hello &lt;script&gt;alert(0)&lt;/ script&gt; </h1></body>ā€Ø <script> var x=ā€˜';alert(0);//x3C/scriptx3Eā€™;</ script> user_input1 = ā€œ<script>alert(0)</script>ā€ā€Ø user_input2 = ā€œā€˜;alert(0);//</script>ā€
DEMO
PREVENTING DOM XSS https://jsļ¬ddle.net/vno23woL/3/ ā–ø Inject Security into JavaScript Frameworks ā–ø Common JavaScript Frameworks - jQuery, AngularJS, MustacheJS etcā€¦ ā–ø DOMPurify - https://github.com/cure53/DOMPurify ā–ø jPurify - https://github.com/cure53/jPurify
ON GOING RESEARCH ā–ø Preventing Session Hijacking ā–ø Preventing Layer 7 DDoS ā–ø Credential Stufļ¬ng
THE RASP ADVANTAGES ā–ø Accurate and Precise in Vulnerability Detection & Prevention ā–ø Code Level Insight (Line no, Stack trace) ā–ø Not based on Heuristics - Zero/Negligible False Positives ā–ø No SSL Decryption and Re-encryption overhead ā–ø Doesnā€™t Downgrade your Security ā–ø Preemptive security - Zero Day protection ā–ø Zero Code Change and easy integrationā€Ø ā€Ø pip install rasp_moduleā€Ø import rasp_module
BIGGEST ADVANTAGE Now you can deploy it on protection mode
CHARACTERISTICS OF AN IDEAL RASP ā–ø Ideal RASP should have minimal Performance impact ā–ø Should not introduce vulnerabilities ā–ø Must not consume PII of users ā–ø Should not learn the bad stuff ā–ø Should be a ā€œreal RASPā€ not a fancy WAF with Blacklist. ā–ø Minimal Conļ¬guration and Easy deployment
THATā€™S ALL FOLKS! ā–ø Thanks to ā–ø Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Laveryā€Ø (Team IMMUNIO inc). ā–ø Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek ā€Ø (Team Yodlee Security Ofļ¬ce - YSO) ā–ø Due Credits ā–ø Graphics/Image Owners @ajinabraham ajin25@gmail.com

More Related Content

PDF
Introduction to Serverless with AWS Lambda
byOmar Fathy
Ā 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
byJeff Williams
Ā 
PPTX
SASćØHadoopćØć®é€£ęŗ
bySAS Institute Japan
Ā 
PDF
Laravel - The PHP Framework for Web Artisans
byWindzoon Technologies
Ā 
PPTX
Web api
bySudhakar Sharma
Ā 
PDF
Laravel presentation
byToufiq Mahmud
Ā 
PDF
Spring boot introduction
byRasheed Waraich
Ā 
PPTX
Technical overview of Azure Cosmos DB
byMicrosoft Tech Community
Ā 
Introduction to Serverless with AWS Lambda
byOmar Fathy
Ā 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
byJeff Williams
Ā 
SASćØHadoopćØć®é€£ęŗ
bySAS Institute Japan
Ā 
Laravel - The PHP Framework for Web Artisans
byWindzoon Technologies
Ā 
Web api
bySudhakar Sharma
Ā 
Laravel presentation
byToufiq Mahmud
Ā 
Spring boot introduction
byRasheed Waraich
Ā 
Technical overview of Azure Cosmos DB
byMicrosoft Tech Community
Ā 

What's hot

PPTX
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
Ā 
PDF
Messaging queue - Kafka
byMayank Bansal
Ā 
PPTX
Pentesting ReST API
byNutan Kumar Panda
Ā 
PDF
ķšØģœØģ ģø ė¹…ė°ģ“ķ„° ė¶„ģ„ ė° ģ²˜ė¦¬ė„¼ ģœ„ķ•œ Glue, EMR ķ™œģš© - ź¹€ķƒœķ˜„ ģ†”ė£Øģ…˜ģ¦ˆ ģ•„ķ‚¤ķ…ķŠø, AWS :: AWS Summit Seoul 2019
byAmazon Web Services Korea
Ā 
PPT
Pentest Application With GraphQL | Null Bangalore Meetup
byDivyanshu
Ā 
PPTX
Azure Functionsļ¼†Logic App恧ćÆć˜ć‚ć‚‹ć‚µćƒ¼ćƒćƒ¬ć‚¹ć‚¢ćƒ—ćƒŖć‚±ćƒ¼ć‚·ćƒ§ćƒ³é–‹ē™ŗ - å…„é–€ē·Ø -
byYoichi Kawasaki
Ā 
PDF
AWS Lambda 100% ķ™œģš©ķ•˜źø° :: ź¹€ģƒķ•„ ģ†”ė£Øģ…˜ģ¦ˆ ģ•„ķ‚¤ķ…ķŠø :: Gaming on AWS 2016
byAmazon Web Services Korea
Ā 
PPTX
Govern your Azure environment through Azure Policy
byMicrosoft Tech Community
Ā 
PDF
Exactly-once Semantics in Apache Kafka
byconfluent
Ā 
PPTX
Building Event Streaming Microservices with Spring Boot and Apache Kafka | Ja...
byHostedbyConfluent
Ā 
PDF
What is Apache Kafka and What is an Event Streaming Platform?
byconfluent
Ā 
PPTX
Azure key vault
byRahul Nath
Ā 
ODP
Stream processing using Kafka
byKnoldus Inc.
Ā 
PPTX
Laravel introduction
bySimon Funk
Ā 
PDF
Hyperledger Indy tutorial
byssuser3993f3
Ā 
PDF
12 Ways to Manage Cloud Costs and Optimize Cloud Spend
byRightScale
Ā 
PDF
Node.js Express Tutorial | Node.js Tutorial For Beginners | Node.js + Expres...
byEdureka!
Ā 
PDF
Docker by Example - Quiz
byGanesh Samarthyam
Ā 
PDF
AWS źø°ė°˜ģ˜ ė§ˆģ“ķ¬ė”œ ģ„œė¹„ģŠ¤ ģ•„ķ‚¤ķ…ģ³ źµ¬ķ˜„ ė°©ģ•ˆ :: ź¹€ķ•„ģ¤‘ :: AWS Summit Seoul 20
byAmazon Web Services Korea
Ā 
PDF
Dockerć‚¤ćƒ”ćƒ¼ć‚ø恮ē†č§£ćØć‚³ćƒ³ćƒ†ćƒŠć®ćƒ©ć‚¤ćƒ•ć‚µć‚¤ć‚Æ惫
byMasahito Zembutsu
Ā 
Website hacking and prevention (All Tools,Topics & Technique )
byJay Nagar
Ā 
Messaging queue - Kafka
byMayank Bansal
Ā 
Pentesting ReST API
byNutan Kumar Panda
Ā 
ķšØģœØģ ģø ė¹…ė°ģ“ķ„° ė¶„ģ„ ė° ģ²˜ė¦¬ė„¼ ģœ„ķ•œ Glue, EMR ķ™œģš© - ź¹€ķƒœķ˜„ ģ†”ė£Øģ…˜ģ¦ˆ ģ•„ķ‚¤ķ…ķŠø, AWS :: AWS Summit Seoul 2019
byAmazon Web Services Korea
Ā 
Pentest Application With GraphQL | Null Bangalore Meetup
byDivyanshu
Ā 
Azure Functionsļ¼†Logic App恧ćÆć˜ć‚ć‚‹ć‚µćƒ¼ćƒćƒ¬ć‚¹ć‚¢ćƒ—ćƒŖć‚±ćƒ¼ć‚·ćƒ§ćƒ³é–‹ē™ŗ - å…„é–€ē·Ø -
byYoichi Kawasaki
Ā 
AWS Lambda 100% ķ™œģš©ķ•˜źø° :: ź¹€ģƒķ•„ ģ†”ė£Øģ…˜ģ¦ˆ ģ•„ķ‚¤ķ…ķŠø :: Gaming on AWS 2016
byAmazon Web Services Korea
Ā 
Govern your Azure environment through Azure Policy
byMicrosoft Tech Community
Ā 
Exactly-once Semantics in Apache Kafka
byconfluent
Ā 
Building Event Streaming Microservices with Spring Boot and Apache Kafka | Ja...
byHostedbyConfluent
Ā 
What is Apache Kafka and What is an Event Streaming Platform?
byconfluent
Ā 
Azure key vault
byRahul Nath
Ā 
Stream processing using Kafka
byKnoldus Inc.
Ā 
Laravel introduction
bySimon Funk
Ā 
Hyperledger Indy tutorial
byssuser3993f3
Ā 
12 Ways to Manage Cloud Costs and Optimize Cloud Spend
byRightScale
Ā 
Node.js Express Tutorial | Node.js Tutorial For Beginners | Node.js + Expres...
byEdureka!
Ā 
Docker by Example - Quiz
byGanesh Samarthyam
Ā 
AWS źø°ė°˜ģ˜ ė§ˆģ“ķ¬ė”œ ģ„œė¹„ģŠ¤ ģ•„ķ‚¤ķ…ģ³ źµ¬ķ˜„ ė°©ģ•ˆ :: ź¹€ķ•„ģ¤‘ :: AWS Summit Seoul 20
byAmazon Web Services Korea
Ā 
Dockerć‚¤ćƒ”ćƒ¼ć‚ø恮ē†č§£ćØć‚³ćƒ³ćƒ†ćƒŠć®ćƒ©ć‚¤ćƒ•ć‚µć‚¤ć‚Æ惫
byMasahito Zembutsu
Ā 

Similar to Technical Architecture of RASP Technology

PDF
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
Ā 
PDF
Š’Š½ŠµŠ“рŠµŠ½ŠøŠµ Š±ŠµŠ·Š¾ŠæŠ°ŃŠ½Š¾ŃŃ‚Šø Š² Š²ŠµŠ±-ŠæрŠøŠ»Š¾Š¶ŠµŠ½Šøях Š² срŠµŠ“Šµ Š²Ń‹ŠæŠ¾Š»Š½ŠµŠ½Šøя
byPositive Hack Days
Ā 
PPTX
20160211 OWASP Charlotte RASP
bychadtindel
Ā 
PPTX
20160225 OWASP Atlanta Prevoty RASP
bychadtindel
Ā 
PDF
Making Web Development "Secure By Default"
byDuo Security
Ā 
PDF
Owasp top 10 2013
byEdouard de Lansalut
Ā 
PDF
4 andrii kudiurov - web application security 101
byIevgenii Katsan
Ā 
PPT
Intro to Web Application Security
byRob Ragan
Ā 
PPT
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
Ā 
PDF
Top 10 Security Vulnerabilities (2006)
bySusam Pal
Ā 
PDF
Owasp top 10_openwest_2019
bySean Jackson
Ā 
PPT
Web Apps Security
byVictor Bucutea
Ā 
PPTX
Recent Trends in Cyber Security
byAyoma Wijethunga
Ā 
PDF
Neoito ā€” Secure coding practices
byNeoito
Ā 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
Ā 
ODP
Secure coding in C#
bySiddharth Bezalwar
Ā 
PPTX
PyCon Canada 2015 - Is your python application secure
byIMMUNIO
Ā 
PPTX
Prevoty NYC Java SIG 20150730
bychadtindel
Ā 
PDF
Is your python application secure? - PyCon Canada - 2015-11-07
byFrƩdƩric Harper
Ā 
PDF
Hacking Vulnerable Websites to Bypass Firewalls
byNetsparker
Ā 
Injecting Security into vulnerable web apps at Runtime
byAjin Abraham
Ā 
Š’Š½ŠµŠ“рŠµŠ½ŠøŠµ Š±ŠµŠ·Š¾ŠæŠ°ŃŠ½Š¾ŃŃ‚Šø Š² Š²ŠµŠ±-ŠæрŠøŠ»Š¾Š¶ŠµŠ½Šøях Š² срŠµŠ“Šµ Š²Ń‹ŠæŠ¾Š»Š½ŠµŠ½Šøя
byPositive Hack Days
Ā 
20160211 OWASP Charlotte RASP
bychadtindel
Ā 
20160225 OWASP Atlanta Prevoty RASP
bychadtindel
Ā 
Making Web Development "Secure By Default"
byDuo Security
Ā 
Owasp top 10 2013
byEdouard de Lansalut
Ā 
4 andrii kudiurov - web application security 101
byIevgenii Katsan
Ā 
Intro to Web Application Security
byRob Ragan
Ā 
XSS Primer - Noob to Pro in 1 hour
bysnoopythesecuritydog
Ā 
Top 10 Security Vulnerabilities (2006)
bySusam Pal
Ā 
Owasp top 10_openwest_2019
bySean Jackson
Ā 
Web Apps Security
byVictor Bucutea
Ā 
Recent Trends in Cyber Security
byAyoma Wijethunga
Ā 
Neoito ā€” Secure coding practices
byNeoito
Ā 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
Ā 
Secure coding in C#
bySiddharth Bezalwar
Ā 
PyCon Canada 2015 - Is your python application secure
byIMMUNIO
Ā 
Prevoty NYC Java SIG 20150730
bychadtindel
Ā 
Is your python application secure? - PyCon Canada - 2015-11-07
byFrƩdƩric Harper
Ā 
Hacking Vulnerable Websites to Bypass Firewalls
byNetsparker
Ā 

More from Priyanka Aash

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
Ā 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
Ā 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
Ā 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
Ā 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
Ā 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
Ā 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
Ā 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
Ā 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
Ā 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
Ā 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
Ā 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
Ā 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
Ā 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
Ā 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
Ā 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
Ā 
PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
Ā 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
Ā 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
Ā 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
Ā 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
Ā 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
Ā 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
Ā 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
Ā 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
Ā 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
Ā 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
Ā 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
Ā 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
Ā 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
Ā 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
Ā 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
Ā 
Keynote : Presentation on SASE Technology
byPriyanka Aash
Ā 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
Ā 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
Ā 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
Ā 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
Ā 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
Ā 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
Ā 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
Ā 

Recently uploaded

PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
Ā 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
Ā 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
Ā 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
Ā 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
Ā 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
Ā 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
Ā 
PPTX
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
Ā 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
Ā 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
Ā 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
Ā 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
Ā 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
PPTX
TechSprint WinterHack ā€” Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
Ā 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
Ā 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupŔčini IEEE Slovenija ...
byUniversity of Maribor
Ā 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
Ā 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
PDF
Track Phone Location via Number (2026)_ What Actually Works, Whatā€™s a Scam, a...
byEmily Woods
Ā 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
Ā 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
Ā 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
Ā 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
Ā 
NTG - Data Center Management System Software
byMustafa Kuğu
Ā 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
Ā 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
Ā 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
Ā 
Authority After Search: How AI Systems Reconstruct Trust, Expertise, and Legi...
byJeff Howell
Ā 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
Ā 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
Ā 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
Ā 
Designing a Blog Using Wordpress
bymarkzubi50
Ā 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
TechSprint WinterHack ā€” Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
Ā 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
Ā 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupŔčini IEEE Slovenija ...
byUniversity of Maribor
Ā 
Rustici Software: eLearning standards in the age of AI
byRustici Software
Ā 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
Ā 
Track Phone Location via Number (2026)_ What Actually Works, Whatā€™s a Scam, a...
byEmily Woods
Ā 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
Ā 

Technical Architecture of RASP Technology

  • 1.
    SECURITY ENGINEER AJIN ABRAHAM INJECTINGSECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
  • 2.
    ā–ø Security Engineering@ ā–ø Research on Runtime Application Self Defence ā–ø Authored MobSF, Xenotix and NodeJSScan ā–ø Teach Security: https://opsecx.com ā–ø Blog: http://opensecurity.in #WHOAMI
  • 3.
    AGENDA : WHATTHE TALK IS ABOUT? RASP WAF WHAT THE TALK IS NOT ABOUT?
  • 4.
    APPSEC CHALLENGES ā–ø WritingSecure Code is not Easy ā–ø Most follows agile development strategies ā–ø Frequent releases and builds ā–ø Any release can introduce or reintroduce vulnerabilities ā–ø Problems by design. ā€Ø Ex: Session Hijacking, Credential Stufļ¬ng
  • 5.
    STATE OF WEBFRAMEWORK SECURITY ā–ø Automatic CSRF Token - Anti CSRF ā–ø Templates escapes User Input - No XSS ā–ø Uses ORM - No SQLi You need to use secure APIs or write Code to ā€Ø enable some of these Security Bugs happens when people write bad code.
  • 6.
    STATE OF WEBFRAMEWORK SECURITY ā–ø Anti CSRF - Can easily be turned off/miss conļ¬gurations ā–ø Templates escapes User Input - Just HTML Escape -> XSS ā–ø https://jsļ¬ddle.net/1c4f271c/ ā–ø Uses ORM - SQLi is still possible ā–ø http://rails-sqli.org/
  • 7.
    STATE OF WEBFRAMEWORK SECURITY ā–ø Remote OS Command Execution - No ā–ø Remote Code Injection - No ā–ø Server Side Template Injection RCE - No ā–ø Session Hijacking - No ā–ø Verb Tampering - No ā–ø File Upload Restriction - No The list goes onā€¦..
  • 8.
    WE NEED TOPREVENT EXPLOITATION LETā€™S USE WAF
  • 9.
    ā–ø First WAFAppShield in 1999, almost 18 years of existence ā–ø Quick question : How many of you run a WAF in defence/ protection mode? ā–ø Most organisations use them, but in monitor mode dueā€Ø high rate false positives. ā–ø Most WAFs use BLACKLISTS CAN A WAF SOLVE THIS? 20% 70% 10% False Negatives False Positive Detection
  • 10.
    APPLICATION SECURITY RULEOF THUMB Gets bypassed, today or tomorrow
  • 11.
    WHAT WAF SEES? ATTACK!= VULNERABILITY
  • 12.
    HOW WAF WORKS ā–øThe strength of WAF is the blacklist ā–ø They detect Attacks not Vulnerability ā–ø WAF has no application context ā–ø Doesnā€™t know if a vulnerability got exploited insideā€Ø the app server or not. WAFGET http://xyz.com APP SERVER HTTP REQUEST HTTP RESPONSE
  • 13.
    ā–ø How longthey keep on building the black lists? ā–ø WAFs used to downgrade your security. ā–ø No Perfect Forward Secrecy ā–ø Canā€™t Support elliptic curves like ECDHE ā–ø Some started to support with a Reverse Proxy ā–ø Organisations are moving to PFS (Heartbleed bug) ā–ø SSL Decryption and Re-encryption Overhead WAF PROBLEMS
  • 14.
    TLS 1.3 COMINGSOON ā€¦.
  • 15.
    SO WHATā€™S THEIDEAL PLACE FOR SECURITY? REQUEST RESPONSE APP SERVER APP SERVER CORE SECURITY LAYER
  • 16.
    We can domuch better.ā€Ø Itā€™s time to evolve WAF - > SAST -> DAST -> IAST -> RASP Attack Detection ā€Ø &ā€Ø Prevention/Neutralizationā€Ø +ā€Ø Precise ā€Ø Vulnerability Detectionā€Ø +ā€Ø Extras Attack Detection ā€Ø &ā€Ø Prevention Vulnerability Detection Precise ā€Ø Vulnerability Detection
  • 17.
    RUNTIME APPLICATION SELFDEFENCE ā–ø Detect both Attacks and Vulnerability ā–ø Zero Code Modiļ¬cation and Easy Integration ā–ø No Hardware Requirements ā–ø Apply defence inside the application ā–ø Have Code Level insights ā–ø Fewer False positives ā–ø Inject Security at Runtime ā–ø No use of Blacklists
  • 18.
    TYPES OF RASP ā–øPattern Matching with Blacklist - Old wine in new bottle (Fancy WAF) ā–ø Dynamic Tainting - Good but Performance over head ā–ø Virtualisation and Compartmentalisation - Good, but Less Precise, Container oriented and not application oriented, Platform Speciļ¬c (JVM) ā–ø Code Instrumentation and Dynamic Whitelist - Good, but speciļ¬c to Frameworks, Developer deployed
  • 19.
    FOCUS OF RESEARCH ā–øOther AppSec Challenges ā–ø Preventing Verb Tampering ā–ø Preventing Header Injection ā–ø File Upload Protection ā–ø Ongoing Research ā–ø Preventing Session Hijacking ā–ø Preventing Layer 7 DDoS ā–ø Credential Stufļ¬ng ā–ø RASP by API Instrumentationā€Ø and Dynamic Whitelist ā–ø Securing a vulnerable Python ā€Ø Tornado app with Zero Code change. ā–ø Code Injection Vulnerabilities ā–ø Preventing SQLi ā–ø Preventing RCE ā–ø Preventing Stored & Reļ¬‚ected XSS ā–ø Preventing DOM XSS
  • 20.
    RASP BY APIINSTRUMENTATION AND DYNAMIC WHITELIST ā–ø MONKEY PATCHING ā–ø LEXICAL ANALYSIS ā–ø CONTEXT DETERMINATION
  • 21.
    MONKEY PATCHING ā–ø Alsoknow as Runtime Hooking and Patching of functions/ methods. ā–ø https://jsļ¬ddle.net/h1gves49/2/
  • 22.
    LEXICAL ANALYSIS ANDTOKEN GENERATION ā–ø A lexical analyzer breaks these syntaxes into a series of tokens, by removing any whitespace or comments in the source code. ā–ø Lexical analyzer generates error if it sees an invalid token.
  • 23.
    LEXICAL ANALYSIS ANDTOKEN GENERATION SYNTAX TOKEN int KEYWORD value IDENTIFIER = OPERATOR 100 CONSTANT ; SYMBOL INPUT: int value = 100;//value is 100 Normal Lexer SYNTAX TOKEN int KEYWORD WHITESPACE value IDENTIFIER WHITESPACE = OPERATOR WHITESPACE 100 CONSTANT ; SYMBOL //value is 100 COMMENT Custom Lexer
  • 24.
  • 25.
    PREVENTING CODE INJECTIONVULNERABILITIES Interpreter cannot distinguish between ā€Ø Code and Data Solve that and you solve the code injection problems
  • 26.
    PREVENTING CODE INJECTIONVULNERABILITIES ā–ø Preventing SQL Injection ā–ø Preventing Remote OS Command Execution ā–ø Preventing Stored & Reļ¬‚ected Cross Site Scripting ā–ø Preventing DOM XSS
  • 27.
    SQL INJECTION SELECT *FROM <user_input>
  • 28.
    SQL INJECTION :HOOK SQL Execution APIā€Ø cursor.execute(ā€˜SELECT * FROM logsā€˜)
  • 29.
    SQL INJECTION :LEARN SELECT * FROM logs SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING
  • 30.
    SQL INJECTION :PROTECT SYNTAX TOKEN SELECT KEYWORD WHITESPACE * OPERATOR WHITESPACE FROM KEYWORD WHITESPACE logs STRING WHITESPACE AND KEYWORD WHITESPACE DROP KEYWORD WHITESPACE TABLE KEYWORD WHITESPACE admin STRING SELECT * FROM logs AND DROP TABLE admin
  • 31.
    SQL INJECTION :PROTECT KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING Rule for Context: SELECT * FROM <user_input> SELECT * FROM logs SELECT * FROM history SELECT * FROM logs AND DROP TABLE admin KEYWORD WHITESPACE OPERATOR WHITESPACE KEYWORD WHITESPACE STRING ā€Ø WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE KEYWORD WHITESPACE STRING
  • 32.
  • 33.
    REMOTE OS COMMANDINJECTION ping -c 3 <user input>
  • 34.
    REMOTE OS COMMANDINJECTION : HOOK Command Execution APIā€Ø os.system(ping -c 3 127.0.0.1)
  • 35.
    REMOTE OS COMMANDINJECTION : LEARN ping -c 3 127.0.0.1 SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN
  • 36.
    REMOTE OS COMMANDINJECTION : PROTECT ping -c 3 127.0.0.1 & cat /etc/passwd SYNTAX TOKEN ping EXECUTABLE WHITESPACE -c ARGUMENT_DASH WHITESPACE 3 NUMBER WHITESPACE 127.0.0.1 IP_OR_DOMAIN WHITESPACE & SPLITTER WHITESPACE cat EXECUTABLE WHITESPACE /etc/passwd UNIX_PATH
  • 37.
    REMOTE OS COMMANDINJECTION : PROTECT EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAIN Rule for Context: ping -c 3 <user_input> ping -c 3 127.0.0.1ā€Ø ping -c 3 google.com ping -c 3 127.0.0.1 & cat /etc/passwd ā€Ø EXECUTABLE WHITESPACE ARGUMENT_DASH WHITESPACE NUMBER WHITESPACE IP_OR_DOMAINā€Ø WHITESPACE SPLITTER WHITESPACE EXECUTABLE WHITESPACE UNIX_PATH
  • 38.
  • 39.
    CROSS SITE SCRIPTING <body><h1>hello{{user_input1}} </h1></body>ā€Ø <script> var x=ā€˜{{user_input2}}ā€™;</script>
  • 40.
    CROSS SITE SCRIPTING: HOOK Template Rendering APIā€Ø ā€Ø template.render(ā€œ<body><h1>hello {{user_input1}}ā€Ø </h1></body><script> var x=ā€˜{{user_input2}}ā€™;ā€Ø </script>ā€œ, user_input1, user_input2)
  • 41.
    CROSS SITE SCRIPTING: CONTEXT DETERMINATION Parsing the DOM Tree <body><h1>hello {{user_input1}}ā€Ø </h1></body><script> var x=ā€˜{{user_input2}}ā€™;ā€Ø </script> HTML_CONTEXT JAVASCRIPT_VALUE_CONTEXT
  • 42.
    CROSS SITE SCRIPTING: PROTECT <body><h1>hello {{user_input1}} </h1></body>ā€Ø <script> var x=ā€˜{{user_input2}}ā€™;</script> <body><h1>hello World </h1></body>ā€Ø <script> var x=ā€˜Hello Worldā€™;</script> user_input1 = ā€œWorldā€ā€Ø user_input2 = ā€œHello Worldā€
  • 43.
    CROSS SITE SCRIPTING: PROTECT <body><h1>hello &lt;script&gt;alert(0)&lt;/ script&gt; </h1></body>ā€Ø <script> var x=ā€˜';alert(0);//x3C/scriptx3Eā€™;</ script> user_input1 = ā€œ<script>alert(0)</script>ā€ā€Ø user_input2 = ā€œā€˜;alert(0);//</script>ā€
  • 44.
  • 45.
    PREVENTING DOM XSS https://jsļ¬ddle.net/vno23woL/3/ ā–øInject Security into JavaScript Frameworks ā–ø Common JavaScript Frameworks - jQuery, AngularJS, MustacheJS etcā€¦ ā–ø DOMPurify - https://github.com/cure53/DOMPurify ā–ø jPurify - https://github.com/cure53/jPurify
  • 46.
    ON GOING RESEARCH ā–øPreventing Session Hijacking ā–ø Preventing Layer 7 DDoS ā–ø Credential Stufļ¬ng
  • 47.
    THE RASP ADVANTAGES ā–øAccurate and Precise in Vulnerability Detection & Prevention ā–ø Code Level Insight (Line no, Stack trace) ā–ø Not based on Heuristics - Zero/Negligible False Positives ā–ø No SSL Decryption and Re-encryption overhead ā–ø Doesnā€™t Downgrade your Security ā–ø Preemptive security - Zero Day protection ā–ø Zero Code Change and easy integrationā€Ø ā€Ø pip install rasp_moduleā€Ø import rasp_module
  • 48.
    BIGGEST ADVANTAGE Now youcan deploy it on protection mode
  • 49.
    CHARACTERISTICS OF ANIDEAL RASP ā–ø Ideal RASP should have minimal Performance impact ā–ø Should not introduce vulnerabilities ā–ø Must not consume PII of users ā–ø Should not learn the bad stuff ā–ø Should be a ā€œreal RASPā€ not a fancy WAF with Blacklist. ā–ø Minimal Conļ¬guration and Easy deployment
  • 50.
    THATā€™S ALL FOLKS! ā–øThanks to ā–ø Zaid Al Hamami, Mike Milner, Steve Williams, Oliver Laveryā€Ø (Team IMMUNIO inc). ā–ø Kamaiah, Francis, Bharadwaj, Surendar, Sinu, Vivek ā€Ø (Team Yodlee Security Ofļ¬ce - YSO) ā–ø Due Credits ā–ø Graphics/Image Owners @ajinabraham ajin25@gmail.com