Imperva Cyber Community


What RASP Protects Against: Injections

By Rajaram Srinivasan posted 11-01-2020 11:52

  

Introduction to Imperva RASP

Runtime application self-protection (RASP) is a cybersecurity solution designed to provide personalized protection to applications. Unlike perimeter security solutions such as a Web Application Firewall (WAF), RASP sits within the application to protect it at runtime.

This visibility enables RASP to identify a wide range of potential attacks, including zero-day exploits, with a low false-positive rate.

RASP Protects Against Injection Attacks

Injection vulnerabilities are one of the widest classes of potential threats to an application. According to the 2019 Analytics Global Business Technographics® Security Survey, 2019, about 87% of breaches are caused by exploiting a software vulnerability or through injection in the web application, such as SQL injection, XSS or remote file inclusion. Put simply, an injection happens when maliciously crafted user input causes some portion of the attacker-provided data to be interpreted as executable instructions.

Imperva RASP closely monitors the inputs to an application and their impact on its execution through a language-theoretic approach, relying on empirical facts rather than on learning or signatures. Below are some common injection attacks and how RASP protects against them.

SQL Injection and Database Access Violations

SQL injection vulnerabilities are common because SQL queries usually involve some form of user input for querying records. A malicious input typically tries to access more records than intended by rendering the original SQL command meaningless and overriding it. For example, a tautology may be used in the malicious input to truncate the intended query and override it with a condition that returns all records in the table. SQL injection can also be used to bypass authentication or to modify the contents of the database.
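The definition above (attacker data ends up interpreted as instructions) can be checked mechanically: tokenize the final query and test whether the user's input stayed inside a single literal. The sketch below is an added example and not Imperva RASP's implementation; the small lexer, the `{}` template convention, the function names and the sample inputs are all assumptions constructed for illustration.

```python
import re

# Small SQL lexer written for this illustration (assumption: not a full SQL
# grammar; signed numbers and double-quoted identifiers are not handled).
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')          # quoted literal; '' is an escaped quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)     # line or block comment
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)    # keyword or identifier
  | (?P<op>[^\sA-Za-z_0-9'])            # any single punctuation character
  | (?P<unterminated>'.*)               # quote that never closes
""", re.VERBOSE | re.DOTALL)
DATA_KINDS = {"string", "number"}       # tokens that can only ever be data

def build_query(template, user_input):
    """Concatenate input at '{}' (the vulnerable pattern); return query and input span."""
    start = template.index("{}")
    return template.replace("{}", user_input, 1), (start, start + len(user_input))

def structure(query):
    """Token kinds of a query, i.e. its shape with the literal values ignored."""
    return [m.lastgroup for m in TOKEN_RE.finditer(query)]

def is_injection(template, user_input):
    """True when the input is not confined to one string or number token."""
    if not user_input:
        return False
    query, (start, end) = build_query(template, user_input)
    for m in TOKEN_RE.finditer(query):
        if m.start() <= start and end <= m.end():
            return m.lastgroup not in DATA_KINDS
    return True                         # input crosses a token boundary: it became code

if __name__ == "__main__":
    by_name = "SELECT * FROM users WHERE name = '{}'"   # constructed sample template
    for value in ("alice", "O''Brien", "x' OR '1'='1", "admin'--"):
        verdict = "INJECTION" if is_injection(by_name, value) else "ok"
        print(f"{value!r:18} {verdict:10} {len(structure(build_query(by_name, value)[0]))} tokens")
```

The tautology input is flagged because it turns one string literal into five tokens, which is the change in query structure that a signature-free check looks for.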

Command Injection

Command injection vulnerabilities can exist if an application includes user input in a command sent to an interpreter. This includes calls to the command line (via system or similar) or to language-specific interpreters like Python’s.

Exploitation of a command injection vulnerability can enable an attacker to run their own commands within the targeted interpreter with the same permissions as the vulnerable application.  Depending on the interpreter in question and the permissions of the exploited application, this can have a number of different impacts.

Cross-Site Scripting

Cross-site scripting (XSS) vulnerabilities enable an attacker to inject malicious scripts into a webpage to make it look like it is from the original publisher. These scripts could collect a user’s login credentials or payment card information or attempt to exploit a browser vulnerability to install malware on the user’s computer. Such an attack could also hijack victims’ user sessions or redirect victims to malicious sites.

Cross-Site Request Forgery

Cross-site request forgery (CSRF) vulnerabilities may exist if a website makes state changes based upon the contents of its URL.  For example, a website may have special pages for transferring money out of a bank account or changing a user’s password.  If these pages perform the request with no user interaction, they are potentially exploitable by URL manipulation.

CSRF vulnerabilities are exploited by causing an authenticated user’s browser to make a request to one of these state-changing pages.  This could be accomplished by tricking a user with a phishing link or embedding a fake image or other piece of content within a webpage.

OGNL Injection

Object-Graph Navigation Language (OGNL) is an Expression Language (EL) for Java objects used in Apache Struts. OGNL injection vulnerabilities are the most common source of Apache Struts CVEs. OGNL injection involves inserting unvalidated EL expressions into Apache Struts. This enables an attacker to execute their own code within the application or expose critical variables from the application runtime.

Improving Application Security with Imperva RASP

By observing the impacts of anomalous inputs on an application’s execution state, RASP can identify and respond to novel or unusual attacks since it operates on empirical data. For in-depth detail on how RASP mitigates these injections, we recommend the community webinar on RASP.


