v0.22

中文说明

• v0.22 发版纪要

Breaking changes

• Re-implemented SQLi/SSRF detection algorithm in pure Java code
  • Configurable via RASP.config(algorithm.config, ...) interface in javascript plugins
  • Performance improved by nearly 20%
• LICENSE upgrade
  • Replaced BSD-3 with Apache License 2.0
• Log rotation
  • Automatically remove old log files, keep up-to 30 files by default
  • User must manually remove rasp/conf/rasp-log4j.xml prior to version upgrade

New features

• Add support of JBoss 7.X
• Conditional HTML injection support
  • Mostly designed for CSRF / Blind XSS detection
  • Disabled by default
• When an attack is blocked, allow user to customize HTTP response code
• Security baseline improvements
  • Detect global Directory Index configuration in Tomcat
  • JDBC account auditing: only report on successful connections
• Add a debug option to collect performance data

Algorithm improvements

• Detect basic SSRF and URL obfuscation technique
  • List of supported HTTP request libraries:
    • URL.openConnection
    • commons-httpclient
    • httpclient

API Changes

• RASP.config() now renamed to RASP.config_set()
• Add RASP.get_jsengine() interface

Bug fixes

RASP agent

• request.setCharacterEncoding compatibility issue
• Add stack trace in policy-alarm logs

OpenRASP Installer for Java

• Will add write permission to rasp directory automatically
• Refine all error messages