
Releases: DataDog/libddwaf

v1.19.0 (unstable)

19 Jul 08:16
c6ef639

New features

This version of libddwaf introduces a number of new features to support new use cases and extend existing ones.

Exploit prevention: Shell injection detection

A new operator shi_detector has been introduced for detecting and blocking shell injections, based on input parameters and the final shell code being evaluated. This new operator is part of the exploit prevention feature, so it is meant to be used in combination with targeted instrumentation.

The following example rule takes advantage of the new operator to identify injections originating from request parameters:

  - id: rsp-930-004
    name: SHi Exploit detection
    tags:
      type: shi
      category: exploit_detection
      module: rasp
    conditions:
      - parameters:
          resource:
            - address: server.sys.shell.cmd
          params:
            - address: server.request.query
            - address: server.request.body
            - address: server.request.path_params
            - address: grpc.server.request.message
            - address: graphql.server.all_resolvers
            - address: graphql.server.resolver
        operator: shi_detector
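To make the operator's inputs concrete, here is an added, simplified Python approximation of the check shi_detector performs; it is not libddwaf's own implementation, and the function name, the `SHELL_META` / `MIN_LENGTH` heuristics and the `_flatten` helper are assumptions made for illustration. It flags a request parameter that reached the final command (`resource`) unquoted while carrying characters that change the command's structure.

```python
import re
import shlex

# Characters that let a value change the structure of a command line instead of
# acting as a plain argument: separators, pipes, redirections and expansions.
# (Heuristic chosen for this illustration, not libddwaf's tokenizer.)
SHELL_META = re.compile(r"[;&|<>`$(){}\n]")
MIN_LENGTH = 3  # very short values match everywhere and carry no signal


def _flatten(value, path=""):
    """Yield (address.path, string) pairs for nested request parameters."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _flatten(item, f"{path}.{key}" if path else str(key))
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            yield from _flatten(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def shi_detector(resource, params):
    """Return details of the first parameter that reached `resource` (the final
    shell command) in a way that alters its structure, or None if none did.

    Assumed, simplified semantics: a value counts as injected when it contains
    shell metacharacters and is not single-quoted as one literal in `resource`.
    """
    for address, value in _flatten(params):
        if len(value) < MIN_LENGTH or value not in resource:
            continue  # parameter never made it into the command
        if not SHELL_META.search(value):
            continue  # plain word: it can only ever be a single argument
        if shlex.quote(value) in resource:
            continue  # 'single-quoted': the shell passes it through verbatim
        return {"address": address, "value": value, "resource": resource}
    return None


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the addresses used in the rule.
    params = {"server.request.query": {"file": "report.pdf; id"}}
    print(shi_detector("ls -l report.pdf; id", params))    # flagged
    print(shi_detector("ls -l 'report.pdf; id'", params))  # None: quoted
```

The real operator additionally sees the command as the shell tokenizes it; this sketch only shows why both the parameters and the final command are required inputs.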

Attacker & Request Fingerprinting

This release includes a new family of processors which can be used to generate different fingerprints for a request and / or user, depending on available information:

  • http_endpoint_fingerprint: this processor generates a fingerprint which uniquely identifies the HTTP endpoint accessed by the request as well as how this endpoint was accessed (i.e. which parameters were used).
  • http_headers_fingerprint: generates a fingerprint which provides information about the headers used when accessing said HTTP endpoint.
  • http_network_fingerprint: provides a fingerprint containing some information about the network-related HTTP headers used within the request.
  • session_fingerprint: this processor generates a specific fingerprint with sufficient information to track a unique session and / or attacker.

Suspicious attacker blocking

Suspicious attackers can now be blocked conditionally when they perform a restricted action or an attack. With the combination of custom exclusion filter actions and exclusion data, it is now possible to change the action of a rule dynamically depending on a condition, e.g. all rules could be set to blocking mode if a given IP performs a known attack.

The following exclusion filter, in combination with the provided exclusion data, changes the action of all rules based on the client IP:

exclusions:
  - id: suspicious_attacker
    conditions:
      - operator: ip_match
        parameters:
          inputs:
            - address: http.client_ip
          data: ip_data
exclusion_data:
  - id: ip_data
    type: ip_with_expiration
    data:
      - value: 1.2.3.4
        expiration: 0

Other new features

  • New operator exists: this new operator can be used to assert the presence of at least one address from a given set of addresses, regardless of their underlying value.
  • Rule tagging overrides: rule overrides now allow adding tags to an existing rule, e.g. to provide information about the policy used.
  • New function ddwaf_known_actions: this new function can be used to obtain a list of the action types which can be triggered given the set of rules and exclusion filters available.

Release changelog

Changes

  • Multivariate processors and remove generators (#298)
  • Custom rule filter actions (#303)
  • SHA256 hash based on OpenSSL (#304)
  • Shell injection detection operator (#308)
  • Limit the number of transformers per rule or input (#309)
  • Validate redirection location and restrict status codes (#310)
  • Rule override for adding tags (#313)
  • Add support for dynamic exclusion filter data (#316)
  • HTTP Endpoint Fingerprint Processor (#318)
  • HTTP Header, HTTP Network and Session Fingerprints (#320)
  • Exists operator and waf.context.event virtual address (#321)
  • Add function to obtain available actions (#324)

Fixes

  • Transformer fixes and improvements (#299)

Miscellaneous

  • Fix object generator stray container (#294)
  • Regex tools & benchmark rename (#290)
  • Order benchmark scenarios (#300)
  • Upgrade to macos-12 (#312)
  • Skip disabled rules when generating ruleset (#314)
  • Update default obfuscator regex (#317)

v1.18.0 (unstable)

08 May 08:40
f18e6e2

This version introduces a new operator sqli_detector for the detection of SQL injections. In addition, the ruleset parser has been updated to allow non-string parameter values on action definitions.

Changes

  • SQL Injection (SQLi) Detection Operator (#284)

Fixes

  • Fix mishandling invalid actions key type (#286)
  • Convert non-string object types into string during ruleset parsing (#285)

Miscellaneous

  • Use SSE4.1 ceilf when available and add badges to readme (#288)
  • SQLi Detector Fuzzer and improvements (#291)

v1.17.0 (unstable)

18 Apr 07:18
6762453

This new version introduces RASP rules and supporting features, including:

  • Multivariate operators for the development of complex rules.
  • A new operator lfi_detector for the detection of local file inclusion (LFI) / path traversal attacks.
  • A new operator ssrf_detector for the detection of server-side request forgery (SSRF) attacks.
  • Better support for rule actions, as well as internal default actions: block, stack_trace and extract_schema.

The upgrading guide has also been updated to cover the new breaking changes.

Changes

  • Multivariate operator support (#241)
  • Local file inclusion (LFI) operator (#258)
  • Server-side request forgery (SSRF) detection operator (#268)
  • Action semantics and related improvements (#277)

Fixes

  • Reduce benchmark noise (#257, #259, #260)
  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)
  • Fix parsing of variadic arguments (#267)

Miscellaneous

  • Update node-16 actions to node-20 ones (#266)
  • Attempt to build libddwaf on arm64 runner (#270)
  • Run tests on arm64 (#271)
  • LFI detector fuzzer (#274)
  • Remove rpath from linux-musl binary (#282)

v1.17.0-alpha3 (unstable)

08 Apr 18:38
6af4b64

Since this release contains breaking changes, the upgrading guide has been updated.

Changes

  • Action semantics and related improvements (#277)

Miscellaneous

  • LFI detector fuzzer (#274)

v1.16.1 (unstable)

12 Mar 16:50
b96e53c

Fixes

  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)

v1.17.0-alpha2 (unstable)

08 Mar 14:16
ad60a24

Changes

  • Server-side request forgery (SSRF) detection operator (#268)

Miscellaneous

  • Attempt to build libddwaf on arm64 runner (#270)
  • Run tests on arm64 (#271)

v1.17.0-alpha1 (unstable)

20 Feb 17:03
d438b4e

Fixes

  • Fix parsing of variadic arguments (#267)

Miscellaneous

  • Update node-16 actions to node-20 ones (#266)

v1.17.0-alpha0 (unstable)

19 Feb 17:50
a0d5a84

Fixes

  • Add support for old glibc (e.g. RHEL 6) (#262)
  • Add weak ceilf symbol and definition (#263)

Changes

  • Multivariate operator support (#241)
  • Local file inclusion (LFI) operator (#258)

v1.16.0 (unstable)

07 Feb 14:54
044f675

Note: while there are no breaking changes in this release, legacy Linux builds are no longer being produced.

Fixes

  • Address a libinjection false positive (#251)
  • Remove a few fingerprints causing false positives (#252)
  • Fix SSE2 lowercase transformer (#253)

Changes

  • Support ephemeral addresses on processors (#240)
  • Phrase match: enforce word boundary option (#256)

v1.15.1 (unstable)

14 Nov 17:02
cd01ea3

Fixes

  • Fix duplicate processor check (#234)