Skip to content
/ FOS_Demo_Vulnerable_App Public

[FOS:RASP-PHP] PHP Demo Vulnerable Application to test SQL injection vulnerability and patch it using RASP (Runtime Application Self-Protection)

8 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

umarfarook882/FOS_Demo_Vulnerable_App

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
css
css
 
 
images
images
 
 
js
js
 
 
README.md
README.md
 
 
config.php
config.php
 
 
index.php
index.php
 
 
login.php
login.php
 
 

Repository files navigation

[FOS:RASP-PHP] Injecting RASP (Runtime Application Self Protection) Security into Demo PHP Vuln App

PHP Demo Vulnerable Application to test SQL injection vulnerability and patch it using RASP (Runtime Application Self-Protection)

Before going further please know few thing about RASP or watch my previous video about RASP (Runtime Application Self Protection) Security in python. refer the link mentioned below. This is about RASP Model for php application.

Requirement:

#Vulnerable application: 
I have developed a Vulnerable PHP Application to demonstrate SQL Injection Vulnerability.(Available in my Github repository)

#RASP Model supported on PHP 5.6.x to 7.x 

#RASP(Written for PHP Application): 
It just begining model to show how RASP works to  prevent SQL injection in PHP Application.
In upcoming future video, i will demonstrate RASP With other OWASP Top 10 Vulnerabilities.

#Database:
Vulnerable php Application (Mysql):vuln-app (database name)
RASP Rule(Redis): Key:Value Concept (for better preformance)

How it works?

#Monkey patching:
Whenever user enter input to the application which is actually interacting with database to fetch data, RASP Will get hooked and 
monkey patch the Class Mysqli  to extract the query statement.

#Lexer Analysis and Token Generation:
Once the Query is extracted and processed into lexer analysis, it generate a token structure for the query.

#Redis:
Generated token structure are insert into redis as SQL Rule. 

whenever user enter some input into application which is actually interacting with database to fetch data, at that 
it will be check the user input structure with the SQL rule in redis to decide whether to block the user or 
allow the query to execute:)

#Running demo vuln app with out RASP:
 SQL injection is possible.

#Running demo vuln app with RASP :

#Learning mode
First, Run RASP in learning mode to make it understand the user input structure for the application to works.

In my RASP model i have threshold limit for SQL rule as 2 for demo. so only 2 rule are allowed into redis.
Threshold limit for sql rule depend up on the application.

Once RASP  learned all possible input structure from user and when it reached its limit. 
RASP will automatically run in Defending mode Now When have rules ready to block SQL injection attack :)

Demo Video

Alt text

Credits:

Support !

Email address: umarfarookmech712@gmail.com | foolsofsecur1ty@gmail.com for more details.
Youtube: Fool of Security
Blog: Fools of security

Useful links:

  1. [FOS] RASP (Runtime Application Self Protection) Security
  2. Demo Vulnerable App
  3. Kali

About

[FOS:RASP-PHP] PHP Demo Vulnerable Application to test SQL injection vulnerability and patch it using RASP (Runtime Application Self-Protection)

Resources

Readme
Activity

Stars

8 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages