Tornado Demo Vulnerable Application to test SQL injection vulnerability and patch it using RASP (Runtime Application Self-Protection)
Latest commit 3da3f08 Nov 15, 2017
static Updated Demo Vuln App Jul 25, 2017
templates Updated Demo Vuln App Jul 25, 2017
README.md Update README.md Nov 15, 2017
demo.db Updated Demo Vuln App Jul 25, 2017
server.py Updated Demo Vuln App Jul 25, 2017

README.md

Injecting RASP (Runtime Application Self Protection) Security into Tornado Demo Vuln App


Tornado Demo Vulnerable Application: supports Python 2.x and 3.x
RASP: supports Python 3.x only

How does RASP work with the Demo Vuln App?

1. Hook the DB-API 2.0 execute() call.

2. Extract the query from the execute(query) call.

For example:
Query = SELECT * from users where userid=1

3. Lexical analysis: generate tokens for the query extracted from the execute() call.

Using the lexer, convert the query into tokens:
Token = ['KEYWORD', 'WHITESPACE', 'OPERATOR', 'WHITESPACE', 'KEYWORD', 'WHITESPACE', 'STRING', 'WHITESPACE',
'KEYWORD', 'WHITESPACE', 'STRING', 'OPERATOR', 'NUMBER']

4. Run RASP in learning mode so that it learns the correct structure of user input that the application needs in order to work.

5. While in learning mode, RASP automatically inserts the rules into a separate database, rules.db.

6. Once the application reaches the learning-mode limit (the threshold), no more rules are inserted into the rules database while still in learning mode.

In my RASP model, the threshold limit for rules inserted into rules.db is 2 for demo purposes, so only two rules are allowed in the rules database.

7. Now we have the rules ready to block SQL injection attacks :)

8. Check the video below to see how it works :)
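The eight steps above, worked through as an added example. This is not the project's server.py or its RASP code: the token classes mirror the README's sample output, but the keyword list, the regex lexer, the `Rasp` wrapper class and the in-memory rules database (standing in for rules.db) are all assumptions made for this demo. The real RASP hooks the DB-API execute() call; here the application calls `Rasp.execute()` explicitly so the whole flow (learn two structures, refuse a third, then enforce) runs offline against a constructed SQLite `users` table.

```python
import re
import sqlite3
from typing import List

# Assumed keyword list for the demo lexer (not the project's own).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "LIKE", "NOT", "NULL"}

# Token classes follow the README's sample: identifiers and quoted literals
# are both reported as STRING, keywords are reclassified from STRING below.
TOKEN_RE = re.compile(r"""
    (?P<WHITESPACE>\s+)
  | (?P<NUMBER>\d+(?:\.\d+)?)
  | (?P<STRING>'(?:[^']|'')*'|"[^"]*"|[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OPERATOR>\*|<>|!=|<=|>=|=|<|>|,|\(|\)|;|--|/\*|\*/|\+|-|/|\.)
  | (?P<UNKNOWN>.)
""", re.VERBOSE)


def tokenize(query: str) -> List[str]:
    """Step 3: return the token-type sequence (the query's structure)."""
    types = []
    for m in TOKEN_RE.finditer(query):
        kind = m.lastgroup
        if kind == "STRING" and m.group().upper() in KEYWORDS:
            kind = "KEYWORD"
        types.append(kind)
    return types


class Rasp:
    """Steps 1, 4-7: sit in front of a DB-API cursor, learn query structures
    into a rules table (capped by `threshold`), then block unlearned ones."""

    def __init__(self, rules_db: str = ":memory:", threshold: int = 2):
        self.rules = sqlite3.connect(rules_db)   # stand-in for rules.db
        self.rules.execute("CREATE TABLE IF NOT EXISTS rules (structure TEXT PRIMARY KEY)")
        self.threshold = threshold
        self.learning = True

    def rule_count(self) -> int:
        return self.rules.execute("SELECT COUNT(*) FROM rules").fetchone()[0]

    def learn(self, structure: str) -> bool:
        """Step 6: refuse new rules once the threshold is reached."""
        if self.rule_count() >= self.threshold:
            return False
        self.rules.execute("INSERT OR IGNORE INTO rules(structure) VALUES (?)", (structure,))
        self.rules.commit()
        return True

    def allowed(self, query: str) -> bool:
        structure = " ".join(tokenize(query))
        if self.learning:
            self.learn(structure)
            return True                      # learning mode never blocks
        return self.rules.execute("SELECT 1 FROM rules WHERE structure=?",
                                  (structure,)).fetchone() is not None

    def execute(self, cursor, query: str, params=()):
        """Step 2: intercept execute(query), check structure, then run it."""
        if not self.allowed(query):
            raise PermissionError("RASP blocked query with unlearned structure")
        return cursor.execute(query, params)


def demo() -> dict:
    """Run learning mode, then enforcement, against a constructed users table."""
    app_db = sqlite3.connect(":memory:")
    app_db.execute("CREATE TABLE users(userid INTEGER, name TEXT)")
    app_db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    cur = app_db.cursor()
    rasp = Rasp(threshold=2)

    # Learning mode: normal application traffic yields two distinct structures.
    rasp.execute(cur, "SELECT * from users where userid=1")
    rasp.execute(cur, "SELECT * from users where userid=2")      # same structure, no new rule
    rasp.execute(cur, "SELECT name from users where name='bob'")  # second rule
    over = rasp.learn(" ".join(tokenize("SELECT userid from users")))  # third: refused
    rasp.learning = False

    # Enforcement: learned structure passes, a tautology injection does not.
    benign_rows = rasp.execute(cur, "SELECT * from users where userid=1").fetchall()
    try:
        rasp.execute(cur, "SELECT * from users where userid=1 OR 1=1")
        blocked = False
    except PermissionError:
        blocked = True
    return {"rules": rasp.rule_count(), "over_threshold_learned": over,
            "benign_rows": benign_rows, "injection_blocked": blocked}


if __name__ == "__main__":
    print(tokenize("SELECT * from users where userid=1"))
    print(demo())
```

Structure matching on token types is what lets the learned rule for `userid=1` also cover `userid=2`, while the injected `OR 1=1` changes the token sequence and is rejected; the trade-off a practitioner should note is that any legitimate query shape not seen during learning (or seen only after the threshold) is rejected the same way, so the threshold of 2 is a demo setting, not a production one.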

Demo Video


Credits:

Support!

Email: umarfarookmech712@gmail.com | foolsofsecur1ty@gmail.com for more details.
Youtube: FOS
Blog: FOS

Useful links:

  1. Ajin Abraham
  2. Kali
  3. Debuggex
  4. Vulnerable Tornado App
  5. Sqreen