• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • About Darknet
  • Hacking Tools
  • Popular Posts
  • Darknet Archives
  • Contact Darknet
    • Advertise
    • Submit a Tool
Darknet – Hacking Tools, Hacker News & Cyber Security

Darknet - Hacking Tools, Hacker News & Cyber Security

Darknet is your best source for the latest hacking tools, hacker news, cyber security best practices, ethical hacking & pen-testing.

CORE GRASP – PHP Web Application Protection Software

October 23, 2007

Views: 4,585

[ad]

CORE GRASP for PHP is a web-application protection software aimed at detecting and blocking injection vulnerabilities and privacy violations.

As mentioned during its presentation at Black Hat USA 2007, GRASP is being released as open source under the Apache 2.0 license.

The present implementation protects PHP 5.2.3 against SQL-injection attacks for the MySQL engine, it can be installed with almost the same effort as the PHP engine, both in Unix and Windows systems, and protection is immediate with any PHP web application running in the protected server.

CORE GRASP works by enhancing the PHP execution engine (VM) to permit byte-level taint tracking and analysis for all the user-controlled or otherwise untrustable variables of the web application. Tainted bytes are then tracked and their taint marks propagated throughout the web application’s runtime.

Whenever the web application tries to interact with an DB backend using SQL statements that contain tainted bytes, GRASP analyzes the statment and detects and prevents attacks or abnormal
actions.

CORE GRASP was developed by CoreLabs, the research unit of Core Security Technologies. At CoreLabs, we plan to improve the tool and include new protections shortly. However, the invitation to collaborate with the project is open. If you would like to collaborate, please go to the GRASP website and subscribe to the mailing list.

The documentation for CORE GRASP is available here and you can download it here:

CORE GRASP download page

Or you can read more here.

Share
Tweet
Share
Buffer
WhatsApp
Email
0 Shares

Filed Under: Countermeasures, Security Software, Web Hacking Tagged With: mysql security, PHP, php-hacking, php-security, sql-injection, web-application-security



Reader Interactions

Comments

  1. fak3r says

    October 23, 2007 at 5:09 pm

    This is very cool, and sounds like a lighter weight solution than mod_security, which was really slowing down my PHP apps due to all of its rules. Grasp’s FAQ doesn’t compare the two, but much of the functionality sounds the same, plus they recommend running Grasp alongside Suhosin, which I already run. I’m going to give this a go then, the only thing I don’t like is that you have to manually patch the PHP source code, then build it, then install it. While I would like to spend more time with my server, I just can’t, and apt-get and Debian keep things so easy on the keeping things up to date front; something manually patching and building would break.

    Regardless, this, or at the very least Suhosin (Note: it’s on by default in OpenBSD’s PHP install, so that should tell you something) should be running on PHPs everywhere. While this seems alpha-y, I trust Suhosin with Prod work…I think this will join it soon too.

  2. Ofer Shezaf says

    October 24, 2007 at 8:35 am

    fak3r,

    mod_security provides a lot more coverage than GRASP which focuses on SQL injection and currently supports only mysql. It might be extended in the future for additional injection vulnerabilities, but does not provide full coverage for application security issues. Also keep in mind that mod_security is a swiss army knife enabling many differnt things and the actual protection stems from the rule set you use.

    As to your performance issues: what rules are you using for ModSecurity? the popular gotroot rules are way to big an inefficient, but on the other hand offer you alot the GRASP does not do provide you, such as blacklists.

    You may also want to look into the Core Rule Set (http://www.modsecurity.org/projects/rules), which is a much more optimized rule set.

    Ofer Shezaf
    ModSecurity Core Rule set project manager

  3. dre says

    October 25, 2007 at 1:08 am

    i would say that mod_security would solve most of these problems, but if you want to get even closer to the application – you might want to look at fortifysoftware defender or imperva securesphere web application firewall (or whatever happened to the determina memory firewall after vmware killed all their products).

    most of the appliance based web application firewalls are total crap. a few open-source projects are out there besides mod_security and core grasp – such as aqtronix webknight, dotnetids, which is based on php-ids and mod_anti_tamper, just to name a few

  4. dre says

    October 25, 2007 at 1:25 am

    hot off the press: someone on the webappsec mailing-list also posted a link to jwall.org which adds a few java tools to mod_security.

    the secure java framework at hdiv.org remains one of my current favorites (especially its support of struts2 and spring), especially along with the cookie revolver security framework

    a bit dated, but the web security gateway project is also very interesting

  5. Sandeep Nain says

    October 25, 2007 at 6:02 am

    @dre: no doubts web application firewall such as defender by fortify is a great product but expensive too…

    and i find mod_security, a better option as it provides more flexibility… and yes being open source.. it is much cheaper too

  6. Ofer Shezaf says

    October 25, 2007 at 7:22 am

    I might be biased but mod_security is probably a stronger and more flexible WAF than either. Just compare the rules language. And as said, for a fraction of the price (if zero can be labeled a fraction).

    It does not have the GUI and buzz of the others, but if you are a hard core technologist who loves configuration files, you will find nothing better.

    And if commercial products are already mentioned, we at Breach Security (www.breach.com) sell a commercial WAF based on mod_security with all the GUI and whistles you want. And still for far less.

  7. dre says

    October 25, 2007 at 11:27 pm

    when you’re a financial institution already paying $200k for every 100 developers to use fortifysoftware sca… and you’re still losing $30M a year or more due to internet-related fraud… i’m not sure that cost matters much when fortify will likely let you try defender for free until its optimally working. surely you understand that defender has applications hooks that mod_security can’t compete with. i would say the same is true for imperva.

    for mom and pop or everyday websites – sure – mod_security is free and fine to use

  8. dre says

    October 25, 2007 at 11:36 pm

    another nice feature of commercial web application firewalls is support for web application security scanners to create rules for the vulnerabilities it finds directly to the waf’s. i suppose that mod_security / breach count – but smaller projects like grasp might not get included…

    personally, i like the web application security scanner feature that submits findings as bugs to the development team’s issue tracking system.

  9. Sandeep Nain says

    October 26, 2007 at 12:24 am

    I must say that modSecurity is the best WAF i have come across so far and that is because of the flexibility and powerful realtime traffic monitoring and analysis it provides.

    it will also give excellent results on big commercial web applications if implemented correctly and not just everyday websites.

  10. fak3r says

    October 26, 2007 at 1:12 am

    @Ofer Shezaf
    As to your performance issues: what rules are you using for ModSecurity? the popular gotroot rules are way to big an inefficient, but on the other hand offer you alot the GRASP does not do provide you, such as blacklists.

    You must have been watching over my shoulder, this is exactly the problem. I will try again with the core rules only next.

    So, is there any way to get mod_security to work with Lighttpd?

    Thanks Ofer!

  11. dre says

    October 26, 2007 at 9:25 pm

    @fak3r: there are multiple ways of running mod_security – the only way it wouldn’t work with lighttpd is the apache loaded module that only works with a local installation of apache.

    probably the most common way deployed in your scenario (without apache) is in reverse-proxy mode

  12. fak3r says

    October 29, 2007 at 9:08 pm

    @Dre
    Thanks for the advice, I’ve moved to Lighty from Apache 2.x on Debian recently, and I run Varnish for a reverse proxy/http accelerator. Can you tell me how you’d run mod_security in this setup? Would Varnish intercept php requests and run them through mod_sec or would Lighty use it directly? If it’s easier and you want to help more my email is my username at my username dot com

    Thanks!

    fak3r.

  13. fazed says

    October 30, 2007 at 5:23 pm

    @Ofer Shezaf
    mod_security is actually very poor
    at security a system, although alot
    of sys admins rely on it there are many
    bypass’s to get around its restrictions.
    for example an attacker could base64 encode
    their GET vars and pass them to a script he
    has placed on the server which decodes it
    and mod_security does not detect it.
    it does mean that the attacker must
    first have that file on the webserver
    some how but after this the rest is
    easy to bypass (such as base path restrictions)

  14. dre says

    October 31, 2007 at 6:17 am

    @fak3r: read the last link i provided to “web security gateway” or just go to the mod_security website.

    there’s also tons of other resources such as http://www.apachesecurity.net, this PDF on APIDS with ModSecurity by Ivan Ristic. Ryan Barnett also wrote a great book that covered mod_security well, Preventing Web Attacks with Apache, which included some custom mod_security rules as well as linked to the now popular gotroot rulset.

  15. dre says

    October 31, 2007 at 6:18 am

    @fazed: hence why i was recommending fortifysoftware defender or imperva securesphere over mod_security – they go a little further by hooking into your application.

    of course, no WAF will ever stop many complex business logic flaws, session management issues – e.g. CSRF

  16. Ofer Shezaf says

    November 15, 2007 at 3:15 am

    @dre: Fortify hooks to the application. SecureSphere does not.

  17. Ofer Shezaf says

    November 15, 2007 at 3:22 am

    @fazed: while I would be the 1st to tell you that no security solution, including a WAF is perfect, I think that your example is not relevant.

    First, if this is the risk you forecast in your application, you can easily write a rule to prevent it – just detect base64 (detecting long strings without spaces would do the work). Saying that, avoiding use of HTTP as a hidden channel between two points controlled by the bad guys is very very difficult.

    The strength of ModSecurity is that it can do whatever you want it to. The Core Rule Set, which is one example of such a use, does provide a pretty good solution for the problems it tries to address within its design limitations, namely: minimum false positives and minimal configuration.

Primary Sidebar

Search Darknet

  • Email
  • Facebook
  • LinkedIn
  • RSS
  • Twitter

Advertise on Darknet

Latest Posts

Falco - Real-Time Threat Detection for Linux and Containers

Falco – Real-Time Threat Detection for Linux and Containers

Views: 294

Security visibility inside containers, Kubernetes, and cloud workloads remains among the hardest … ...More about Falco – Real-Time Threat Detection for Linux and Containers

Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance

Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance

Views: 590

As threat surfaces grow and attack sophistication increases, many security teams face the same … ...More about Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance

Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked)

Views: 555

With more businesses running Linux in production—whether in bare metal, VMs, or containers—the need … ...More about Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked)

SUDO_KILLER - Auditing Sudo Configurations for Privilege Escalation Paths

SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Views: 590

sudo is a powerful utility in Unix-like systems that allows permitted users to execute commands with … ...More about SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths

Bantam - Advanced PHP Backdoor Management Tool For Post Exploitation

Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

Views: 450

Bantam is a lightweight post-exploitation utility written in C# that includes advanced payload … ...More about Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation

AI-Powered Cybercrime in 2025 - The Dark Web’s New Arms Race

AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Views: 676

In 2025, the dark web isn't just a marketplace for illicit goods—it's a development lab. … ...More about AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race

Topics

  • Advertorial (28)
  • Apple (46)
  • Countermeasures (228)
  • Cryptography (82)
  • Database Hacking (89)
  • Events/Cons (7)
  • Exploits/Vulnerabilities (431)
  • Forensics (65)
  • GenAI (3)
  • Hacker Culture (8)
  • Hacking News (229)
  • Hacking Tools (684)
  • Hardware Hacking (82)
  • Legal Issues (179)
  • Linux Hacking (74)
  • Malware (238)
  • Networking Hacking Tools (352)
  • Password Cracking Tools (104)
  • Phishing (41)
  • Privacy (219)
  • Secure Coding (118)
  • Security Software (235)
  • Site News (51)
    • Authors (6)
  • Social Engineering (37)
  • Spammers & Scammers (76)
  • Stupid E-mails (6)
  • Telecomms Hacking (6)
  • UNIX Hacking (6)
  • Virology (6)
  • Web Hacking (384)
  • Windows Hacking (169)
  • Wireless Hacking (45)

Security Blogs

  • Dancho Danchev
  • F-Secure Weblog
  • Google Online Security
  • Graham Cluley
  • Internet Storm Center
  • Krebs on Security
  • Schneier on Security
  • TaoSecurity
  • Troy Hunt

Security Links

  • Exploits Database
  • Linux Security
  • Register – Security
  • SANS
  • Sec Lists
  • US CERT

Footer

Most Viewed Posts

  • Brutus Password Cracker – Download brutus-aet2.zip AET2 (2,297,500)
  • Darknet – Hacking Tools, Hacker News & Cyber Security (2,173,103)
  • Top 15 Security Utilities & Download Hacking Tools (2,096,637)
  • 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) (1,199,691)
  • Password List Download Best Word List – Most Common Passwords (933,521)
  • wwwhack 1.9 – wwwhack19.zip Web Hacking Software Free Download (776,169)
  • Hack Tools/Exploits (673,298)
  • Wep0ff – Wireless WEP Key Cracker Tool (530,182)

Search

Recent Posts

  • Falco – Real-Time Threat Detection for Linux and Containers May 19, 2025
  • Wazuh – Open Source Security Platform for Threat Detection, Visibility & Compliance May 16, 2025
  • Best Open Source HIDS Tools for Linux in 2025 (Compared & Ranked) May 14, 2025
  • SUDO_KILLER – Auditing Sudo Configurations for Privilege Escalation Paths May 12, 2025
  • Bantam – Advanced PHP Backdoor Management Tool For Post Exploitation May 9, 2025
  • AI-Powered Cybercrime in 2025 – The Dark Web’s New Arms Race May 7, 2025

Tags

apple botnets computer-security darknet Database Hacking ddos dos exploits fuzzing google hacking-networks hacking-websites hacking-windows hacking tool Information-Security information gathering Legal Issues malware microsoft network-security Network Hacking Password Cracking pen-testing penetration-testing Phishing Privacy Python scammers Security Security Software spam spammers sql-injection trojan trojans virus viruses vulnerabilities web-application-security web-security windows windows-security Windows Hacking worms XSS

Copyright © 1999–2025 Darknet All Rights Reserved · Privacy Policy