RASP.Net is a security research project. If you discover a vulnerability in the RASP itself (ironic, we know!), please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please email: [security.mullets599@passinbox.com] with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and provide a timeline for a fix.
| Version | Supported |
|---|---|
| 1.x | β Active development |
| < 1.0 | β PoC/Pre-release |
This is a Proof of Concept with inherent limitations:
-
Taint Tracking is v1/Windows-only: A native CLR profiler propagates a taint bit through
String.Concat(string, string)only; other string-building patterns (interpolation,StringBuilder,string.Format) are not yet tracked, and the profiler is Windows-only.- Impact: Obfuscated/indirect data flow outside the tracked pattern may bypass taint-based detection
- Mitigation: Defense-in-depth β detection also runs at the gRPC entrypoint and at each sink (SQL, XSS, SSRF, Path Traversal, Command Injection, Deserialization) independent of taint
-
Signature/Heuristic-Based Detection: Uses pattern and heuristic matching, not behavioral or ML-based analysis
- Impact: Novel/zero-day attacks may not be detected
- Mitigation: Regular pattern updates; sink-level ground-truth checks (e.g., path/executable allowlists) don't rely on pattern matching at all
-
Performance Overhead: Sink interception adds latency at each guarded call
- Impact: Measured overhead is indistinguishable from noise against the real I/O being guarded (file open, process spawn, DB round trip, outbound HTTP) under sustained load β see ADR 006 for methodology and numbers
- Mitigation: Benchmarking tools provided; audit mode (
BlockOnDetection = false) available if inspection cost is a concern for a given deployment
-
Deserialization guard is a type blocklist, wired to
System.Text.Jsononly: it checks deserialized types against a curated list of ~12 known gadget-chain types, and onlyRasp.Instrumentation.SystemTextJson'sJsonTypeInfomodifier calls it β there's no hook forBinaryFormatter, Json.NET withTypeNameHandling,DataContractSerializer, orLosFormatter- Impact: A blocklist is bypassable by any gadget type not on the list (e.g. most of
ysoserial.net's catalog); the other serializers listed above have no coverage at all if used - Mitigation: Don't use
BinaryFormatter(obsolete/removed in modern .NET) orTypeNameHandling.All-style polymorphic deserialization of untrusted input regardless of RASP; the architecturally correct fix β allowlist enforcement via a customSerializationBinderβ is listed in ADR 006 Phase A but not yet implemented
- Impact: A blocklist is bypassable by any gadget type not on the list (e.g. most of
- β NoSQL Injection (MongoDB, Cosmos DB)
- β LDAP Injection
- β XML External Entity (XXE)
- β Server-Side Template Injection (SSTI)
SQL Injection, XSS, SSRF, Path Traversal, Command Injection, and Insecure Deserialization all have dedicated sink-level guards; see ROADMAP.md for the current feature matrix and per-sink status.
If you're deploying RASP.Net in a test/production environment:
RASP is not a replacement for:
- Input validation at API boundaries
- Parameterized queries (use EF Core correctly!)
- Web Application Firewalls (WAF)
- Network segmentation
Every guard blocks by throwing Rasp.Core.Exceptions.RaspSecurityException (deliberately not
derived from DbException, so EF Core doesn't treat a block as a transient fault and retry it).
That also means the block only takes effect if the exception is allowed to propagate: a broad
catch (Exception) around a query, file operation, or process call in application code will
silently swallow the block and let the request continue. This is an inherent property of any
throw-to-block RASP, not something RASP.Net can enforce from inside the process β treat "don't
catch RaspSecurityException" as a deployment requirement, the same way you'd treat "don't catch
OperationCanceledException and continue" for cancellation.
AddRasp reads options from configuration, not a delegate. In appsettings.json:
{
"Rasp": {
"BlockOnDetection": true,
"EnableMetrics": true
}
}builder.Services.AddRasp(builder.Configuration);Set BlockOnDetection (and the per-engine BlockOnAdoNetDetection / BlockOnSsrfDetection /
BlockOnRuntimePatchingDetection) to false for audit/monitor-only mode. See
RaspOptions for the full set of options.
Warning: Metrics/logging emitted at detection points may include the offending payload snippet. Ensure logs are secured.
AllowedFileRoots and AllowedProcesses gate the Phase B runtime-patching guards
(Path Traversal / Command Injection). Note the defaults are asymmetric by design: an empty
AllowedFileRoots fails open (no path check), while an empty AllowedProcesses fails
closed (no process may start) β see the XML docs on those properties for the reasoning.
{
"Rasp": {
"AllowedFileRoots": ["/var/app/data"],
"AllowedProcesses": ["/usr/bin/git"]
}
}RASP.Net is not yet published to NuGet.org β build and reference the packages from source, or
use the local packing scripts (scripts/pack-local.ps1 / .sh) described in
CHEATSHEET.md. See ROADMAP.md for NuGet publishing status.
The examples below illustrate the report format we're looking for (issue β repro β suggested fix), not open vulnerabilities. Example 1 describes a gap that has since been closed β the XSS engine now multi-pass decodes URL encoding, HTML entities, and Unicode escapes before pattern matching (see ADR 005) β kept here as a template for what a good report looks like.
Vulnerability: URL-encoded payloads bypassed inspection because decoding happened after pattern matching instead of before.
payload = urllib.parse.quote("' OR '1'='1")Fix: Decode (URL, HTML entity, Unicode escape) before pattern matching, bounded by a decode-pass budget to avoid ReDoS-style amplification.
Vulnerability: Complex regex causes ReDoS
// Bad: Catastrophic backtracking
Regex.Match(input, @"(a+)+b");Fix: Use RegexOptions.NonBacktracking (. NET 7+)
Security researchers who responsibly disclose vulnerabilities will be recognized here (with permission).
| Researcher | Vulnerability | Severity | Date |
|---|---|---|---|
| None yet | - | - | - |
Remember: This is an educational project. Use in production at your own risk. π