TLDR:
0-day attacks, which exploit vulnerabilities unknown to software vendors, pose a significant cyber threat. Traditional web application firewalls (WAFs) often fall short of preventing these attacks and require frequent patching. Runtime Application Self-Protection (RASP) takes a different approach: rather than relying on written rules, it actively monitors application behaviour through native integrations, leading to improved protection against 0-days.
The objective when building Aikido Zen for NodeJS was to allow developers to retrofit their apps and protect them by default against common classes of injection attacks such as SQL injection, shell injection, path traversal and SSRF. The developer should be protected not only against mistakes in their own code, but also against unknown flaws in the libraries they use.
To assess its effectiveness, we evaluated Zen against a number of CVEs. This whitepaper explains the approach, grades the effectiveness and lays out trade-offs and limitations. For this paper, the team has identified 17 vulnerabilities, of which 11 were blocked by Zen without any prior knowledge of the specific exploit.
Introduction
WAFs have always been a last line of defence against 0-days: they rely on a combination of luck and recurring patterns to catch 0-days during the “zero-day attack” window (as shown below). Only after a vulnerability has been disclosed publicly (t0) can WAF rules be updated to stop the new attack.

A WAF inspects inbound request data (headers, body, etc.) before it reaches your application. It scans the data for suspicious patterns (SQL injection, path traversal) and blocks the request or strips the suspicious data. Although effective, this approach tends to create many false positives, as seen in research by System Weakness.

If you have 10,000 customers, the best solution could still block 56 of them.
Aikido Zen takes a fundamentally different approach to web application security. Instead of relying solely on signatures and known patterns, it focuses on understanding and mitigating attack behaviors on a deeper application level.
The Aikido Zen Approach
By monitoring and intercepting malicious activity at the point where it attempts to access or manipulate critical resources, Aikido Zen significantly reduces false positives: it only blocks an attack when the attack actually interacts with the underlying systems.
This is accomplished by scrutinizing several types of interaction with the underlying environment:
- Database Interactions: Monitoring calls made to database libraries, both SQL and NoSQL, allows for the detection of unauthorized queries, data exfiltration attempts, or injection attacks. By analyzing the content and structure of these database calls, malicious activity can be identified and blocked before it causes damage.
- External Calls: Monitoring external calls made through HTTP, HTTPS, or other protocols can reveal attempts to communicate with command-and-control servers, download malware, or exfiltrate data. By inspecting the content and destination of these calls, malicious traffic can be identified and blocked.
- File System Access and Shell Execution: Monitoring file system access and shell execution can detect attempts to read, write, or modify sensitive files, or to execute malicious commands. By analyzing the file paths, permissions, and operations involved in these accesses, unauthorized activity can be identified and blocked.
- Server-Side Request Forgery (SSRF) Attempts: SSRF attacks can be devastating, allowing attackers to leverage your server's trust to access internal resources or even interact with external services on its behalf. By closely monitoring the destination and nature of outbound requests originating from your servers, Zen is able to block SSRF attacks.
By focusing on these critical points of interaction with the underlying systems, the Zen approach allows for more precise and effective detection and blocking of attacks, while minimizing the number of false positives that can disrupt legitimate activity. This strategy also provides valuable insights into the nature and targets of attacks, which can be used to improve overall security posture.
Research
As a continuous effort, the Aikido Zen team runs tests against recently discovered vulnerabilities to measure the effectiveness of Aikido Zen. The team identifies new 0-days, creates a reproducible testing environment, validates the vulnerability with a successful payload injection, and then installs Aikido Zen to verify that the attack is blocked.
For this paper the team has identified 17 vulnerabilities, of which 11 were blocked by Zen and 6 were not, for a variety of reasons.
The results of our research can be found below, and all testing environments, exploits and resources needed for reproduction have been open-sourced.
Blocked
Not Blocked
Aikido is continuously researching and expanding Aikido Zen's zero-day protection with new framework support and enhanced algorithms.
A core principle is maintaining minimal performance impact (≤ 5%) for continuous protection. While this prevents us from immediately implementing certain resource-intensive protection algorithms (which could increase request times by 2x-10x), we're actively developing alternative, efficient approaches.
Consider Aikido Zen an *additional* layer of protection, complementing Aikido's comprehensive reactive components like code scanning, API testing, and other robust security capabilities.
Conclusion
Aikido Zen is a major breakthrough in web application security. It offers strong protection against zero-day attacks without requiring constant patching by concentrating on attack behaviors and utilizing cutting-edge technologies. Aikido Zen offers a potential solution for ensuring the ongoing security of web applications as the threat landscape changes.