Skip to content
Home RASP Tools OpenRASP
OpenRASP

OpenRASP

DEPRECATED
Category: RASP
License: Free (Open-Source)
GitHub (2900★)
Visit Website →
Suphi Cankurt
Suphi Cankurt
AppSec Enthusiast
Updated February 21, 2026
1 min read
Key Takeaways
  • Most popular open-source RASP solution by Baidu with 2,900 GitHub stars and 623 forks; protects against SQL injection, command injection, XXE, SSRF, and deserialization attacks.
  • Supports Java (via Java Agent for Tomcat, JBoss, Jetty, WebLogic) and PHP applications with 1-4% performance overhead and plugin-based JavaScript detection logic.
  • Includes a cloud management console for centralized policy management, attack event visualization, and agent status monitoring.
  • Project appears inactive—last release (v1.3.7) was January 2022; consider actively maintained alternatives like Contrast Protect or Datadog ASM.

OpenRASP is the most popular open-source Runtime Application Self-Protection solution, developed and maintained by the Baidu security team with 3k GitHub stars and 623 forks.

GitHub: baidu/openrasp | Last Release: v1.3.7 (January 2022)

What is OpenRASP?

OpenRASP (Open-source Runtime Application Self-Protection) is a free, open-source security solution that protects applications from attacks at runtime.

It hooks into the application runtime to monitor and block malicious operations.

Unlike commercial RASP solutions, OpenRASP provides core protection capabilities without licensing costs, making it accessible for organizations of all sizes.

Key Features

Plugin-Based Detection

OpenRASP uses a plugin architecture for attack detection:

  • JavaScript plugins define detection logic
  • Easy to customize and extend
  • Community-contributed plugins available

Supported Attack Types

OpenRASP protects against:

  • SQL injection
  • Command injection
  • File operations attacks
  • XXE (XML External Entity)
  • SSRF (Server-Side Request Forgery)
  • Deserialization attacks

Cloud Management Console

OpenRASP includes a management console for:

  • Centralized policy management
  • Attack event visualization
  • Agent status monitoring
  • Report generation

How It Works

OpenRASP instruments the application runtime using Java Agent technology (for Java) or PHP extensions:

Application Runtime
    └── OpenRASP Agent
            ├── Hooks security-sensitive functions
            ├── Executes JavaScript detection plugins
            └── Blocks or logs malicious operations

Installation

Java Applications

Add the OpenRASP agent to your Java application:

# Download OpenRASP
wget https://github.com/baidu/openrasp/releases/latest/download/rasp-java.tar.gz
tar -xzf rasp-java.tar.gz

# Install to application
java -jar RaspInstall.jar -install /path/to/tomcat

PHP Applications

Install the PHP extension:

# Download the latest PHP release from GitHub Releases page
# https://github.com/baidu/openrasp/releases
wget https://github.com/baidu/openrasp/releases/download/v1.3.7/rasp-php-linux.tar.bz2
tar -xjf rasp-php-linux.tar.bz2

# Run the OpenRASP installer
php rasp-php-*/install.php -d /opt/rasp

Configuration

OpenRASP is configured via JSON files:

{
  "block": {
    "status_code": 302,
    "redirect_url": "/blocked.html"
  },
  "inject": {
    "urlprefix": "https://cdn.example.com/openrasp"
  }
}

Limitations

  • Currently supports Java and PHP only
  • Requires application restart for installation
  • Some performance overhead (typically 1-5%)
  • Active development primarily focused on Chinese documentation

When to Use OpenRASP

OpenRASP is ideal for organizations wanting open-source RASP protection for Java or PHP environments. Teams comfortable with self-hosted security tools and budget-conscious programs may find value, though the project’s inactivity since 2022 should be considered. For actively maintained alternatives, see Contrast Protect or Datadog ASM.

Note: Project appears inactive. Last release (v1.3.7) was January 2022.

Frequently Asked Questions

What is OpenRASP?
OpenRASP is the most popular open-source RASP solution, developed by Baidu’s security team with 3k GitHub stars. It hooks into application runtimes to monitor and block malicious operations.
Is OpenRASP free or commercial?
OpenRASP is free and open-source, providing core runtime protection capabilities without licensing costs.
Does OpenRASP block attacks automatically?
Yes. OpenRASP protects against SQL injection, command injection, XXE, SSRF, file operation attacks, and deserialization attacks using plugin-based detection logic.
Is OpenRASP still maintained?
The project appears inactive. The last release (v1.3.7) was in January 2022, and active development has slowed significantly.
What languages does OpenRASP support?
OpenRASP primarily supports Java and PHP applications, using Java Agent technology and PHP extensions respectively.
How we review tools Suggest an edit

Other RASP Tools

Imperva RASP
Imperva RASP

Combines with Imperva WAF

Contrast Protect
Contrast Protect

Application Detection and Response (ADR) Beyond RASP

Datadog Application Security
Datadog Application Security

APM-Integrated Runtime Protection

Dynatrace
Dynatrace

Full-Stack Observability with Built-in Security

Waratek
Waratek

Java Runtime Protection & Virtual Patching

MO
ModSecurity

Open-Source WAF Engine

See all RASP tools

Complement with DAST

Pair runtime protection with dynamic testing for broader coverage.

Burp Suite
Burp Suite

Web Application Pentesting Toolkit

Tenable Web App Scanning
Tenable Web App Scanning

Nessus-Powered Cloud DAST with Attack Surface Management

See all DAST tools

Learn More

What is SAST? What is DAST? What is IAST? What is RASP? SAST vs DAST vs IAST SAST vs SCA

Explore our Application Security Testing resource hub