[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: WAS Protect update
>> I'll send stuff I produce to the mailing list. My plan is to:
>>
>> 1. Produce another version of the "spec"
>> 2. Use it for the reference implementation
>> 3. Update the spec if necessary
>> 4. Document everything
>>
>> As far as mod_security/Apache is concerned, Protect will probably
>> be implemented as a wrapper around the existing functionality.

I've started to work on WAS Protect. I have attached my best attempt at the protection language. Before I go and make this into a formal specification I would like to hear your opinions. Now is the time to make changes! :)

To summarize the changes: my previous effort was ambitious, maybe too ambitious. For most of my language constructs I was unable to find use cases, so I decided to simplify. I did that and I like the result. The examples are at the bottom of the file; I think they demonstrate how easy it can be to protect an application. At the same time, I think the format allows for extensions, should we decide to make them in the future.

There is no meta-data here. Each protection recipe relates to a WAS vulnerability. The role of a recipe is to inspect the variables at one of four (practically three) processing stages, and invoke an error/warning/notice where appropriate.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
RULE SYNTAX
-----------

<recipe id="..."
        applyOn="<processing stage>"
        preprocess="<list of normalization functions>"
        resource="<resource>" >

    <rule type="<rule type>"
          what="<variable list>"
          pattern="..."
          action="..." />

    <ruleSet applyOn="..."
             action="<action>"
             condition="<condition>"
             preprocess="..." >
        <rule ... />
        <rule ... />
    </ruleSet>

</recipe>

resource = path to the file on disk, relative to the home folder of the
           application, e.g. "/admin/change_password.php"; possibly apply
           to all resources in a folder with "/admin/*"?

action = error, warning, notice, break, allow

rule type = regex, nregex, strstr, eq, neq, gt, lt, gte, lte, <, >, <=, >=,
            ipeq, nipeq, exists, nexists

condition = and, or

normalization functions = none, default, or a list of names (as below)

NORMALIZATION FUNCTIONS
-----------------------

decode_url_encoded
decode_url_encoded_twice
decode_escaped
decode_unicode
decode_iis_unicode
compress_whitespace
compress_slash
convert_backslash
remove_self_references

PROCESSING STAGES
-----------------

1. After request headers are read
2. After request body is read (default)
3. After response is ready
4. After response is sent

OBJECTS
-------

request
    server_software
    server_name
    server_port
    remote_addr
    remote_host
    request_line
    path_info
    path_translated
    script_name
    auth_type
    remote_user
    remote_ident
    sessionid
    body
    method
    uri
    version
    query_string
    content_length
    content_type
    headers[]
        name
        value
    params[]
        name
        value
    cookies[]
        name
        value
    files[]
        name
        size
        tmp_name

response
    status_line
    status
    headers[]
        name
        value
    body
    content_length
    content_type

EXAMPLES
--------

<recipe id="was#12345">
    <!-- Allow admin login from the local network only -->
    <ruleSet condition="and">
        <rule what="request.params.username" type="eq" pattern="admin" />
        <rule what="request.remote_addr" type="ipeq" pattern="192.168.0.9/24" />
    </ruleSet>
</recipe>

<recipe id="was#12345">
    <!-- Warn for potential XSS attacks -->
    <rule
        <!-- check all fields in the request except those whose names begin with "html_" -->
        what="request.params.*, !request.params.html_*"
        type="regex"
        pattern="<[[:space:]]*>"
        action="warning" />
</recipe>

<recipe id="was#12345">
    <!-- Allow no more than ten parameters -->
    <rule
        <!-- accesses the property size of the collection -->
        what="request.params#size"
        type="gt"
        pattern="10" />
</recipe>

<recipe id="was#12345">
    <!-- Do not accept files longer than one MB -->
    <rule
        <!-- accesses the size of each uploaded file -->
        what="request.params.files.*.size"
        type="gt"
        pattern="1048576" />
</recipe>
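The following is an added example, not code from the attachment or from ModSecurity: a small Python evaluator for the draft format above, written to see how the pieces (processing stages, preprocess normalization, variable lists with "*" wildcards and "!" exclusions, the "#size" property, ruleSet conditions and actions) fit together on a constructed request. Everything not stated in the draft is an assumption of this example: the nested-dict request layout, the default action "error", "default" preprocessing meaning decode_url_encoded alone, "break" and "allow" both stopping further processing, and the subset of rule types and normalization functions that is implemented (resource matching, exists/nexists and the remaining normalizers are left out). Because Python's re has no POSIX classes, the XSS pattern is written as "&lt;\s*script" rather than the draft's "<[[:space:]]*>", with "<" escaped and the comments moved outside the tags so the recipes are well-formed XML. The first recipe is also written as the violation (an admin login from outside the network, nipeq) rather than the draft's allowed-case form, so that it produces an error.

```python
# Added example, not ModSecurity code: a toy evaluator for the draft recipe format. The
# request dict layout, default action "error" and break/allow handling are assumptions.
import ipaddress
import re
import urllib.parse
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NORMALIZE = {  # two of the normalization functions named in the draft
    "decode_url_encoded": urllib.parse.unquote,
    "decode_url_encoded_twice": lambda s: urllib.parse.unquote(urllib.parse.unquote(s)),
}
DEFAULT_NORMALIZE = ["decode_url_encoded"]  # assumed meaning of preprocess="default"

def compare(rtype, value, pattern):
    """Apply one rule type from the draft to one normalized variable value."""
    if rtype in ("regex", "nregex"):
        return (re.search(pattern, value) is not None) == (rtype == "regex")
    if rtype in ("eq", "neq"):
        return (value == pattern) == (rtype == "eq")
    if rtype in ("ipeq", "nipeq"):
        # strict=False is what lets the draft's "192.168.0.9/24" parse (as 192.168.0.0/24)
        inside = ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        return inside == (rtype == "ipeq")
    sym = {"gt": ">", "lt": "<", "gte": ">=", "lte": "<="}.get(rtype, rtype)
    v, p = float(value), float(pattern)
    return {">": v > p, "<": v < p, ">=": v >= p, "<=": v <= p}[sym]

def flatten(obj, prefix=""):  # nested dicts -> {"request.params.username": "admin", ...}
    if not isinstance(obj, dict):
        return {prefix: str(obj)}
    return {k: v for key, val in obj.items()
            for k, v in flatten(val, f"{prefix}.{key}" if prefix else key).items()}

def select(what, ctx):
    """Resolve what="...": dotted names, '*' wildcards, '!' exclusions and '#size'."""
    flat, chosen, excluded = flatten(ctx), {}, set()
    for item in (s.strip() for s in what.split(",")):
        negate, item = item.startswith("!"), item.lstrip("!")
        if "#" in item:  # collection property; only "size" is defined in the draft
            node = ctx
            for part in item.split("#", 1)[0].split("."):
                node = node.get(part, {})
            chosen[item] = str(len(node))
        elif negate:
            excluded.update(k for k in flat if fnmatchcase(k, item))
        else:
            chosen.update((k, v) for k, v in flat.items() if fnmatchcase(k, item))
    return {k: v for k, v in chosen.items() if k not in excluded}

def rule_fires(rule, ctx, norm):
    """A rule fires if any selected variable satisfies it after normalization."""
    for value in select(rule.get("what", ""), ctx).values():
        for name in norm:
            value = NORMALIZE[name](value)
        if compare(rule.get("type", "regex"), value, rule.get("pattern", "")):
            return True
    return False

def run(recipes_xml, ctx, stage=2):
    """Evaluate the recipes for one processing stage; return [(recipe id, action), ...]."""
    events = []
    for recipe in ET.fromstring(recipes_xml).iter("recipe"):
        if int(recipe.get("applyOn", "2")) != stage:
            continue
        spec = recipe.get("preprocess", "default")
        norm = {"none": [], "default": DEFAULT_NORMALIZE}.get(spec, [n.strip() for n in spec.split(",")])
        for child in recipe:  # ElementTree drops the XML comments, leaving rule/ruleSet
            if child.tag.lower() == "ruleset":  # the draft writes both ruleSet and ruleset
                hits = [rule_fires(r, ctx, norm) for r in child.iter("rule")]
                fired = all(hits) if child.get("condition", "and") == "and" else any(hits)
            else:
                fired = rule_fires(child, ctx, norm)
            if fired:
                action = child.get("action", "error")
                events.append((recipe.get("id"), action))
                if action in ("break", "allow"):  # assumed: both stop further processing
                    return events
    return events

RECIPES = r"""<recipes> <!-- constructed sample; comments kept outside the tags -->
  <recipe id="was#1"> <!-- admin may log in from the local network only -->
    <ruleSet condition="and" action="error">
      <rule what="request.params.username" type="eq" pattern="admin" />
      <rule what="request.remote_addr" type="nipeq" pattern="192.168.0.9/24" />
    </ruleSet>
  </recipe>
  <recipe id="was#2"> <!-- XSS warning for every parameter except the html_* ones -->
    <rule what="request.params.*, !request.params.html_*" type="regex"
          pattern="&lt;\s*script" action="warning" />
  </recipe>
  <recipe id="was#3"> <rule what="request.params#size" type="gt" pattern="10" /> </recipe>
  <recipe id="was#4"> <rule what="request.files.*.size" type="gt" pattern="1048576" /> </recipe>
</recipes>"""

REQUEST = {"request": {  # constructed request, laid out after the draft's object list
    "remote_addr": "10.1.2.3",
    "params": {"username": "admin", "comment": "%3Cscript%3Ealert(1)", "html_body": "<b>x</b>"},
    "files": {"upload": {"name": "x.bin", "size": "2097152"}}}}
```

With this request, run(RECIPES, REQUEST) returns [("was#1", "error"), ("was#2", "warning"), ("was#4", "error")]: the login ruleSet fires because 10.1.2.3 lies outside 192.168.0.0/24, the XSS rule fires only because decode_url_encoded turns %3Cscript%3E into <script> before the regex sees it (with preprocess="none" it would stay quiet, which is the point of the preprocess attribute), and the parameter-count rule stays quiet because "#size" evaluates to 3. Calling run with stage=3 returns nothing, since every recipe defaults to stage 2.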