Re: [WEB SECURITY] Allow only certain urls to site
- From: "Colin Watson" <colin@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Allow only certain urls to site
- Date: Thu, 10 Jan 2008 09:47:51 +0000
Gleb
My thoughts on this below.
> Could someone please share their own experience or thoughts about allowing
> only a limited set of URLs on a site? I mean that access is denied to any
> URL which is not in the list. The number of regexps is minimal.
This is a very valid control. There was an informal discussion at an OWASP London chapter meeting last year about 'greedy web servers' concerning this issue.
> The list of allowed URLs can be found by logging user requests during
> functionality testing.
Yes, or using a web application scanning tool, or preferably through the development processes to define all the allowable entry points to an application.
> Even more, we can try to determine only the allowed set of GET and POST
> parameters for each URL and prohibit other variants.
>
> The question is - does it really make sense for someone?
> How much work overhead falls on system administrators and developers?
> In which cases is it better to use a separate server for filtering (with
> mod_security perhaps), or to implement some ACLs on the working instance?
It does make sense if preventing invalid (non-existent, unacceptable or malformed) URLs from reaching the web/application servers reduces the resources needed to deal with these requests. Some parts of a web application may require intensive activities, such as extensive database queries, or tie threads up for a long time, such as accessing external resources or perhaps building charts or converting video formats. If these are requested inappropriately or without the correct parameters, they will reduce the performance of the application.
Generally, developers 'should' know all the entry points, and this must be maintained in the system's documentation. Then, there is the task of configuring this on the server/firewalls/other network devices. Where practical, it would be better to have this filtering undertaken on a separate device upstream, so that the web/application servers are left to deal with valid requests. However, the application code or something like ModSecurity, mod_Rewrite or ISAPI_Rewrite could be used on a server itself, but I think your question about overhead would be even more pertinent.
In terms of checking the request method, that would seem reasonable. Also perhaps defining mandatory and optional parameters. But this can become tricky if you actually want to give users friendly messages about say missing parameters ("you haven't agreed to the terms - please tick the box"). You would need to allow this, and then trap it in the application logic. Similarly, regex could define acceptable types or values for parameters, but again it would be more usable if this is handled by the application so that better user feedback can be provided ("sorry, that doesn't appear to be a valid email address format").
And it would be important to log and monitor exceptions to make sure you are not preventing access to valid resources, nor presenting invalid links, and to look out for potential security incidents. A user who requested a number of invalid URLs and then also had several failed login attempts may be more risky than someone who had several failed logins alone. How are these data merged and monitored?
> Has somebody researched the performance penalties of such filtering with a
> huge set of ACLs on different servers?
If you built these rules into upstream devices such as firewalls or traffic monitors, the overall effect would be minimal. It depends on how loaded the application is already, how long requests take to process and the types of invalid URLs that are being requested. If removing invalid URLs takes some resource, but allows the web/application servers to release other resources or perform faster, it could be justified - the costs and values would need to be determined.
In terms of security testing, you would still want to check the application with and without these upstream controls since they could mask other problems such as business logic flaws.
Regards
Colin Watson
Technical Director
Watson Hall Ltd
http://www.watsonhall.com
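As an added illustration of the approach discussed in this message (an entry-point allow list that also checks the request method and the mandatory/optional parameters per URL, and logs the denials alongside failed logins so they can be reviewed together), here is a small Python filter. It is example code written for this archive page, not code from Colin Watson, Watson Hall or the list. The allow-list entries, the sample request log, the list of failed logins and the risk-score weights are all constructed for the example; a real list would come from the application's documentation or from logging during functional testing, as the thread suggests.

```python
"""Allow-list request filter plus exception monitoring (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Entry-point allow list. CONSTRUCTED for this example.
# Each tuple: (path regex, permitted methods, mandatory params, optional params)
ALLOWED_ENTRY_POINTS = [
    (re.compile(r"^/$"),                    {"GET"},         set(),     set()),
    (re.compile(r"^/login$"),               {"GET", "POST"}, set(),     {"username", "password"}),
    (re.compile(r"^/search$"),              {"GET"},         {"q"},     {"page"}),
    (re.compile(r"^/report/\d{1,8}\.pdf$"), {"GET"},         set(),     set()),
    # "terms" is deliberately optional at the filter so the application can
    # tell the user "you haven't agreed to the terms" instead of a bare denial.
    (re.compile(r"^/register$"),            {"POST"},        {"email"}, {"terms"}),
]


def check_request(method: str, url: str,
                  form: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly listed is denied."""
    parts = urlsplit(url)
    path = parts.path or "/"
    # Parameter names from the query string plus any form fields supplied.
    supplied = set(parse_qs(parts.query, keep_blank_values=True)) | set(form or {})
    for pattern, methods, mandatory, optional in ALLOWED_ENTRY_POINTS:
        if not pattern.fullmatch(path):
            continue
        if method.upper() not in methods:
            return False, f"method {method} not allowed for {path}"
        missing = mandatory - supplied
        if missing:
            return False, f"missing mandatory parameter(s): {sorted(missing)}"
        extra = supplied - mandatory - optional
        if extra:
            return False, f"unexpected parameter(s): {sorted(extra)}"
        return True, "ok"
    return False, f"no entry point matches {path}"


class ExceptionMonitor:
    """Keeps filter denials and failed logins per client in one place so the
    two can be reviewed together rather than in separate logs."""

    def __init__(self) -> None:
        self.denied: Dict[str, List[str]] = defaultdict(list)
        self.failed_logins: Dict[str, int] = defaultdict(int)

    def record_denial(self, client: str, reason: str) -> None:
        self.denied[client].append(reason)

    def record_failed_login(self, client: str) -> None:
        self.failed_logins[client] += 1

    def risk(self, client: str) -> int:
        """Additive score (weights are arbitrary, chosen for the example):
        1 per denial, 2 per failed login, +5 when a client shows both."""
        d = len(self.denied.get(client, []))
        f = self.failed_logins.get(client, 0)
        return d + 2 * f + (5 if d and f else 0)


def replay(request_log: List[str], auth_failures: List[str]) -> ExceptionMonitor:
    """Run constructed log lines ("client METHOD url k=v ...") through the filter."""
    mon = ExceptionMonitor()
    for line in request_log:
        client, method, url, *form_tokens = line.split()
        form = dict(tok.split("=", 1) for tok in form_tokens)
        allowed, reason = check_request(method, url, form)
        if not allowed:
            mon.record_denial(client, reason)
    for client in auth_failures:
        mon.record_failed_login(client)
    return mon


# Constructed sample traffic and a constructed list of failed-login sources.
SAMPLE_LOG = [
    "10.0.0.5 GET /",
    "10.0.0.5 GET /search?q=test&page=2",
    "10.0.0.5 POST /register email=a@example.com",
    "10.0.0.5 POST /login username=gleb password=x",
    "10.0.0.9 GET /admin",
    "10.0.0.9 GET /report/latest.pdf",
    "10.0.0.9 GET /search?q=x&debug=1",
    "10.0.0.9 DELETE /search?q=x",
    "10.0.0.9 POST /login username=admin password=y",
]
SAMPLE_FAILED_LOGINS = ["10.0.0.9", "10.0.0.9", "10.0.0.5"]

if __name__ == "__main__":
    monitor = replay(SAMPLE_LOG, SAMPLE_FAILED_LOGINS)
    for client in sorted(set(monitor.denied) | set(monitor.failed_logins)):
        print(client, "risk", monitor.risk(client), monitor.denied.get(client, []))
```

The `risk` score is only a sketch of the merging Colin asks about: a client with both denied URLs and failed logins scores well above one with failed logins alone. Reviewing the denial reasons across many clients is also how you catch the other failure mode he mentions, a valid entry point that is missing from the list.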
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org