
Re: [WEB SECURITY] Allow only certain urls to site



Hi Gleb, hi list!

Gleb Paharenko wrote:
> Could someone please share their own experience or thoughts about allowing
> only a limited set of URLs on a site, i.e. access is denied to any URL
> which is not in the list. The number of regexps is minimal.
> The list of allowed URLs can be found by logging user requests during
> functionality testing.
> Even more, we can try to determine the allowed set of GET and POST
> parameters for each URL and prohibit other variants.
>
> The question is: does it really make sense for someone?
> How much work overhead falls on system administrators and developers?
> In which cases is it better to use a separate server for filtering (with
> mod_security perhaps), or to implement some ACLs on the working instance?
> Has anybody researched the performance penalties of such filtering with a
> huge set of ACLs on different servers?

I wrote a tool for extracting such a ruleset automatically, that is, a static description of URLs, valid
methods and parameters. Parameters are checked against regular expressions. The whole thing
is Java-based and relies on a simple XML-style description of the application. Such rulesets can
either be extracted from simple access-log files (which lack the parameters in the request body) or
from the more detailed audit log as provided by the ModSecurity module. (I call those XML
descriptions the application's profile.) I also wrote a small Java editor for creating such profiles
manually. The XML is later transformed into a ModSecurity ruleset using XSLT.


I evaluated this on a few applications in comparison with the core rules provided by Breach
Security and the gotroot rulesets. My conclusion is that parameter validation with regular
expressions works well for simple parameters (integers, session IDs, etc.) but is clearly outperformed
by pattern-matching approaches like the core rules. This is obviously not surprising. However,
having ModSecurity evaluate a big set of patterns against only these kinds of simple parameters
results in wasted performance (you will just not find any SQL injection in an ID parameter).


There are two things I experienced from this: adjusting your pattern matching to the relevant
parts of your application will surely improve your WAF performance, as simple parameters can be
validated by ONE simple regex (white-listing).
The other thing to note is that the presentation of such a profile makes it easy for a developer to identify
malicious requests that are the result of invalid requests during the generation phase of the profile.
I presented a profile generated for a web-shopping application to the app developer, who then
quickly spotted two malicious parameter types that were caused by an error in the application.


Thus, in my view there is a strong need for building an ACL-style model (or positive security model) of
an application, though this will not solve all issues (injection attacks are hard to detect with
a whitelisting approach).
Another tool for manually creating ModSecurity rulesets is REMO (http://remo.netnea.com).


Regards,
   Chris
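
The profile-extraction approach Chris describes, as an added example that is neither his tool nor anything from the list: it reads constructed access-log lines, records the values seen for each parameter of each URL, assigns every parameter the strictest of three assumed value classes (integer, id-like token, plain text), and renders the result as ModSecurity 2.x whitelist rules. The log lines, paths, regex classes and rule ids are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format); not taken from any real server.
ACCESS_LOG = """\
192.0.2.10 - - [10/Oct/2008:13:55:36 +0000] "GET /shop/item?id=42 HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2008:13:55:40 +0000] "GET /shop/item?id=7&ref=home HTTP/1.1" 200 498
192.0.2.12 - - [10/Oct/2008:13:56:05 +0000] "GET /shop/search?q=red+shoes&page=2 HTTP/1.1" 200 1024
192.0.2.12 - - [10/Oct/2008:13:56:09 +0000] "POST /shop/cart HTTP/1.1" 302 0
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d\.\d"')

# Assumed value classes from strictest to loosest: integer, id-like token, plain text.
VALUE_CLASSES = [("int", r"^[0-9]{1,10}$"),
                 ("token", r"^[A-Za-z0-9_-]{1,64}$"),
                 ("text", r"^[A-Za-z0-9 _.,-]{1,128}$")]

def build_profile(log_text):
    """Map each request path to the set of values observed for each query parameter."""
    profile = defaultdict(lambda: defaultdict(set))
    for m in REQUEST_RE.finditer(log_text):  # one match per request line
        url = urlsplit(m.group("target"))
        entry = profile[url.path]  # a path with no parameters is still whitelisted
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            entry[name].add(value)
    return profile

def classify(values):
    for label, rx in VALUE_CLASSES:  # first class that every observed value satisfies
        if all(re.match(rx, v) for v in values):
            return label, rx
    return None  # no whitelist class fits; leave this parameter to pattern-matching rules

def emit_modsecurity(profile, first_id=10000):
    """ModSecurity 2.x rules: deny unknown paths, unknown parameter names, and off-class values."""
    def chain(rid, path, check):  # deny fires only when the URL matches AND the chained check matches
        return (f'SecRule REQUEST_FILENAME "@streq {path}" "id:{rid},phase:2,deny,status:403,chain"\n'
                f'    {check}')
    paths = "|".join(re.escape(p) for p in sorted(profile))
    rules = [f'SecRule REQUEST_FILENAME "!@rx ^(?:{paths})$" "id:{first_id},phase:1,deny,status:403"']
    for path in sorted(profile):
        params = profile[path]
        names = "|".join(re.escape(n) for n in sorted(params)) or "(?!x)x"  # (?!x)x matches no name at all
        rules.append(chain(first_id + len(rules), path, f'SecRule ARGS_NAMES "!@rx ^(?:{names})$"'))
        for name in sorted(params):
            cls = classify(params[name])
            if cls:  # parameters with no fitting class stay subject to the generic pattern rules
                rules.append(chain(first_id + len(rules), path, f'SecRule ARGS:{name} "!@rx {cls[1]}"'))
    return rules
```

Parameters whose values fit none of the classes get no value rule and remain covered by whatever pattern-matching ruleset is loaded alongside, which is the split between cheap whitelisting and expensive signature checks that the message argues for.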

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org