[WEB SECURITY] Allow only certain urls to site
chris at jwall.org
Thu Jan 10 14:28:55 EST 2008
Hi Gleb, hi list!
Gleb Paharenko wrote:
> Please could someone share their own experience or thoughts about allowing
> on a site only a limited set of
> urls. I mean that access is denied to any url which is not in the list.
> The number of regexps is minimal.
> The list of allowed URLs can be found by logging user requests during
> functionality testing.
> Even more, we can try to determine only the allowed set of GET and POST
> parameters for each URL and prohibit other variants.
> The question is - does it really make sense for someone?
> How much work overhead falls on system administrators and developers?
> In which cases is it better to use a separate server for filtering (with
> mod_security perhaps), or implement some ACLs on the working instance?
> Has somebody researched performance penalties of such filtering with a
> huge set of ACLs on different servers?
I wrote a tool for extracting such a ruleset automatically, that is, a static description of URLs, valid methods and parameters. Parameters are checked against regular expressions. The whole thing is Java-based and relies on a simple XML-style description of the application. Such rulesets can either be extracted from simple access-log files (which lack parameters in the request-body) or the more detailed audit-log as provided by the ModSecurity module. (I call those XML-descriptions the application's profile.) I also wrote a small Java-Editor for creating such a profile manually. The XML is later transformed into a ModSecurity ruleset using

I evaluated this on a few applications in comparison with the core-rules provided by Breach Security and the gotroot-rulesets. My conclusion is that parameter-validation with regular expressions works well for simple parameters (integers, session-ids, etc.) but is clearly outperformed by pattern-matching approaches like the core-rules. This is obviously not surprising. However, having ModSecurity evaluate a big set of patterns against only these kinds of simple examples results in wasted performance (you will just not find any SQL-injection in an ID-parameter).

There are two things which I experienced from this: Adjusting your pattern-matching to the relevant parts of your application will surely improve your WAF performance, as simple parameters can be validated by ONE simple regex (white-listing).

The other thing to note is that the presentation of such a profile makes it easy for a developer to identify malicious requests that are results of invalid requests during the generation-phase of the profile. I presented a profile generated for a web-shopping application to the app-developer, who then quickly spotted two malicious parameter-types that were caused by an error in the application.

Thus, in my view there is a strong need for building an ACL-style (or positive security model) of an application, though this will not solve all issues (injection-attacks are hard to detect with a whitelisting approach).
Another tool for manually creating ModSecurity rulesets is REMO
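As an added example (not Chris's Java tool and not code from this thread): a Python sketch of the same workflow, learning a profile of paths, methods and per-parameter value classes from constructed access-log lines and emitting ModSecurity 2.x whitelist rules, with free-text parameters deliberately left to pattern-matching rules as the post suggests. The log lines, the value classes, the rule-id range and the rule layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Constructed access-log lines in Apache combined format (fields trimmed).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2008:14:00:01 -0500] "GET /shop/item.php?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2008:14:00:03 -0500] "POST /shop/cart.php?sid=a3f9c0de HTTP/1.1" 302 0
10.0.0.7 - - [10/Jan/2008:14:00:04 -0500] "GET /shop/search.php?q=red%20shoes HTTP/1.1" 200 900
"""
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Value classes, most specific first; a parameter widens to a later class when a value does not fit.
CLASSES = [("int", r"^[0-9]+$"), ("hex", r"^[0-9a-f]+$"), ("token", r"^[\w.-]+$")]
ORDER = {"int": 0, "hex": 1, "token": 2, "text": 3}

def classify(value):
    for name, rx in CLASSES:
        if re.match(rx, value):
            return name
    return "text"  # free text: no whitelist regex, leave it to pattern-matching rules

def extract_profile(log_text):
    """Path -> allowed methods and value class per query parameter (access logs lack POST bodies)."""
    profile = {}
    for m in REQ_RE.finditer(log_text):
        url = urlsplit(m.group("target"))
        entry = profile.setdefault(url.path, {"methods": set(), "params": {}})
        entry["methods"].add(m.group("method"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            cls = classify(value)
            prev = entry["params"].get(name, cls)
            entry["params"][name] = cls if ORDER[cls] > ORDER[prev] else prev
    return profile

def to_modsecurity(profile, first_id=100000):
    """ModSecurity 2.x rules: default-deny unknown paths, then chained per-path checks."""
    paths = "|".join(re.escape(p) for p in sorted(profile))
    rules = [f'SecRule REQUEST_FILENAME "!@rx ^({paths})$" "id:{first_id},phase:1,deny,status:403"']
    rid = first_id
    for path, entry in sorted(profile.items()):
        checks = ['SecRule REQUEST_METHOD "!@rx ^(%s)$"' % "|".join(sorted(entry["methods"]))]
        if entry["params"]:  # reject any parameter name never seen during profiling
            names = "|".join(re.escape(n) for n in sorted(entry["params"]))
            checks.append(f'SecRule ARGS_NAMES "!@rx ^({names})$"')
        for name, cls in sorted(entry["params"].items()):
            if cls != "text":  # simple parameters get ONE whitelist regex
                checks.append(f'SecRule ARGS:{name} "!@rx {dict(CLASSES)[cls]}"')
        for check in checks:
            rid += 1
            rules.append(f'SecRule REQUEST_FILENAME "@streq {path}" '
                         f'"id:{rid},phase:2,deny,status:403,chain"\n    {check}')
    return rules
```

Run `print("\n".join(to_modsecurity(extract_profile(SAMPLE_LOG))))` to see the generated ruleset; a parameter learned from only a handful of requests will be classified too narrowly, so the profile needs a full functionality-test run before it is deployed.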