[WEB SECURITY] Allow only certain urls to site

Christian Bockermann chris at jwall.org
Thu Jan 10 14:28:55 EST 2008


Hi Gleb, hi list!

Gleb Paharenko schrieb:
> Please could someone share their own experience or thoughts about allowing
> only a limited set of URLs on a site. I mean that access is denied to any
> URL which is not in the list, and the number of regexps is minimal.
> The list of allowed URLs can be found by logging user requests during
> functionality testing.
> Even more, we can try to determine the only allowed set of GET and POST
> parameters for each URL and prohibit other variants.
>
> The question is - does it really make sense for someone?
> How much work overhead falls on system administrators and developers?
> In which cases is it better to use a separate server for filtering (with
> mod_security perhaps), or implement some ACLs on the working instance?
> Has somebody researched the performance penalties of such filtering with a
> huge set of ACLs on different servers?
>   
I wrote a tool for extracting such a ruleset automatically, that is a
static description of URLs, valid methods and parameters. Parameters are
checked against regular expressions. The whole thing is Java-based and
relies on a simple XML-style description of the application. Such rulesets
can either be extracted from simple access-log files (which lack parameters
in the request-body) or from the more detailed audit-log as provided by the
ModSecurity module. (I call those XML-descriptions the application's
profile.) I also wrote a small Java editor for creating such profiles
manually. The XML is later transformed into a ModSecurity ruleset using
XSLT.

I evaluated this on a few applications in comparison with the core-rules
provided by Breach Security and the gotroot rulesets. My conclusion is that
parameter-validation with regular expressions works well for simple
parameters (integers, session-ids, etc.) but is clearly outperformed by
pattern-matching approaches like the core-rules. This is obviously not
surprising. However, having ModSecurity evaluate a big set of patterns
against only these kinds of simple parameters results in wasted performance
(you will just not find any SQL-injection in an ID-parameter).

There are two things which I learned from this: Adjusting your
pattern-matching to the relevant parts of your application will surely
improve your WAF performance, as simple parameters can be validated by ONE
simple regex (white-listing).
The other thing to note is that the presentation of such a profile makes it
easy for a developer to identify malicious requests that are the result of
invalid requests during the generation-phase of the profile. I presented a
profile generated for a web-shopping application to the app-developer, who
then quickly spotted two malicious parameter-types that were caused by an
error in the application.

Thus, in my view there is a strong need for building an ACL-style (or
positive security model) description of an application, though this will
not solve all issues (injection-attacks are hard to detect with a
whitelisting approach).
Another tool for manually creating ModSecurity rulesets is REMO
(http://remo.netnea.com).

Regards,
    Chris
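An added example (not the Java tool described in the mail, nor REMO) that shows the profile idea in Python: it learns a positive model of URLs, methods and parameter classes from access-log lines, then checks requests against it. The log lines, paths and the three parameter classes are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines standing in for a logged functionality test.
ACCESS_LOG = """\
10.0.0.5 - - [10/Jan/2008:14:01:02 -0500] "GET /shop/item.php?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2008:14:01:09 -0500] "GET /shop/item.php?id=7 HTTP/1.1" 200 498
10.0.0.6 - - [10/Jan/2008:14:02:11 -0500] "GET /shop/cart.php?sid=3fa9c0de HTTP/1.1" 200 1024
10.0.0.6 - - [10/Jan/2008:14:02:40 -0500] "POST /shop/cart.php?sid=9b1e77aa HTTP/1.1" 302 0
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Simple parameter classes, most specific first; each is ONE whitelist regex.
CLASSES = [("integer", r"^[0-9]+$"), ("hex", r"^[0-9a-f]+$"), ("token", r"^[A-Za-z0-9_.-]+$")]

def learn_profile(log_text):
    """Return {(method, path): {param_name: class_name}} learned from the log."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        key = (m["method"], parts.path)
        seen[key]  # register the URL even if it carries no parameters
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            seen[key][name].add(value)
    profile = {}
    for key, params in seen.items():
        profile[key] = {}
        for name, values in params.items():
            # The first class matching every observed value becomes the rule.
            cls = next((c for c, pat in CLASSES if all(re.match(pat, v) for v in values)), "any")
            profile[key][name] = cls
    return profile

def check_request(profile, method, target):
    """Positive-model check: unknown URL, method, parameter or bad value -> deny."""
    parts = urlsplit(target)
    allowed = profile.get((method, parts.path))
    if allowed is None:
        return False, "method/url not in profile"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            return False, "unknown parameter " + name
        pat = dict(CLASSES).get(allowed[name])  # "any" carries no regex
        if pat and not re.match(pat, value):
            return False, "parameter %s is not %s" % (name, allowed[name])
    return True, "ok"
```

Each learned class is a single regex, which is the cheap whitelist check the mail describes for simple parameters; parameters that fit no class fall back to "any" and would still need the pattern-matching rules.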
