OASIS Mailing List Archives
was message
Subject: WAS Protect update



>> I'll send stuff I produce to the mailing list. My plan is to:
>>
>> 1. Produce another version of the "spec"
>> 2. Use it for the reference implementation
>> 3. Update the spec if necessary
>> 4. Document everything
>>
>> As far as mod_security/Apache is concerned, Protect will probably
>> be implemented as a wrapper around the existing functionality.

  I've started to work on WAS Protect. I have attached my best
  attempt at the protection language. Before I go and make this
  into a formal specification I would like to hear your
  opinions.

  Now is the time to make changes!  :)

  To summarize the changes: my previous effort was ambitious,
  maybe too ambitious. For most of my language constructs I was
  unable to find use cases so I decided to simplify. I did that
  and I like the result. The examples are at the bottom of
  the file, I think they demonstrate how easy it can be
  to protect an application. At the same time, I think the
  format allows for extensions, should we decide to make them
  in the future.

  There is no meta-data here. Each protection recipe relates
  to a WAS vulnerability. The role of a recipe is to inspect
  the variables at one of four (practically three) processing
  stages, and invoke an error/warning/notice where appropriate.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

RULE SYNTAX
-----------

<recipe
    id="..."
    applyOn="<processing stage>"
    preprocess="<list of normalization functions>"
    resource="<resource>"
>
    <rule
        type="<rule type>"
        what="<variable list>"
        pattern="..."
        action="..."
    />

    <ruleSet
        applyOn="..."
        action="<action>"
        condition="<condition>"
        preprocess="..."
    >

        <rule ... />

        <rule ... />

    </ruleSet>

</recipe>

resource = path to the file on disk, relative to the
           home folder of the application, eg
           "/admin/change_password.php"; possibly
           apply to all resources in a folder with
           "/admin/*"?

action = error, warning, notice, break, allow

rule type = regex, nregex, strstr, eq, neq, gt, lt,
       gte, lte, <, >, <=, >=,
       ipeq, nipeq, exists, nexists

condition = and, or

normalization functions = none, default, or a list
       of names (as below)


NORMALIZATION FUNCTIONS
-----------------------

decode_url_encoded
decode_url_encoded_twice
decode_escaped
decode_unicode
decode_iis_unicode
compress_whitespace
compress_slash
convert_backslash
remove_self_references


PROCESSING STAGES
-----------------

1. After request headers are read
2. After request body is read (default)
3. After response is ready
4. After response is sent


OBJECTS
-------

request
    server_software
    server_name
    server_port
    remote_addr
    remote_host
    request_line
    path_info
    path_translated
    script_name
    auth_type
    remote_user
    remote_ident
    sessionid
    body
    method
    uri
    version
    query_string
    content_length
    content_type
    headers[]
        name
        value
    params[]
        name
        value
    cookies[]
        name
        value
    files[]
        name
        size
        tmp_name

response
    status_line
    status
    headers[]
        name
        value
    body
    content_length
    content_type

EXAMPLES
--------

<recipe id="was#12345">

    <!-- Allow admin login from the local network only -->
    <ruleSet condition="and">

        <rule
            what="request.params.username"
            type="eq"
            pattern="admin"
        />

        <rule
            what="request.remote_addr"
            type="ipeq"
            pattern="192.168.0.9/24"
        />

    </ruleSet>

</recipe>

<recipe id="was#12345">

    <!-- Warn for potential XSS attacks -->
    <!-- check all fields in the request except
         those whose names begin with "html_" -->
    <rule
        what="request.params.*, !request.params.html_*"
        type="regex"
        pattern="<[[:space:]]*>"
        action="warning"
    />

</recipe>


<recipe id="was#12345">

    <!-- Allow no more than ten parameters -->
    <!-- "#size" accesses the size property of the collection -->
    <rule
        what="request.params#size"
        type="gt"
        pattern="10"
    />

</recipe>

<recipe id="was#12345">

    <!-- Do not accept files longer than one MB -->
    <!-- checks the size field of every uploaded file
         in the request.files[] collection -->
    <rule
        what="request.files.*.size"
        type="gt"
        pattern="1048576"
    />

</recipe>
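Added example, not code from this message or from ModSecurity: a small Python evaluator for the draft recipe syntax above, showing how the "what" selectors (scalar field, "*" glob with "!" exclusion, "#size"), the rule types eq/gt/regex/ipeq and an "and" ruleSet fit together. Assumptions of mine: the request is a plain dict shaped like the OBJECTS section, a rule without an explicit action raises "error", and the XSS pattern is written in Python regex syntax (with "<" escaped as "&lt;" to keep the XML well-formed).

```python
import re, fnmatch, ipaddress
import xml.etree.ElementTree as ET

def select(what, request):
    """Expand 'what': scalar field, collection glob with '!' exclusions, or '#size'."""
    names = [w.strip() for w in what.split(",")]
    excl = [n[1:].split(".")[-1] for n in names if n.startswith("!")]
    values = []
    for sel in (n for n in names if not n.startswith("!")):
        path, _, prop = sel.partition("#")
        parts = path.split(".")[1:]              # drop the leading "request"
        node = request[parts[0]]
        if prop == "size":                       # request.params#size -> element count
            values.append(len(node))
        elif isinstance(node, dict):             # params / headers / cookies by name glob
            values += [v for k, v in node.items() if fnmatch.fnmatch(k, parts[1])
                       and not any(fnmatch.fnmatch(k, e) for e in excl)]
        else:                                    # scalar such as request.remote_addr
            values.append(node)
    return values

def match(rtype, value, pattern):
    if rtype == "eq":    return str(value) == pattern
    if rtype == "gt":    return float(value) > float(pattern)
    if rtype == "regex": return re.search(pattern, str(value)) is not None
    if rtype == "ipeq":  return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, False)
    raise ValueError("unsupported rule type: " + rtype)

def evaluate(recipe_xml, request):
    """Return the action of the first rule or ruleSet that fires, else None.
    Assumption: a rule without an explicit action raises "error"."""
    def fires(rule):
        return any(match(rule.get("type"), v, rule.get("pattern"))
                   for v in select(rule.get("what"), request))
    for node in ET.fromstring(recipe_xml):
        if node.tag == "rule" and fires(node):
            return node.get("action", "error")
        if node.tag == "ruleSet":                # "and": all rules must fire; "or": any
            agg = all if node.get("condition", "and") == "and" else any
            if agg(fires(r) for r in node.findall("rule")):
                return node.get("action", "error")
    return None
# Constructed sample request (shaped like the OBJECTS section) and two recipes.
REQUEST = {"remote_addr": "10.0.0.7", "params": {"username": "admin",
           "comment": "<script>alert(1)</script>", "html_body": "<b>ok</b>"}}
XSS_RECIPE = ('<recipe id="was#xss"><rule what="request.params.*, !request.params.html_*"'
              ' type="regex" pattern="&lt;[^>]*>" action="warning"/></recipe>')
ADMIN_RECIPE = ('<recipe id="was#admin"><ruleSet condition="and">'
                '<rule what="request.params.username" type="eq" pattern="admin"/>'
                '<rule what="request.remote_addr" type="ipeq" pattern="192.168.0.9/24"/></ruleSet></recipe>')
```

`evaluate(XSS_RECIPE, REQUEST)` returns "warning" because the `comment` field matches while `html_body` is excluded; `evaluate(ADMIN_RECIPE, REQUEST)` returns None since only one of the two "and" rules fires for 10.0.0.7.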
