WebApp Sec mailing list archives
Re: Apache mode_security
From: Ivan Ristic <ivan.ristic () gmail com>
Date: Thu, 24 Nov 2005 12:14:00 +0000
On 11/20/05, Stefano Di Paola <stefano.dipaola () wisec it> wrote:
> Hi all, I wrote down some little thoughts about the generation of rules for mod_security, specifically about the generation and integration of whitelist rules within old-fashioned general-purpose anti-injection blacklist rules. Everyone can have a look and comment here: http://www.wisec.it/sectou.php?lang=en Title: Application Firewalls and Black/Whitelisting approach. Hope you'll find it useful. Any comments are welcome.
Neither approach is good enough in real life when used on its own. (Although there may be specific cases where they can work rather well.) As you say, negative rules can often be bypassed. It is also difficult to enumerate all the possible attacks. In theory, a positive security model is much safer, but there is the problem of how to create a good-enough model. This is especially a problem if the application you are trying to protect is constantly changing. I believe the solution is somewhere in the middle.

As for the spider-based approach, as Ofer mentioned, it allows you only to assess the parameters that are server generated. The other problem with this approach is that it is also very difficult to create a foolproof spider (e.g. you would need to execute the embedded JavaScript code).

I prefer a traffic-based approach (for positive security model generation) and a run with real users and real data. This is usually not a problem since, due to frequent changes in applications, you must work to continuously update the security model anyway.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
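The traffic-based positive-model generation described above, as an added example that is not part of the original thread and not mod_security's own code: it learns, per path and per parameter, the widest character class and the longest value seen in a constructed sample of real-user traffic, checks later requests against that model, and shows how the model is extended incrementally when the application changes. The traffic format (a list of path/parameter pairs rather than parsed server logs), the character-class ladder and the length slack factor are all assumptions made for the example.

```python
import re

# Constructed sample of "real user" traffic: (path, {param: value}).
# In practice this would be parsed from server logs or captured requests.
TRAINING_TRAFFIC = [
    ("/account/view", {"id": "1042"}),
    ("/account/view", {"id": "77"}),
    ("/search", {"q": "apache security", "page": "2"}),
    ("/search", {"q": "mod_security rules", "page": "1"}),
    ("/search", {"q": "whitelist", "page": "3"}),
    ("/account/view", {"id": "9"}),
]

# Character classes ordered from most to least restrictive (assumed ladder).
# A value is assigned the first class it fully matches.
CHARACTER_CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9]+$")),
    ("alnum_space", re.compile(r"^[A-Za-z0-9 _-]+$")),
    ("printable", re.compile(r"^[\x20-\x7e]+$")),
]
CLASS_RANK = {name: i for i, (name, _) in enumerate(CHARACTER_CLASSES)}
CLASS_RANK["other"] = len(CHARACTER_CLASSES)

# Assumed slack: a value may be up to twice the longest length seen in training.
LENGTH_SLACK = 2


def classify(value):
    """Return the name of the narrowest character class that matches value."""
    for name, pattern in CHARACTER_CLASSES:
        if pattern.match(value):
            return name
    return "other"


def learn_model(traffic, model=None):
    """Build (or extend) a positive model from observed traffic.

    For each path and parameter the model keeps the widest character class
    rank and the longest value seen. Paths and parameters never observed are
    simply absent, which is what makes the model 'positive': anything not
    learned is a violation. Passing an existing model extends it in place,
    which is how the model is kept current as the application changes.
    """
    if model is None:
        model = {}
    for path, params in traffic:
        per_path = model.setdefault(path, {})
        for name, value in params.items():
            entry = per_path.setdefault(name, {"class_rank": 0, "max_len": 0, "count": 0})
            entry["class_rank"] = max(entry["class_rank"], CLASS_RANK[classify(value)])
            entry["max_len"] = max(entry["max_len"], len(value))
            entry["count"] += 1
    return model


def check_positive(model, path, params):
    """Return a list of violations; an empty list means the request fits the model."""
    per_path = model.get(path)
    if per_path is None:
        return [f"unknown path {path}"]
    violations = []
    for name, value in params.items():
        entry = per_path.get(name)
        if entry is None:
            violations.append(f"unknown parameter {name}")
            continue
        seen_class = classify(value)
        if CLASS_RANK[seen_class] > entry["class_rank"]:
            violations.append(f"{name}: character class {seen_class} never observed")
        if len(value) > entry["max_len"] * LENGTH_SLACK:
            violations.append(f"{name}: length {len(value)} exceeds learned bound")
    return violations


if __name__ == "__main__":
    model = learn_model(TRAINING_TRAFFIC)
    for path, params in [
        ("/account/view", {"id": "55"}),          # fits: digits, short
        ("/account/view", {"id": "55abc"}),       # letters never seen in id
        ("/search", {"q": "mod security <b>", "page": "1"}),  # '<' never seen in q
        ("/admin", {}),                           # path never observed
    ]:
        print(path, params, "->", check_positive(model, path, params) or "ok")
    # Application changed: ids now carry a letter prefix, so re-learn from new traffic.
    learn_model([("/account/view", {"id": "A1"})], model)
    print("after update:", check_positive(model, "/account/view", {"id": "55abc"}) or "ok")
```

Requests that fit the learned model pass; a never-seen path, parameter, character class or oversized value is reported. The `learn_model` call with an existing model is the continuous-update step the message refers to: rather than rebuilding from scratch, the model absorbs new legitimate traffic, which is also why the learning run must use trusted, real-user data.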
Current thread:
- Apache mode_security Serg Belokamen (Nov 16)
- Re: Apache mode_security Ivan Ristic (Nov 16)
- Re: Apache mode_security Stefano Di Paola (Nov 20)
- Re: Apache mode_security Ivan Ristic (Nov 25)
- Re: Apache mode_security Stefano Di Paola (Nov 26)
- Re: Apache mode_security Ivan Ristic (Nov 28)
- Re: Apache mode_security Stefano Di Paola (Dec 04)
- Re: Apache mode_security Stefano Di Paola (Nov 20)
- Re: Apache mode_security Ivan Ristic (Nov 16)
- <Possible follow-ups>
- RE: Apache mode_security Erez Schwarz (Nov 16)
- RE: Apache mode_security Serg B. (Nov 16)
- Re: Apache mode_security K K Mookhey (Nov 29)
- RE: Apache mode_security Serg B. (Nov 16)
- RE: Apache mode_security Ofer Shezaf (Nov 30)