WebApp Sec mailing list archives

Re: Apache mode_security


From: Ivan Ristic <ivan.ristic () gmail com>
Date: Thu, 24 Nov 2005 12:14:00 +0000

On 11/20/05, Stefano Di Paola <stefano.dipaola () wisec it> wrote:
> Hi all,
>
> I wrote down some little thoughts about the generation of rules for
> mod_security, specifically about the generation and integration of
> whitelist rules within old-fashioned general-purpose anti-injection
> blacklist rules.
> Everyone can have a look and comment here:
> http://www.wisec.it/sectou.php?lang=en
>
> Title: Application Firewalls and Black/Whitelisting approach.
>
> Hope you'll find it useful.
> Any comments are welcome.

Neither approach is good enough in real-life, when used on its own.
(Although there may be specific cases where they can work rather
well.) As you say, negative rules can often be bypassed. It is also
difficult to enumerate all the possible attacks. In theory, a positive
security model is much safer, but there is a problem of how to create
a good-enough model. This is especially a problem if the application
you are trying to protect is constantly changing. I believe the
solution is somewhere in the middle.

As for the spider-based approach, as Ofer mentioned, it allows you
only to assess the parameters that are server generated. The other
problem with this approach is that it is also very difficult to create
a foolproof spider (e.g. you would need to execute the embedded
JavaScript code). I prefer a traffic-based approach (for positive
security model generation) and a run with real users and real data.
This is usually not a problem since, due to frequent changes in
applications, you must work to continuously update the security model
anyway.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
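The middle ground Ivan describes, a positive model learned from a run with real users and real data, with blacklist rules kept only where that model stays loose, as an added Python sketch that is not code from this thread or from mod_security itself; the request samples, parameter classes and blacklist patterns are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed training traffic (path, parameters) from a learning run with
# real users; these are made-up values, not data from the thread.
OBSERVED = [
    ("/login", {"user": "alice", "pw": "s3cret!"}),
    ("/login", {"user": "bob_99", "pw": "hunter2"}),
    ("/item", {"id": "42"}),
    ("/item", {"id": "1337"}),
]

# Character classes from most to least restrictive; the learner keeps the
# first one that matches every value seen for a parameter. "any" is the
# fallback when observed traffic gives no tighter constraint.
CLASSES = [("digits", r"[0-9]+"), ("word", r"[A-Za-z0-9_]+"), ("any", r"[\s\S]*")]

# Generic negative-model (blacklist) patterns, applied only to parameters
# where the positive model had to fall back to "any".
BLACKLIST = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]

def learn(observed):
    """Positive model: (path, param) -> (class name, regex, max length)."""
    seen = defaultdict(list)
    for path, params in observed:
        for name, value in params.items():
            seen[(path, name)].append(value)
    model = {}
    for key, values in seen.items():
        for cls_name, pat in CLASSES:
            if all(re.fullmatch(pat, v) for v in values):
                break
        # double the longest observed length so slightly longer legitimate
        # input is not rejected by a model learned from a small sample
        model[key] = (cls_name, pat, 2 * max(len(v) for v in values))
    return model

def check(model, path, params):
    """Return None when the request fits the model, else the reason for rejection."""
    for name, value in params.items():
        if (path, name) not in model:
            return f"unknown parameter {name} for {path}"
        cls_name, pat, max_len = model[(path, name)]
        if len(value) > max_len:
            return f"{name} too long ({len(value)} > {max_len})"
        if not re.fullmatch(pat, value):
            return f"{name} does not match class {cls_name}"
        if cls_name == "any" and any(b.search(value) for b in BLACKLIST):
            return f"{name} matches a blacklist pattern"
    return None
```

Re-running learn() on fresh traffic after each application change is what keeps the model current, which is the continuous update Ivan says you must do anyway.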
