WebApp Sec mailing list archives
Re: Apache mode_security
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Sat, 26 Nov 2005 14:06:16 +0100
Hi Ivan,

On Thu, 24-11-2005 at 12:14 +0000, Ivan Ristic wrote:

> Neither approach is good enough in real-life, when used on its own. (Although there may be specific cases where they can work rather well.)

Yes, no absolute rules can be implemented in real life... and I hope nobody thinks this! And of course the blacklist approach, which is the usual approach in mod_sec, should not be considered either...

> As you say, negative rules can often be bypassed. It is also difficult to enumerate all the possible attacks. In theory, positive security model is much safer, but there is a problem of how to create a good-enough model.

Totally agreed! An approximation of the solution should be good enough and weighed in every real case!

> This is especially a problem if the application you are trying to protect is constantly changing.

I fully agree. An asynchronous approach is not really feasible in highly dynamic contexts.

> I believe the solution is somewhere in the middle.

Maybe I was a little (too much :) generic in my thoughts... but integration is in the middle, I suppose... I was in fact talking about integration of black and white lists.

> As for the spider-based approach, as Ofer mentioned, it allows you only to assess the parameters that are server generated. The other problem with this approach is that it is also very difficult to create a foolproof spider (e.g. you would need to execute the embedded JavaScript code).

Yes, it only allows you to keep search-engine-based worms away :)... And yes, I did not mention that JavaScript is bad for this approach... My idea was published to stimulate debate and I did not mean to give an (absolute) solution (I know you know it, but you're right... I should have written it).

> I prefer a traffic based approach (for positive security model generation) and a run with real users and real data. This is usually not a problem since, due to frequent changes in applications, you must work to continuously update the security model anyway.

Eh... this is the real problem for hand-made things... but a semi-automatic approach would help, no? What about a learning phase? I mean a semi-automatic generation of rules, based on real client inputs from the web... yes, it is untrustworthy... but there should be some way out there :)

By the way, I wrote a mod_html_proxy-based HMAC signing for links on the fly, named Mod Anti Tamper:
Link: www.wisec.it/projects.php?id=3&lang=en
... an exercise in style... and in alpha stage... Well, I know JavaScript is the killer for this kind of thing but, who knows, someone will find a solution for the JS problems as well... I hope. But this is another topic :)

IMHO, of course!

Regards,
Stefano

> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
--
......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
Current thread:
- Apache mode_security Serg Belokamen (Nov 16)
- Re: Apache mode_security Ivan Ristic (Nov 16)
- Re: Apache mode_security Stefano Di Paola (Nov 20)
- Re: Apache mode_security Ivan Ristic (Nov 25)
- Re: Apache mode_security Stefano Di Paola (Nov 26)
- Re: Apache mode_security Ivan Ristic (Nov 28)
- Re: Apache mode_security Stefano Di Paola (Dec 04)
- Re: Apache mode_security Stefano Di Paola (Nov 20)
- Re: Apache mode_security Ivan Ristic (Nov 16)
- <Possible follow-ups>
- RE: Apache mode_security Erez Schwarz (Nov 16)
- RE: Apache mode_security Serg B. (Nov 16)
- Re: Apache mode_security K K Mookhey (Nov 29)
- RE: Apache mode_security Serg B. (Nov 16)
- RE: Apache mode_security Ofer Shezaf (Nov 30)