WebApp Sec mailing list archives

Re: Apache mode_security


From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Sat, 26 Nov 2005 14:06:16 +0100

Hi Ivan,

On Thu, 24-11-2005 at 12:14 +0000, Ivan Ristic wrote:
> Neither approach is good enough in real life, when used on its own.
> (Although there may be specific cases where they can work rather
> well.)

Yes, no absolute rules can be implemented in real life... and I hope nobody
thinks this! And of course the black list approach, which is the usual
approach in mod_sec, should not be considered as well...

> As you say, negative rules can often be bypassed. It is also
> difficult to enumerate all the possible attacks. In theory, a positive
> security model is much safer, but there is a problem of how to create
> a good-enough model.

Totally agreed! The approximation of the solution should be good enough and
weighed in every real case!

> This is especially a problem if the application
> you are trying to protect is constantly changing.

I fully agree. An asynchronous approach is not really feasible in highly
dynamic contexts.


> I believe the
> solution is somewhere in the middle.

Maybe I was a little (too much :) generic in my thoughts...
but integration is in the middle, I suppose...
I was in fact talking about the integration of black and white lists.

> As for the spider-based approach, as Ofer mentioned, it allows you
> only to assess the parameters that are server generated. The other
> problem with this approach is that it is also very difficult to create
> a foolproof spider (e.g. you would need to execute the embedded
> JavaScript code).

Yes, it only allows keeping search-engine-based worms away :)...
And yes, I did not mention that JavaScript is bad for this approach...
My idea was published by me to stimulate debate and I did not mean to
give an (absolute) solution (I know you know it, but you're right... I
should have written it).

> I prefer a traffic based approach (for positive
> security model generation) and a run with real users and real data.
> This is usually not a problem since, due to frequent changes in
> applications, you must work to continuously update the security model
> anyway.

Eh... this is the real problem for hand-made things... but a semi-automatic
approach would help, no?
What about a learning phase? I mean a semi-automatic generation of
rules, based on real clients' inputs from the web...
Yes, it is untrustworthy...
but there should be some way out there :)

By the way, I wrote a mod_html_proxy-based HMAC signing for links on
the fly named Mod Anti Tamper:
Link: www.wisec.it/projects.php?id=3&lang=en
...an exercise in style... and in alpha stage...
Well, I know JavaScript is the killer for this kind of thing but, who
knows, someone will find a solution for the JS problems as well...
I hope.
But this is another topic :)

IMHO, of course!

Regards,

Stefano 

> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org

-- 

......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
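The "learning phase" and the integration of white and black lists discussed in the exchange above, as an added illustration that is not part of the original thread or of any mod_security or wisec.it code: a small positive model is learned from constructed sample traffic (per path and parameter, the narrowest character class and the longest value seen), and enforcement combines that learned whitelist with a short negative rule set. The training requests, paths and parameter names are all made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed learning-phase traffic: (path, query string) pairs that real
# clients would have sent while the model was being built.
TRAINING = [
    ("/item.php", "id=42&sort=asc"),
    ("/item.php", "id=1337&sort=desc"),
    ("/search.php", "q=blue+shoes&page=2"),
    ("/search.php", "q=red+hat&page=10"),
]

# Negative rules stay active whatever was learned, so the two lists complement
# each other instead of one replacing the other.
NEGATIVE_RULES = [re.compile(r"(?i)<\s*script"), re.compile(r"(?i)union\s+select")]

# Character classes from most to least restrictive; a parameter gets the
# narrowest class that every value observed for it satisfies.
CLASSES = [("digits", re.compile(r"^[0-9]+$")), ("alpha", re.compile(r"^[A-Za-z]+$")),
           ("alnum_ws", re.compile(r"^[A-Za-z0-9 ]+$")), ("any", re.compile(r"^.*$"))]

class PositiveModel:
    def __init__(self):
        self.seen = defaultdict(list)  # (path, param) -> values observed in training

    def learn(self, path, query):
        for name, value in parse_qsl(query, keep_blank_values=True):
            self.seen[(path, name)].append(value)

    def profile(self, path, name):
        values = self.seen[(path, name)]
        cls = next(c for c, rx in CLASSES if all(rx.match(v) for v in values))
        return cls, max(len(v) for v in values)

    def check(self, path, query):
        """Return a list of violations; an empty list means the request fits the model."""
        violations = []
        for name, value in parse_qsl(query, keep_blank_values=True):
            if any(rx.search(value) for rx in NEGATIVE_RULES):
                violations.append(f"{name}: matches negative rule")
            if (path, name) not in self.seen:
                violations.append(f"{name}: not in learned model for {path}")
                continue
            cls, max_len = self.profile(path, name)
            if not dict(CLASSES)[cls].match(value):
                violations.append(f"{name}: outside learned class {cls}")
            if len(value) > 2 * max_len:  # some slack over the longest value seen
                violations.append(f"{name}: longer than learned bound {max_len}")
        return violations

def build_model():
    model = PositiveModel()
    for path, query in TRAINING:
        model.learn(path, query)
    return model
```

A model trained on so few samples is of course untrustworthy, as the post says; a real learning phase would need enough traffic that the class and length bounds settle, and a review step before rules go live.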