
| Subject: | Re: Apache mode_security |
|---|---|
| Date: | Sat, 26 Nov 2005 14:06:16 +0100 |
Hi Ivan,

On Thu, 24-11-2005 at 12:14 +0000, Ivan Ristic wrote:

> Neither approach is good enough in real-life, when used on its own. (Although there may be specific cases where they can work rather well.)

Yes, no absolute rules can be implemented in real life... and I hope no one thinks this! And of course the black-list approach, which is the usual approach in mod_sec, should not be considered either...

> As you say, negative rules can often be bypassed. It is also difficult to enumerate all the possible attacks. In theory, positive security model is much safer, but there is a problem of how to create a good-enough model.

Totally agreed! An approximation of the solution should be good enough and weighed in every real case!

> This is especially a problem if the application you are trying to protect is constantly changing.

I fully agree. An asynchronous approach is not really feasible in highly dynamic contexts.

> I believe the solution is somewhere in the middle.

Maybe I was a little (too much :) generic in my thoughts... but integration is in the middle, I suppose... I was in fact talking about integration of black and white lists.

> As for the spider-based approach, as Ofer mentioned, it allows you only to assess the parameters that are server generated. The other problem with this approach is that it is also very difficult to create a foolproof spider (e.g. you would need to execute the embedded JavaScript code).

Yes, it only allows you to keep search-engine-based worms away :)... And yes, I did not mention that JavaScript is bad for this approach... My idea was published to stimulate debate and I did not mean to give an (absolute) solution (I know you know it, but you're right... I should have written it).

> I prefer a traffic based approach (for positive security model generation) and a run with real users and real data. This is usually not a problem since, due to frequent changes in applications, you must work to continuously update the security model anyway.

Eh... this is the real problem for hand-made things... but a semi-automatic approach would help, no? What about a learning phase? I mean a semi-automatic generation of rules, based on real client input from the web... yes, it is untrustworthy... but there should be some way out there :)

By the way, I wrote a mod_html_proxy-based HMAC signing for links on the fly, named Mod Anti Tamper: Link: www.wisec.it/projects.php?id=3&lang=en ... an exercise in style... and in alpha stage... Well, I know JavaScript is the killer for this kind of thing but, who knows, someone will find a solution for the JS problems as well... I hope. But this is another topic :) IMHO, of course!

Regards,
Stefano

> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org

--
......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
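The "learning phase" for a positive security model that the thread discusses, as an added example that is not part of this thread and not code from mod_security or Mod Anti Tamper: a small Python profiler that watches benign traffic, records per resource which parameters appear, the narrowest character class that fits every observed value, and the longest value seen, then checks new requests against that profile. The training requests, the character classes and all function names are constructed here for illustration; the example also shows the failure mode Ivan and Stefano worry about, a legitimate but never-seen value being flagged because the learned model is only an approximation.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed "learning phase" traffic: (method, URL) pairs assumed to be
# benign requests from real users, as the traffic-based approach requires.
TRAINING = [
    ("GET", "/search?q=modsecurity&page=1"),
    ("GET", "/search?q=apache+rules&page=2"),
    ("GET", "/search?q=hmac&page=10"),
    ("POST", "/login?user=alice&lang=en"),
    ("POST", "/login?user=bob&lang=it"),
    ("GET", "/item?id=42"),
    ("GET", "/item?id=1337"),
]

# Character classes from narrowest to widest; the learner picks the first
# one that accepts every value it saw for a parameter (constructed set).
CLASSES = [
    ("digits", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum_space", re.compile(r"^[A-Za-z0-9 ]+$")),
    ("safe_text", re.compile(r"^[A-Za-z0-9 ._-]+$")),
]


def learn(samples):
    """Build a positive model: for each (method, path), the accepted
    parameter names, the narrowest class covering the observed values,
    and the longest value seen during the learning phase."""
    observed = defaultdict(lambda: defaultdict(list))
    for method, url in samples:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            observed[(method, parts.path)][name].append(value)
    model = {}
    for key, params in observed.items():
        model[key] = {}
        for name, values in params.items():
            cls = next((c for c, rx in CLASSES
                        if all(rx.match(v) for v in values)), "any")
            model[key][name] = {"class": cls,
                                "max_len": max(len(v) for v in values)}
    return model


def check(model, method, url, slack=1.5):
    """Return a list of deviations from the learned model (empty means the
    request fits). `slack` loosens the learned length bound because the
    training traffic never covers every legitimate value."""
    parts = urlsplit(url)
    key = (method, parts.path)
    if key not in model:
        return [f"unknown resource {method} {parts.path}"]
    profile, problems = model[key], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in profile:
            problems.append(f"unexpected parameter {name!r}")
            continue
        rule = profile[name]
        if len(value) > rule["max_len"] * slack:
            problems.append(f"{name!r} too long ({len(value)} > {rule['max_len']}*{slack})")
        rx = dict(CLASSES).get(rule["class"])
        if rx and not rx.match(value):
            problems.append(f"{name!r} outside learned class {rule['class']}")
    return problems


MODEL = learn(TRAINING)

if __name__ == "__main__":
    for method, url in [
        ("GET", "/search?q=hello&page=3"),      # fits the learned profile
        ("GET", "/search?q=x&page=1&debug=1"),  # parameter never seen in training
        ("GET", "/item?id=42abc"),              # value outside the learned class
        ("GET", "/item?id=1234567"),            # legitimate-looking, but longer than
                                                # anything learned: a false positive
    ]:
        print(method, url, "->", check(MODEL, method, url) or "ok")
```

The last request in the demo is the point of the thread: a seven-digit item id is probably fine, but the model only ever saw four digits, so it is flagged. Either the learning set must be refreshed whenever the application changes, or the slack must be widened at the cost of letting more through, which is why the positive model on its own is an approximation and has to be combined with other rules.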