Security Thoughts
Sunday, November 20, 2005, 12:32
Application Firewalls and Black/Whitelisting approach
It's been a bunch of time that i'm thinking about what's the best approach for application firewalls:
"deny all, allow goodmembers" (whitelist approach)
"allow all, deny badmembers" (blacklist approach)
A very good application firewall is Mod_Security.
Blacklist approach has intrinsic drawbacks, infact there is often some potential way to bypass deny rules.
It would be better to integrate a whitelist approach with our deny rules.
How could we do this?
Let's suppose we have a webbot or a spider that analyzes our pages and extract URIs where variables are present
(i.e. href="/index.php?id=4").
In most cases these variables have numerical or alphanumerical values.
If our spider could infer value types from every variable associated with URIs, then we could generate
a whitelist of rules for our web firewall.
This whitelist togheter with blacklist rules anti Xss and anti SQL Injection should give us a more complete
web firewall.
Unfortunately i don't have time to develop my own webbot, so by googling on the web i found a very nice
software (GPL) developed by Comune di Prato (Tuscany, Italy) based on ht://Dig and used for accessibility check and
link check:
ht://Check.
ht://Check has a lot of features everyone could enjoy to read by himself, but there's
a very interesting one which could be used for our purposes and for Pentesting:
ht://Check stores all tags and attributes found in the analyze phase, in a single Database (MySQL).
I wont explain how to use ht://Check for Pentesting, but let's see how we can take advantage of ht://Check
to generate whitelisting rules for mod_Security.
Let's suppose we run htcheck on www.example.com.
- On configuration file htcheck.conf, set:
start_url: http://www.example.com/ (choose your own site! example.com doesn't exists ;)
- Launch htcheck:
$ htcheck -vsi
Wait for htcheck to finish....
htCheck will give us a resume....that's not interesting for our purpose...
What it is interesting is inside htcheck DB.
$ mysql -u user -p htcheck
mysql> show tables;
+-------------------+
| Tables_in_htcheck |
+-------------------+
| Accessibility |
| Cookies |
| HtmlAttribute |
| HtmlStatement |
| Link |
| Schedule |
| Server |
| Url |
| htCheck |
+-------------------+
...
'Url' table in particular.
By entering the following query:
select DISTINCT SUBSTRING_INDEX(url,'?',1),SUBSTRING(url,INSTR(url,'?')+1) from Url where url like'%?%'
MySQL will give us a two column output with URLs and query string respectively...
Well, now we have all informations to collect _all_ query stings inside our web site.
The next step is to develop a little sowftware to extract these informations and to translate them in
whitelist rules for mod_security.
Here is a little perl program developed for this task. Automatic Rules Generation for Mod_security - Rule-o-matic.
Launch it after htcheck, and you'll have your Ad Hoc Whitelist rules in output.
E.g:
Url Record:
----------------
|/docs.php|id=2|
----------------
will become:
<Location /docs.php>
SecFilterInheritance On
SecFilterSelective "ARG_id" "!^\d$"
</Location>
This rule means:
When someone asks for '/docs.php' page with a 'id' variable, his value can be only numeric.
This is for query string but we could think about implementig the same on hidden values in forms which are often fixed values or cookie values.
Ok. I know this is not exaustive but..."There's no taste like home-made pasta!"
Wednesday, February 23, 2005, 20:15
How to read a whole file in an c array in a "safe" way
Today i was googling looking for some "safe" piece of coding written to give
the possibility to read a file in a big array.
I found nothing...:( so here is my (realloc) solution.
If there are any errors feel free to comment it.
saferead.c
« 1 2 3 4 XML
Admin login | This weblog is from www.mylittlehomepage.net
Wisec is brought to you by...
Wisec is written and mantained by
Stefano Di Paola.
Wisec uses open standards, including XHTML, CSS2, and XML-RPC.
