Web Policies

(Formerly called Web Application Profiles)

Writing application-specific rule sets is a tedious task. The ModSecurity module provides a powerful rule language for protecting applications against a wide range of attacks, provided the rules are properly written and organized.

Unfortunately, the low-level rule language is somewhat of a double-edged sword: it lets experienced users write good and complex rules, but it often leaves inexperienced users frustrated, since they cannot achieve their goals without a deep understanding of the rule language.

Moreover, rule sets that follow a positive security model grow with the application they protect: a complex application implies a comprehensive and complex rule set, because every allowed request, parameter and value has to be spelled out.

With the Web Policy Language proposed in this project we pursue several goals that simplify the creation of whitelist-based rule sets:

  • Create an abstract language for defining rules in a user-understandable and intuitive way.
  • Make it possible to generate ModSecurity rules automatically from the XML-based Web Policies.
  • Provide a simple graphical editor for visualizing and modifying the policies.
  • Allow the integration of other components, e.g. the REMO editor, through import and export interfaces built on the simple XML the language is based on.
  • Provide other tools for handling the XML-based policies, such as the WebApplicationProfiler, which tries to learn the policies automatically from access-log or audit-log data.

Concept

The idea of an abstract language for writing web-application policies is not new. However, there has been little support for it so far, such as open-source tools that create policies in an interchangeable format. The policies this project deals with are created using a simple standalone Java application, so they can be written on a wide range of systems, even if your ModSecurity filter is deployed on a different architecture.

The process of creating policies and generating rule sets is depicted in the following figure:

This process is of course adaptable, and the proposed web policy language even allows for the integration of several external approaches (even blacklisting is possible). The compilation of a policy into ModSecurity rules is an XSLT transformation, so you can write your own high-performance or customized rule generator by supplying a different stylesheet.
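To make the policy-to-rules step concrete, here is a small compiler written for this page as an added example; it is not the project's code, it uses Python instead of the project's XSLT, and the XML schema it reads (`policy`, `resource`, `method`, `param` with `name`, `pattern` and `required`) is an assumed toy format, not the project's Web Policy Language. It emits the three kinds of positive-security rules such a generator has to produce for each resource: allowed methods, allowed parameter names, and an anchored pattern for every parameter value, with everything else denied. It also shows two checks a practitioner wants in such a generator: it refuses policy values that would break the rule quoting or not compile as a regex, and it allocates unique rule ids from a base id.

```python
"""Added example: a toy compiler from a whitelist-style web policy (XML) to
ModSecurity 2.x rules.

The XML schema used below is ASSUMED for this illustration; it is not the
project's Web Policy Language, and the transformation is written in Python
rather than as the project's XSLT stylesheet.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample policy (hypothetical schema, not the project's XML).
SAMPLE_POLICY = """\
<policy base-id="10000">
  <resource path="/login.php">
    <method>GET</method>
    <method>POST</method>
    <param name="user" pattern="[A-Za-z0-9_]{1,32}" required="true"/>
    <param name="pass" pattern=".{8,128}" required="true"/>
  </resource>
  <resource path="/search">
    <method>GET</method>
    <param name="q" pattern="[\\w -]{0,200}"/>
  </resource>
</policy>
"""

# Paths, methods and parameter names are interpolated into rule text, so
# restrict them to characters that cannot break the quoting or the regex.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./-]+$")
DENY = "phase:2,deny,status:403,log"


def _check_token(value, what):
    if value is None or not SAFE_TOKEN.match(value):
        raise ValueError(f"unsafe or missing {what}: {value!r}")
    return value


def _check_pattern(pattern):
    """Fail closed: a pattern that does not compile, or that carries quote
    characters, would yield a broken rule.  Python's re only approximates
    ModSecurity's PCRE, so keep patterns to the common subset."""
    if pattern is None or '"' in pattern or "'" in pattern:
        raise ValueError(f"missing pattern or quotes in pattern: {pattern!r}")
    re.compile(pattern)  # raises re.error on malformed syntax
    return pattern


def compile_policy(xml_text):
    """Return the generated ModSecurity configuration as a list of lines."""
    root = ET.fromstring(xml_text)
    next_id = int(root.get("base-id", "10000"))  # rule ids must be unique
    lines = []

    def rule(variable, operator, actions):
        nonlocal next_id
        lines.append(f'  SecRule {variable} "{operator}" "id:{next_id},{actions}"')
        next_id += 1

    for res in root.findall("resource"):
        path = _check_token(res.get("path"), "path")
        if not path.startswith("/"):
            raise ValueError(f"resource path must be absolute: {path!r}")
        methods = [_check_token(m.text and m.text.strip(), "method")
                   for m in res.findall("method")]
        if not methods:
            raise ValueError(f"no method allowed for {path}")
        params = res.findall("param")
        names = [_check_token(p.get("name"), "parameter name") for p in params]

        lines.append(f'<Location "{path}">')
        # \A and \z anchor the whole value; ^ and $ would still accept a trailing newline.
        rule("REQUEST_METHOD", "!@rx \\A(?:%s)\\z" % "|".join(methods),
             f"phase:1,deny,status:405,log,msg:'Method not allowed by policy for {path}'")
        # Any parameter name not listed in the policy is rejected: no default-allow.
        rule("ARGS_NAMES", "!@rx \\A(?:%s)\\z" % "|".join(re.escape(n) for n in names),
             f"{DENY},msg:'Parameter not in policy for {path}'")
        for p, name in zip(params, names):
            pattern = _check_pattern(p.get("pattern"))
            if p.get("required", "false").lower() == "true":
                # Exactly one occurrence: catches a missing value and parameter pollution alike.
                rule(f"&ARGS:{name}", "!@eq 1", f"{DENY},msg:'Parameter {name} missing or repeated'")
            else:
                rule(f"&ARGS:{name}", "@gt 1", f"{DENY},msg:'Parameter {name} repeated'")
            # The whole value must match the policy pattern; ARGS covers query and body.
            rule(f"ARGS:{name}", "!@rx \\A(?:%s)\\z" % pattern,
                 f"{DENY},msg:'Parameter {name} violates policy'")
        lines.append("</Location>")
    return lines


def rule_ids(lines):
    """Extract the rule ids so a caller can verify they are unique across the output."""
    return [int(m.group(1)) for m in (re.search(r'"id:(\d+),', l) for l in lines) if m]


if __name__ == "__main__":
    print("\n".join(compile_policy(SAMPLE_POLICY)))
```

Run as a script it prints an Apache `<Location>` block per resource. The generated rules are deny-by-default: an unknown method is answered with 405, an unknown parameter, a repeated required parameter, or a value outside its pattern with 403. The `&ARGS:name` count rules are what turn a "required" flag in the policy into protection against missing and duplicated parameters, and the `\A...\z` anchoring avoids the trailing-newline bypass that `^...$` permits in PCRE.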

Project Status

The project currently offers a first easy-to-use editor for creating and modifying web application policy definitions. The editor comes with a simple compiler that generates ModSecurity rules from the created policies. Policies can be saved and loaded again later, and many of the features that are part of the language are already accessible and usable within the editor.

You can access the first version of the editor at:

The XML-based language is still quite basic, but it already allows for the specification of policies that cover many properties of today's applications. The proposed XML language is described in more detail here: