Web Application Profiles - Mixed Models
Work in Progress
There are several approaches to raising the security of web applications. In contrast
to the positive security model that is inherent to the profile approach proposed here, the
core rules or PHP-IDS try to detect attacks
by matching requests against a pattern database of known attacks.
While the strict positive approach is very efficient for simple parameters
such as product IDs, date fields and the like, it fails when it comes to validating free-text fields, for instance.
A strict positive model alone is thus not sufficient to detect all attacks. The profiles therefore
allow the selective inclusion of pattern-based checks.
The editor, for instance, can import the filter rules provided by the PHP-IDS project and allows
filters to be applied to a parameter. The PHP-IDS rules carry tags, and these tags can be used to
select the attack type to check for. A simple example:
<IncludeFilter tags="sqli" />
In this example, all filter rules tagged "sqli" are incorporated
into the compiled rule set, so SQL injection attempts against that parameter are checked
using the PHP-IDS filters. Only the tagged attack types are covered by such a check, so the
choice of tags decides what a free-text field is actually inspected for.
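As an added example (not code from the ProfileEditor or from PHP-IDS), the following Python sketch shows the mixed model in working form: a whitelist regex for the simple parameters, and PHP-IDS style filters selected by tag for the free-text field. The filter file is a constructed sample in the shape of a PHP-IDS filter list with deliberately short stand-in regexes, and the PROFILE dictionary is this example's own representation, not the ProfileEditor's profile format; the element names and helper functions are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PHP-IDS filter file: every <filter>
# carries a regex <rule> plus <tags> that name the attack class. The regexes
# are deliberately short stand-ins, not the project's real rules.
FILTER_XML = r"""<filters>
  <filter>
    <id>1</id>
    <rule><![CDATA[(?i)'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+]]></rule>
    <description>Quote followed by a boolean tautology</description>
    <tags><tag>sqli</tag></tags>
    <impact>5</impact>
  </filter>
  <filter>
    <id>2</id>
    <rule><![CDATA[(?i)\bunion\s+(?:all\s+)?select\b]]></rule>
    <description>UNION-based SQL injection</description>
    <tags><tag>sqli</tag></tags>
    <impact>6</impact>
  </filter>
  <filter>
    <id>3</id>
    <rule><![CDATA[(?i)<script\b|javascript:|\bon\w+\s*=]]></rule>
    <description>Script tag, javascript: URL or inline event handler</description>
    <tags><tag>xss</tag></tags>
    <impact>4</impact>
  </filter>
  <filter>
    <id>4</id>
    <rule><![CDATA[(?:\.\./){2,}]]></rule>
    <description>Repeated directory traversal sequences</description>
    <tags><tag>lfi</tag></tags>
    <impact>4</impact>
  </filter>
</filters>
"""

# This example's own profile representation (a plain dict), not the
# ProfileEditor's profile format. Simple parameters get a whitelist regex;
# the free-text field gets tag-selected filters instead, as IncludeFilter does.
PROFILE = {
    "product_id": {"allow": r"\d{1,10}"},
    "date": {"allow": r"\d{4}-\d{2}-\d{2}"},
    "comment": {"include_filter_tags": {"sqli", "xss"}},
}


def load_filters(xml_text):
    """Parse the filter file into dicts with a compiled regex and a tag set."""
    filters = []
    for node in ET.fromstring(xml_text).findall("filter"):
        filters.append({
            "id": int(node.findtext("id")),
            "regex": re.compile(node.findtext("rule")),
            "description": node.findtext("description"),
            "tags": {t.text for t in node.find("tags").findall("tag")},
            "impact": int(node.findtext("impact")),
        })
    return filters


def select_filters(filters, tags):
    """Equivalent of <IncludeFilter tags="..."/>: keep filters sharing a tag."""
    return [f for f in filters if f["tags"] & set(tags)]


def check_parameter(name, value, profile, filters):
    """Apply the mixed model to one parameter and return a verdict dict."""
    spec = profile.get(name)
    if spec is None:
        # Positive model: anything the profile does not know is rejected.
        return {"verdict": "deny", "reason": "parameter not in profile", "hits": []}
    if "allow" in spec:
        # Strict positive check: the whole value must match the whitelist.
        if re.fullmatch(spec["allow"], value):
            return {"verdict": "allow", "reason": "matched whitelist", "hits": []}
        return {"verdict": "deny", "reason": "whitelist mismatch", "hits": []}
    # Free text: run only the filters selected by tag; anything else
    # (here: the lfi filter) is intentionally not checked on this field.
    hits = [f["id"] for f in select_filters(filters, spec["include_filter_tags"])
            if f["regex"].search(value)]
    verdict = "deny" if hits else "allow"
    return {"verdict": verdict, "reason": "filter check", "hits": hits}


def check_request(params, profile=PROFILE, filters=None):
    """Check every request parameter; returns {name: verdict dict}."""
    if filters is None:
        filters = load_filters(FILTER_XML)
    return {n: check_parameter(n, v, profile, filters) for n, v in params.items()}


if __name__ == "__main__":
    sample = {  # constructed request
        "product_id": "42",
        "date": "2009-03-01",
        "comment": "x' or '1'='1",
        "price": "10",
    }
    for name, result in check_request(sample).items():
        print(name, result)
```

Note how the two halves behave differently: `product_id=42 or 1=1` is rejected by the whitelist without any signature at all, while the same payload in `comment` is caught only because a filter tagged "sqli" was included; a traversal string in `comment` passes, because no "lfi" filter was selected for that field.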
The use of the IncludeFilter element within profiles is not yet supported by the
current ProfileEditor. This feature will be added in the next
release of the ProfileEditor.
Written by Christian Bockermann <firstname.lastname@example.org>
Any feedback is welcome.