WebApplicationProfiler
This project is an attempt to extract a web application's profile from recorded audit data
and to build a ruleset from it in terms of a positive security model. By the profile of an application
we mean a high-level XML description of the application structure in terms of resources,
parameters and parameter types.
The WebApplicationProfiler implements a suite of tools to ease the creation of such
high-level XML profiles. It consists of a ProfilerEngine which actually does the profile
extraction from audit-logs or simple access-logs and a small visual editor, the ProfileEditor.
The WebApplicationProfiler is intended to run as a daemon process that continuously monitors
an application. For demonstration purposes there is a small standalone application available:
- WebApplicationProfiler.jar (821k)
- WebApplicationProfiler-signed.jar (871k)
Usage of the WebApplicationProfiler
The profiler internally starts an instance of the profiling engine and allows the user to inject audit-log data into this engine. To do so, just select Learn Profile from the application's Profiler menu. The application will then ask for an input file to read data from; simply select your local log data file. The profiler will automatically try to detect the appropriate file format. After the audit-log file has been specified, the user can specify a limit on the number of events that are to be processed. Specifying a value of -1 will process the whole file (which is the default).
Currently there is an implicit filter applied within the profiling process, so that
only successful requests (status < 400) are processed by the profiler. Since the profiler attempts
to extract a positive model of your application, there is no sense in including failed
requests.
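As an added illustration (not part of the WebApplicationProfiler itself), the following Python sketch performs the kind of extraction described above on a few constructed common-log-format lines: it applies the status < 400 filter and the event limit, learns resources, methods and parameter types, and serializes a profile as XML. The element and attribute names (profile, resource, method, parameter, type) and the type names are assumptions for this example, not the project's actual profile schema.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit
from xml.etree import ElementTree as ET

# Common log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample data; the 403 and 404 lines must be ignored by the learner.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2000:13:55:36 +0200] "GET /login.jsp?user=alice&id=42 HTTP/1.1" 200 512
10.0.0.2 - - [10/Oct/2000:13:55:40 +0200] "POST /login.jsp?user=bob&id=7 HTTP/1.1" 302 0
10.0.0.3 - - [10/Oct/2000:13:55:41 +0200] "GET /login.jsp?user=../../etc/passwd HTTP/1.1" 403 0
10.0.0.1 - - [10/Oct/2000:13:55:45 +0200] "GET /index.html HTTP/1.1" 200 1024
10.0.0.4 - - [10/Oct/2000:13:56:00 +0200] "GET /admin.jsp HTTP/1.1" 404 0
"""

def infer_type(values):
    """Narrowest hypothetical parameter type that matches every observed value."""
    if all(re.fullmatch(r'\d+', v) for v in values):
        return 'integer'
    if all(re.fullmatch(r'[A-Za-z0-9_]+', v) for v in values):
        return 'word'
    return 'any'

def learn_profile(lines, limit=-1):
    """Return {resource: {method: {param: type}}}; limit=-1 processes everything."""
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    processed = 0
    for line in lines:
        if limit != -1 and processed >= limit:
            break
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, not counted as an event
        processed += 1
        _, method, target, status = m.groups()
        if int(status) >= 400:
            continue  # implicit filtering: only successful requests shape the positive model
        parts = urlsplit(target)
        params = seen[parts.path][method]  # registers the resource/method even without params
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params[name].add(value)
    return {r: {mt: {p: infer_type(v) for p, v in ps.items()} for mt, ps in ms.items()}
            for r, ms in seen.items()}

def profile_to_xml(profile):
    """Serialize the learnt profile using the hypothetical element names assumed here."""
    root = ET.Element('profile')
    for path, methods in sorted(profile.items()):
        res = ET.SubElement(root, 'resource', path=path)
        for method, params in sorted(methods.items()):
            me = ET.SubElement(res, 'method', name=method)
            for name, ptype in sorted(params.items()):
                ET.SubElement(me, 'parameter', name=name, type=ptype)
    return ET.tostring(root, encoding='unicode')
```

Running the learner over SAMPLE_LOG yields /login.jsp with GET and POST (user as word, id as integer) and /index.html with a parameterless GET; the path-traversal attempt and the 404 never reach the model.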
The Profile View
The main view of the WebApplicationProfiler is used to display the profile after it has been retrieved from the (internal) profiling engine. In later stages it will also be possible to connect to remote profiling engines. The profile is displayed within a profile editor view, which allows the user to easily edit the learnt profile. Simply right-clicking on a resource, method or parameter will present a context-sensitive menu of actions that can be applied to the selected object.
Generating ModSecurity Rulesets
The editor also provides the possibility to directly call a profile compiler, which transforms the generated profile into a ruleset that can be included in ModSecurity. The compiler is currently a rather simple XSLT transformation. In order to generate a ruleset based on the current profile, simply click on the Compile icon in the toolbar or select Compile Profile from the Profiler menu. The application will then prompt you for a file to which the generated rules should be saved.
Customized RuleSet Generation
As stated above, the generation of rules is based on XSLT. The simple XSLT currently used within the WebApplicationProfiler is contained within the Java archive and called SimpleTransformation.xslt.
At the moment there is no way to explicitly select a custom XSLT using the GUI, but future versions
will provide a convenient way to do so. If you want to customize your ruleset generation, you may simply
write your own XSLT and tell the profile compiler to use it via a system property:
java -Dorg.jwall.web.profile.compiler.xslt_file=/path/to/Custom.xslt \
-jar WebApplicationProfiler.jar
As a starting point for ruleset generation, the standard XSLT file is also available for download
as a single file: