Coming from a family of civil engineers, I always knew that it is a rigorous process to ensure that a building is safe and secure for its occupants. But, its the first time I got a chance to see the complete construction lifecycle when they started building a multi-story business complex next to the building I live in.
Recently a floating point DoS vulnerability surfaced in both PHP and Java. The crux of the problem is that PHP and Java apps go into an infinite loop and hang when trying to process numeric values in the (approximate) range of 2.2250738585072011E-208 to 2.2250738585072013E-208. For more information see here,here and here.
No matter how good a black list is there will always be a way to
their payloads using various characters. Billy Hoffman demonstrated
this very clearly in his book Ajax Security where he shows how to encode
payloads using whitespace and tabs (p.115-116). A better approach,
such as a whitelist, is needed to provide holistic protection for web
Recently we had a client application that allowed file uploads which was flooded with various viruses and malware that were uploaded to the server. The client's WAF requirements were to detect the malware before it hit the back-end server and blacklist the offenders. After all, if the client is uploading malware, you probably don't want to allow them access to the rest of your site either. This is, of course, a double edge sword, as it has the possibility of blocking valid IPs, such as those behind a NATted address. In this case, that was not a concern.
One of the more common complaints I hear about ModSecurity is that it breaks an application's functionality when put in front. While the complaint is mainly directed at the Core Rule Set (CRS) and not the ModSecurity engine, new users probably can't differentiate between the two and have very little documentation available explaining how to properly whitelist rules. This post if aimed at helping users understand the various options available to them when whitelisting CRS rules.
Just over a year ago, I became a very real victim of the global financial crisis. The US - Australia E3 free trade visa is awesome, but it has a sting in the tail – once I had lost my job, our little family had to return from the USA within ten days. More importantly, our health insurance would run out around the same time, and you simply can’t be alive without health insurance in the USA. Leaving was pretty tough as I loved living in and travelling the USA, we had a life and friends, and my daughter was born there and at that time, didn’t have a passport let alone Australian citizenship.
Fairly often applications include a password recovery feature that uses extremely weak questions. Password recovery mechanisms are problematic as they can be used as a secondary means of authentication which are not subject to the same strict criteria as the primary means of authentication. A perfect example of this is when U.S.
ModSecurity is typically used to identify (and possibly stop) syntax based attacks. It is very easy to write a rule to identify a specific attack pattern. Having said that, it is also possible to identify a number of non-syntax based attacks as well. I hope to demonstrate several of these over the next few weeks.