Web Application Profiles - Mixed Models

Work in Progress

There are several approaches which address the elevation of web-application security. In contrast to the positive security model which is inherent to the proposed profile approach, the core rules or PHP-IDS try to detect attacks be matching the requests against a pattern-database of known attacks.

As the strict positive approach is a lot more efficient when it comes to simple parameters like product IDs, date-field and the like, it will fail for validating free-text fields for instance. Thus, a strict positive model will not be sufficient to detect all attacks. The profiles therefore allow for the "selected" inclusion of pattern-based approaches into the profiles.

The editor for instance can import the filter-rules provided by the PHP-IDS project and allows to apply filters to a parameter. The PHP-IDS rules are tagged by specific tags which can be used to select the "attack type" to check for. A simple example is the following:

   ...
   <Parameter name="comment">
      <IncludeFilter tags="sqli" />
   </Parameter>
   ...

In this example, the filter rules which are tagged with "sqli" will all be incorporated into the compiled rule set and prevent sql-injections within the comment parameter based on the filters by PHP-IDS.

The use of the IncludeFilter element within the profiles is not yet supported by the ProfileCompiler included in the editor. However this feature will be added within the next release of the ProfileEditor.

Written by Christian Bockermann <chris@jwall.org>
Any feedback is welcome.