Description
Proposal Title: Implement a web application firewall built close to the web server
Student Name: Mayank Dhiman
Student E-mail: (Gmail id) mayankdbest
I. Brief Description
The basic technologies used for web application development are so easy to use that people with no knowledge of security can get their websites up and running without paying attention to security at all. Many packages like WAMP, XAMPP etc. do not provide any web application firewall by default; users have to install plug-ins of open source WAFs like ModSecurity or proprietary counterparts. Thus there are large numbers of websites containing insecure code, most of which can be compromised by fairly simple techniques like SQL Injection, XSS etc., as reflected in OWASP's Top 10 list for 2010.
Since security of web applications is not a priority by default, Apache can stand up as the first web server to integrate a web application firewall by default, one which defends the web application against at least the most common attacks (for now), thus making the default installation more secure and decreasing the number of web sites compromised by these techniques.
By definition:
A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
II. Detailed Proposal
Although a few web application firewalls such as ModSecurity are available as plug-ins for Apache, the LAMP/WAMP/XAMPP platform has become so easy to work with that people with no focus on security build quick solutions just to get their content up and running. As a result, even though many web servers do use web application firewalls, their number is comparatively small, given that security is not a priority on most people's list.
So I propose a built-in web application firewall (WAF) within Apache which at least provides basic protection against various web application layer attacks.
It can be implemented by incorporating the firewall within the server hierarchy so that it acts as a sniffer of information, especially in the various injectable fields (input fields, cookies, headers etc.), which can be tested for signatures of the various classes of web application attack such as SQL Injection, XSS (HTML Injection) etc.
The idea is that the firewall will be on by default upon installation, but the user will have the option to turn it off or replace it with another open source or proprietary web application firewall via plug-ins etc.
This built-in firewall within Apache will greatly help to decrease the number of successful web application attacks and will also help promote Apache as a more secure web server compared to its competitors.
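As an added illustration (not part of this proposal and not Apache code), the following stand-alone Python model shows the inspection step described above: it collects the injectable fields of a request (query string, body, cookies, headers), normalises the encodings that would otherwise hide a signature, and matches each value against a small constructed signature set. A per-field exemption list stands in for the application-specific rule customisation that the WAF definition in section I mentions. The real module would implement this against Apache's request hooks in C; the signatures, sample requests and function names here are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed signature set (name, pattern): a small illustrative subset of the
# SQL Injection / XSS classes. The proposal's updatable database would hold many more.
SIGNATURES = [
    ("sqli_tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("sqli_union_select", re.compile(r"(?i)\bunion\b.{0,24}\bselect\b")),
    ("sqli_quote_comment", re.compile(r"'\s*(--|#|/\*)")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script\b")),
    ("xss_event_handler", re.compile(r"(?i)\bon\w+\s*=")),
    ("xss_javascript_uri", re.compile(r"(?i)javascript\s*:")),
]

MAX_DECODE_ROUNDS = 3  # bound repeated decoding so hostile input cannot loop forever


def normalize(value):
    """Undo the encodings that hide a signature from a naive substring check.

    URL-decoding is repeated until the value stops changing (bounded), so
    double-encoded input such as %253C is reduced to '<' before matching;
    HTML entities are decoded last.
    """
    previous = None
    for _ in range(MAX_DECODE_ROUNDS):
        if value == previous:
            break
        previous = value
        value = unquote_plus(value)
    return html.unescape(value)


def parse_cookie_header(header):
    """Split a raw Cookie header into a {name: value} dict (values left encoded)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def injectable_fields(request):
    """Yield (location, name, value) for every field a client controls."""
    headers = request.get("headers", {})
    for name, value in parse_qsl(request.get("query", ""), keep_blank_values=True):
        yield ("query", name, value)
    for name, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        yield ("body", name, value)
    for name, value in parse_cookie_header(headers.get("Cookie", "")).items():
        yield ("cookie", name, value)
    for name, value in headers.items():
        if name != "Cookie":  # already inspected cookie by cookie above
            yield ("header", name, value)


def inspect(request, exempt=frozenset()):
    """Return [(location, field, signature)] hits; fields listed in `exempt` are skipped.

    `exempt` holds (location, field) pairs: the per-application tuning the WAF
    definition calls for, e.g. a CMS editor field that legitimately carries HTML.
    """
    hits = []
    for location, name, raw in injectable_fields(request):
        if (location, name) in exempt:
            continue
        value = normalize(raw)
        for sig_name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((location, name, sig_name))
    return hits


def decide(request, exempt=frozenset()):
    """Map inspection hits to an HTTP status: 403 on any hit, otherwise 200."""
    hits = inspect(request, exempt)
    return (403 if hits else 200), hits


# Constructed sample requests (not captured traffic).
BENIGN = {"query": "q=apache+module&page=2",
          "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Cookie": "session=abc123"}}
SQLI_QUERY = {"query": "id=1%27%20OR%20%271%27%3D%271", "headers": {}}
XSS_COOKIE = {"query": "", "headers": {"Cookie": "theme=%3Cscript%3Ealert(1)%3C%2Fscript%3E; session=abc123"}}
DOUBLE_ENCODED = {"query": "q=%253Cscript%253E", "headers": {}}

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("sqli", SQLI_QUERY),
                       ("xss-cookie", XSS_COOKIE), ("double-encoded", DOUBLE_ENCODED)]:
        status, hits = decide(req)
        print(f"{label:15s} -> {status} {hits}")
```

The double-encoded sample is the reason `normalize` decodes repeatedly: `parse_qsl` decodes the query once, leaving `%3Cscript%3E`, which a single-pass matcher would pass through. The exemption set shows the other half of the trade-off: signature matching on free-text fields produces false positives, so a deployment needs a way to tune rules per field rather than only a global on/off switch.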
III. Week Plan with list of deliverables
- (Till May 23rd, community bonding period):
Brainstorm with my mentor and the Apache community to come up with the most optimal design for our Apache built-in Web Application Firewall
Deliverable: A detailed report or design document on how to implement the basic Web Application Firewall
- (May 24th, coding starts) Week 1 and Week 2:
Deliverable: Basic integration with Apache and a reverse proxy
- Week 3 and Week 4:
Deliverable: A signature database which can be updated
- Week 5 and Week 6:
Deliverable: Different attack signatures for the most common web application vulnerabilities, esp. those listed in OWASP's list of Top 10 web application vulnerabilities
- Week 7 and Week 8:
Deliverable: Integration of signatures for the prevention of more web application vulnerabilities
- (July 19th) Week 9, Week 10 and Week 11:
Deliverable: Writing tests and web application fuzzing via various methods
- (August 9th, tentative 'pencils down' date) Week 12:
Deliverable: Wind up the work. Write documentation and some tutorials etc.
- (August 16th) Final evaluation
IV. Additional Information
I am a second year Computer Science student at Punjab Engineering College (India) graduating in May 2012.
I participate in lots of underground hacking sites which mainly deal with web application security, such as:
http://www.hackthissite.org/user/view/thinker_01/
http://www.hellboundhackers.org/profile/thinker_01.html
And a comprehensive site:
http://www.wechall.net/profile/thinker_01
I have won hacking competitions at regional level in India and I'm also an avid supporter of open source software. My interests include penetration testing, network security, web application development, reverse engineering.
I'll try my best to contribute to the open source world and try to make the world a safer place to code in for web application developers.
I have no specific time constraints throughout the GSoC period. I will devote a minimum of 8 hours every day to GSoC.
Time offset: UTC+5:30 (IST)
V. References
[1] OWASP Top 10 Web Application Vulnerabilities http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
[2] Wikipedia page http://en.wikipedia.org/wiki/Application_firewall