This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
Of all the commercial and open-source HTTP proxies available, the Apache Web server stands out with its ability to parse and rewrite content. Apache includes a fast and stable built-in HTTP proxy as part of its core distribution, and its modular design allows you to tune it extensively, so you can deploy it in a proxy-only configuration. You can leverage its content-awareness to build a filtering and rewriting HTTP proxy.
Starting with version 2.0, Apache includes the PCRE (Perl Compatible Regular Expressions) library as a built-in pattern-matching engine, which substantially improves the performance of regular expressions. It also allows for the ordering of multiple parsing and rewriting operations, based on the type of content.
These features, combined with the third-party and built-in modules discussed later, provide a powerful toolkit for protecting Web applications.
Mod_security (www.modsecurity.org) is at the heart of your firewall's Web intrusion prevention capabilities. It began as a simple pattern-based filtering engine to block network worm traffic, but has matured into a full-blown Web security suite.
Mod_security signatures use a regular expression-based filtering language that will be familiar to users of Snort, and can be automatically updated via the mod_security site, much like typical IDS signatures. These include filters against cross-site scripting and SQL statements in URLs, and traffic that contains shell commands and path or user ID information.
Free, frequently updated signatures for mod_security are available for download at www.gotroot.com.
Mod_security also normalizes and sanitizes Unicode traffic to protect against URL-encoding attacks.
Mod_security's pattern matching can also be used to prevent error message leakages that might give an attacker useful information. Any messages that might disclose Web server configurations can be filtered and redirected to a generic error message. You can also use mod_security to enforce what file types can be requested from the environment, such as .php, .asp, .jsp, and .html files.
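The file-type enforcement, encoding normalization and error-message filtering described above could be expressed as follows. This is an added example, not configuration from the article or from the mod_security project; it assumes ModSecurity 2.x `SecRule` syntax, and the rule ids, leak patterns and error text are constructed for illustration.

```apache
# Added illustration (ModSecurity 2.x syntax assumed). Rule ids, patterns
# and the generic error text are constructed, not taken from the article.
SecRuleEngine On

# Buffer response bodies so that phase 4 rules can inspect them before
# anything is sent to the client.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain

# Reject request URIs whose %-escapes are malformed, before any decoding.
SecRule REQUEST_URI_RAW "@validateUrlEncoding" \
    "id:100000,phase:1,t:none,deny,status:403,log,msg:'Invalid URL encoding'"

# File-type allowlist. The basename is URL/Unicode-decoded and lowercased
# first, so an encoded or mixed-case extension cannot slip past the match.
# An empty basename (a directory request such as "/app/") is allowed.
# The extension list mirrors the article's examples; static assets such
# as stylesheets and images would need to be added for a real site.
SecRule REQUEST_BASENAME "!@rx ^$|\.(?:php|asp|jsp|html)$" \
    "id:100001,phase:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'File type not on allowlist'"

# Outbound leak filter: if the back end's response contains text typical
# of an interpreter or database error, withhold the page and return a
# plain 500 instead.
SecRule RESPONSE_BODY "@rx (?i)(?:fatal error:|stack trace|sqlstate\[|odbc driver)" \
    "id:100002,phase:4,t:none,deny,status:500,log,msg:'Server error detail in response body'"

# Generic text for the status codes the rules above return, so a blocked
# response carries no detail about the server or the rule that fired.
ErrorDocument 403 "The request could not be completed."
ErrorDocument 500 "The request could not be completed."
```

Each rule logs the match on the proxy, so the original error text remains available to administrators even though the client only sees the generic message.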
This was first published in September 2006