Primarily, these enhancements add an operational mode to the WAF in which all inputs to the web application are validated against a strict whitelist, and policy rules act as "exceptions" to allow a broader range of characters for particular input.

This model offers the following benefits:

- Accountability - creating "exceptions" is self-documenting
- "Secure by Default" - any newly developed pages will have their parameters validated against the default whitelist
- Education - for any "exception" that strays from the default whitelist, developers will need to understand the security risk that allowing a broader range of characters for any particular parameter poses, and handle those risks accordingly

However, this mode of operation may not be suitable for all web applications (i.e. if many "exceptions" are required).

Major Proposed Changes:

- Support For Aliases
  - For virtual patch rules in the policy file, a rule can now contain either an alias or a pattern. Aliases must have been previously defined.
- New Operational Mode: Validate All Parameters
  - Virtual patch rules are created on the fly for all parameters of a given request that were not validated against any rules in the policy file.
- Additional Support For Parsing Uploaded Filenames
  - Parse uploaded filenames in multipart messages
  - Prevent issues such as directory traversal with filenames

*** Example configuration files, use cases, and information can be made available upon request.
From jagill...@gmail.com on August 30, 2011 13:41:40
Authors: Jon Gill & Roger Seagle
Attachment: esapi-waf.diff
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=244
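As an added illustration of the proposed model (not code from the ESAPI WAF or from the attached patch), here is a minimal default-deny parameter validator in Python: a policy rule references a previously defined alias or carries its own pattern, every parameter the policy does not name gets an on-the-fly virtual patch against an assumed default whitelist, and parsed multipart filenames are checked for traversal. The default character set, the alias and rule names, and the sample request are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed "secure by default" whitelist for any parameter no policy rule names.
# The character set and length are this example's choice, not an ESAPI value.
DEFAULT_WHITELIST = re.compile(r"[A-Za-z0-9 _.-]{0,64}")


class Policy:
    """Named aliases plus per-parameter 'exception' rules that widen the default."""

    def __init__(self) -> None:
        self.aliases: Dict[str, re.Pattern] = {}
        self.rules: Dict[str, re.Pattern] = {}  # parameter name -> allowed pattern

    def define_alias(self, name: str, pattern: str) -> None:
        self.aliases[name] = re.compile(pattern)

    def add_rule(self, param: str, alias: Optional[str] = None,
                 pattern: Optional[str] = None) -> None:
        """A rule carries either an alias or a pattern; the alias must already exist."""
        if (alias is None) == (pattern is None):
            raise ValueError("rule needs exactly one of alias or pattern")
        if alias is not None and alias not in self.aliases:
            raise ValueError(f"alias {alias!r} used before it was defined")
        self.rules[param] = (self.aliases[alias] if alias is not None
                             else re.compile(pattern))


def virtual_patches(policy: Policy, params: Dict[str, str]) -> Dict[str, re.Pattern]:
    """Rules synthesised on the fly: every request parameter the policy does not
    mention gets the default whitelist, so new pages are covered without a policy edit."""
    return {p: DEFAULT_WHITELIST for p in params if p not in policy.rules}


def safe_upload_name(name: str) -> bool:
    """A parsed multipart filename must be a bare name: no separators, NUL or '..'."""
    return bool(name) and ".." not in name and not any(c in name for c in "/\\\0")


def validate_request(policy: Policy, params: Dict[str, str],
                     filenames: Tuple[str, ...] = ()) -> Tuple[bool, List[str]]:
    """Default-deny check: explicit rules win, everything else hits the default."""
    active = {**virtual_patches(policy, params), **policy.rules}
    violations = [f"param {n!r}" for n, v in params.items()
                  if not active[n].fullmatch(v)]
    violations += [f"filename {f!r}" for f in filenames if not safe_upload_name(f)]
    return (not violations, violations)
```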