
ESAPI WAF Enhancements #251

Open
meg23 opened this issue Nov 13, 2014 · 1 comment


meg23 commented Nov 13, 2014

From jagill...@gmail.com on August 30, 2011 13:41:40

Primarily, these enhancements add an operational mode to the WAF in which all inputs to the web application are validated against a strict whitelist, and policy rules act as "exceptions" to allow a broader range of characters for particular input.

This model offers the following benefits:

  • Accountability – creating “exceptions” is self documenting
  • "Secure by Default" - any newly developed pages will have their parameters validated against the default whitelist
  • Education - for any "exception" that strays from the default whitelist, developers will need to understand the security risk that allowing a broader range of characters for any particular parameter creates, and handle those risks accordingly

However, this mode of operation may not be suitable for all web applications (i.e. if many "exceptions" are required).

Major Proposed Changes:

  • Support For Aliases
    • For virtual patch rules in the policy file, a rule can now contain either an alias or pattern. Aliases must have been previously defined
  • New Operational Mode: Validate All Parameters
    • Virtual patch rules created on the fly for all parameters of a given request that were not validated against any rules in the policy file
  • Additional Support For Parsing Uploaded Filenames
    • Parse uploaded filenames in multipart messages
    • Prevent issues such as directory traversal with filenames

*** Example configuration files, use cases, and information can be made available upon request.

Authors: Jon Gill & Roger Seagle

Attachment: esapi-waf.diff

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=244
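The validate-all model described in the proposal, sketched as an added example. This is not ESAPI code and not the attached esapi-waf.diff: it is a hypothetical Policy class showing a default whitelist applied to every parameter, named aliases that rules may reuse, per-path "exception" rules that must name either an alias or a pattern, the on-the-fly rule for parameters no policy entry covers, and a sanitizer that reduces a multipart filename to a validated base name so traversal sequences cannot reach the filesystem. The default pattern, the paths, the parameter names, the Content-Disposition line and the sample requests are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical default whitelist: what every parameter must satisfy unless a
# policy rule grants an exception. The proposal does not fix the exact pattern.
DEFAULT_WHITELIST = re.compile(r"[A-Za-z0-9 _.-]{0,64}")


@dataclass
class Policy:
    """Hypothetical model of the proposed 'validate all parameters' mode."""
    aliases: Dict[str, re.Pattern] = field(default_factory=dict)
    # Exception rules keyed by (request path, parameter name).
    rules: Dict[Tuple[str, str], re.Pattern] = field(default_factory=dict)
    validate_all: bool = True

    def define_alias(self, name: str, pattern: str) -> None:
        self.aliases[name] = re.compile(pattern)

    def add_rule(self, path: str, param: str, *,
                 alias: Optional[str] = None, pattern: Optional[str] = None) -> None:
        # A rule names either an alias or a pattern, never both or neither,
        # and an alias must already have been defined when a rule uses it.
        if (alias is None) == (pattern is None):
            raise ValueError("rule needs exactly one of alias or pattern")
        if alias is not None:
            if alias not in self.aliases:
                raise KeyError(f"alias {alias!r} used before it was defined")
            self.rules[(path, param)] = self.aliases[alias]
        else:
            self.rules[(path, param)] = re.compile(pattern)

    def check_request(self, path: str, params: Dict[str, List[str]]) -> List[str]:
        """Return human-readable violations; an empty list means the request passes."""
        violations = []
        for name, values in params.items():
            rule = self.rules.get((path, name))
            if rule is None:
                if not self.validate_all:
                    continue  # classic mode: unlisted parameters go unchecked
                rule = DEFAULT_WHITELIST  # on-the-fly rule for an unlisted parameter
            for value in values:
                if not rule.fullmatch(value):
                    violations.append(f"{path} param {name!r}: {value!r} rejected")
        return violations


# Base-name whitelist: no leading dot, so '..' and dotfiles are rejected outright.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
_DISPOSITION_FILENAME = re.compile(r'filename="([^"]*)"')


def safe_upload_filename(raw: str) -> str:
    """Reduce a client-supplied filename to a validated base name.

    Browsers may send a full client path and attackers send traversal
    sequences; both are cut down to the last path component (split on
    either separator), which must then pass the base-name whitelist.
    """
    base = re.split(r"[\\/]", raw)[-1]
    if not _SAFE_NAME.fullmatch(base):
        raise ValueError(f"rejected upload filename {raw!r}")
    return base


def filename_from_content_disposition(header: str) -> str:
    """Pull the filename out of a multipart part's Content-Disposition header."""
    match = _DISPOSITION_FILENAME.search(header)
    if match is None:
        raise ValueError("Content-Disposition carries no filename")
    return safe_upload_filename(match.group(1))


if __name__ == "__main__":
    policy = Policy()
    policy.define_alias("email", r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
    policy.add_rule("/register", "email", alias="email")
    policy.add_rule("/search", "q", pattern=r"""[^<>"']{1,200}""")
    # Constructed sample requests: the second carries an unlisted parameter
    # whose value falls outside the default whitelist and is rejected.
    print(policy.check_request("/register", {"email": ["jon@example.org"], "name": ["Jon"]}))
    print(policy.check_request("/register", {"email": ["jon@example.org"], "note": ["<script>"]}))
    print(filename_from_content_disposition(
        'form-data; name="upload"; filename="..\\..\\windows\\win.ini"'))
```

Two design points worth noting. Exceptions are keyed by path and parameter rather than by parameter name alone, so granting a wide pattern to `q` on one page does not silently widen a `q` elsewhere; and the filename handling cuts to the last path component instead of trying to strip `..` sequences, which is why a payload like `....//` has nothing left to exploit after the split.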


meg23 commented Nov 13, 2014

From M.Gelma...@gmail.com on November 13, 2014 10:20:26

Labels: Type-Task
