URL Filtering for Web Application Security

Larry Price

MoonShadowECommerce

Web Application Security

Exposed
Open
Vulnerable

Web Applications, particularly those available for public use have the following attributes.

They are Exposed to the network. They are Open to receiving input from anyone. They are Vulnerable to attacks from the trivial to the complex. I'm only going to talk about the first two items tonight.

What a URL is.

an entry point into your application
a function or method call
a String of Characters

A URL is a string of characters

Anatomy of a URL

http://domain.tld/path/elements.html?variable=value

Tools That Come with Apache

mod_rewrite

example mod_rewrite usage

ServerName  www.domain.tld
DocumentRoot /data/www/domain.tld
ReWriteEngine on
ReWriteRule ^/images/.*$ - [L]
ReWriteRule ^/graphics/.*\.gif$ - [L]
ReWriteRule ^/([a-zA-Z]*)/(.*)$ /data/svc/endpoint?type=$1&name=$2

Open and Closed Sets

Open Set ^.*$
Closed Set ^/mumble/[a-z]{8}$

Why People Mess with your site.

Money
Google Juice
Use Your resources for nefarious purposes.

itproforum.com 01/15/2008

Spiders, Bots and Scammers.