From: vertigo <ve...@pa...> - 2002-04-04 23:23:08

Wait, wait, wait. There still seems to be some misunderstanding of exactly when we start filtering. This is NOT a proxy server; it is an API. We start filtering AFTER the web server has processed the request. The proxy idea would be fine, until we started working with SSL. The idea of an "SSL Terminator" was discussed on one of the mailing lists I'm on. This would be, in effect, a man-in-the-middle attack on the SSL protocol. It works, it's dead simple, but we're not doing that.

Nathan

-----Original Message-----
From: owa...@li... [mailto:owa...@li...] On Behalf Of Nik Cubrilovic
Sent: Thursday, April 04, 2002 10:58 AM
To: owa...@li...
Subject: Re: [Owasp-input-api-developers] Re: goal and direction

On Wed, 3 Apr 2002 Chr...@ey... wrote:

> > Yes, web server plugins would be something more likely to fit into 'the
> > big picture' at a later date; they would have to be written in C and be
> > very specific to the target web server (Apache1/Apache2/IIS).
>
> Perhaps I am confused about some implementation details. If we are going
> to create Filters that sit in front of web applications, and which
> intercept all HTTP requests before they ever reach the web app, how would
> we do that if not in something like an Apache module or IIS ISAPI module?

As a front-end proxy, even before the web server.

==> [proxy] ==> [webserver] ==> [application]

There might obviously be SSL problems, and the web server would see all requests coming in from the proxy (which would mess up ACLs). There is no reason why the 'proxy' can't be on the same machine as the web server (web server listening on localhost, proxy forwards requests).

A model for the proxy might be (again, not much to do with the filter's API, just discussion) as follows, the request coming in from the top and passing through:

[REQUEST]
[FILTER USER INPUT]
[BLOCK BAD INPUT]
[LOG BAD INPUT/IDS]
[CHECK SANITY OF HEADERS (NORMALISE)]
[FORWARD REQUEST TO WEBSERVER]

And then back from the web server to the client:

[FILTER DB ERROR MESSAGES] - prevent 'information leakage'
[FILTER UNEXPECTED SCRIPT (PAYLOADS)]

I would not be surprised if there are existing implementations of this (can't recall any).

Regards,
-Nik

_______________________________________________
Owasp-input-api-developers mailing list
Owa...@li...
https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
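The pipeline Nik sketches above (filter user input, block and log bad input, normalise headers, forward; then scrub database errors and reflected script on the way back) can be modelled in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the OWASP Input API project or from any of the posters. It works on raw HTTP/1.x request and response bytes in memory rather than on a socket, so it runs offline; the rule lists, the names `inspect_request`, `inspect_response` and `Verdict`, and the sample requests in the usage notes are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule sets for this example only; a real filter would use a vetted, maintained ruleset.
BAD_INPUT = [
    re.compile(r"<\s*script\b", re.I),                                  # script injection
    re.compile(r"['\"]\s*(?:or|and)\s+['\"\w]+\s*=\s*['\"\w]+", re.I),   # tautology SQL injection
    re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),                          # path traversal
    re.compile(r"\x00"),                                                # NUL byte
]
DB_ERRORS = [
    re.compile(r"\bORA-\d{5}\b"),
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Microsoft OLE DB Provider", re.I),
    re.compile(r"unterminated quoted string", re.I),
]
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
GENERIC_ERROR = b"<html><body>An internal error occurred.</body></html>"


@dataclass
class Verdict:
    allowed: bool
    events: list = field(default_factory=list)  # what the LOG BAD INPUT/IDS stage would record
    forward: bytes = b""                        # normalised request handed to the web server
    inputs: list = field(default_factory=list)  # user-supplied values, kept for the response path


def _parse(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if the request line is malformed
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def _user_inputs(target, headers, body):
    """Collect every user-controlled value: path, query, cookie, form body (decoded twice)."""
    url = urlsplit(target)
    values = [unquote(unquote(url.path))]            # second decode catches %2525-style double encoding
    values += [unquote(v) for _, v in parse_qsl(url.query, keep_blank_values=True)]
    hdr = {n.lower(): v for n, v in headers}
    if "cookie" in hdr:
        values.append(unquote(hdr["cookie"]))
    if hdr.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        values += [unquote(v) for _, v in parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    return values


def inspect_request(raw: bytes) -> Verdict:
    """Request path: FILTER USER INPUT -> BLOCK/LOG BAD INPUT -> CHECK HEADERS -> FORWARD."""
    v = Verdict(allowed=True)
    try:
        method, target, version, headers, body = _parse(raw)
    except ValueError as exc:
        v.allowed = False
        v.events.append(f"BLOCK unparseable request: {exc}")
        return v
    v.inputs = _user_inputs(target, headers, body)
    for value in v.inputs:
        for pat in BAD_INPUT:
            if pat.search(value):
                v.events.append(f"BLOCK bad input {value!r} matched {pat.pattern!r}")
                v.allowed = False
    if not v.allowed:
        return v
    names = [n.lower() for n, _ in headers]
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        v.events.append(f"BLOCK unexpected method/version {method} {version}")
        v.allowed = False
    if "host" not in names or names.count("content-length") > 1:
        v.events.append("BLOCK missing Host or duplicate Content-Length")
        v.allowed = False
    if any(re.search(r"[\x00-\x1f\x7f]", val) for _, val in headers):
        v.events.append("BLOCK control character in header value")
        v.allowed = False
    if not v.allowed:
        return v
    # Rebuild a canonical request; the proxy's own Content-Length is authoritative.
    out = [f"{method} {target} {version}"]
    out += [f"{n.title()}: {val}" for n, val in headers if n.lower() != "content-length"]
    out.append(f"Content-Length: {len(body)}")
    v.forward = ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body
    return v


def inspect_response(raw: bytes, inputs) -> tuple:
    """Return path: FILTER DB ERROR MESSAGES, then FILTER UNEXPECTED SCRIPT (PAYLOADS)."""
    events = []
    head, _, body = raw.partition(b"\r\n\r\n")
    text = body.decode("latin-1")
    if any(p.search(text) for p in DB_ERRORS):
        events.append("REWRITE database error message leaked in response body")
        text = GENERIC_ERROR.decode("latin-1")

    def _drop_if_reflected(m):
        # Heuristic: a request value reappearing inside a <script> block is treated as injected.
        if any(val and len(val) >= 4 and val in m.group(0) for val in inputs):
            events.append("STRIP script block reflecting user input")
            return ""
        return m.group(0)

    text = SCRIPT_BLOCK.sub(_drop_if_reflected, text)
    body = text.encode("latin-1")
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"content-length:")]
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body, events
```

Feeding a constructed `GET /item?id=1'%20or%20'1'='1` through `inspect_request` produces a blocked verdict with one logged event, while a clean `GET /search?q=shoes` comes back rewritten with an explicit `Content-Length: 0`; a constructed response body containing `ORA-00933` is replaced wholesale by the generic error page. Two of Nik's caveats show up directly in the design: the proxy must re-frame the message (hence the recomputed Content-Length on both paths), and because it sits in front of the web server, anything downstream that keys on the client address or on TLS state sees the proxy instead.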