fusioncop / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

ESAPI WAF Enhancements #244

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Primarily, these enhancements add an operational mode to the WAF in which all 
inputs to the web application are validated against a strict whitelist, and 
policy rules act as "exceptions" to allow a broader range of characters for 
particular input.

This model offers the following benefits:
* Accountability – creating “exceptions” is self documenting
* "Secure by Default" - any newly developed pages will have their parameters 
validated against the default whitelist
* Education - for any "exception" that strays from the default whitelist, 
developers will need to understand the security risk that allowing a broader 
range of characters for any particular parameter poses, and handle those risks 
accordingly

However, this mode of operation may not be suitable for all web applications 
(i.e. if many "exceptions" are required).

Major Proposed Changes:
* Support For Aliases
 - For virtual patch rules in the policy file, a rule can now contain either an alias or a pattern. Aliases must have been previously defined

* New Operational Mode: Validate All Parameters
 - Virtual patch rules created on the fly for all parameters of a given request that were not validated against any rules in the policy file

* Additional Support For Parsing Uploaded Filenames
 - Parse uploaded filenames in multipart messages
 - Prevent issues such as directory traversal with filenames

*** Example configuration files, use cases, and information can be made 
available upon request.

Authors: Jon Gill & Roger Seagle

Original issue reported on code.google.com by jagill...@gmail.com on 30 Aug 2011 at 5:41
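The validate-all model described in this proposal (a strict default whitelist applied to every parameter, policy rules acting as per-parameter exceptions, aliases that must be defined before a rule uses them, and whitelist checks on uploaded filenames) as an added Python sketch; this is not ESAPI's code, and the whitelist patterns, class and function names are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Strict default whitelist applied to every parameter the policy file does not
# mention (a constructed value; the page does not give ESAPI's actual default).
DEFAULT_WHITELIST = re.compile(r"[A-Za-z0-9 ._-]{0,64}")
# Uploaded filenames get their own, narrower, whitelist (also constructed).
FILENAME_WHITELIST = re.compile(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?")


class WafPolicy:
    """Validate-all mode: default-deny whitelist plus per-parameter exceptions."""

    def __init__(self) -> None:
        self.aliases: Dict[str, re.Pattern] = {}
        self.rules: Dict[str, re.Pattern] = {}  # parameter name -> allowed pattern

    def define_alias(self, name: str, pattern: str) -> None:
        self.aliases[name] = re.compile(pattern)

    def add_rule(self, param: str, alias: Optional[str] = None,
                 pattern: Optional[str] = None) -> None:
        """A rule carries either an alias or a pattern; aliases must already exist."""
        if (alias is None) == (pattern is None):
            raise ValueError("rule needs exactly one of alias or pattern")
        if alias is not None:
            if alias not in self.aliases:
                raise ValueError(f"alias {alias!r} used before it was defined")
            self.rules[param] = self.aliases[alias]
        else:
            self.rules[param] = re.compile(pattern)

    def validate(self, params: Dict[str, str]) -> List[Tuple[str, str]]:
        """Check every parameter; return (name, source) for each rejected value.

        source is 'policy' when an explicit rule rejected the value and 'default'
        when the virtual patch created on the fly (the default whitelist) did.
        """
        rejected = []
        for name, value in params.items():
            regex = self.rules.get(name)
            source = "policy" if regex is not None else "default"
            if regex is None:
                regex = DEFAULT_WHITELIST  # unlisted parameter: default rule applies
            if regex.fullmatch(value) is None:
                rejected.append((name, source))
        return rejected


def upload_filename_is_safe(raw: str) -> bool:
    """Reject path separators and parent references, then apply the whitelist."""
    if "/" in raw or "\\" in raw or ".." in raw:
        return False
    return FILENAME_WHITELIST.fullmatch(raw) is not None
```

The `source` tag in each rejection is what gives the model its accountability: a `default` hit on a new page tells the developer that parameter needs a deliberate, documented exception rather than a wider default.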

GoogleCodeExporter commented 9 years ago

Original comment by M.Gelma...@gmail.com on 13 Nov 2014 at 6:20

GoogleCodeExporter commented 9 years ago
finally got some action after 3.5 yrs lol

Original comment by jagill...@gmail.com on 14 Nov 2014 at 8:18