I wanted to share some details on our new project, the Web Protection Library (WPL), which contains libraries to protect web applications from common vulnerabilities and attacks. Our goal is to offer comprehensive web application protection with minimal configuration. With the release of Anti-XSS 3.0 we offered cross-site scripting (XSS) protection in the form of a custom library and an HTTP module called the Security Runtime Engine (SRE). SRE applies XSS protection automatically at runtime and does not require any code changes to the application.
We are taking the same approach in WPL and providing protections for SQL injection, clickjacking, file canonicalization attacks, and so on. We will also be extending the HTML encoding library to support LDAP input encoding as well as XPath input encoding. SQL injection protection via a module is already implemented in a solution by Maqbool called SQL Detect, which analyzes input to detect embedded SQL commands; it will be integrated with SRE. In WPL we also want to create a new Request Validation module that offers better protection and less inconvenience to developers. Architecturally, WPL will contain two main components: encoding libraries that developers call directly in their own code, and a runtime engine that wraps those libraries to apply the protections automatically.
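To make the LDAP and XPath encoding work concrete, here is an added example of what such context-specific encoders do. It is illustrative code written for this post, not the WPL/Anti-XSS library's own API, and the function names (`ldap_filter_encode`, `ldap_dn_encode`, `xpath_literal`) are this example's own. LDAP filter and DN escaping follow RFC 4515 and RFC 4514; XPath 1.0 has no escape sequence for quotes inside a string literal, so the only safe encoding is to pick a quote the value does not contain or to rebuild the value with concat().

```python
# Added example (not part of the WPL/Anti-XSS code base): context-specific
# encoders for the two contexts the post says the encoding library will gain.
# Function names are this example's own.

# RFC 4515 search-filter metacharacters and their hex escapes.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_encode(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The five filter metacharacters become \\XX escapes; any other control or
    non-ASCII character is emitted as the \\XX escape of each of its UTF-8
    bytes, so the result is always a plain-ASCII assertion value.
    """
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# RFC 4514 characters that must be backslash-escaped anywhere in a DN value.
_LDAP_DN_SPECIALS = set(',+"\\<>;')


def ldap_dn_encode(value: str) -> str:
    """Escape an attribute value for use in a distinguished name (RFC 4514).

    Besides the special characters, a leading space or '#' and a trailing
    space are escaped, since a server would otherwise trim them or read
    '#...' as a hex-encoded value. NUL becomes \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _LDAP_DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def xpath_literal(value: str) -> str:
    """Turn an arbitrary string into a safe XPath 1.0 string literal."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Contains both quote kinds: split on single quotes and glue the pieces
    # back together with concat(), inserting the quote as its own literal.
    pieces = []
    for chunk in value.split("'"):
        if chunk:
            pieces.append(f"'{chunk}'")
        pieces.append('"\'"')  # the single quote itself, double-quoted
    pieces.pop()  # the loop appends one separator too many
    return "concat(" + ", ".join(pieces) + ")"


def user_search_filter(uid: str) -> str:
    """Build an LDAP filter from untrusted input using the encoder."""
    return f"(&(objectClass=person)(uid={ldap_filter_encode(uid)}))"


def user_xpath_query(name: str) -> str:
    """Build an XPath query from untrusted input using the literal encoder."""
    return f"//user[name={xpath_literal(name)}]"


if __name__ == "__main__":
    # Constructed hostile inputs: a filter-breakout attempt and a quote-breakout attempt.
    print(user_search_filter("*)(uid=*))(|(uid=*"))
    print(ldap_dn_encode(" Smith, John #1 "))
    print(user_xpath_query("' or '1'='1"))
    print(user_xpath_query('O\'Neil "Doc"'))
```

The filter breakout `*)(uid=*))(|(uid=*` encodes to `\2a\29\28uid=\2a\29\29\28|\28uid=\2a`, which the directory treats as a literal value rather than new filter syntax; the XPath input `' or '1'='1` is wrapped in double quotes, and a value with both quote kinds becomes a `concat()` expression.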
The following are some of the enhancements we are planning for WPL.
- Library enhancements
  - LDAP encoding methods – Methods to encode LDAP input strings for safe use within LDAP expressions.
  - XPath encoding methods – Methods to encode XPath input strings for safe use within XPath expressions.
- Automated SRE enhancements
  - SQL injection detection – Detect SQL injection attempts in the input.
  - File canonicalization detection – Detect file canonicalization attempts in the input.
  - Clickjacking protection – Enforce the clickjacking protection header on responses.
  - Securing non-persistent cookies – Enforce the HttpOnly flag on cookies.
  - Enforcing SSL – Check whether the request arrived over SSL and redirect it to SSL if not.
  - Attack detection – Detect multiple kinds of attacks.
  - Rich configuration – Tweak engine execution through configuration.
  - Mitigation option – Choose either to reject the request or to mitigate the attack.
  - Logging – Log all detections, with multiple logging options.
  - Reporting – Provide a log parser and reports.
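As an added illustration of the runtime-engine approach (not SRE or WPL code; SRE is an ASP.NET HTTP module, whereas this is a Python WSGI middleware written for this post), the example below applies three of the automated protections listed above without any change to the wrapped application: redirecting non-SSL requests, enforcing a clickjacking header (`X-Frame-Options`), and adding `HttpOnly` to non-persistent cookies. Every action is recorded as a detection for logging. The class name, configuration keys, and the sample application and requests are all this example's own assumptions.

```python
# Added example (not WPL/SRE code): a WSGI middleware that applies three of
# the automated runtime protections from the list above. Config keys, class
# names and the sample app below are constructed for this illustration.
import logging

log = logging.getLogger("runtime_protection")

DEFAULT_CONFIG = {
    "enforce_ssl": True,          # redirect plain-http requests to https
    "frame_options": "DENY",      # X-Frame-Options value, or None to disable
    "httponly_scope": "session",  # "session" (no Expires/Max-Age), "all", or None
}


class RuntimeProtection:
    """Wraps a WSGI app and enforces protections on requests and responses."""

    def __init__(self, app, config=None):
        self.app = app
        self.config = {**DEFAULT_CONFIG, **(config or {})}
        self.detections = []  # (kind, detail) pairs, also written to the log

    def _detect(self, kind, detail):
        self.detections.append((kind, detail))
        log.info("%s %s", kind, detail)

    def __call__(self, environ, start_response):
        # SSL enforcement: answer plain-http requests with a redirect to https.
        if self.config["enforce_ssl"] and environ.get("wsgi.url_scheme") != "https":
            location = "https://" + environ.get("HTTP_HOST", "localhost") + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            self._detect("ssl-redirect", location)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        # Response-side enforcement: rewrite headers before they are sent.
        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, self._harden_headers(headers), exc_info)

        return self.app(environ, hardened_start_response)

    def _harden_headers(self, headers):
        out = []
        has_frame_options = False
        for name, value in headers:
            lname = name.lower()
            if lname == "x-frame-options":
                has_frame_options = True  # keep whatever the app chose
            elif lname == "set-cookie":
                value = self._secure_cookie(value)
            out.append((name, value))
        if self.config["frame_options"] and not has_frame_options:
            out.append(("X-Frame-Options", self.config["frame_options"]))
        return out

    def _secure_cookie(self, cookie):
        scope = self.config["httponly_scope"]
        if not scope:
            return cookie
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" in attrs:
            return cookie
        persistent = any(a.startswith(("expires=", "max-age=")) for a in attrs)
        if scope == "session" and persistent:
            return cookie  # persistent cookie, outside the configured scope
        self._detect("httponly-added", name)
        return cookie + "; HttpOnly"


def run(app, environ):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda _data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed sample app: sets one session cookie and one persistent cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "ASP.NET_SessionId=abc123; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/; Max-Age=2592000"),
    ])
    return [b"<html>hello</html>"]


def environ_for(scheme, path, query=""):
    """Minimal constructed WSGI environ for the demo requests."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": "app.example",
            "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    protected = RuntimeProtection(demo_app)
    print(run(protected, environ_for("http", "/login", "next=%2Fhome"))[:2])
    print(run(protected, environ_for("https", "/login"))[:2])
```

With the default configuration the plain-http request is answered with a 301 to the same URL over https, and the https request comes back with `X-Frame-Options: DENY` added and `HttpOnly` appended to the session cookie while the persistent `theme` cookie is left alone; switching `httponly_scope` to `"all"` covers the persistent cookie as well. The `detections` list is what a logging and reporting layer would consume.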
We will post more as we flesh out the finer details.