ModSecurity WAF using a Whitelist Approach

Description

A Web Application Firewall (WAF) usually detects and prevents attacks such as SQL injection. It does so by applying regular expressions that filter out potentially harmful strings. A common setup is ModSecurity as a plugin for Apache, combined with the OWASP Core Rule Set. Initially you run a "training phase" to adapt the rule set to your web application, or, put simply, to fix all the false positives.

We implemented a different approach for a customer who still suffered from false positives after such tuning. Most WAF concepts use a blacklist: a set of characters or strings that are filtered out or blocked. It is also possible to implement a whitelist approach, defining which characters are valid for each individual input field and rejecting everything else.

In this specific customer case, the software package build process also generates the whitelist rule set for ModSecurity: the development team maintains a definition file of application endpoints, their parameters, and the input type of each parameter. During the build, a translator compiles this definition into regular expressions, so that only requests whose parameters match the declared types are allowed through the WAF.
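As an added example (not the customer's translator, whose definition format the page does not show), the following Python sketch of such a build step uses a constructed definition file and emits ModSecurity rules that deny undeclared parameters and values outside each parameter's whitelist; the `evaluate` helper applies the same logic offline so the generated policy can be unit-tested before deployment. The dict layout, type names and rule id range are assumptions of this example.

```python
import re

# Constructed input-type catalogue and endpoint definition file (the page does
# not specify the format; this dict layout is an assumption of this example).
INPUT_TYPES = {
    "username": r"^[A-Za-z0-9_]{3,32}$",
    "digits": r"^[0-9]{1,10}$",
    "email": r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$",
}
ENDPOINTS = [
    {"path": "/login", "params": {"username": "username", "otp": "digits"}},
    {"path": "/profile", "params": {"email": "email"}},
]

def compile_rules(endpoints, input_types, base_id=10000):
    """Emit ModSecurity SecRules: per endpoint one 'undeclared parameter' rule,
    then one 'value outside whitelist' rule per declared parameter."""
    lines, rule_id = [], base_id
    for ep in endpoints:
        path, names = ep["path"], sorted(ep["params"])
        allowed = "|".join(re.escape(n) for n in names)
        # Chain: scope to this endpoint, then deny if any ARGS name is undeclared.
        lines.append(f'SecRule REQUEST_FILENAME "@streq {path}" '
                     f'"id:{rule_id},phase:2,deny,status:403,log,chain,'
                     f"msg:'undeclared parameter on {path}'\"")
        lines.append(f'    SecRule ARGS_NAMES "!@rx ^({allowed})$"')
        rule_id += 1
        for name in names:
            pattern = input_types[ep["params"][name]]  # patterns contain no '"'
            lines.append(f'SecRule REQUEST_FILENAME "@streq {path}" '
                         f'"id:{rule_id},phase:2,deny,status:403,log,chain,'
                         f"msg:'{name} on {path} outside whitelist'\"")
            lines.append(f'    SecRule ARGS:{name} "!@rx {pattern}"')
            rule_id += 1
    return "\n".join(lines) + "\n"

def evaluate(endpoints, input_types, path, args):
    """Offline check mirroring the generated rules: return the denial reason,
    or None if every parameter is declared and matches its type pattern.
    Paths absent from the definition are not covered by these rules."""
    for ep in endpoints:
        if ep["path"] != path:
            continue
        for name, value in args.items():
            if name not in ep["params"]:
                return f"undeclared parameter {name}"
            if not re.search(input_types[ep["params"][name]], value):
                return f"{name} outside whitelist"
    return None

if __name__ == "__main__":
    print(compile_rules(ENDPOINTS, INPUT_TYPES))
```

Because the parameter names are compiled into the `ARGS_NAMES` pattern, a new parameter added in the application without a matching definition-file entry is blocked at the WAF, which surfaces missing definitions during testing rather than in production.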

  • ModSecurity
  • WAF
  • Web Application Firewall