tag:blogger.com,1999:blog-732257695511948254.post3787314701620451515..comments2009-06-18T03:01:59.949-07:00Claudio Criscionehttp://www.blogger.com/profile/12202628660778574382noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-732257695511948254.post-70409188091167593502009-06-18T03:01:59.949-07:002009-06-18T03:01:59.949-07:00We all know that whitelisting is not always possible due to time/money constraints, even if it’s the best way to protect our applications. Unfortunately, WAFs are very commonly used as out of the box solutions, using generic rules and blacklists. <br /><br />Anyway, I see your point and I frankly support the idea of providing multiple lines of defense.<br /><br />Cheers. Luca.Luca Carettonihttp://www.blogger.com/profile/09957564681262364569noreply@blogger.comtag:blogger.com,1999:blog-732257695511948254.post-41159962231853450572009-06-18T00:24:25.355-07:002009-06-18T00:24:25.355-07:00As written in the whitepaper the best practice to deliver protection from RFI attack is having 2 levels:<br />* zero-day protection<br />* positive security protection<br /><br />The zero-day protection rules can be bypassed by the HPP but the positive security protection contains rules that can detect the example that you gave in your blog.<br /><br />ModSecurity RFI positive security rule would say – if value in parameter “par” is not from allowed predefined values and value is URL - trigger RFI attack. <br /><br />e.g. ‘par’ allows 1-4 digits<br /><br />SecRule &quot;ARGS:par&quot; !^\d{1,4}$ &quot;chain,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,phase:2,msg:&#39;Remote File Inclusion&#39; &quot;<br />SecRule &quot;ARGS:par&quot; (ht|f)tps?://<br /><br />Or KatzOrhttp://www.blogger.com/profile/16214055072579620536noreply@blogger.com