community-commits mailing list archives

From "Ross Gardler (JIRA)" <>
Subject [jira] Closed: (COMDEV-44) [GSOC]A web application firewall within Apache
Date Sun, 04 Jul 2010 01:07:49 GMT


Ross Gardler closed COMDEV-44.

    Resolution: Won't Fix

> [GSOC]A web application firewall within Apache
> ----------------------------------------------
>                 Key: COMDEV-44
>                 URL:
>             Project: Community Development
>          Issue Type: New Feature
>            Reporter: Mayank Dhiman
>            Priority: Critical
> Proposal Title: Implement a web application firewall built close to the web server
> Student Name: Mayank Dhiman
> Student E-mail: (Gmail id) mayankdbest
> I. Brief Description
> The basic technologies used for Web Application Development are so easy to use
> that people who have no idea about security are able to get their websites up and running
> without paying attention to security at all. There are many packages like WAMP, XAMPP etc.
> which do not provide any web application firewalls by default. People usually have to install
> plug-ins of open source WAFs like mod-security or other proprietary counterparts. Thus there
> are large numbers of websites containing insecure code, most of which can be compromised by
> fairly simple techniques like SQL Injection, XSS etc. as marked by OWASP's Top 10 list for
> Since security of web applications is not a priority by default, Apache can stand up as
> the first one to integrate a web application firewall by default which can defend the web
> application against at least the most common attacks (for now), thus making the default installation
> more secure and decreasing the number of web sites which are compromised by using these techniques.
> By definition:
> A web application firewall (WAF) is an appliance, server plug-in, or filter that applies
> a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as
> Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application,
> many attacks can be identified and blocked. The effort to perform this customization can be
> significant and needs to be maintained as the application is modified.
> II. Detailed Proposal
> Although there are a few web application firewalls available, like modsecurity, which can
> be used as plug-ins with Apache, the LAMP/WAMP/XAMPP
> platform has become so easy to work with that people who do not really have any focus
> on security build up quick solutions to get their content up and running. Thus even
> though many web servers are using web application firewalls, their numbers are comparatively
> few, given the fact that security is not a priority on most people's lists.
> So I propose a built-in solution within Apache of a web application firewall (WAF) which
> at least provides basic protection against various web application layer attacks.
> It can be implemented by incorporating the firewall within the server hierarchy so that
> it acts like a sniffer for information, esp. in various injectable fields like input fields,
> cookies, headers etc., which can be tested for signatures of various classes of web application
> attacks like SQL Injection, XSS (HTML Injection) etc.
> The idea is that the firewall will be ON by default upon installation but the user will
> have the opportunity to turn it off or replace it by some other open source or proprietary web
> application firewall via plug-ins etc.
> This built-in firewall within Apache will greatly help to decrease the amount of web
> application attacks and will also help to promote it as a much more secure Web Server as compared
> to its competitors.
> III. Week Plan with list of deliverables
>     * (Till May 23rd, community bonding period)
>       Brainstorm with my mentor and the Apache community to come up with the most optimal
>       design for our Apache built-in Web Application Firewall
>       Deliverable: A detailed report or design document on how to implement the basic
>       Web Application Firewall
>     * (May 24th, coding starts) Week 1 and Week 2:
>       Deliverables: Basic Integration with Apache and a Reverse Proxy
>     * Week 3 and Week 4:
>       Deliverable: A signature database which can be updated
>     * Week 5 and Week 6:
>       Deliverable: Different Attack Signatures for the most common web application vulnerabilities,
>       esp. those listed in OWASP's list of Top 10 web application vulnerabilities
>     * Week 7 and Week 8:
>       Deliverable: Integration for prevention of more web application vulnerability signatures
>     * (July 19th) Week 9, Week 10 and Week 11:
>       Deliverable: Writing Tests and Web Application fuzzing via various methods
>     * (August 9th, tentative 'pencils down' date) Week 12:
>       Deliverable: Wind up the work. Write documentation and some tutorials etc.
>     * (August 16: Final evaluation)
> IV. Additional Information
> I am a second year Computer Science student at Punjab Engineering College (India) graduating
> in May 2012.
> I participate in lots of underground hacking sites which mainly deal with web application
> security like 
> And comprehensive site:-
> I have won hacking competitions at regional level in India and I'm also an avid supporter
> of open source software. My interests include penetration testing, network security, web application
> development, reverse engineering.
> I'll try my best to contribute to the open source world and try to make the world a safer
> place to code in for web application developers.
> I have no specific time constraints throughout the GSoC period. I will devote a minimum
> of 8 hours every day to GSoC.
> Time offset: UTC+5:30 (IST)
> V. References
> [1] OWASP Top 10 Web Application Vulnerabilities
> [2] Wikipedia page

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
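The inspection loop the proposal sketches in sections II and III (treat the request's input fields, cookies and headers as injectable fields, test each against an updatable signature database, and keep the firewall on by default while letting the operator switch it off) is shown below as a small Python model. This is an added illustration, not code from the proposal, from Apache httpd or from mod_security; the signature entries, the request dictionary layout, the `DEFAULT_CONFIG` keys and the sample requests are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature database. Each entry is plain data (id, attack class,
# regular expression), so the set can live in a file and be updated without
# touching the inspection code, which is what the week 3-4 deliverable asks for.
SIGNATURE_DB = [
    {"id": "SQLI-001", "class": "SQL Injection",
     "pattern": r"""['"]\s*(?:or|and)\s+['"]?\w+['"]?\s*=\s*['"]?\w+"""},
    {"id": "SQLI-002", "class": "SQL Injection",
     "pattern": r"\bunion\b\s+(?:all\s+)?\bselect\b"},
    {"id": "XSS-001", "class": "XSS (HTML Injection)",
     "pattern": r"<\s*script\b|javascript\s*:"},
    {"id": "XSS-002", "class": "XSS (HTML Injection)",
     "pattern": r"\bon(?:error|load|click|mouseover)\s*="},
    {"id": "TRAV-001", "class": "Path Traversal",
     "pattern": r"\.\.[/\\]"},
]

# Hypothetical configuration: on by default, as the proposal wants, but the
# operator can disable it or run it in log-only mode while tuning rules.
DEFAULT_CONFIG = {"enabled": True, "mode": "block"}  # mode: "block" or "log"


def compile_signatures(db):
    """Turn the data-only database into compiled, case-insensitive regexes."""
    return [(e["id"], e["class"], re.compile(e["pattern"], re.IGNORECASE))
            for e in db]


def normalize(value):
    # Percent-decode twice so a double-encoded value is matched in the form the
    # application would eventually see rather than in its transport encoding.
    return unquote_plus(unquote_plus(value))


def parse_cookie_header(header):
    """Split a Cookie header by hand so every name=value pair is inspected,
    including pairs a strict cookie parser would silently drop."""
    pairs = []
    for chunk in header.split(";"):
        name, sep, value = chunk.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def extract_fields(request):
    """Yield (location, name, value) for each client-controlled field:
    path, query parameters, selected headers, cookies and the form body."""
    parts = urlsplit(request["target"])
    yield ("path", "", parts.path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield ("query", name, value)
    headers = request.get("headers", {})
    for name, value in headers.items():
        lname = name.lower()
        if lname == "cookie":
            for cname, cvalue in parse_cookie_header(value):
                yield ("cookie", cname, cvalue)
        elif lname in ("user-agent", "referer", "x-forwarded-for"):
            yield ("header", name, value)
    body = request.get("body", "")
    if body and headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            yield ("body", name, value)


def inspect(request, signatures):
    """Return one record per (field, signature) pair that matched."""
    findings = []
    for location, name, value in extract_fields(request):
        text = normalize(value)
        for sig_id, cls, rx in signatures:
            if rx.search(text):
                findings.append({"signature": sig_id, "class": cls,
                                 "location": location, "field": name})
    return findings


def decide(request, signatures, config=DEFAULT_CONFIG):
    """Map findings to an action: 'allow', 'log' or 'block'."""
    if not config["enabled"]:
        return "allow", []
    findings = inspect(request, signatures)
    if not findings:
        return "allow", findings
    return ("block" if config["mode"] == "block" else "log"), findings


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "benign": {"target": "/search?q=apache+httpd&page=2",
               "headers": {"User-Agent": "Mozilla/5.0",
                           "Cookie": "session=abc123; theme=dark"}},
    "sqli_query": {"target": "/login?user=admin'+or+'1'%3D'1&pw=x",
                   "headers": {}},
    "xss_body": {"target": "/comment",
                 "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                 "body": "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    "traversal_cookie": {"target": "/",
                         "headers": {"Cookie": "lang=../../secret.conf"}},
}

if __name__ == "__main__":
    sigs = compile_signatures(SIGNATURE_DB)
    for label, req in SAMPLE_REQUESTS.items():
        action, hits = decide(req, sigs)
        print(f"{label:17s} -> {action:5s} {[h['signature'] for h in hits]}")
```

Two design points carry over from the definition the proposal quotes. Signatures are matched against the decoded value, because a rule that only sees the transport encoding misses the form the application actually receives. And a coarse generic rule set like this one will produce false positives on legitimate input (a forum post discussing SQL, a product name with quotes), which is why the "log" mode exists: the operator runs the firewall in log-only mode, reviews what fires, and customizes the rules to the application before switching to "block", the maintenance effort the quoted definition warns about.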
