community-commits mailing list archives

From "Mayank Dhiman (JIRA)" <>
Subject [jira] Created: (COMDEV-44) [GSOC]A web application firewall within Apache
Date Fri, 09 Apr 2010 11:51:51 GMT
[GSOC]A web application firewall within Apache

                 Key: COMDEV-44
             Project: Community Development
          Issue Type: New Feature
            Reporter: Mayank Dhiman
            Priority: Critical

Proposal Title: Implement a web application firewall built close to the web server
Student Name: Mayank Dhiman
Student E-mail: (Gmail id) mayankdbest

I. Brief Description
The basic technologies used for web application development are so easy to use that people
who have no idea about security can get their websites up and running without paying any
attention to security at all. Many packages such as WAMP, XAMPP etc. do not provide a web
application firewall by default; users have to install plug-ins of open source WAFs like
mod_security or their proprietary counterparts. As a result there are large numbers of websites
containing insecure code, most of which can be compromised by fairly simple techniques like
SQL Injection, XSS etc., as listed in OWASP's Top 10.
Since security of web applications is not a priority by default, Apache can be the first web
server to integrate a web application firewall by default, one which defends the web application
against at least the most common attacks (for now), thus making the default installation more
secure and decreasing the number of web sites compromised by these techniques.

By definition:
A web application firewall (WAF) is an appliance, server plug-in, or filter that applies a
set of rules to an HTTP conversation. Generally, these rules cover common attacks such as
Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application,
many attacks can be identified and blocked. The effort to perform this customization can be
significant and needs to be maintained as the application is modified.

II. Detailed Proposal

Although a few web application firewalls such as mod_security are available as plug-ins for
Apache, the LAMP/WAMP/XAMPP platform has become so easy to work with that people who do not
really have any focus on security build quick solutions just to get their content up and running.
Thus, even though many web servers do use web application firewalls, their number is comparatively
small, given the fact that security is not a priority on most people's list.
So I propose a built-in web application firewall (WAF) within Apache which at least provides
basic protection against various web application layer attacks.

It can be implemented by incorporating the firewall within the server hierarchy so that it
acts as a sniffer for information, especially in the various injectable fields (input fields,
cookies, headers etc.), which can be tested for signatures of the various classes of web
application attacks such as SQL Injection, XSS (HTML Injection) etc.
The idea is that the firewall will be ON by default upon installation, but the user will have
the opportunity to turn it off or replace it with some other open source or proprietary web
application firewall via plug-ins etc.
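The inspection stage described above, as an added example that is not part of the proposal and not Apache httpd code: a small Python model of the signature step, in which every injectable field of a parsed request (path, query parameters, form body, cookies, headers) is canonicalised and checked against a replaceable signature database. The field names, signature ids, patterns and sample requests are all constructed for illustration; a real implementation would hook the request phase of httpd in C.

```python
"""Signature stage of the proposed WAF, modelled in Python.

Added example: not code from the proposal or from Apache httpd. It mimics the
'sniffer' described above: each injectable field of an HTTP request (path, query
parameters, form body, cookies, headers) is canonicalised and then checked against
a small, replaceable signature database. Field names, signature ids, patterns and
the sample requests are all constructed for illustration.
"""
import html
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass(frozen=True)
class Signature:
    sig_id: str
    attack_class: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    location: str      # "path", "query", "body", "cookie" or "header"
    name: str          # parameter / cookie / header name ("" for the path)
    sig_id: str
    attack_class: str


def load_signatures(rules):
    """Build the signature database from (id, class, regex) triples. Keeping the
    rules as data is what makes the database updatable without touching code."""
    return [Signature(i, c, re.compile(rx, re.IGNORECASE)) for i, c, rx in rules]


# Constructed rule set: a handful of classic SQLi / XSS indicators. Real rule sets
# are far larger and need tuning per application to keep false positives down.
RULES = [
    ("sqli-001", "sqli", r"""['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+"""),  # tautology
    ("sqli-002", "sqli", r"\bunion\s+(?:all\s+)?select\b"),
    ("sqli-003", "sqli", r";\s*(?:drop|alter|truncate)\s+table\b"),
    ("xss-001", "xss", r"<\s*script\b"),
    ("xss-002", "xss", r"\bon(?:load|error|click|mouseover|focus)\s*="),
    ("xss-003", "xss", r"javascript\s*:"),
]
SIGNATURES = load_signatures(RULES)


def normalise(value, rounds=2):
    """Canonicalise a value before matching so a signature cannot be dodged merely
    by encoding: percent-decode up to `rounds` times (covers double encoding),
    decode HTML entities, lower-case, and collapse whitespace."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", html.unescape(value)).lower()


def injectable_fields(request):
    """Yield (location, name, raw_value) for every place user data can land."""
    parts = urlsplit(request["target"])
    yield ("path", "", parts.path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield ("query", name, value)
    headers = request.get("headers", {})
    for name, value in headers.items():
        if name.lower() == "cookie":
            for chunk in value.split(";"):
                cname, _, cval = chunk.strip().partition("=")
                yield ("cookie", cname, cval)
        else:
            yield ("header", name, value)
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if request.get("body") and "application/x-www-form-urlencoded" in ctype.lower():
        for name, value in parse_qsl(request["body"], keep_blank_values=True):
            yield ("body", name, value)


def inspect_request(request, signatures=SIGNATURES):
    """Return one Finding per (field, signature) hit; an empty list means clean."""
    findings = []
    for location, name, raw in injectable_fields(request):
        canon = normalise(raw)
        for sig in signatures:
            if sig.pattern.search(canon):
                findings.append(Finding(location, name, sig.sig_id, sig.attack_class))
    return findings


def verdict(request, signatures=SIGNATURES):
    """Default-on policy from the proposal: any hit blocks the request."""
    return "block" if inspect_request(request, signatures) else "allow"


# Constructed sample requests (already parsed; a real module reads them from httpd).
BASE_HEADERS = {"Host": "shop.example.test", "User-Agent": "Mozilla/5.0"}
BENIGN_REQUEST = {  # contains SQL keywords as plain words: must not trigger
    "target": "/search?q=how+to+select+from+a+union",
    "headers": {**BASE_HEADERS, "Cookie": "session=abc123; theme=dark"},
}
SQLI_REQUEST = {
    "target": "/login?user=admin'+OR+'1'%3D'1&pass=secret",
    "headers": {**BASE_HEADERS, "Cookie": "session=abc123"},
}
XSS_COOKIE_REQUEST = {  # value is double percent-encoded to exercise normalise()
    "target": "/profile",
    "headers": {**BASE_HEADERS,
                "Cookie": "session=abc123; pref=%253Cscript%253Ealert%281%29%253C%252Fscript%253E"},
}
XSS_BODY_REQUEST = {
    "target": "/comment",
    "headers": {**BASE_HEADERS, "Content-Type": "application/x-www-form-urlencoded"},
    "body": "comment=great+article&homepage=javascript%3Avoid%280%29",
}

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("sqli", SQLI_REQUEST),
                       ("xss-cookie", XSS_COOKIE_REQUEST), ("xss-body", XSS_BODY_REQUEST)]:
        print(label, verdict(req), inspect_request(req))
```

The benign request deliberately carries the words "select" and "union" to show that the signatures key on structure, not on keyword presence; even so, any real deployment of such rules needs the per-application tuning the WAF definition above warns about, and the decode-before-match step is what stops a single layer of percent-encoding from hiding a payload from the rules.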

This built-in firewall within Apache will greatly help to decrease the number of successful web
application attacks and will also help promote Apache as a more secure web server compared to its competitors.

III. Week Plan with list of deliverables

    * (Till May 23rd, community bonding period)
      Brainstorm with my mentor and the Apache community to come up with the most optimal
      design for our Apache built-in Web Application Firewall.
      Deliverable: A detailed report or design document on how to implement the basic Web
      Application Firewall

    * (May 24th, coding starts) Week 1 and Week 2:
      Deliverable: Basic integration with Apache and a reverse proxy

    * Week 3 and Week 4:
      Deliverable: A signature database which can be updated

    * Week 5 and Week 6:
      Deliverable: Different attack signatures for the most common web application vulnerabilities,
      esp. those listed in OWASP's Top 10 web application vulnerabilities

    * Week 7 and Week 8:
      Deliverable: Integration for prevention of more web application vulnerability signatures

    * (July 19th) Week 9, Week 10 and Week 11:
      Deliverable: Writing tests and web application fuzzing via various methods

    * (August 9th, tentative 'pencils down' date) Week 12:
      Deliverable: Wind up the work. Write documentation and some tutorials etc.

    * (August 16th: Final evaluation)

IV. Additional Information

I am a second year Computer Science student at Punjab Engineering College (India) graduating
in May 2012.
I participate in lots of underground hacking sites which mainly deal with web application
security like
And comprehensive site:-

I have won hacking competitions at regional level in India and I'm also an avid supporter
of open source software. My interests include penetration testing, network security, web application
development, reverse engineering.
I'll try my best to contribute to the open source world and try to make the world a safer
place to code in for web application developers.

I have no specific time constraints throughout the GSoC period. I will devote a minimum of
8 hours every day to GSoC.
Time offset: UTC+5:30 (IST)

V. References

[1] OWASP Top 10 Web Application Vulnerabilities
[2] Wikipedia page

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
