-
Notifications
You must be signed in to change notification settings - Fork 39
/
ROADMAP
92 lines (76 loc) · 2.91 KB
/
ROADMAP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
=====================
ROADMAP / TODO list
=====================
There is always more to be done in a security package :-)
Let's prioritize some milestones, and indicate who's on it.
Remember that it doesn't matter who is on it, project is still
small enough that anyone can contribute to any part of it
.. as long as your contribution is an improvement.
Rules
=====
release: always ongoing
new stuff crops up all the time.
We want generic rules, rules that target specific attacks
as well as rulesets that are web-application specific
keeping rules up-t
o-date
making appropriate rules case-insensitive (ebf0:gamelinux)
porting rules from mod_security (comotion)
porting rules from VFW (escarpellini)
https://github.com/scarpellini/VFW imported rules todo
(cross-check with security.vcl rules)
* HTTP RFC ensuring/enforcement.
* Generic/"WEB-1" threats:
--- Dir Traversal;
--- Internal file extensions (SO, Web, VCS, etc);
--- Unix/Windows commands;
--- Bad UA (scanners);
* Load HTTP BODY (POST) - Prove Of Concept;
* Injection:
--- SQL Injection;
--- SSI Injection;
* XSS;
* Automated tests;
* Simple Web Interface (Dashboard);
* Module for handle HTTP BODY (POST) - VMOD;
* HTTP BODY VMOD improvements:
--- Handle content-types (webservices);
---- XML;
---- JSON;
* Dynamic Blacklist (Redis, maybe);
--- AVScan (passive/bground).
Parse Request VMOD
==================
release 0.8
(escarpellini / comotion / xcir)
Based on the OWASP work done for Varnish FireWall by
escarpellini, xcir has created a VMOD that does pretty much
what we needed and more.
Currently it is capable of parsing post, get and cookie data.
So most of the exciting stuff is about to happen now that this
VMOD gives us access to the request body. We need this to
- iterate over header names and values
- iterate over POST parameters
- do other body validation
Use the url code, auth, crashhandler, sheild VMODs?
- There have been improvements regarding deployment with vmods
- New version of many of the mentioned VMODs are available
- Need an updated list of Security.VCL / Varnish FireWall components
Web Interface
=============
This is not part of the VMOD plan anymore, as VFW is legacy. So I add
it here and hope for the best:
- We could use the basic VFW interface to use security.vcl (escarpellini)
- We could check options for other IDS/IPS Web UIs (ebf0:gamelinux)
Special-purpose modules
=======================
modules/cloak.vcl could be even cleverer
modules/request.vcl:
awaiting vmod to iterate over headers...
http 0.9 should send no headers!
todo maybe:
http 1.0 cannot have host, vary, warning, proxy-auth, content-md5, alternates,
Via,Upgrade, Etag, If-none-match, If-unmodified-since, if-match, cache-control, age,
Range => content-range, expect, accept-encoding, TE, Transfer-encoding: chunked
(but we should prolly accept these anyway, or maybe wash them?)
Connection header incorrectly forwarded by 1.0 proxy.