forked from comotion/security.vcl
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathROADMAP
80 lines (64 loc) · 2.37 KB
/
ROADMAP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
=====================
ROADMAP / TODO list
=====================
There is always more to be done in a security package :-)
Let's prioritize some milestones, and indicate who's on it.
Remember that it doesn't matter who is on it, project is still
small enough that anyone can contribute to any part of it
.. as long as your contribution is an improvement.
Rules
=====
release: always ongoing
new stuff crops up all the time.
We want generic rules, rules that target specific attacks
as well as rulesets that are web-application specific
keeping rules up-to-date
making appropriate rules case-insensitive (ebf0:gamelinux)
porting rules from mod_security (comotion)
porting rules from VFW (escarpellini)
https://github.com/scarpellini/VFW imported rules todo
(cross-check with security.vcl rules)
* HTTP RFC ensuring/enforcement.
* Generic/"WEB-1" threats:
--- Dir Traversal;
--- Internal file extensions (SO, Web, VCS, etc);
--- Unix/Windows commands;
--- Bad UA (scanners);
* Load HTTP BODY (POST) - Prove Of Concept;
* Injection:
--- SQL Injection;
--- SSI Injection;
* XSS;
* Automated tests;
* Simple Web Interface (Dashboard);
* Module for handle HTTP BODY (POST) - VMOD;
* HTTP BODY VMOD improvements:
--- Handle content-types (webservices);
---- XML;
---- JSON;
* Dynamic Blacklist (Redis, maybe);
--- AVScan (passive/bground).
POST Security VMOD
==================
release: 0.9
(escarpellini / comotion)
Most of the exciting stuff will happen once we've build a VMod that gives
us access to the request body. We need this to
- iterate over header names and values
- iterate over POST parameters
- do other body validation
Use the url code, auth, crashhandler, sheild vmods?
- deployment with vmods is rather tricky today, work on this
- VFW web interface to use security.vcl (escarpellini)
Special-purpose modules
=======================
modules/cloak.vcl could be even cleverer
modules/request.vcl:
awaiting vmod to iterate over headers...
http 0.9 should send no headers!
todo maybe:
http 1.0 cannot have host, vary, warning, proxy-auth, content-md5, alternates,
Via,Upgrade, Etag, If-none-match, If-unmodified-since, if-match, cache-control, age,
Range => content-range, expect, accept-encoding, TE, Transfer-encoding: chunked
(but we should prolly accept these anyway, or maybe wash them?)
Connection header incorrectly forwarded by 1.0 proxy.