Aug 22 2008

IIS Secure Parameter Filter (SPF) Released

Published by Brian Holyfield at 8:48 am under Application Security, Tools

We have publicly released the Beta version of IIS Secure Parameter Filter (SPF) on our tools page. SPF is an application security module specifically designed to thwart parameter-based attacks against applications running on Microsoft IIS web servers. SPF requires minimal initial configuration and does not require any modification to the underlying application code.

Those of you who attended the “Protecting Vulnerable Applications with IIS7” talk which I presented at Black Hat earlier this month will recognize SPF as the module which I demonstrated. The version we released today works with both IIS6 and IIS7 and is written in managed .NET code.

So what exactly does SPF do? SPF provides two primary protection mechanisms which are each explained in more detail below.

Tamper Protection

The tamper protection capabilities of SPF are primarily designed to thwart authorization attacks. Tamper protection works at the following levels:

  • URI Protection - Protected URIs require a cryptographic token to access. The only way to obtain a valid URI token is for the application to present you with a link to the URI. This is primarily designed to thwart direct browsing attacks, where users forcefully request pages to which they are not entitled.
  • Query String Protection - Protected query string values are validated using a cryptographic token which ensures they were not tampered with. This protection is designed to secure embedded query string values from manipulation.
  • Form Field Protection - Protected form fields that contain embedded values (e.g. Hidden Fields and Select Lists) are encrypted to prevent unauthorized viewing or modification by malicious users.
  • HTTP Cookie Protection - Protected cookies are encrypted to prevent unauthorized viewing or modification by malicious users.

SPF tokens can also be bound to the calling user and set to expire, resulting in the ability to protect against Cross-Site Request Forgery and thwart certain types of hijacking, replay and cross-site scripting attacks.
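The following is an added example, written for this page and not taken from SPF itself, of the token scheme the list above describes: an HMAC over a URI's path and query string that is also bound to the caller's session identifier and source IP and carries an issue time so it can expire. The parameter name `__spf`, the 300-second lifetime, the allowed clock skew and the sample session/IP values are all assumptions chosen for the illustration; SPF's own wire format is not documented on this page.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumptions for the illustration: a per-server secret that never leaves the
# server, the query-string parameter that carries the token, and token lifetime.
SERVER_KEY = os.urandom(32)
TOKEN_PARAM = "__spf"
TOKEN_TTL = 300      # seconds a token stays valid
CLOCK_SKEW = 60      # seconds of future-dated tokens tolerated


def _mac(path, params, session_id, client_ip, issued):
    """HMAC-SHA256 over a canonical form of everything the token must protect."""
    # Sorting the protected parameters makes the MAC independent of their order
    # while still covering every name and value.
    canonical = "\n".join(
        [path, urlencode(sorted(params)), session_id, client_ip, str(issued)]
    )
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def protect_url(url, session_id, client_ip, now=None):
    """Rewrite a link so it carries a token bound to this user, IP and time.

    This is what the module would do to links as the application emits them."""
    issued = int(time.time() if now is None else now)
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tag = _mac(parts.path, params, session_id, client_ip, issued)
    params.append((TOKEN_PARAM, f"{issued}:{tag}"))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url, session_id, client_ip, now=None):
    """Check an incoming request URL. Returns (ok, reason).

    ok is True only if exactly one token is present, it is neither expired nor
    future-dated, and it matches the path, every other parameter, the session
    and the source IP of the requester."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in params if k == TOKEN_PARAM]
    if len(tokens) != 1:
        return False, "missing token"
    issued_s, _, tag = tokens[0].partition(":")
    if not issued_s.isdigit():
        return False, "malformed token"
    issued = int(issued_s)
    if now - issued > TOKEN_TTL:
        return False, "expired"
    if issued > now + CLOCK_SKEW:
        return False, "not yet valid"
    protected = [(k, v) for k, v in params if k != TOKEN_PARAM]
    expected = _mac(parts.path, protected, session_id, client_ip, issued)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return False, "tampered"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    sid, ip = "ASP.NET_SessionId=7f3a9c", "203.0.113.5"
    link = protect_url("/admin/users.aspx?id=42", sid, ip)
    print(link)
    print(verify_url(link, sid, ip))                              # (True, 'ok')
    print(verify_url(link.replace("id=42", "id=43"), sid, ip))    # tampered
    print(verify_url(link, "other-session", ip))                  # tampered
```

Because the session identifier and source IP are inputs to the MAC, a link copied out of one user's page is useless to a different user, which is the property that defeats cross-site request forgery and blunts reflected XSS on protected URLs. The cost is that a legitimate user whose IP changes mid-session (mobile clients, proxy pools) will be rejected, so IP binding is the part of the scheme to make optional.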

Malicious Input Filtering

Malicious input filtering (referred to as Black List Protection) is designed to identify parameters that include known attack patterns. SPF supports Black List pattern matching against Query Strings, Post data, and Cookie values.

In some ways, this functionality can be compared to existing server filters like Microsoft’s URLScan, but SPF provides much more flexible capabilities. Black List Protection was originally not within the scope of SPF’s protection mechanisms; however, with the recent wave of SQL Injection worms it became apparent that URLScan (specifically the recently released 3.0 Beta version) is not sufficient for protecting web applications from attack.

URLScan is a good server-level protection mechanism that has been adapted to provide basic web application protection whereas SPF is designed specifically to defend web applications and therefore can provide more comprehensive protection against harmful input. SPF’s Black List Protection provides the following:

  • Regular Expression Support - Provide a powerful mechanism for defining malicious input patterns
  • Flexible Request Entity Coverage – Black List patterns can be applied to any combination of Query Strings, Post data or Cookie values. This level of HTTP request coverage is especially critical as SQL Injection worms become more advanced and move beyond exploiting Query String parameters. Specific URLs can also be excluded from Black List coverage for greater flexibility.
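As an added example (this is not SPF's code and its rule syntax is not SPF's configuration format), here is a filter that applies regular-expression black list patterns to query string, POST body and cookie values, with a per-URL exclusion list. The rules are a constructed set covering the UNION SELECT and DECLARE/CAST/EXEC shapes used by the 2008 SQL injection worms plus a few XSS markers; the excluded page `/content/editor.aspx` and all sample requests are made up for the illustration. Values are decoded through up to two layers of percent-encoding before matching, a detail a practitioner wants because a single decode lets `%253Cscript%253E` slip past a pattern written against `<script`.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed rule set: (rule name, compiled pattern). Real deployments tune
# these against their own traffic; every rule here can produce false positives.
BLACKLIST = [
    ("sqli-union-select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("sqli-declare-cast", re.compile(r"\bdeclare\b.{0,80}?\bcast\s*\(", re.I | re.S)),
    ("sqli-exec", re.compile(r"\bexec\s*\(", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-js-uri", re.compile(r"javascript\s*:", re.I)),
    ("xss-event-handler", re.compile(r"\bon(load|error|click|mouseover|focus)\s*=", re.I)),
]

# Which request entities the rules are applied to, and URLs exempted entirely
# (assumed: a rich-text editor page that legitimately posts HTML).
COVERAGE = {"query", "post", "cookie"}
EXCLUDED_URLS = {"/content/editor.aspx"}


def _cookie_pairs(header):
    """Split a raw Cookie header into (name, value) pairs without validation,
    since attack payloads rarely respect the cookie grammar."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def _decode(value, rounds=2):
    """Undo up to `rounds` layers of percent-encoding (stops early if stable)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(path, query="", post="", cookies=""):
    """Return a list of (entity, parameter name, rule) hits; [] means clean."""
    if path.lower() in EXCLUDED_URLS:
        return []
    sources = {
        "query": parse_qsl(query, keep_blank_values=True),
        "post": parse_qsl(post, keep_blank_values=True),
        "cookie": _cookie_pairs(cookies),
    }
    findings = []
    for entity, pairs in sources.items():
        if entity not in COVERAGE:
            continue
        for name, value in pairs:
            value = _decode(value)
            for rule, pattern in BLACKLIST:
                if pattern.search(value):
                    findings.append((entity, name, rule))
    return findings


def should_block(path, **entities):
    """Policy decision: any hit blocks the request."""
    return bool(inspect_request(path, **entities))


if __name__ == "__main__":
    # Constructed sample requests for a stand-alone run.
    print(inspect_request("/products.aspx",
                          query="id=1%20UNION%20SELECT%20name%2Cpassword%20FROM%20users"))
    print(inspect_request("/search.aspx", cookies="pref=1; uid=<script>alert(1)</script>"))
    print(inspect_request("/content/editor.aspx", post="body=%3Cscript%3E"))   # excluded
```

Applying the same rules to cookies and POST bodies is what distinguishes this from a URL-only filter: the worms the post refers to moved from query strings to POST and cookie parameters precisely because those were uninspected. The exclusion list is the escape hatch for pages that legitimately accept HTML or SQL fragments, and it should be kept short and reviewed, since an excluded URL is fully unfiltered.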

SPF is currently available for free download and use from the GDS Tools page. The current Beta of SPF provides full protection for any application running on IIS7 and for ASP.NET applications running on IIS6. Non-ASP.NET applications on IIS6 will be limited to only the Malicious Input Filtering (Black-List) capabilities of SPF. A detailed administration guide is included with the download.

2 Responses to “IIS Secure Parameter Filter (SPF) Released”

  1. Stuart Hunton 12 Sep 2008 at 10:25 am

    This looks very interesting, and could help us in XSS mitigation. Do you have any ideas about the timescales for release? If you do then could you please e-mail me to let me know?
    Thanks,
    Stuart

  2. Brian Holyfield on 12 Sep 2008 at 9:21 pm

    @Stuart — Two comments in reply to your question:

    1 - SPF is undergoing some production testing now with some of our clients. The current beta available for download should be usable for evaluation purposes to determine whether it addresses your problem.

    We released an updated version last week which specifically addressed performance optimization for Black-List protection mode. Our current plan going forward is as follows…

    Currently in Progress:
    a) Beta testing to identify any bugs within current SPF functionality
    b) Performance optimizations for Tamper Protection functionality

    Next Phase:
    c) Implement additional enhancements/features that would be useful based on user feedback

    We would love your (and everyone else’s) help on items A and C. Please let us know of any existing bugs or new feature requests that you come across. The performance improvements are internal code enhancements that we are already working on, so the next release will be significantly faster.

    2 - As for XSS defenses, SPF provides XSS protection in two ways:

    First, it has the capability to implement Black-List regular expression patterns which can be applied to any variant of Query Strings, POSTs, and Cookies (similar to mod_security for Apache) to defend against malicious input containing XSS payload.

    Second, the tamper protection mechanism in SPF also provides inadvertent protection against reflected XSS vulnerabilities. Reflected XSS vulnerabilities are not exploitable on URLs protected with SPF since the cryptographic token required for any given URL is tied to the user’s session cookie and source IP address. So in effect, even if a reflected XSS vulnerability is present it will not be exploitable.

    Hopefully my comment has answered your questions. As always, please keep us posted on any feedback or additional questions you have.
