on
November 23rd 2005 at 8:46 am in Ideas & Concepts, Internet & Technology, Security & Privacy, Software As I was reading this article on Slashdot this morning telling about how web-browser developers are working together on security. As usual, something stood out:
IE 7 is one of the first browsers to implement some of the ideas discussed such as colour coding location bars and an anti-phishing database.
Yay, an anti-phishing database.
Where is this data stored? On a central machine somewhere on the Internet? Or might it be stored on the local machine itself? They can guarantee that the machine can’t be fooled to query domain-name’s IP addresses on a rogue DNS server through, say, installing something through a nasty DRM ’solution’ that allows calls like ExecuteCode( ) or RebootMachine( )? 
And all this talk about browser security, but…
What about webserver security?
Everybody seems to forget what important role a webserver plays today. It serves pages, and people actually read them (otherwise, why would they request the page in the first place?). A few years ago I had this idea here (the demo & forum are currently down, because the module didn’t cleanly compile on the newer Apache).
DIVERA is an acronym for ‘Deep Inspecting Variables and Erroneous Requests from Aliens‘. (Or, as ShaolinTiger once suggested, from Assholes…)
Basically, the idea is that the webserver refuses to serve pages it didn’t before send out a link to in the HTML. This would redirect malicious requests, where SQL or Javascript is inserted or a exploit is attempted, to another page informing the end-user that his IP is now blocked for all the websites running on the web-server, together with a reason as to why.
Upon visiting the webserver within that 24 hour period, a message such as this might appear:
Your IP is blocked.
This web-server has been receiving malicious requests from your machine. You might want to check your machine for virusses and worms. You have been blocked for 24 hours. If, after 24 hours, this machine still receives such requests, the block will be reinstated.
We all know that warning doesn’t help (they’ll just click it away and disregard it), but, when you immediately block people from visiting all the web-sites on your machine, then (and only then), will people actually start to care about stuff like this. (Or they’ll just never visit your machine again, but if everyone used this module that would prevent them from visiting anything.)
The solution that the module provides not only prevents people from accessing pages that were never meant to be public; it also prevents people from leeching images that have predictable filenames. Additionally, it can be configured to only accept numeric input on, for instance, the p= variable, preventing SQL to get inserted.
I had implemented this as a module, but I never gotten around to rewrite it for Apache 2.0 (although I noticed there are very interesting ‘hooks’ that can be used in the 2 version). What started as a Proof of Concept quickly grew out into a workable 1.3 module. And it works: the DIVERA forum is a totally vulnerable phpBB installation. Soon after I installed it, lots of additional vulnerabilities popped up as well. None of the exploits were succesful.
There still are some bugs in it, though (such as one that prevents multiple VirtualHosts from being correctly handled in certain situations), and probably some memory leaks here and there as well. Time is always an issue, but I hope I have got enough to actually finish the module, or at least, reach some kind of stable stage.
no comments 
