Apache Security - Ivan Ristic [202]

GET

SecFilterSelective REQUEST_METHOD !^GET$
# Accept only one parameter: id
SecFilterSelective ARGS_NAMES !^id$
# Parameter id is mandatory, and it must be
# a number, 4-14 digits long
SecFilterSelective ARG_id !^[[:digit:]]{4,14}$

# This script only accepts POST
SecFilterSelective REQUEST_METHOD !^POST$
# Accept three parameters: firstname, lastname, and email
SecFilterSelective ARGS_NAMES !^(firstname|lastname|email)$
# Parameter firstname is mandatory, and it must
# contain text 1-64 characters long
SecFilterSelective ARG_firstname !^[[:alnum:][:space:]]{1,64}$
# Parameter lastname is mandatory, and it must
# contain text 1-64 characters long
SecFilterSelective ARG_lastname !^[[:alnum:][:space:]]{1,64}$
# Parameter email is optional, but if it is present
# it must consist only of characters that are
# allowed in an email address
SecFilterSelective ARG_email !(^$|^[[:alnum:].@]{1,64}$)

There is a small drawback to this configuration approach. To determine which block is applicable for a request, Apache has to look through all such directives present. For applications with a small number of scripts, this will not be a problem, but it may present a performance problem for applications with hundreds of scripts, each of which needs its own block.

A feature allowing user-defined types (predefined regular expressions), such as the one present in mod_parmguard (see the sidebar), would significantly ease the task of writing configuration data.
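To make the semantics of the two rule blocks above concrete, here is an added Python validator that is not part of the book or of mod_security. It applies per-script rule sets equivalent to the directives shown: the POSIX classes are translated to Python regex syntax ([[:digit:]] becomes \d, [[:alnum:][:space:]] becomes A-Za-z0-9 plus whitespace), a "!" rule rejects a request when the variable does not match, ARGS_NAMES is tested against every parameter name, and an absent parameter is tested as the empty string, which is what makes id, firstname and lastname mandatory while the "^$" alternative makes email optional. The script names /view.php and /register.php are assumed for illustration and do not appear in the text.

```python
import re
from typing import Dict, List, Tuple

# Positive-model rule sets keyed by script path (paths are assumed, not
# from the book). Each rule is (variable, pattern); the request is rejected
# when the variable's value does NOT fully match, mirroring the "!" prefix
# on SecFilterSelective.
RULES: Dict[str, List[Tuple[str, str]]] = {
    "/view.php": [
        ("REQUEST_METHOD", r"^GET$"),
        ("ARGS_NAMES", r"^id$"),
        ("ARG_id", r"^\d{4,14}$"),                 # [[:digit:]]{4,14}
    ],
    "/register.php": [
        ("REQUEST_METHOD", r"^POST$"),
        ("ARGS_NAMES", r"^(firstname|lastname|email)$"),
        ("ARG_firstname", r"^[A-Za-z0-9\s]{1,64}$"),  # [[:alnum:][:space:]]
        ("ARG_lastname", r"^[A-Za-z0-9\s]{1,64}$"),
        ("ARG_email", r"(^$|^[A-Za-z0-9.@]{1,64}$)"),  # empty allowed
    ],
}


def validate(script: str, method: str, args: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request under the positive model.

    Scripts without a rule set are rejected outright: anything not
    explicitly described is outside the model.
    """
    rules = RULES.get(script)
    if rules is None:
        return False, "no positive-model rules for %s" % script
    for variable, pattern in rules:
        if variable == "REQUEST_METHOD":
            values = [method]
        elif variable == "ARGS_NAMES":
            # Every supplied parameter name must match; an unexpected
            # parameter such as "debug" fails here.
            values = list(args.keys())
        elif variable.startswith("ARG_"):
            # An absent parameter is tested as the empty string, so a
            # pattern without an "^$" alternative makes it mandatory.
            values = [args.get(variable[len("ARG_"):], "")]
        else:
            return False, "unsupported variable %s" % variable
        for value in values:
            if re.search(pattern, value) is None:
                return False, "%s=%r does not match %s" % (variable, value, pattern)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, one per outcome of interest.
    samples = [
        ("/view.php", "GET", {"id": "12345"}),
        ("/view.php", "GET", {}),                      # id missing
        ("/view.php", "GET", {"id": "12345", "debug": "1"}),
        ("/register.php", "POST", {"firstname": "Ann", "lastname": "Lee"}),
        ("/register.php", "POST", {"firstname": "Ann", "lastname": "Lee", "email": "a<b"}),
    ]
    for script, method, args in samples:
        print(script, method, args, "->", validate(script, method, args))
```

The dictionary lookup on the script path is the one design choice worth noting against the drawback described in the text: each request consults only the rule set for its own script, whereas a flat list of location-scoped directives has to be scanned in full before the applicable block is found.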

* * *

mod_parmguard


There is an Apache module, mod_parmguard (http://www.trickytools.com/php/mod_parmguard.php), which is close to providing a complete solution to positive security model requirements. When I checked Version 1.3, the module was not stable for production use, but you should check on it from time to time to see if it improves.

Its configuration is XML-based and, for this purpose, easier to use than Apache-style configuration typical for other modules. Here's a short excerpt from its documentation for a page with a single parameter:

validate.php

Other interesting features of this module include a spider that analyzes the application and produces configuration data automatically and the ability to generate custom data types and save time writing the configuration.

* * *

Appendix A. Tools

When I was young, I had a lot of fun playing a game called Neuromancer, which takes place in a world created by William Gibson, in the book with the same name. The game was very good at giving a similar feeling (I now know) to that of a hacker learning about and making his way through a system for the first time. The Internet was young at the time (1989), but the game had it all: email, newsgroups, servers, hacking, and artificial intelligence. (I am still waiting for that last one to appear in real life.) I was already interested in programming at that time, but I think the game pushed me somewhat toward computer security.

In the game, your success revolved around having the right tools at the right time. It did not allow you to create your own tools, so the action was mostly in persuading shady individuals to give, trade, or sell tools. In real life, these tools would be known under the name exploits. (It was acceptable to use them in the game because the player was fighting the evil AI.) Now, many years later, it is funny to realize that real life is much more interesting and creative than any game will ever be. Still, the security business feels much the same as in that game I played ages ago. For both, it is important to do the following:

Start with a solid understanding of the technology

Have and use the correct tools

Write your own tools

This appendix contains a list of tools you may find useful to perform the activities mentioned throughout the book. While some of these are not essential (meaning
