IIS Security Parameter Filter (SPF)

SPF is an application security module built for the Microsoft IIS web server. It uses cryptography to protect application parameters from tampering at runtime, defending against parameter tampering, URL manipulation and replay attacks, and it lets you define regular-expression black-lists to block known attack patterns.


What is SPF?
SPF is an application security module designed for Microsoft IIS web servers. SPF uses cryptography to dynamically secure embedded application parameters from manipulation at runtime. These parameters typically include Query String variables, non-editable HTML Form Inputs, Browser Cookies, and other variables set via client-side JavaScript. SPF does not require any changes to the underlying application code and provides instant protection against parameter tampering, URL manipulation and replay attacks. SPF also includes the capability to define forbidden input patterns (Black-Lists) using regular expressions to block known attack signatures.

Why do I need SPF?
The majority of the data passed to a typical web application never originates from the user. Embedded inputs such as hidden form fields, selectable form elements, cookies, and URL parameters all originate within the application yet these values are often vulnerable to tampering and manipulation attacks. In theory web application firewalls can easily prevent these attacks, but in reality they rarely do.

In today's era of point-and-click GUI web application development, software developers are often completely unaware of the tremendous amount of hidden input being passed by their web applications. Do you REALLY know every entry point into your web application? If the answer is no, then you need SPF.

How does SPF Work?

SPF is an HttpModule written in C# that runs on IIS6 and IIS7. SPF uses request and response filters to dynamically protect all URLs and embedded input values at run-time: the response filter works on the outgoing page, where the embedded values originate, and the request filter ensures that only the original un-tampered inputs are accepted by the application on every request. This secures those values against input-driven attacks such as input tampering and injection, URI tampering and cross-site attacks (XSS, request forgery, URL hijacking, etc.) to the extent that the attack relies on altering a server-originated parameter; a free-text field the user is meant to edit cannot be integrity-protected and is covered only by the regular-expression black-list. Because SPF is an ASP.NET HttpModule, on IIS6 it sees only requests that IIS routes to the ASP.NET ISAPI extension (ASP.NET content, or everything if a wildcard script map is configured), while the IIS7 integrated pipeline can run it for every request.
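A stand-alone model of the request/response filtering described above, written as an added example for this page and not taken from SPF's own code. The page does not document how SPF encodes its protection, so the design here is an assumption: an HMAC-SHA256 keyed with a per-deployment secret over the hidden fields the server emitted, a one-time nonce for replay detection, and the token field names `__spf_sig`, `__spf_nonce` and `__spf_names`. The checkout form and the black-list patterns are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from html.parser import HTMLParser

# Assumed token field names; the page does not document SPF's real ones.
SIG_FIELD = "__spf_sig"
NONCE_FIELD = "__spf_nonce"
NAMES_FIELD = "__spf_names"


class HiddenInputs(HTMLParser):
    """Collect name/value of every <input type="hidden"> in a response body."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


class SpfModel:
    """Response filter (sign) and request filter (verify) of the parameter-integrity scheme."""

    def __init__(self, key, blacklist=()):
        self.key = key                       # per-deployment secret (assumed)
        self.issued = set()                  # nonces handed out and not yet consumed
        self.blacklist = [re.compile(p, re.I) for p in blacklist]

    def _sig(self, nonce, names, fields):
        # Nonce, the list of protected names and their values are all covered, so
        # dropping, adding or reordering a protected field breaks the signature.
        msg = json.dumps([nonce, names, [fields.get(n, "") for n in names]]).encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def protect_response(self, html, nonce=None):
        """Response side: bind every hidden field of the outgoing form to a signed one-time token."""
        parser = HiddenInputs()
        parser.feed(html)
        names = sorted(parser.fields)        # assumption: field names contain no ','
        nonce = nonce or secrets.token_hex(8)
        self.issued.add(nonce)
        token = (f'<input type="hidden" name="{NONCE_FIELD}" value="{nonce}">'
                 f'<input type="hidden" name="{NAMES_FIELD}" value="{",".join(names)}">'
                 f'<input type="hidden" name="{SIG_FIELD}" value="{self._sig(nonce, names, parser.fields)}">')
        return html.replace("</form>", token + "</form>", 1)

    def filter_request(self, form):
        """Request side: return 'ok' or the reason the request is rejected."""
        for name, value in form.items():     # black-list applies to every input, editable or not
            if any(p.search(value) for p in self.blacklist):
                return f"blacklist:{name}"
        nonce = form.get(NONCE_FIELD, "")
        if nonce not in self.issued:         # never issued, or already consumed: replay
            return "replay-or-missing-nonce"
        names = [n for n in form.get(NAMES_FIELD, "").split(",") if n]
        expected = self._sig(nonce, names, form)
        if not hmac.compare_digest(expected.encode(), form.get(SIG_FIELD, "").encode()):
            return "tampered"
        self.issued.discard(nonce)           # consume the token only after a successful check
        return "ok"


# Constructed sample response body: a checkout form whose price is a server-set hidden field.
PAGE = ('<form method="post" action="/buy">'
        '<input type="hidden" name="item" value="SKU-42">'
        '<input type="hidden" name="price" value="99.00">'
        '<input type="text" name="qty" value="1">'
        '</form>')


def demo():
    spf = SpfModel(b"per-deployment-secret", blacklist=[r"<script", r"['\"]\s*or\s+1=1"])
    html = spf.protect_response(PAGE, nonce="n1")
    submitted = dict(re.findall(r'name="([^"]+)" value="([^"]*)"', html))   # what the browser posts back
    out = {}
    out["tampered"] = spf.filter_request(dict(submitted, price="0.01"))
    out["dropped"] = spf.filter_request({k: v for k, v in submitted.items() if k != "price"})
    out["blacklist"] = spf.filter_request(dict(submitted, qty="1' or 1=1--"))
    out["honest"] = spf.filter_request(dict(submitted, qty="3"))      # qty is editable, not signed
    out["replay"] = spf.filter_request(dict(submitted, qty="3"))      # same token presented again
    return out


if __name__ == "__main__":
    print(demo())
```

In a real module the signing step would sit in an HttpResponse.Filter stream and the verification in BeginRequest, the issued-nonce set would need expiry and shared storage across worker processes, and query-string parameters and cookies would be bound the same way as the hidden fields. Note what the black-list is for: the editable `qty` field passes the integrity check with any value, so injection through it can only be caught by a pattern, which is why the two mechanisms are combined.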


Download: http://spf.codeplex.com/ (CodePlex was shut down in 2017; the link is kept as the original reference)
