ModSecurity uses a set of rules that tell it what to do when it receives a particular request. Depending upon the nature of the request, ModSecurity can pass the request, do extra logging or drop the request entirely.
Actions are also cumulative, so if a particular client – determined by IP address – sends too many bad requests, that client can be blocked.
Because the ruleset specifies the actions of the WAF, the security of the Portal is entirely determined by the ruleset used. Any changes to the ruleset, will necessarily affect the overall security.
The Zuar Portal contains the Core Rule Set (CRS), version 3 from the Open Web Application Security Project (OWASP).
CRS3 includes protection for:
- SQL Injection
- Cross Site Scripting
- Code injection (Java, PHP, Shell)
- Remote File Injection
- Local File Injection
- Session Fixation
- Scripting/Scanner/Bot Detection
- Metadata/Error Leakages
Not all of these are relevant to a given portal instance - for instance, there is PHP, so PHP code injection isn’t possible – but it’s still important to identify any client attempting such an attack and block them.
Each CRS3 release goes through a rigorous regression test suite, including significant penetration testing and 100% test coverage.