Sunday, September 12, 2010

Signatures Are Not Enough

It’s a well-known fact that many security filters, on both client and server, use pattern matching techniques to detect malicious attack payloads. For example, if you are trying to protect your application from SQL injection attacks, you will probably need to detect the pattern “union…select…from”, which is a good indication of a possible SQL injection attack payload.

Unvalidated Redirects and Forwards
While pattern matching is effective in many cases, I meet more and more cases where it’s not enough. We can see further evidence of that in the latest OWASP Top 10 2010, in which a new item, A10 - “Unvalidated Redirects and Forwards”, was added.

A redirect facility is a function of the application that transfers users to different pages within or outside the application. For example, take a look at the following request to the application:

GET /site/redirect.php?to=http://site/target.html HTTP/1.1

The request is valid, and we can see that the parameter “to” is used by the application as the redirect destination, here pointing to a valid location inside the application. Below we see how the same parameter is used by an attacker to redirect the user to a malicious application (which may be used for a phishing attack).

GET /site/redirect.php?to=http://malicious_site.com/hacker.html HTTP/1.1

Using the negative security approach (blocking known-bad patterns) in this case is neither simple nor effective: the allowed destinations are known and finite, while the disallowed ones are endless; therefore a different approach, one built on the known-good values, is required.
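To make the contrast concrete, here is an added example (not code from the original post) that puts the two approaches side by side for the “to” parameter above: a blocklist check in the spirit of a signature, and an allowlist check that accepts only destinations the application knows. The host name `site` and the attacker’s `malicious_site.com` are taken from the requests on this page; the allowlist itself and the extra test destinations are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application is willing to redirect to.
# "site" is the application host from the requests shown above.
ALLOWED_HOSTS = {"site", "www.site"}

# Negative security: a signature-style blocklist of hosts we have already seen abused.
# It can only ever contain the attackers we already know about.
KNOWN_BAD_HOSTS = {"malicious_site.com"}


def signature_blocks(to: str) -> bool:
    """Negative approach: reject only when a known-bad pattern appears in the value."""
    lowered = to.lower()
    return any(bad in lowered for bad in KNOWN_BAD_HOSTS)


def is_safe_redirect(to: str) -> bool:
    """Positive approach: accept only destinations that are provably ours.

    Handles the usual ways an open-redirect filter gets bypassed:
      - scheme-relative URLs ("//other.example/x"), which browsers treat as absolute
      - userinfo tricks ("http://site@other.example/"), where the real host is after '@'
      - non-http schemes ("javascript:...")
      - backslashes in relative paths, which some browsers normalise to '/'
    """
    parts = urlsplit(to)

    # A site-relative path such as "/target.html" has neither scheme nor host.
    # "//other.example/x" also has an empty scheme but a non-empty netloc, so it
    # does not take this branch and is rejected below.
    if parts.scheme == "" and parts.netloc == "":
        return to.startswith("/") and not to.startswith("//") and "\\" not in to

    if parts.scheme not in ("http", "https"):
        return False

    # .hostname strips userinfo and port and lowercases, so
    # "http://site@other.example/" yields "other.example", not "site".
    host = parts.hostname
    if host is None:
        return False
    return host in ALLOWED_HOSTS


def compare(to: str) -> dict:
    """Return both verdicts for one destination so the difference is visible."""
    return {
        "to": to,
        "blocklist_rejects": signature_blocks(to),
        "allowlist_accepts": is_safe_redirect(to),
    }


if __name__ == "__main__":
    # Constructed sample values: the two from the page plus some bypass attempts.
    samples = [
        "http://site/target.html",
        "/target.html",
        "http://malicious_site.com/hacker.html",
        "http://another-host.example/hacker.html",   # unknown host: blocklist misses it
        "//another-host.example/hacker.html",
        "http://site@another-host.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(compare(s))
```

The blocklist catches only the one host it already knows; the allowlist rejects every destination that is not the application’s own, including hosts nobody has seen yet, which is exactly the property a signature cannot provide.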

In a recent presentation at the Israel OWASP annual chapter meeting, I presented the shortcomings of depending solely on signatures to detect attacks, and several alternative solutions.
