[Owasp-appsensor-project] Do we need a Blacklist Regex Repository?

Michael Coates michael.coates at owasp.org
Tue Feb 21 22:06:31 UTC 2012


I like the idea of the blacklists and do think we should create them for attack detection. But, we need to add a big warning at the top of the page "This is for attack detection and is not intended to protect or prevent attacks. Use whitelisting validation and contextual output encoding to safely handle user data in your application"

The worst thing would be for the blacklists to take off and then developers use those regexes instead of good defensive design.



Michael Coates
OWASP
michael.coates at owasp.org
@_mwc



On Feb 21, 2012, at 1:46 PM, Colin Watson wrote:

> Yes I think standalone.
> 
> I think these types of great ideas are more likely to be maintained if
> they don't just become a part of something else. For example I was
> thinking of submitting some things to the OWASP Logging project,
> rather than adding it to the AppSensor book v2 (yes it has begun).
> 
> Colin
> 
> On 21 February 2012 21:29, John Melton <jtmelton at gmail.com> wrote:
>> +1 for me as a standalone project - it'll be beneficial to others, and
>> I certainly don't have the chops to make it happen :)
>> 
>> On Tue, Feb 21, 2012 at 4:18 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>> I wanted to send this to the list for feedback.  I have been thinking quite
>>> a bit on this particular issue, especially after the recent thread on the
>>> SQL Injection detection RegExes -
>>> http://lists.owasp.org/pipermail/owasp-appsensor-project/2012-February/000342.html
>>> 
>>> I think that we (OWASP) need to develop a Blacklist Regex Repository for
>>> detecting common attack payloads (SQL injection, XSS, RFI, etc…).  Something
>>> similar to this old Validation RegEx Repo but for attacks -
>>> https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository
>>> 
>>> My thinking is that we should focus on the RegEx Repo and then various other
>>> projects can import/use them (AppSensor, ModSecurity CRS, etc.).  I would
>>> like to get good participation from the Breaker community to help vet the
>>> RegExs.  I know they will never be 100% foolproof but looking at some of the
>>> "example" blacklist RegExs floating around in various project code makes me
>>> cringe…  We can do better.
>>> 
>>> Not sure if this should be a stand-alone project or not (probably) but I
>>> would like your feedback.
>>> 
>>> Thanks.
>>> 
>>> --
>>> Ryan Barnett
>>> Trustwave SpiderLabs
>>> ModSecurity Project Leader
>>> OWASP ModSecurity CRS Project Leader
>>> 
>>> _______________________________________________
>>> Owasp-appsensor-project mailing list
>>> Owasp-appsensor-project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>>> 
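The distinction Michael draws above (blacklist regexes feed attack detection; allowlist validation and contextual output encoding do the actual defending) can be made concrete in code. The following Python module is an added illustration written for this archive page; it is not code from the AppSensor project, the ModSecurity CRS, or the proposed regex repository, and the two detection patterns in it are constructed stand-ins, not vetted signatures. The field name, the allowlist, and the event strings are likewise assumptions for the example.

```python
import html
import re

# Constructed detection patterns (illustrative stand-ins, not the repository's
# regexes). They exist to raise a detection event, never to decide acceptance.
DETECTION_PATTERNS = {
    "sqli": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE),
    "xss": re.compile(r"<\s*script\b", re.IGNORECASE),
}

# Allowlist for a hypothetical username field: this is what actually decides
# whether the input is accepted.
USERNAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def detect(value):
    """Return the names of every detection pattern that matches `value`.

    Output is telemetry for an AppSensor-style detection point; it is not a
    safety decision.
    """
    return [name for name, pat in DETECTION_PATTERNS.items() if pat.search(value)]


def handle_username(value, events):
    """Validate a username with the allowlist; record detections separately.

    Returns the accepted value, or None when the allowlist rejects it. The
    blacklist result only appends to `events` and never changes the outcome.
    """
    events.extend(f"AppSensor-style event: {name}" for name in detect(value))
    if not USERNAME_ALLOWLIST.fullmatch(value):
        return None
    return value


def render_greeting(name):
    """Contextual output encoding for an HTML text node.

    Even an accepted value is encoded for the context it is written into, so
    rendering does not rely on the blacklist having caught anything.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one merely malformed, one suspicious.
    for sample in ("alice_1", "bob smith", "x' OR '1'='1"):
        events = []
        accepted = handle_username(sample, events)
        print(repr(sample), "->", "accepted" if accepted else "rejected", events)
```

Note that "bob smith" is rejected by the allowlist although no detection pattern fires, while the suspicious input produces an event and is rejected for the same allowlist reason as any other malformed value. That is the point of the warning: the regex repository adds visibility, and removing it would change what gets logged, not what gets accepted or how it is rendered.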


