Portable Web Application Firewall Rule Format
The portable web application firewall rule format was designed to allow protection rules to work across
environments, protection devices, and web servers. There are four useful use cases:
- Vendor-produced recipes; Software vendors will typically release a patch or an upgrade to fix a vulnerability, but not all users will be able to upgrade at once. Some vendors may choose to provide their users with recipes that will serve as a temporary protective measure.
- Third-party recipes; Even if vendors do not produce recipes, if there is sufficiently large demand, third parties may choose to offer protection recipes for free or for a fee.
- Recipes written by hand; There is a plethora of protective devices on the market today. Administrators will want to learn only one language to configure web application firewalls.
- Automated recipe creation; Automated vulnerability scanning is often used in situations where manual assessment is not feasible or possible. Automated tools are capable of unearthing very specific information about vulnerabilities. With a widely-accepted web application firewall rule format it becomes feasible for automated vulnerability scanning tools to interact with protective devices directly to install temporary protective measures.
The primary goal of this project is to allow protection rules to be specified for known application problems. My goal was certainly not to establish a full web application firewall vocabulary, for several reasons: 1) the scope of web application firewall functionality is not yet well defined, 2) I don't think it is possible to get web application firewall vendors to adopt a single configuration format, and 3) an attempt to standardize everything would prevent vendors from adding innovative functionality.
An effort to produce a formal specification is under way. I have decided to release a rough draft of the specification in order to solicit feedback from the general public: