WAF是时候跟正则表达式说再见 破见 weibo.com/u/5261507198 正则表达式不适合用于构建WAF 现有WAF的解决方案 如何构建未来的WAF  Part 1  Part 2  Part 3 议题内容 Part 1 正则表达式不适合用于构建WAF 感性认识—误报和漏报难以平衡 尝试寻找有理证明 WAF自身安全 正则表达式 正则表达式 计算复杂度 正则表达式DDOS攻击 非Regex DOS WAF防御能力 正则表达式DDOS攻击 提出一种正则表达式的DDOS攻击： 正则表达式的最坏时间复杂度大于等 于?(?2 )，该正则表达式可被DDOS 攻击 输入长度 (K) PCRE/PHP(ms) JAVA(ms) 1 0.5 32 2 23 53 4 111 142 * select.*from 影响范围 owasp-modsecurity-crs Discuz_X3.3_SC_UTF8 wordpress-4.7.1 某云WAF/360_safe3.php (?i:(?:(union(.*?)select(.*?)from))) (?i:

0 码力 | 24 页 | 1.66 MB | 1 年前

3

防护，保证应用系统的安全运行。 （2）WAF WAF 通过分析来自客户端的 HTTP 请求，并根据其规则库对其进行检查， 以检测和阻止恶意攻击。在 Web 防护过程中，WAF 是一种专为保护 Web 应 用设计的防火墙。它位于 Web 应用和 Internet 之间，能够监控、过滤并阻止 HTTP 流量中的恶意攻击，如 SQL 注入、XSS 和 CSRF 攻击等。在 API 防护 过程中，WAF 可以提供实时监测和分析 可以提供实时监测和分析 API 的访问日志，并能够迅速发现异 常行为。WAF 可以记录所有请求数据，包括来源 IP、用户代理、参数等，并能 够根据事先设置的安全策略进行分析和识别。当异常行为被发现时，WAF 可以 立即采取行动，根据预设的安全策略阻止恶意请求，从而快速响应和快速阻止攻 击。 （3）API 网关 API 网关具有身份认证、访问控制、数据校验、限流熔断等功能，可以帮 云原生安全威胁分析与能力建设白皮书 SQL Structured Query Language 结构化查询语言 SSH Secure Shell 安全外壳 VLAN Virtual Local Area Network 虚拟局域网 WAF Web Application Firewalls 网站应用级入侵防御系统 XSS Cross Site Scripting 跨站脚本攻击 云原生安全威胁分析与能力建设白皮书 67 附 录

Running node-waf configure build will create a file build/default/hello.node which is our Addon. 运行 node-waf configure build，我们就创建了一个 Addon 实例 build/default/hello.node。 node-waf is just WAF, the python-based python-based build system. node-waf is provided for the ease of users. node-waf 就是 WAF,，一种基于 python 的编译系统，而 node-waf 更加易于使 用。 All Node addons must export a function called init with this signature: 另外，在

iisadmin"可停止服务器的IIS服务） 23 防护方法 n 代码级防护 q 验证输入 q 参数化SQL q 输出检查 q 使用存储过程 n 平台级别防护 q 在运行期间防护：使用WAF、URL重写等 q 配置数据库安全策略（权限配置、关闭默认账号、审计等） 24 3.2.跨站脚本攻击 25 概述 n Cross Site Scripting（简写为XSS） q 务攻击系统 等 109 DDoS攻击防护产品 WEB应用防火墙 n WEB应用防火墙(简称：WAF) ，工作在网络应用层， 对来自WEB应用程序客户端的各类请求进行内容检测 和验证，确保其安全性与合法性，对非法的请求将予 以实时阻断，从而对各类网站进行有效防护。 n WAF产品应该具备以下功能： q 针对各类WEB应用攻击的检测和防御能力，如SQL注入、跨站脚 本等，满足对检测、防御能力在广度和深度上的要求 WEB应用漏洞扫描能力，加强WEB应用自身的安全性 110 q 代表产品：昊天电子政务防护系统、绿盟WEB应用防火墙、梭 子鱼应用防火墙、 Imperva SecureGrid WEB 应用防火墙…… n 以昊天WAF产品为例： 111 WEB应用防火墙 WEB应用主机加固 n WEB应用主机加固工具主要实时截取和分析 软件的执行流或交互的协议流，实时发现和过 滤攻击。 n 代表性产品： q Real

a minimal implementation of a build helper for the Waf build system . First, we need to create a recipe for the python_requires that will export waf_environment.py, where all the implementation of the from conans import ConanFile from waf_environment import WafBuildEnvironment class PythonRequires(ConanFile): name = "waf-build-helper" version = "0.1" exports = "waf_environment.py" 12.4. Creating a case, the build helper for Waf will create one file named waf_toolchain.py that will contain linker and compiler flags based on the Conan settings. To pass that information to Waf in the file, you have to

a minimal implementation of a build helper for the Waf build system . First, we need to create a recipe for the python_requires that will export waf_environment.py, where all the implementation of the from conans import ConanFile from waf_environment import WafBuildEnvironment class PythonRequires(ConanFile): name = "waf-build-helper" version = "0.1" exports = "waf_environment.py" 12.4. Creating a case, the build helper for Waf will create one file named waf_toolchain.py that will contain linker and compiler flags based on the Conan settings. To pass that information to Waf in the file, you have to

a minimal implementation of a build helper for the Waf build system . First, we need to create a recipe for the python_requires that will export waf_environment.py, where all the implementation of the from conans import ConanFile from waf_environment import WafBuildEnvironment class PythonRequires(ConanFile): name = "waf-build-helper" version = "0.1" exports = "waf_environment.py" 13.4. Creating a case, the build helper for Waf will create one file named waf_toolchain.py that will contain linker and compiler flags based on the Conan settings. To pass that information to Waf in the file, you have to

a minimal implementation of a build helper for the Waf build system . First, we need to create a recipe for the python_requires that will export waf_environment.py, where all the implementation of the from conans import ConanFile from waf_environment import WafBuildEnvironment class PythonRequires(ConanFile): name = "waf-build-helper" version = "0.1" exports = "waf_environment.py" 13.4. Creating a case, the build helper for Waf will create one file named waf_toolchain.py that will contain linker and compiler flags based on the Conan settings. To pass that information to Waf in the file, you have to

a minimal implementation of a build helper for the Waf build system . First, we need to create a recipe for the python_requires that will export waf_environment.py, where all the implementation of the from conans import ConanFile from waf_environment import WafBuildEnvironment class PythonRequires(ConanFile): name = "waf-build-helper" version = "0.1" exports = "waf_environment.py" 13.4. Creating a case, the build helper for Waf will create one file named waf_toolchain.py that will contain linker and compiler flags based on the Conan settings. To pass that information to Waf in the file, you have to

a minimal implementation of a build helper for the Waf build system . First, we need to create a recipe for the python_requires that will export waf_environment.py, where all the implementation of the from conans import ConanFile from waf_environment import WafBuildEnvironment class PythonRequires(ConanFile): name = "waf-build-helper" version = "0.1" exports = "waf_environment.py" 13.4. Creating a case, the build helper for Waf will create one file named waf_toolchain.py that will contain linker and compiler flags based on the Conan settings. To pass that information to Waf in the file, you have to