Tuesday, August 18, 2009

IIS Secure Parameter Filter (SPF)

SPF is an application security module designed for Microsoft IIS web servers. SPF uses cryptography to dynamically secure embedded application parameters from manipulation at runtime. These parameters typically include Query String variables, non-editable HTML Form Inputs, Browser Cookies, and other variables set via client-side JavaScript. SPF does not require any changes to the underlying application code and provides instant protection against parameter tampering, URL manipulation and replay attacks. SPF also includes the capability to define forbidden input patterns (Black-Lists) using regular expressions to block known attack signatures.

SPF is an HttpModule written in C# that runs on IIS6 and IIS7. SPF uses request and response filters to dynamically protect all URLs and embedded input values at runtime. The SPF request filter ensures that only the original, untampered inputs are accepted by the application on every request, securing these values against input-driven attacks such as Input Tampering & Injection, URI Tampering and Cross-Site Attacks (XSS, Request Forgery, URL Hijacking, etc.).
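The mechanism described above, protecting embedded parameters cryptographically on the way out and verifying them on the way back in, can be shown in a few dozen lines. The following is an added illustration written for this page in Python; it is not SPF's own code and does not use SPF's parameter names or key handling (the `__spf*` field names, the per-session key derivation and the 300-second window are all assumptions made here). The response side appends an HMAC over the canonicalised parameter set plus a timestamp and nonce; the request side recomputes the MAC, rejects any URL whose values were changed, added or removed, and refuses expired or replayed tokens. Hidden form fields and cookies would use the same canonicalisation.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical field names for this example (not SPF's actual names).
TOKEN_PARAM = "__spf"
TS_PARAM = "__spf_ts"
NONCE_PARAM = "__spf_nonce"


def derive_session_key(server_secret: bytes, session_id: str) -> bytes:
    """Bind the integrity key to one session so a token minted for one
    user cannot be reused under another session (assumed design)."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).digest()


def _canonical(params) -> bytes:
    # Sort name/value pairs so the MAC does not depend on parameter order.
    return urlencode(sorted(params)).encode()


def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def protect_url(url: str, key: bytes, now=None) -> str:
    """Response side: append timestamp, nonce and MAC to an outgoing URL."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    issued = str(int(now if now is not None else time.time()))
    params += [(TS_PARAM, issued), (NONCE_PARAM, secrets.token_hex(8))]
    params.append((TOKEN_PARAM, _mac(key, _canonical(params))))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url: str, key: bytes, seen_nonces: set, max_age=300, now=None):
    """Request side: return (clean_params, status). clean_params is None
    unless status is "ok". Checks run in order: presence, integrity,
    freshness, replay."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for n, v in params if n == TOKEN_PARAM]
    rest = [(n, v) for n, v in params if n != TOKEN_PARAM]
    if len(tags) != 1:
        return None, "missing token"
    # Constant-time compare over the recomputed MAC of everything else.
    if not hmac.compare_digest(_mac(key, _canonical(rest)), tags[0]):
        return None, "tampered"
    fields = dict(rest)
    issued = int(fields.get(TS_PARAM, "0"))
    current = now if now is not None else time.time()
    if current - issued > max_age:
        return None, "expired"
    nonce = fields.get(NONCE_PARAM)
    if nonce in seen_nonces:
        return None, "replayed"
    seen_nonces.add(nonce)
    clean = {n: v for n, v in rest if not n.startswith("__spf")}
    return clean, "ok"


if __name__ == "__main__":
    # Constructed sample: a link the application emitted for one session.
    key = derive_session_key(b"server-secret-placeholder", "session-A")
    link = protect_url("https://example.test/account?id=1042&role=user", key)
    seen = set()
    print(verify_url(link, key, seen))                                   # ok
    print(verify_url(link, key, seen))                                   # replayed
    print(verify_url(link.replace("role=user", "role=admin"), key, set()))  # tampered
```

Because the MAC covers the whole sorted parameter set, a request that changes a value, drops a parameter, or smuggles in an extra one fails the same integrity check; the nonce set should live in a shared store when more than one worker serves the application.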

SPF can be downloaded from spf.codeplex.com
