SPF is an application security module designed for Microsoft IIS web servers. SPF uses cryptography to dynamically secure embedded application parameters from manipulation at runtime. These parameters typically include Query String variables, non-editable HTML Form Inputs, Browser Cookies, and other variables set via client-side JavaScript. SPF does not require any changes to the underlying application code and provides instant protection against parameter tampering, URL manipulation and replay attacks. SPF also includes the capability to define forbidden input patterns (Black-Lists) using regular expressions to block known attack signatures.
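The idea of cryptographically protecting application-generated parameters can be illustrated with an HMAC that binds a query string to a session and an expiry time. This is an added example, not SPF's code: the page does not say which construction SPF uses, and the names `protect`, `verify`, `_exp`, `_mac` and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, kept server-side only


def _mac(session_id, expires, params):
    # Canonical form: sorted, URL-encoded parameters bound to session and expiry.
    canonical = urlencode(sorted(params)) + "|" + session_id + "|" + expires
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def protect(query, session_id, ttl=300, now=None):
    """Append an expiry and a MAC to a query string the application generated."""
    params = parse_qsl(query, keep_blank_values=True)
    expires = str(int((time.time() if now is None else now) + ttl))
    tag = _mac(session_id, expires, params)
    return urlencode(params + [("_exp", expires), ("_mac", tag)])


def verify(query, session_id, now=None):
    """True only if parameters are unmodified, unexpired and bound to this session."""
    params = parse_qsl(query, keep_blank_values=True)
    tags = [v for k, v in params if k == "_mac"]
    exps = [v for k, v in params if k == "_exp"]
    if len(tags) != 1 or len(exps) != 1:
        return False  # missing or duplicated protection fields
    body = [(k, v) for k, v in params if k not in ("_mac", "_exp")]
    expected = _mac(session_id, exps[0], body)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(tags[0].encode(), expected.encode()):
        return False  # a value was changed, added or removed, or the session differs
    # The expiry string is authenticated at this point, so int() is safe.
    return (time.time() if now is None else now) <= int(exps[0])


if __name__ == "__main__":
    link = protect("account=1001&role=user", "sess-A")  # constructed sample input
    print(link)
    print("untouched:", verify(link, "sess-A"))
    print("tampered: ", verify(link.replace("1001", "1002"), "sess-A"))
    print("other session:", verify(link, "sess-B"))
```

The expiry bounds how long a captured link stays valid, and the session binding stops a link issued to one session from being accepted in another.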

Why is SPF required?
The data passed to a typical web application never originates from the user. Embedded inputs such as hidden form fields, selectable form elements, cookies, and URL parameters all originate within the application, yet these values are often vulnerable to tampering and manipulation attacks. In theory, web application firewalls can easily prevent these attacks, but in reality they rarely do.
You don't have to write extra filters for attacks such as input tampering and injection, URI tampering, cross-site attacks, request forgery, URL hijacking, etc., or you can cross-check your own filters against these standard, already-written filters. You will not see a banner flash up on your web server saying it is secure; after applying the filter, check your web server logs and you will see the difference. Building web pages and launching web applications has become easy with many tools, but securing those applications has now become a new challenge. Applying SPF correctly will secure you.
Download IIS Secure Parameter Filter here