I see that web protection library (WPL) comes with 2 different options:
- Security Runtime Engine (SRE)
- AntiXSS Library
The first one seems great since no code is necessary; it's an HttpModule. The second requires manually adding the escaping logic in the code.
Despite this advantage I mentioned, SRE is not very popular and I'm wondering why. Is there any known problem with this library, or any big advantage of using AntiXSS that I'm not seeing?
Thanks!
The biggest flaw I see in the SRE is that it looks to me like it is reliant on "blacklisting" behavior. For example, it tries to detect SQL statements in order to provide SQL Injection protection. Blacklisting is weak, simply from the fact that you would have to know all potentially harmful input in order to provide 100% protection.
http://www.owasp.org/index.php/Data_Validation#Data_Validation_Strategies
That is not to say that I don't see any value in the SRE. I think that it looks like a nice tool to have in your arsenal, but it would be something to be considered an additional layer of defense.
The only other disadvantage I see to using this library is that it may encourage coders to be lazy about learning how to secure their applications. Relying on any individual tool to offer protection (or even a bunch of tools to offer protection) is foolish at best. It's very easy for a programmer to inadvertently introduce security flaws that thwart the best of tools. Therefore, a good developer, one who is concerned about security, will not rely on such a tool, but will do the escaping anyway, rather than trusting a tool to do it for them.
In other words, this looks like a good tool to use, but not at the expense of taking precautions on your own. And the programmers that already know how to defend against common web attacks are generally smart enough to know not to rely solely on a tool. They are also likely already coding defensively, and if you're already protecting against SQL Injection, adding a module that does the same thing seems redundant. I would venture to guess that this is the reason for the lack of popularity.
One other side note is that the functionality provided by this is similar to what you'd find in a good Web Application Firewall (WAF). It's subject to the same basic fundamental flaws. This is a nice read on why a WAF is not enough, which also answers why SRE is not enough, and why we would not rely on it.
http://www.acunetix.com/blog/news/implementing-a-web-application-firewall-only-is-not-enough-to-secure-web-applications/
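The contrast the answer draws, blacklist detection versus whitelist-based output encoding, shown in a small C# program. This is an added example, not code from the question, the answer, or the Web Protection Library itself: the `SqlBlacklist` regex is a constructed stand-in for the kind of keyword detection a request filter performs, and `HtmlEncodeWhitelist` is a hand-written illustration of the whitelist principle (pass only a known-safe character set, entity-encode everything else) rather than the AntiXSS library's own encoder. The sample strings are constructed.

```csharp
// Added example (not from the original post or the WPL project). Contrasts a
// blacklist-style input filter with a whitelist-style output encoder.
using System;
using System.Text;
using System.Text.RegularExpressions;

static class EncodingDemo
{
    // Blacklist: flag input that "looks like" SQL. Such a list is never
    // complete, and it also fires on harmless prose that uses the same words.
    // (Constructed stand-in for a request filter, not SRE's actual rules.)
    static readonly Regex SqlBlacklist = new Regex(
        @"\b(select|insert|update|delete|drop|union)\b",
        RegexOptions.IgnoreCase);

    public static bool LooksLikeSql(string input) => SqlBlacklist.IsMatch(input);

    // Whitelist: only these characters pass through unchanged. Everything else
    // is emitted as a numeric character reference, so the encoder needs no
    // knowledge of attack strings at all.
    static bool IsSafeChar(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
        || c == ' ' || c == ',' || c == '.' || c == '-' || c == '_';

    public static string HtmlEncodeWhitelist(string input)
    {
        var sb = new StringBuilder(input.Length);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (IsSafeChar(c)) { sb.Append(c); continue; }

            // Encode the full code point, not a lone UTF-16 surrogate half.
            int codePoint = c;
            if (char.IsHighSurrogate(c) && i + 1 < input.Length
                && char.IsLowSurrogate(input[i + 1]))
            {
                codePoint = char.ConvertToUtf32(c, input[i + 1]);
                i++;
            }
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample inputs.
        string comment = "Please select a table and drop the old one.";
        string markup = "<b>hi</b> & \"bye\"";

        // Blacklist: a perfectly ordinary sentence is flagged (false positive),
        // while anything the list does not mention passes silently.
        Console.WriteLine($"blacklist flags harmless comment: {LooksLikeSql(comment)}");
        // prints: blacklist flags harmless comment: True

        // Whitelist encoding: every non-alphanumeric character is neutralised
        // on output regardless of whether anyone anticipated it.
        Console.WriteLine(HtmlEncodeWhitelist(markup));
        // prints: &#60;b&#62;hi&#60;/b&#62; &#38; &#34;bye&#34;
    }
}
```

The encoder is applied at the point where data is written into HTML, which is the "do the escaping anyway" the answer recommends; for the SQL case the equivalent whitelist-style control is a parameterized query, not a keyword filter in front of the application.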