A formal model of web application firewall security capabilities

Dario Marchitelli

A formal model of web application firewall security capabilities.

Rel. Cataldo Basile. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2024

PDF (Tesi_di_laurea) - Tesi
Restricted to: Repository staff only until 30 April 2026 (embargo date).
License: Creative Commons Attribution Non-commercial No Derivatives.

Download (2MB)
Abstract:

This thesis presents a novel approach to improving the accessibility and flexibility of application-level security. It introduces a formal model of security controls that abstracts away the low-level rule languages used by different Web Application Firewall (WAF) frameworks. The model is designed to simplify the definition of security capabilities through an XML-based abstract language, allowing administrators to specify security controls without detailed knowledge of the underlying frameworks. The model is enforced by a Java tool that translates the abstract language into framework-specific rules, addressing the challenges posed by the proliferation of diverse security tools. This approach reduces the risk of technology lock-in and eases the adoption of newer, more advanced frameworks. The thesis shows how the model can be extended to support the widely used ModSecurity framework, incorporating key features such as HTTP request and response body inspection and user-defined variable management. The extended model was validated against the ModSecurity Core Rule Set (CRS), demonstrating its ability to represent and enforce key WAF controls effectively. This work contributes to reducing the complexity of managing WAF rules, offering system administrators a more flexible and adaptable solution to modern web application security challenges.

Relators: Cataldo Basile
Academic year: 2024/25
Publication type: Electronic
Number of Pages: 141
Subjects:
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/33054