Forest header image

Symfony Finland
Random things on PHP, Symfony and web development

A Web Application Firewall (WAF) with PHP and PSR-7?

Web sites and applications are a tempting target for malicious activities. Rather than the classic defacing of a website (to show you hacked) is fast becoming a thing of the past. Today the motivation of attackers is to hide the fact that your site or application has been compromised.

Stealing user data and other sensitive user information once you have an access to a web application is an obvious motivation to hack into a computer system. From time to time you read news about large sites such as Ashley Madison leaking user information.

In addition to leaking data, web servers are the perfect tool or orchestrating Distributed Denial of Services (DDoS) attacks. In this type of attack the aim is to limit the usability or completely disable the target by an overwhelming number of distributed traffic. One of the most prominent of these is Operation Payback which crippled MasterCard in revenge for WikiLeaks ban.

DDoS attacks have traditionally been made from vulnerable personal computers, but web applications have become a better target. Personal devices are continuously moving to being turned on intermittently and often on crowded mobile networks, where as web applications are always on and have an abundance of bandwidth.

Operating Systems are supported by Open Source communities and companies like Microsoft and Apple. These organisations have tasked security specialists and have a direct interest in providing security patches. Web sites and applications, on the other hand can be nowadays created and deployed by pretty much anyone and are easily left without security maintenance. Just like that Windows XP your aunt still uses for online banking...

Block on network, server or application level

Firewalls come in many shapes and sizes. Your webhost likely operates one for you to prevent DDoS attacks and traffic to other than the most common ports needed for web hosting traffic. But a network level firewall won't likely block HTTP traffic that is from robots going through your site looking for vulnerabilities, similar to what GoogleBot is doing to index your content.

Web Application Firewalls (WAFs) are another type of firewall that can be an applicance or a server plugin. WAFs apply a set of rules to HTTP conversations, to prevent attacks such as cross-site scripting (XSS) and SQL injections. NAXSI is an example of such a WAF for the Nginx webserver.

After looking at network and web server level firewalls, let's go deeper down the rabbit hole and go to the web application itself. PHP used to have automatic escaping of input via the Magic Quotes functionality, which has been deprecated. This could be considered as a form of sanitation done by a WAF.

A WAF with PHP using PSR-7?

PHP applications have traditionally used superglobals such as $_SERVER, $_GET and $_POST to handle request data. This made every application quite unique in how they handled HTTP messages coming in and going out. In 2015 the PHP-FIG group agreed on a specification to unify this in the form of PSR-7 recommendation to define HTTP message interfaces.

PSR-7 aims to unify the way PHP applications handle HTTP-messages, making it possible to pass the requests from one application to another. These are often called middlewares and illustrated with an onion and it's layers. The concept is familiar from PSGI/Plack and more recently from Connect.

With PSR-7 applications can pass messages forward within these layers. You could build a firewall middleware that would be the first one to respond to the request. If the firewall deems the request malicious, then will log it and drop in on the spot. If your custom application receives a request to the WordPress login page, why strain it with continuing bootstrapping?

Doing security at this layer is obviously not ideal, but it is very accessible to all web developers comfortable with contemporary PHP. It could be easily distributed and installed to the millions of installations of PHP applications running on shared hosting to Virtual Private Servers (VPS). Some existing efforts already exist: Easy access control for PHP and PSR-7 Firewall, but at this point they are limited in functionality.

The requirements for a useful firewall include at bare minimum the following:

  • PSR-7 compliant ;)
  • Lightweight with low overhead
  • Drop-dead simple installation (via Composer?)
  • Easy updates, code and fingerprints (via Composer and SQLite?)
  • A critical mass of PSR-7 compliant applications

This could be a practical approach to help defend against common threats and even filter out outgoing DDoS traffic for compromised applications. You can think of it as a WordPress Firewall for all PSR-7 compliant PHP applications. Sadly making WordPress itself into a compliant application is not trivial:

Learn more about PSR-7:

Written by Jani Tarvainen on Tuesday November 3, 2015
Permalink - Tags: php, security, firewall, psr7

« This November in PHP: PHP 7, Symfony 3, eZ Platform and Drupal 8 - PHP microframeworks and the Symfony Framework Micro Kernel »