
The Research And Implement Of The Technique Of Address Space Mapping In The Web Application Firewall

Posted on: 2007-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Lin
GTID: 2178360242961891
Subject: Computer system architecture

Abstract/Summary:
Web services are the most widespread and most important Internet application, and new means of attacking them appear constantly. Many attacks now target the application layer in order to pass through general network-layer detection devices, so detecting and preventing application-layer attacks is of practical value. Application-level Web security refers to vulnerabilities inherent in the code of a Web application itself. One way to address it is to place a Web application firewall (WAF) in front of the enterprise intranet.

Most WAFs today are based on reverse proxy technology, which is the framework and basis of the WAF implementation. A reverse proxy provides a single point of entry to the intranet, and it can be reached only through the globally available URL address. The structure of an enterprise intranet is very complex; it uses embedded URLs to link its web pages and services. Most of these links are relative. Present reverse proxies do not take embedded URLs into account. But many websites actually have absolute URLs that are based on the address space of the internal server and cannot be accessed.

Address Space Mapping is a new technique embedded in the reverse proxy. It is placed at the front end of the reverse proxy and uses certain tactics (rules) to transform the URLs embedded in web pages independently and centrally, mapping them into the address space of the reverse proxy. Only in this way can client requests go through the reverse proxy and then reach the intranet, while malicious users cannot bypass WAF detection.

The Address Space Mapping scheme is developed in the WAF as an Apache module, based on Apache's reverse proxy configuration. There are several key techniques: HTML parsing based on finite-state automaton theory to detect embedded URLs and perform the necessary transformation; processing complex script code in dynamic web pages using an "auto robot"; and handling the transformation of URLs and cookies by configuring the VPN access method. Functional and performance tests of the technique show that the module attains the expected goal efficiently.
Keywords/Search Tags: Web Application Firewall, Reverse Proxy, Address Space Mapping
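
The first key technique named in the abstract, a finite-state automaton that finds embedded URLs and maps absolute internal ones into the reverse proxy's address space, sketched in Python as an added example (not code from the thesis, which implements its scheme as an Apache module). The host names, mapping table and attribute list are constructed assumptions, and HTML comments and script content are not handled here.

```python
from urllib.parse import urlsplit

# Constructed example values: internal origins and the proxy paths they map to.
MAPPING = {"http://app1.intranet.example": "/app1", "http://10.0.0.8:8080": "/hr"}
PROXY = "https://waf.example.com"        # assumed public entry point of the WAF
URL_ATTRS = {"href", "src", "action"}    # attributes treated as URL-bearing

def map_url(url):
    """Map an absolute internal URL into the proxy's address space."""
    p = urlsplit(url.strip())
    prefix = MAPPING.get(f"{p.scheme}://{p.netloc}".lower())
    if prefix is None:
        return url                       # relative or external link: unchanged
    tail = (p.path or "/") + ("?" + p.query if p.query else "")
    return PROXY + prefix + tail + ("#" + p.fragment if p.fragment else "")

def rewrite_html(html):
    """Finite-state scan: TEXT -> TAG -> NAME -> EQ -> VALUE, rewriting values."""
    out, state, name, value, quote = [], "TEXT", "", "", ""
    for ch in html:
        if state == "VALUE":
            if ch == quote or (not quote and (ch.isspace() or ch == ">")):
                out.append(map_url(value) if name.lower() in URL_ATTRS else value)
                state, name = ("TEXT" if ch == ">" else "TAG"), ""
            else:
                value += ch
                continue                 # buffer the value, emit it when it ends
        elif state == "TEXT":
            if ch == "<":
                state, name = "TAG", ""
        elif state == "TAG":             # inside a tag, between attributes
            if ch == ">" or (ch == "=" and name):
                state = "TEXT" if ch == ">" else "EQ"
            elif ch.isalpha():
                state, name = "NAME", ch
        elif state == "NAME":            # tag name or attribute name
            if ch.isalnum() or ch in "-_:":
                name += ch
            else:
                state = {"=": "EQ", ">": "TEXT"}.get(ch, "TAG")
        elif state == "EQ" and not ch.isspace():
            quote = ch if ch in "\"'" else ""
            state, value = ("TEXT", "") if ch == ">" else ("VALUE", "" if quote else ch)
            if state == "VALUE" and not quote:
                continue                 # first character of an unquoted value
        out.append(ch)
    return "".join(out) + (value if state == "VALUE" else "")
```

Relative links, external links and non-URL attributes pass through untouched; only absolute URLs whose origin appears in the mapping table are moved behind the proxy, so the client never needs a route to an internal address.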