What is SPF?
SPF is an application security module designed for Microsoft IIS web servers. SPF uses cryptography to dynamically secure embedded application parameters from manipulation at runtime. These parameters typically include Query String variables, non-editable HTML Form Inputs, Browser Cookies, and other variables set via client-side JavaScript. SPF does not require any changes to the underlying application code and provides instant protection against parameter tampering, URL manipulation and replay attacks. SPF also includes the capability to define forbidden input patterns (Black-Lists) using regular expressions to block known attack signatures.

Why do I need SPF?
The majority of the data passed to a typical web application never originates from the user. Embedded inputs such as hidden form fields, selectable form elements, cookies, and URL parameters all originate within the application, yet these values are often vulnerable to tampering and manipulation attacks. In theory, web application firewalls can easily prevent these attacks, but in reality they rarely do.

In today's era of point-and-click GUI web application development, software developers are often completely unaware of the tremendous amount of hidden input being passed by their web applications. Do you REALLY know every entry point into your web application? If the answer is no, then you need SPF.

How does SPF Work?
SPF is an HttpModule written in C# that runs on IIS6 and IIS7. SPF uses request and response filters to dynamically protect all URLs and embedded input values at runtime. The SPF request filter ensures that only the original, untampered inputs are accepted by the application on every request, securing these values against input-driven attacks such as Input Tampering & Injection, URI Tampering and Cross-Site Attacks (XSS, Request Forgery, URL Hijacking, etc.).
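The response-filter/request-filter pairing described above can be illustrated with a small model of the mechanism. The following is an added example written for this page, not SPF's own C# HttpModule; it assumes an HMAC-SHA256 tag over the embedded parameters, a timestamp plus random nonce for replay detection, and a constructed Black-List of two regular expressions. The function and constant names (seal_params, verify_request, SERVER_KEY, BLACKLIST, MAX_AGE_SECONDS) are hypothetical.

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Per-server secret; in a real module this would live in protected configuration.
SERVER_KEY = secrets.token_bytes(32)

# Constructed Black-List of forbidden input patterns (illustrative, not SPF's own rules).
BLACKLIST = [re.compile(p, re.I) for p in (r"<\s*script\b", r"['\"]\s*or\s+1\s*=\s*1")]

MAX_AGE_SECONDS = 300  # how long a sealed parameter set stays valid


def seal_params(params, key=SERVER_KEY, now=None):
    """Response-side filter: bind embedded (non-editable) parameters to an HMAC tag.

    A timestamp bounds the lifetime of the link/form and a random nonce lets the
    request side detect replay of an otherwise valid set of values.
    """
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = urlencode(sorted(params.items()) + [("_ts", str(ts)), ("_nonce", nonce)])
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&_sig=" + tag


def verify_request(query, user_fields=None, seen_nonces=None, key=SERVER_KEY, now=None):
    """Request-side filter: accept only untampered, fresh, unreplayed embedded values.

    Returns (accepted, reason, params). `user_fields` are editable inputs that are
    not sealed; they are only screened against the Black-List.
    """
    user_fields = user_fields or {}
    payload, sep, sig = query.rpartition("&_sig=")
    if not sep:
        return False, "missing signature", {}
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the tag is checked before anything is parsed or used.
    if not hmac.compare_digest(expected, sig):
        return False, "tampered", {}
    params = dict(parse_qsl(payload, keep_blank_values=True))
    ts = int(params.pop("_ts", "0"))
    nonce = params.pop("_nonce", "")
    current = time.time() if now is None else now
    if current - ts > MAX_AGE_SECONDS:
        return False, "expired", {}
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, "replayed", {}
        seen_nonces.add(nonce)
    for value in user_fields.values():
        if any(p.search(value) for p in BLACKLIST):
            return False, "blacklisted", {}
    params.update(user_fields)
    return True, "ok", params


def demo():
    """Walk through the cases a request filter must distinguish; returns reason by case."""
    seen = set()
    # Constructed embedded inputs: a hidden product id and price the client must not edit.
    sealed = seal_params({"product_id": "42", "price": "19.99"}, now=1000)
    results = {}
    results["genuine"] = verify_request(sealed, {"qty": "2"}, seen, now=1001)[1]
    results["replay"] = verify_request(sealed, {"qty": "2"}, seen, now=1002)[1]
    # Client edits the hidden price field: the tag no longer matches.
    forged = sealed.replace("price=19.99", "price=0.01")
    results["tampered"] = verify_request(forged, {}, set(), now=1001)[1]
    results["expired"] = verify_request(sealed, {}, set(), now=1000 + MAX_AGE_SECONDS + 1)[1]
    results["blacklisted"] = verify_request(sealed, {"q": "x' OR 1=1"}, set(), now=1001)[1]
    results["missing"] = verify_request("product_id=42", {}, set(), now=1001)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:12s} -> {reason}")
```

Two design points carry over to any implementation of this idea: the tag is verified before the parameters are parsed, so no untrusted value reaches application code first, and the nonce set must be shared across the whole server farm (or the timestamp window kept short) for replay detection to hold.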


Last edited Jan 26, 2010 at 5:44 AM by bholyfield, version 5