What is SPF?
Why do I need SPF?
The majority of the data passed to a typical web application never originates from the user. Embedded inputs such as hidden form fields, selectable form elements, cookies, and URL parameters all originate within the application, yet these values are often vulnerable to tampering and manipulation attacks. In theory, web application firewalls can easily prevent these attacks, but in reality they rarely do.
In today's era of point-and-click GUI web application development, software developers are often completely unaware of the tremendous amount of hidden input being passed by their web applications. Do you REALLY know every entry point into your web application? If the answer is no, then you need SPF.
How does SPF work?
SPF is an HttpModule written in C# that runs on IIS6 and IIS7. SPF uses request and response filters to dynamically protect all URLs and embedded input values at run time. The SPF request filter ensures that only the original, untampered inputs are accepted by the application on every request, securing these values against input-driven attacks such as Input Tampering & Injection, URI Tampering and Cross-Site Attacks (XSS, Request Forgery, URL Hijacking, etc.).
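One common way to build the request/response filter pair described above is to have the response filter tag a form's embedded values with a keyed MAC and the request filter recompute that MAC before the application sees the submission. The following is an added Python illustration of that pattern, not SPF's own C# code; the keyed-MAC mechanism, the `KEY`, `SIG_FIELD`, `seal_form` and `verify_request` names, and the sample form are all assumptions made for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode

# Constructed demo secret; a real deployment keeps a per-application key server-side.
KEY = b"constructed-demo-secret"
SIG_FIELD = "__spf_sig"  # hypothetical name for the integrity field added to each form

# Demo-grade matcher: expects attributes in type/name/value order, double-quoted.
HIDDEN_RE = re.compile(
    r'<input\b[^>]*\btype="hidden"[^>]*\bname="([^"]+)"[^>]*\bvalue="([^"]*)"', re.I)

# Constructed sample response body with two embedded (hidden) inputs.
FORM = """<form method="post" action="/checkout">
<input type="hidden" name="item_id" value="42">
<input type="hidden" name="price" value="19.99">
<input type="text" name="qty" value="1">
</form>"""

def _mac(pairs, key):
    # Canonical form: sorted name/value pairs, URL-encoded, so neither field
    # order nor encoding differences can change the MAC.
    return hmac.new(key, urlencode(sorted(pairs)).encode(), hashlib.sha256).hexdigest()

def seal_form(html, key=KEY):
    """Response filter: tag a form's hidden fields with a keyed MAC.
    The tag lists the protected names, then the MAC over their values."""
    pairs = HIDDEN_RE.findall(html)
    tag = ",".join(sorted(n for n, _ in pairs)) + "|" + _mac(pairs, key)
    return html.replace("</form>", f'<input type="hidden" name="{SIG_FIELD}" value="{tag}">\n</form>', 1)

def verify_request(body, key=KEY):
    """Request filter: accept the submission only if every protected field still
    carries the value the server emitted. Returns the parameters (tag removed)
    on success and raises ValueError on a missing tag or any tampering."""
    params = parse_qsl(body, keep_blank_values=True)
    tags = [v for n, v in params if n == SIG_FIELD]
    if len(tags) != 1 or "|" not in tags[0]:
        raise ValueError("integrity tag missing or malformed")
    names, mac = tags[0].split("|", 1)
    protected = set(names.split(",")) if names else set()
    submitted = [(n, v) for n, v in params if n in protected]
    # A changed, dropped or duplicated protected parameter alters the canonical
    # form, so it fails the constant-time comparison just like an edited value.
    if not hmac.compare_digest(_mac(submitted, key), mac):
        raise ValueError("embedded input was tampered with")
    return {n: v for n, v in params if n != SIG_FIELD}
```

The MAC here covers only the field values, so a sealed form could be replayed by a different user; a production filter would also fold a session identifier into the MAC input so a tag is only valid for the session it was issued to.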