I wanted to share some tidbits about our new project, the Web Protection Library (WPL), which contains libraries to protect web applications from common vulnerabilities and attacks. Our goal is to offer comprehensive web application protection with minimal configuration. With the release of Anti-XSS 3.0 we offered cross-site scripting (XSS) protection in the form of a custom library and an HTTP module called the Security Runtime Engine (SRE). SRE provides automated XSS protection at runtime and requires no code changes to the application.
We are taking the same approach in WPL, providing protections for SQL injection, clickjacking, file canonicalization, etc. We will also enhance the HTML encoding library to support LDAP input encoding as well as XPath input encoding. SQL injection protection via a module is already implemented in a solution by Maqbool called SQL Detect, which will be integrated with SRE. SQL Detect provides protection by analyzing input to detect SQL commands. In WPL we also want to create a new request validation module that offers better protection and less inconvenience to developers. Architecturally, WPL will contain two main components: encoding libraries for custom implementation, and a runtime engine that wraps those libraries for automated protection.
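To make the "LDAP input encoding" part concrete, here is an added example (not WPL or Anti-XSS code) of an RFC 4515 filter-value encoder: every character with meaning inside an LDAP search filter is replaced by its `\XX` byte escape, so untrusted input can only ever be an assertion value, never filter syntax. The function names and the sample username are my own.

```python
# Added example: encode an untrusted value for use inside an LDAP search
# filter (RFC 4515 escaping). Not taken from WPL / Anti-XSS.

# Characters that change the meaning of a filter if left unescaped.
LDAP_FILTER_SPECIALS = {"*", "(", ")", "\\", "\x00"}


def ldap_filter_encode(value: str) -> str:
    """Escape filter metacharacters, control characters and non-ASCII so
    the result is always a literal assertion value."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch in LDAP_FILTER_SPECIALS or code < 0x20 or code > 0x7E:
            # RFC 4515 allows any octet to be written as backslash + two hex
            # digits; multi-byte UTF-8 characters become one escape per byte.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str) -> str:
    """Build an equality filter for a user lookup; the input is encoded, so a
    wildcard or parenthesis in it cannot widen or restructure the filter."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_filter_encode(username)}))"


if __name__ == "__main__":
    # Constructed sample input containing a wildcard and a stray parenthesis.
    sample = "jsmith*)"
    print(build_user_filter(sample))
    # (&(objectClass=user)(sAMAccountName=jsmith\2a\29))
```

The encoder only protects filter values; distinguished names use a different escaping scheme (RFC 4514) and need their own encoder.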
The following are some of the enhancements we are planning for WPL.
We will post more as we flesh out the finer details.