XACML Read resources - xacml

I'm trying to write a rule that allows access to any resource, for every user, only when the action is read. I have a doubt about whether I need to put something like "any" for the resource, as here:
<Rule Effect="Permit" RuleId="Rule Permit #1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">any</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</Match>
And then the action
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
Or maybe I can delete the first part and put the action directly, since the resource is "any"?
Thank you!!

You only need to Match the action:
<Rule Effect="Permit" RuleId="Rule Permit #1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
In this case, if and only if the action-id equals 'read', the Rule evaluates to Permit, regardless of user or resource attributes; in other words: for any user or resource. Beware that the final decision depends on the rule combining algorithm of your enclosing Policy (and possibly the policy combining algorithm of your PolicySet, if you have one). If you get something different, that's an issue with the XACML implementation.
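As an added example (not part of the question or the answer above), the following Python evaluates a single XACML 3.0 Rule Target the way the core specification's Match, AllOf, AnyOf and Target evaluation tables describe, against a request context built from the attribute identifiers used in this thread. It demonstrates the two points the thread turns on: the answer's action-only Rule permits any resource and any subject, and yields Indeterminate rather than Permit when the action attribute is absent (MustBePresent="true"); and the question's string-regexp-match against the literal "any" is not a wildcard, it only matches resource ids that contain the substring "any". The context() helper and the sample resource ids are constructed for the example; the two Rule documents are the ones from the thread, with the question's two Match elements placed in one AllOf.

```python
import re
import xml.etree.ElementTree as ET

# Identifiers exactly as used in the Rules on this page (XACML 3.0 core).
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# The two MatchId functions used on this page. XACML passes the literal
# AttributeValue as the first argument and each value of the request bag as the second.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda lit, v: lit == v,
    # string-regexp-match is a search, not a whole-string match: "any" matches "company".
    "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match": lambda lit, v: re.search(lit, v) is not None,
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # ignore a namespace prefix if one is present

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def evaluate_match(el, ctx):
    """One <Match>: Match / NoMatch / Indeterminate."""
    fn = FUNCTIONS[el.get("MatchId")]
    # This toy strips whitespace inside <AttributeValue>; a real PDP need not, so keep values on one line.
    literal = (_children(el, "AttributeValue")[0].text or "").strip()
    d = _children(el, "AttributeDesignator")[0]
    bag = ctx.get((d.get("Category"), d.get("AttributeId")), [])
    if not bag and d.get("MustBePresent") == "true":
        return "Indeterminate"
    return "Match" if any(fn(literal, v) for v in bag) else "NoMatch"

def _all(results):
    """AllOf and Target semantics: every child must Match."""
    if all(r == "Match" for r in results):
        return "Match"
    return "NoMatch" if "NoMatch" in results else "Indeterminate"

def _any(results):
    """AnyOf semantics: at least one child must Match."""
    if "Match" in results:
        return "Match"
    return "NoMatch" if all(r == "NoMatch" for r in results) else "Indeterminate"

def evaluate_rule(rule_xml, ctx):
    """Permit / Deny / NotApplicable / Indeterminate for a single <Rule> with no Condition."""
    rule = ET.fromstring(rule_xml)
    target = _children(rule, "Target")[0]
    anyofs = [_any([_all([evaluate_match(m, ctx) for m in _children(allof, "Match")])
                    for allof in _children(anyof, "AllOf")])
              for anyof in _children(target, "AnyOf")]
    outcome = _all(anyofs)
    if outcome == "Match":
        return rule.get("Effect")
    return "NotApplicable" if outcome == "NoMatch" else "Indeterminate"

def context(action=None, resource=None):
    """Request context as {(category, attribute-id): bag of string values} (constructed helper)."""
    ctx = {}
    if action is not None:
        ctx[(ACTION_CAT, ACTION_ID)] = [action]
    if resource is not None:
        ctx[(RESOURCE_CAT, RESOURCE_ID)] = [resource]
    return ctx

ACTION_MATCH = """<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="%s" Category="%s"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>""" % (ACTION_ID, ACTION_CAT)

RESOURCE_REGEXP_MATCH = """<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">any</AttributeValue>
<AttributeDesignator AttributeId="%s" Category="%s"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>""" % (RESOURCE_ID, RESOURCE_CAT)

# The answer's Rule: only the action is matched.
ANSWER_RULE = '<Rule Effect="Permit" RuleId="Rule Permit #1"><Target><AnyOf><AllOf>%s</AllOf></AnyOf></Target></Rule>' % ACTION_MATCH
# The question's Rule: resource-id regexp "any" AND action "read".
QUESTION_RULE = '<Rule Effect="Permit" RuleId="Rule Permit #1"><Target><AnyOf><AllOf>%s%s</AllOf></AnyOf></Target></Rule>' % (RESOURCE_REGEXP_MATCH, ACTION_MATCH)

if __name__ == "__main__":
    print(evaluate_rule(ANSWER_RULE, context("read", "invoice-42")))      # Permit
    print(evaluate_rule(QUESTION_RULE, context("read", "invoice-42")))    # NotApplicable
```

The Rule result is only the input to the combining algorithm of the enclosing Policy, as the answer says; a deny-overrides Policy with another Rule that denies would still end in Deny.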

URL Rewrite Force to https except one domain

First of all, I need to say that after hours of googling I could not find a way to get the result I need.
Here's the problem:
I have 2 domains for my website, for example foo.com and bar.com.
I need foo.com to be redirected to HTTPS.
I need bar.com to remain on HTTP and NOT redirect to HTTPS.
I have tried many rules, but none of them did the job. For example:
<rule name="Force HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{REQUEST_URI}" negate="true" pattern="^(www.)?bar.com$$" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
This should redirect foo.com to HTTPS:
<rule name="Add WWW prefix to foo.com and use HTTPS" stopProcessing="true">
<match url="(.*)" ignoreCase="true" />
<conditions>
<add input="{HTTP_HOST}" pattern="^foo\.com" />
</conditions>
<action type="Redirect" url="https://www.foo.com/{R:1}" redirectType="Permanent" />
</rule>
And for bar.com:
<rule name="Force NonHTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Redirect" url="http://{HTTP_HOST}{REQUEST_URI}" />
</rule>
Take a look at the stopProcessing attribute in the first rule. It stops processing of the following rules when foo.com is matched, so the "Force NonHTTPS" rule cannot trigger for it.

IIS Url Rewrite Rules - www/SSL - web.config

I am trying to write some rewrite rules in the <system.webServer> section of the web.config file.
My aim is that any url missing the www section would be rewritten as www.myurl.com. I believe that this should actually be a 301 redirect? To add to this, I also want to make sure that I am using SSL with HSTS.
I need to make sure that I don't fix this rule to a single domain, for example, it needs to work for foo.com and bar.com along with any others that I might choose to support in the future (there could be quite a few when I start looking at country specific domains).
Here is what I have so far:
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Non WWW redirect" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^(www|office365|bdf01)\." negate="true" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://www.{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
The above has 3 rules:
- HTTP to HTTPS
- Non-WWW to WWW
- HSTS
It looks as though my HTTP-HTTPS rule is working fine, but that is the only one.
The non-www redirect needs to allow specific sub-domains. The example above should not add the www. to the URLs of office365.foo.com or bdf01.foo.com. This part doesn't work - see example 1.
I'm not certain how best to test HSTS, but I am using a website called woorank to review the website and it says that HSTS is not enabled. I'm not sure whether this is working, but it appears not to be.
I'm not really sure how the pattern matching works within these rules, so I would be more than happy for links to resources that can help me understand this part better. Any help would be gratefully appreciated.
Example 1
When I go to the home page of http://foo.com, I should be taken to https://www.foo.com, instead I am taken to https://foo.com. Likewise, If I navigate to http://office365.foo.com I should actually get https://office365.foo.com but I still get the same http:// address.

How to include root resource values in XACML Response when using Multiple decision Hierarchical resource profile?

I am working with XACML 3.0. When I use the XACML v3.0 Hierarchical Resource Profile, how can I include the root resource values in the XACML Response?
Example:
Customer
|-->Name
|-->FirstName,LastName
Here, Customer is the top root resource. FirstName and LastName are the children of Name.
In my XACML Request I send the top resource name, Customer. Using the hierarchical resource feature of XACML 3.0, the resource finder will evaluate the child resources.
How can I get the root values Customer and Name in the XACML Response?
Here is the XACML Request:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:root-resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">customer</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:resource:scope" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Descendants</AttributeValue>
</Attribute>
</Attributes>
</Request>
As one can see from the request, it contains 4 action categories, 1 subject category and 1 resource category. The latter uses the hierarchical resource profile. The repetition of the action category follows the Multiple Decision Profile of XACML. Essentially, it means that I am asking: "Can admin update...? Can admin read...? Can admin write...? Can admin delete...?"
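The request above has two properties that decide what comes back in the Response: the repeated action categories are what the Multiple Decision Profile calls repeated attribute categories, so the PDP evaluates one individual request per combination (here 4 x 1 x 1) and, with CombinedDecision="false", returns one Result each; and every request Attribute flagged IncludeInResult="true" is copied into the Attributes element of its Result, which is how request and response rows are correlated. The following is an added example, not from the question, that performs that expansion and echo in Python. The Request is constructed with the same identifiers and shape as the one above rather than copied verbatim, the decide() callback is a stand-in for the PDP (it permits only "read" and is not the asker's policy), and the hierarchy expansion for scope=Descendants is not modelled, since that depends on the resource finder of the particular PDP.

```python
import copy
import itertools
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ROOT_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:root-resource-id"
SCOPE_ID = "urn:oasis:names:tc:xacml:2.0:resource:scope"

def attribute(attribute_id, value, include="true"):
    return ('<Attribute AttributeId="%s" IncludeInResult="%s">'
            '<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">%s</AttributeValue>'
            '</Attribute>' % (attribute_id, include, value))

def attributes(category, *attrs):
    return '<Attributes Category="%s">%s</Attributes>' % (category, "".join(attrs))

# Constructed request with the same shape as the question's: four action categories,
# one subject, one resource carrying resource-id, root-resource-id and scope.
REQUEST = ('<Request xmlns="%s" CombinedDecision="false" ReturnPolicyIdList="true">' % XACML
           + "".join(attributes(ACTION_CAT, attribute(ACTION_ID, a)) for a in ("read", "write", "update", "delete"))
           + attributes(SUBJECT_CAT, attribute(SUBJECT_ID, "admin"))
           + attributes(RESOURCE_CAT, attribute(RESOURCE_ID, "customer"),
                        attribute(ROOT_RESOURCE_ID, "customer"),
                        attribute(SCOPE_ID, "Descendants", include="false"))
           + "</Request>")

def expand(request_xml):
    """MDP repeated attribute categories: one individual request per combination of <Attributes>."""
    groups = {}
    for a in ET.fromstring(request_xml).findall("x:Attributes", NS):
        groups.setdefault(a.get("Category"), []).append(a)
    return [list(combo) for combo in itertools.product(*groups.values())]

def values(individual, category, attribute_id):
    """All string values of one attribute in one individual request."""
    return [v.text for a in individual if a.get("Category") == category
            for attr in a.findall("x:Attribute", NS) if attr.get("AttributeId") == attribute_id
            for v in attr.findall("x:AttributeValue", NS)]

def build_response(request_xml, decide):
    """One <Result> per individual request, echoing every IncludeInResult="true" attribute."""
    response = ET.Element("{%s}Response" % XACML)
    for individual in expand(request_xml):
        result = ET.SubElement(response, "{%s}Result" % XACML)
        ET.SubElement(result, "{%s}Decision" % XACML).text = decide(individual)
        for a in individual:
            echoed = [attr for attr in a.findall("x:Attribute", NS) if attr.get("IncludeInResult") == "true"]
            if echoed:
                out = ET.SubElement(result, "{%s}Attributes" % XACML, Category=a.get("Category"))
                out.extend(copy.deepcopy(attr) for attr in echoed)   # whole Attribute, values included
    return response

def permit_read_only(individual):
    """Stand-in for the PDP; not the asker's policy."""
    return "Permit" if values(individual, ACTION_CAT, ACTION_ID) == ["read"] else "Deny"

def summarize(request_xml, decide=permit_read_only):
    """[(decision, {echoed attribute-id: [values]}), ...] in Result order."""
    out = []
    for result in build_response(request_xml, decide).findall("x:Result", NS):
        echoed = {attr.get("AttributeId"): [v.text for v in attr.findall("x:AttributeValue", NS)]
                  for attr in result.iterfind("x:Attributes/x:Attribute", NS)}
        out.append((result.find("x:Decision", NS).text, echoed))
    return out

if __name__ == "__main__":
    for decision, echoed in summarize(REQUEST):
        print(decision, echoed[ACTION_ID], echoed.get(ROOT_RESOURCE_ID))
```

The scope attribute is the one thing that does not come back, because the request sets IncludeInResult="false" on it; flipping that flag is the only change needed to see it in each Result.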

Preserving URL when using SSL Redirect for multiple websites pointing to same folder

I have multiple websites pointing to a central folder (IIS 7.5)
company1.domain.com/wo pointing to D:\inetpub\wo
company2.domain.com/wo pointing to D:\inetpub\wo
company3.domain.com/wo pointing to D:\inetpub\wo
All the websites work over both HTTP and HTTPS (if typed manually). However, the sites have to connect via HTTPS. I want to set up an automatic SSL redirect but am having issues. I created a URL Rewrite rule, but since there is only one web.config file, the URL redirects to only one website (not maintaining the URL).
How do I setup SSL redirect so that the URLs are preserved and all websites point to the same folder?
Any assistance will be greatly appreciated.
Thanks
You should include the host header when checking if HTTPS is enabled and then redirect to the https URL for the appropriate domain.
Here's an example:
<rewrite>
<rules>
<clear />
<rule name="Force HTTPS - www.domain1.com" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" negate="true" pattern="^ON$" />
<add input="{HTTP_HOST}" pattern="\.domain1\.com$" />
</conditions>
<action type="Redirect" url="https://www.domain1.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
<rule name="Force HTTPS - www.domain2.com" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" negate="true" pattern="^ON$" />
<add input="{HTTP_HOST}" pattern="\.domain2\.com$" />
</conditions>
<action type="Redirect" url="https://www.domain2.com{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
<!-- add more rules for other domains if needed -->
</rules>
</rewrite>
You can add as many rules for domain names as you want.
EDIT: Sorry, I misread your question. In that case it's even simpler:
<rewrite>
<rules>
<clear />
<rule name="Force HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" negate="true" pattern="^ON$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
No need to check for the host header, just include the host name in the redirect. You only have to make sure that you have SSL certificates for all domain names.
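The three URL Rewrite threads on this page (force HTTPS except one domain, non-www to www plus HTTPS, and one web.config shared by several host names) all come down to which server variable a condition inspects and what a redirect template expands to. The following is an added example, not code from any of the posts, that models in Python the small subset of URL Rewrite semantics those rules use: the match url regex is tested against the path without its leading slash, conditions support negate and MatchAll/MatchAny, {R:n}, {HTTP_HOST} and {REQUEST_URI} are substituted into the redirect, and the first rule that fires wins (stopProcessing="true"). It reproduces the first question's bug ({REQUEST_URI} holds only path and query, never a host name, so a negated host pattern tested against it is always true and bar.com is redirected anyway), the corrected rule that tests {HTTP_HOST} instead, the two-hop chain that the second question's rules produce for http://foo.com, and the host-preserving redirect from the answer just above. Simplifications: patterns are searched case-insensitively (the IIS default), appendQueryString only appends when the target has no query yet, and rewrite (non-redirect) actions are not modelled. The host names are the ones used in the threads.

```python
import re
from urllib.parse import urlsplit

def rule(name, conditions, redirect, url=r"(.*)", grouping="MatchAll", append_qs=True):
    """One IIS <rule>: match url regex, its <conditions>, and a Redirect action template."""
    return {"name": name, "url": url, "conditions": conditions, "redirect": redirect,
            "grouping": grouping, "append_qs": append_qs}

def cond(variable, pattern, negate=False):
    """One <add input="{variable}" pattern="..." negate="..."/>."""
    return (variable, pattern, negate)

def server_variables(url):
    """The server variables these rules read, derived from a request URL (constructed, not captured)."""
    u = urlsplit(url)
    return {"HTTPS": "on" if u.scheme == "https" else "off",
            "HTTP_HOST": u.netloc,
            "REQUEST_URI": u.path + ("?" + u.query if u.query else ""),   # path and query only, never the host
            "QUERY_STRING": u.query,
            "_PATH": u.path.lstrip("/")}                                   # what <match url> is tested against

def apply_rules(rules, url):
    """Redirect target of the first rule that fires (stopProcessing="true"), or None if none does."""
    sv = server_variables(url)
    for r in rules:
        m = re.search(r["url"], sv["_PATH"], re.IGNORECASE)     # ignoreCase is the IIS default
        if not m:
            continue
        checks = [bool(re.search(p, sv.get(v, ""), re.IGNORECASE)) != neg
                  for v, p, neg in r["conditions"]]
        if not (all(checks) if r["grouping"] == "MatchAll" else any(checks)):
            continue
        target = r["redirect"]
        for i, g in enumerate(m.groups(), start=1):
            target = target.replace("{R:%d}" % i, g or "")
        for k in ("HTTP_HOST", "REQUEST_URI", "HTTPS"):
            target = target.replace("{%s}" % k, sv[k])
        if r["append_qs"] and sv["QUERY_STRING"] and "?" not in target:
            target += "?" + sv["QUERY_STRING"]
        return target
    return None

def follow(rules, url, limit=5):
    """The chain of redirects a client would see, capped at `limit` hops to guard against loops."""
    hops = []
    while len(hops) < limit:
        nxt = apply_rules(rules, url)
        if nxt is None or nxt == url:
            break
        hops.append(nxt)
        url = nxt
    return hops

# First question as posted: the host exclusion inspects REQUEST_URI, which never contains a host.
BROKEN = [rule("Force HTTPS", [cond("HTTPS", "off"), cond("REQUEST_URI", r"^(www\.)?bar\.com$", negate=True)],
               "https://{HTTP_HOST}/{R:1}")]
# Same intent, testing the host header instead.
FIXED = [rule("Force HTTPS except bar.com", [cond("HTTPS", "off"), cond("HTTP_HOST", r"^(www\.)?bar\.com$", negate=True)],
              "https://{HTTP_HOST}/{R:1}")]
# Second question as posted: two independent redirects, so http://foo.com takes two hops.
TWO_HOP = [rule("HTTP to HTTPS redirect", [cond("HTTPS", "off")], "https://{HTTP_HOST}/{R:1}"),
           rule("Non WWW redirect", [cond("HTTP_HOST", r"^(www|office365|bdf01)\.", negate=True)],
                "https://www.{HTTP_HOST}/{R:1}")]
# Canonical-host rule first: it already targets https, so a non-www HTTP request needs one hop.
ONE_HOP = list(reversed(TWO_HOP))
# The answer above: keep the request's own host and URI, so one web.config serves every site.
MULTI_SITE = [rule("Force HTTPS", [cond("HTTPS", r"^ON$", negate=True)],
                   "https://{HTTP_HOST}{REQUEST_URI}", append_qs=False)]

if __name__ == "__main__":
    print(apply_rules(BROKEN, "http://bar.com/page"))     # https://bar.com/page (unwanted)
    print(apply_rules(FIXED, "http://bar.com/page"))      # None
    print(follow(TWO_HOP, "http://foo.com/a"))            # two hops
    print(follow(ONE_HOP, "http://foo.com/a"))            # one hop
```

One security point on the first answer's "Force NonHTTPS" rule: it actively sends bar.com clients from HTTPS back to HTTP, stripping transport security for that host. If the goal is only to avoid a certificate warning on bar.com, excluding the host from the HTTPS rule (as FIXED does) is enough and leaves HTTPS usable for anyone who asks for it.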

Protection from SQL injection in ColdFusion

I am trying to improve my application's security. Whenever I receive data from the user (whether through POST or GET) that is supposed to be an integer, I validate that appropriately. But often the data is VARCHAR, and sometimes can contain HTML.
How do I protect my DB from SQL injection in that case?
Does <cfqueryparam value="#form.textInput#" cfsqltype="cf_sql_varchar"> protect the query from sending a malicious SQL statement inside a VARCHAR value?
The short answer is yes.
cfqueryparam will stop some SQL injection attacks from occurring.
There are other attack variables that can be used, so be careful, but well written coldfusion can be very safe.
Be wary of Cross site scripting attacks if you are storing and later displaying input html, be especially careful of javascript tags.
The short answer to your question is 'yes'.
I block hacking attempts using three methods.
I use cfqueryparam in all my database queries. I will use cfparam at the top of the template/cfm files for url scope variables.
I have used Portcullis or variants of it. You can get it from http://portcullis.riaforge.org/. Portcullis will also defend against some cross site scripting attacks.
I use Windows IIS 7.5 (Windows Server 2008 R2). I use the URL Rewrite feature to block the bulk of URL based attacks. You can do similar things with Apache and the rewrite that it supports. Here are my IIS URL Rewrite rules:
<?xml version="1.0" encoding="UTF-8"?>
<appcmd>
<CONFIG CONFIG.SECTION="system.webServer/rewrite/globalRules" path="MACHINE/WEBROOT/APPHOST" overrideMode="Inherit" locked="false">
<system.webServer-rewrite-globalRules>
<rule name="SQL Injection - EXEC - SCRIPT_NAME" stopProcessing="true">
<match url="^.*EXEC\s*[\(|%28].*$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - EXEC - QS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{QUERY_STRING}" pattern="^.*EXEC\s*[\(|%28].*$" />
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - CAST - SCRIPT_NAME" stopProcessing="true">
<match url="^.*CAST\s*[\(|%28].*$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - CAST - QS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{QUERY_STRING}" pattern="^.*CAST\s*[\(|%28].*$" />
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - DECLARE - SCRIPT_NAME" stopProcessing="true">
<match url="^.*DECLARE.*$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - DECLARE - QS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{QUERY_STRING}" pattern="^.*DECLARE.*$" />
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - NVARCHAR - SCRIPT_NAME" stopProcessing="true">
<match url="^.*CHAR\s*[\(|%28].*$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - NVARCHAR - QS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{QUERY_STRING}" pattern="^.*CHAR\s*[\(|%28].*$" />
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - sp_password - SCRIPT_NAME" stopProcessing="true">
<match url="^.*sp_password.*$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - sp_password - QS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{QUERY_STRING}" pattern="^.*sp_password.*$" />
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - xp - SCRIPT_NAME" stopProcessing="true">
<match url="^.*%20xp_.*$" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="SQL Injection - xp - QS" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{QUERY_STRING}" pattern="^.*%20xp_.*$" />
</conditions>
<serverVariables>
</serverVariables>
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
</system.webServer-rewrite-globalRules>
</CONFIG>
</appcmd>
These rules are added to the C:\Windows\System32\inetsrv\config\applicationHost.config file for IIS. However, I do NOT recommend that you edit this file directly: one mistake and IIS will not load. Instead, copy and paste the rules above and save them as "iis-global-rewrite.xml". Then run the following batch file to add the rules to your IIS server:
C:\Windows\System32\inetsrv\appcmd.exe set config -in < iis-global-rewrite.xml
The IIS rewrite rules should work with IIS 7.0 (Windows Server 2008), but I have not tested them.
These rules could also be applied to a single site using the web.config file if you do not have access to the server.
Why do I use three different methods for protection? Because none of them cover all the bases. The IIS rewrite rules only protect against URL based attacks. Hackers can also use form submission attacks that do the same thing. I prefer the IIS rules as a first line of protection because it will work with all sites on the server including PHP, ASP, etc. Portcullis is a good second line of defense for ColdFusion because it will catch form based attacks and some cross site scripting attacks. The last line of defense is the cfqueryparam/cfparam code which protects against URL/form based SQL injection attacks.
If all three of these methods are used the server/site should be very secure. I would still advise reviewing server logs from time to time as attacks do evolve and improve.
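The answer above makes two claims worth seeing side by side: cfqueryparam stops the VARCHAR value from being parsed as SQL, and the IIS rules only ever inspect the URL. The following is an added example, not ColdFusion code and not from either answer, that uses Python's sqlite3 as a stand-in for cfquery to contrast a value spliced into SQL text with a bound parameter (which is what cfqueryparam does through the JDBC driver), and then runs the answer's own query-string regexes over two requests: one that they block and one quote-based value that they never match, which would also pass unseen in a POST body. The table rows and the sample input are constructed for the example.

```python
import re
import sqlite3

def setup_db():
    """In-memory table standing in for the application's database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "user"), (2, "bob", "admin")])
    return db

def find_by_name_concat(db, name):
    """The vulnerable shape: the VARCHAR value becomes part of the SQL text."""
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def find_by_name_param(db, name):
    """What cfqueryparam does: the value is bound to a placeholder and never parsed as SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

# Constructed sample input: ordinary VARCHAR data as far as the form handler is concerned.
PAYLOAD = "x' OR 'a'='a"

# The query-string patterns from the IIS rules in the answer above (ignoreCase is the IIS default).
URL_PATTERNS = [r"^.*EXEC\s*[\(|%28].*$", r"^.*CAST\s*[\(|%28].*$", r"^.*DECLARE.*$",
                r"^.*CHAR\s*[\(|%28].*$", r"^.*sp_password.*$", r"^.*%20xp_.*$"]

def url_rules_block(query_string):
    """True if the answer's URL Rewrite rules would return 403 for this query string."""
    return any(re.search(p, query_string, re.IGNORECASE) for p in URL_PATTERNS)

def demo():
    """Run both comparisons and return the results (so they can be checked, not just printed)."""
    db = setup_db()
    return {
        "concat": find_by_name_concat(db, PAYLOAD),      # every row: the quote closed the literal
        "param": find_by_name_param(db, PAYLOAD),        # no row: the whole string is the name
        "html_param": find_by_name_param(db, "<b>x</b>"),  # HTML is just data to the database
        "blocked_exec": url_rules_block("q=1; EXEC(@cmd)"),
        "blocked_payload": url_rules_block("name=" + PAYLOAD),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Storing HTML safely in the database is the easy half; the XSS risk the first answer mentions arises when that value is written back into a page, and is handled by output encoding at that point, not by the query.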