Welcome to the official phpAppWall wiki
- A bug in the installer that made installation impossible has been fixed. Anyone experiencing this issue should download version BETA 1a here.
- After 1½ years of intensive work, it's finally here: the first public release (beta 1) of phpAppWall. Grab it from the Downloads section.
phpAppWall is a "Self-Learning" PHP Application Firewall.
It's an easy-to-use security framework for PHP applications that "learns" what's normal for your site and can block unwanted or dangerous requests. It is a firewall, not an IDS, so it doesn't "block what may be dangerous"; rather, it "blocks what's not expected". This is the right way to do security, because it will catch almost all 0-day (new/unknown) exploits.
It's made to be usable on any web application, without prior knowledge of the code. If, for example, you use large projects like WordPress, Joomla, TYPO3 or PHP-Nuke, you don't have a real chance to check that the application (or its plugins) doesn't contain security flaws like SQL injection, remote file inclusion or command execution.
By including phpAppWall and teaching it what is normal, you will have eliminated 99.99999999999%* of all typical exploits.
* Disclaimer: exact number of .9's not actually calculated ;)
Why is phpAppWall different than <insert application-firewall product here>?
Because phpAppWall is PHP, it is inside the PHP code being run, right next to your underlying application (e.g. WordPress). phpAppWall "knows" and understands PHP, and thus it will not be fooled by your typical evasion techniques. A typical application firewall is a layer external to your application and often even external to your webserver. Such firewalls try to normalize data, clean it up and inspect it according to predefined rules. Basically, they take a "guess" at whether the data is evil or not. This fails more often than not, and evading a typical application firewall is usually not that hard. phpAppWall doesn't guess. It either knows or it doesn't. If the data is something it doesn't know, it doesn't get through.
phpAppWall sees the data exactly like the underlying application. It accesses the exact same memory structures and arrays as your application does. So there is really no layer of "misinterpretation" that would allow things to slip through to the underlying PHP and be parsed again, in a different (or evil) way.
How it works
An example: a typical PHP web application would have an argument called "id".
A typical security flaw would be using the id directly in an SQL statement, leading to "SQL injection". E.g.:
http://example.com/index.php?id=1 OR UNION SELECT * FROM whatever
When the application runs with phpAppWall, phpAppWall automatically learns that "id" normally contains only an integer value (a number) and thus automagically blocks anything else when running in Enforced mode.
phpAppWall will identify and classify numerous types of data, from numeric types like float, int and negative int, to email addresses, URLs, paths (both relative and absolute) and many, many more.
Another great example of this is PHPSESSID. This is the cookie set by PHP when you use sessions on your site. phpAppWall will instantly learn that this type is ALWAYS and ONLY an MD5 sum and deny anything else.
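The learn-then-enforce idea described above, as an added sketch that is not phpAppWall's own code or API: the function names (classify, learn, enforce), the type labels and the sample requests are all constructed for illustration. It also shows an array-valued parameter being rejected, since PHP hands the application an array when a parameter is sent as `id[]`.

```php
<?php
// Added illustration of learn-then-enforce; names and type labels are hypothetical.

// Map a raw request value to the narrowest type label that matches it.
function classify($v): string {
    if (!is_string($v)) return 'array';   // request values are strings or arrays
    if (preg_match('/\A[0-9a-f]{32}\z/', $v))     return 'md5';
    if (preg_match('/\A[0-9]+\z/', $v))           return 'int';
    if (preg_match('/\A-[0-9]+\z/', $v))          return 'negative_int';
    if (preg_match('/\A-?[0-9]+\.[0-9]+\z/', $v)) return 'float';
    return 'unclassified';
}

// Learning mode: record which types each parameter has been seen with.
function learn(array &$profile, array $params): void {
    foreach ($params as $name => $value) {
        $profile[$name][classify($value)] = true;
    }
}

// Enforced mode: return the reasons to block; an empty array means allow.
function enforce(array $profile, array $params): array {
    $violations = [];
    foreach ($params as $name => $value) {
        $type = classify($value);
        if (!isset($profile[$name])) {
            $violations[] = "$name: parameter never seen while learning";
        } elseif (!isset($profile[$name][$type])) {
            $violations[] = "$name: got $type, learned " . implode('|', array_keys($profile[$name]));
        }
    }
    return $violations;
}

// Constructed sample traffic standing in for $_GET and $_COOKIE.
$profile = [];
learn($profile, ['id' => '1',  'PHPSESSID' => md5('constructed-session-a')]);
learn($profile, ['id' => '42', 'PHPSESSID' => md5('constructed-session-b')]);
$requests = [
    ['id' => '7', 'PHPSESSID' => md5('constructed-session-c')],
    ['id' => '1 OR UNION SELECT * FROM whatever'],   // the page's example value
    ['id' => ['1']],                                 // sent as id[]=1
    ['id' => '7', 'PHPSESSID' => 'not-an-md5-value', 'debug' => '1'],
];
foreach ($requests as $req) {
    $why = enforce($profile, $req);
    echo json_encode($req), ' => ', $why ? 'BLOCK (' . implode('; ', $why) . ')' : 'ALLOW', "\n";
}
```

Only the first request is allowed; the others are blocked because the value's type, or the parameter itself, was never observed during learning.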