Weblog

The biggest change in this release is the way the PreventCSRF, PreventSQLi and PreventXSS options work. In previous release, those options could only be turned on of off. The idea of those features was to only turn them on when a web application was vulnerable for such attack or there was a serious suspicion it was. However, many people turned them on, even when the web application was very secure. This led to issues, specially with the PreventSQLi option, because requests that would lead to an SQL injection on a vulnerable application were blocked. But since the application was not vulnerable for SQL injection, the block was unjust.

To make those options more useful, you can now make Hiawatha run them in detect-mode. Hiawatha will look for attacks, report them (via logfiles and the Monitor), but won't block any request. You can use this to learn what kind of attacks take place at your website, the amount of attacks and, most important, how many of those attacks are actual attacks or only match the pattern of an attack.

The Let's Encrypt script and the support for it has also been improved. The script itself now supports revocation of a certificate. Hiawatha will now also ignore the RequireTLS setting for requests to /.well-know/acme-challenge/, because the Let's Encrypt CA server will request a verification file from that directory during certificate request or renewal via HTTP. A redirect to HTTPS will disrupt that process.

Heiko
5 June 2016, 11:11
Successfully installed on OpenBSD current, Raspbian and Debian.
Raspbian Package updated.
Thank you Hugo.
ZEROF
5 June 2016, 12:21
Updated without problem and good to see pattern updated as wel.

Thanks Hugo.
Fred
6 June 2016, 00:13
Hi Hugo,

Using
PreventCSRF = detect 
I will learn what kind of attacks take place at my website..
But what do we do with the info?
How do we then block specific attacks ?
Am I rigth to assume that setting
PreventCSRF = block
will be the same outcome of
PreventCSRF = on
in previous version of hiawatha ?
ng0
6 June 2016, 01:54
Thanks!
I just pushed a version bump to Gentoo portage. Successfully built and running on a hardened-gentoo musl system.
Hugo Leisink
6 June 2016, 21:31
@Fred: Yes, the older 'on' parameter will now be seen as 'block'.
Fred
7 June 2016, 00:03
Hugo, I'm reallys orry but I don't get it..
Why would you run PreventCSRF in detect mode?
Once you have the data and know what attacks take place on the server, how do you then stop these specific attack? do the prevent mode provide any security at all?
Any chance you could provide more info on this please?

Sorry if I am not understanding something really basic

Fred
Chris Wadge
8 June 2016, 02:25
Looks like the nested XSLT bug introduced in 10.x is still present, but otherwise seems to be yet another solid release. Thanks, Hugo.
Hugo Leisink
8 June 2016, 07:56
@Fred: You can use the information collected via the prevent mode to fix your application. Or, if that's not possible, run the prevention in block mode, accepting that some well-intended requests will be blocked.
Fred
8 June 2016, 10:18
Got IT
Thank you for your patience
Hugo Leisink
8 June 2016, 10:28
No problem, you're welcome.
David Oliver
10 June 2016, 00:02
Thanks, Hugo. And Chris. Smooth upgrades on all machines.
Marco Bignami
22 June 2016, 18:28
Hi, don't know if this may be useful to any other user but I started a COPR repository for Hiawatha for Fedora 23, Fedora 24 and EL7 packages.
It resides on COPR server in mbignami/hiawatha project (sorry cannot post direct link as it's seen as spam).
Hugo Leisink
22 June 2016, 20:55
Thanks! I've replaced the Fedora repository I had at the download page with yours. The other one contained an outdated version.