Post on 13-Apr-2017
Rahul Choudhary @r3dinf0
What is a Web Application Firewall (WAF)???
• Protects a web application by adding a security layer
• Sits between a user and a web server
• Understands HTTP traffic better than traditional firewalls
• Checks for malicious traffic and blocks it
[Diagram: a user requests the web application (e.g. proxyserver.com); the WAF (e.g. ModSecurity) sits in front of the web application servers, identifies malicious requests and blocks them before they reach the servers.]
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control
What ModSecurity Can do ???
• Real-time application security monitoring and access control
• Virtual patching
• Full HTTP traffic logging
• Continuous passive security assessment
• Web application hardening
• HTTP Protection - detecting violations of the HTTP protocol and of a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd party IP reputation data.
• HTTP Denial of Service Protections - defense against HTTP flooding and slow HTTP DoS attacks.
• Common Web Attacks Protection - detecting common web application security attacks.
• Automation Detection - detecting bots, crawlers, scanners and other surface malicious activity.
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
• Trojan Protection - detecting access to Trojan horses.
• Identification of Application Defects - alerts on application misconfigurations.
• Error Detection and Hiding - disguising error messages sent by the server.
ModSecurity Processing Phases ..
• Phase 1: Request headers
• Phase 2: Request body
• Phase 3: Response headers
• Phase 4: Response body
• Phase 5: Logging / action
ModSecurity's Rules Language Syntax
SecRule TARGETS OPERATOR [ACTIONS]
• TARGETS: tells ModSecurity where to look (such as ARGS, ARGS_NAMES or COOKIES).
• OPERATOR: tells ModSecurity how to process the data.
• ACTIONS: tells ModSecurity what to do if a rule matches (such as deny, exec or setvar).
SecRule ARGS "(?i)(<script[^>]*>[\s\S]*?<\/script[^>]*>|<script[^>]*>[\s\S]*?<\/script[[\s\S]]*[\s\S]|<script[^>]*>[\s\S]*?<\/script[\s]*[\s]|<script[^>]*>[\s\S]*?<\/script|<script[^>]*>[\s\S]*?)" "id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag Vector',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
ModSecurity Transformations ..
• SQLi
• URL Encode / Decode
• Hex Encode / Decode
• JavaScript Decode
• HTML Entity Decode
• Uppercase / Lowercase
• MD5 / SHA1
• Normalize Paths
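The rule syntax and the transformation list above are easier to follow with a few small rules side by side. The rules below are an added example written for this page; they are not from the slides and not from the OWASP CRS. The rule ids (1000001 onward) are assumed to be free in your configuration, and the keyword and scanner lists are constructed for illustration.

```apache
# Added example: three detection rules plus one bookkeeping rule, each
# showing TARGETS, OPERATOR and ACTIONS, and a transformation chain that
# is applied to the target before the operator runs (t:none first clears
# any defaults inherited from SecDefaultAction).

# TARGETS: every request parameter and every request cookie.
# OPERATOR: @rx, a regular expression.
# ACTIONS: run in phase 2 (POST body available), block with 403, log.
# Decoding first means %3Cscript, &lt;script and \u003cscript all become
# a literal <script before the regex sees them.
SecRule ARGS|REQUEST_COOKIES "@rx (?i)<script[^>]*>" \
    "id:1000001,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,\
    msg:'Script tag found in request parameter or cookie',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    severity:'CRITICAL',tag:'local/xss'"

# t:lowercase normalises case, so the pattern itself can stay lowercase
# and UnIoN SeLeCt still matches.
SecRule ARGS "@rx \bunion\b.{0,40}\bselect\b" \
    "id:1000002,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'UNION SELECT found in request parameter',\
    severity:'CRITICAL',tag:'local/sqli'"

# File inclusion: t:normalisePath collapses /./, // and inner /../ so
# /etc/./passwd, /etc//passwd and /var/../etc/passwd all end the same way.
# @endsWith is a plain string operator; no regex is needed here.
SecRule ARGS "@endsWith /etc/passwd" \
    "id:1000003,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:normalisePath,\
    msg:'Sensitive file path in request parameter',\
    severity:'CRITICAL',tag:'local/lfi'"

# Actions need not block: pass lets the request continue while setvar
# records a flag in the transaction (TX) collection for later rules.
# @pm matches any phrase in the list and is case-insensitive.
# The scanner names are a constructed illustration, not a maintained list.
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap nikto nessus" \
    "id:1000004,phase:1,pass,log,t:none,\
    setvar:tx.scanner_ua=1,\
    msg:'Scanner User-Agent observed',severity:'WARNING'"
```

Apache only accepts comments on their own lines, never after a directive, and the trailing backslash continues a quoted action list onto the next line; both conventions are the same ones the CRS rule on the previous slide relies on. Test each new rule with SecRuleEngine DetectionOnly before switching to On, so a false positive is visible in the logs before it blocks real users.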
Ok I understand .. But how can I deploy it ???
ModSecurity supports two deployment options:
• Embedded: ModSecurity is an Apache module, so you can add it to any compatible version of Apache. The embedded option is a great choice for those who already have their architecture laid out and don't want to change it.
• Reverse proxy deployment: when you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a network web application firewall, which you can use to protect any number of web servers on the same network. Many security practitioners prefer having a separate security layer. With it you get complete isolation from the systems you are protecting.
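The reverse proxy option described above, as an added example configuration (not from the slides and not from the ModSecurity or CRS projects): one Apache virtual host proxies to a single backend and ModSecurity inspects everything passing through it. Assumptions: Apache 2.4 with mod_proxy, mod_proxy_http and mod_security2 already enabled by the package manager; the OWASP CRS 2.2.x tree unpacked under /etc/modsecurity/crs (paths differ between distributions); 1.2.3.4 is the backend placeholder address used later in the slides.

```apache
# Added example: ModSecurity engine settings plus a reverse-proxy vhost.
# The backend 1.2.3.4 is never exposed directly; only the proxy is.

<IfModule security2_module>
    # On = block on match; DetectionOnly = run every rule but only log.
    # Start with DetectionOnly and review the audit log before turning it On.
    SecRuleEngine On

    # Phase 2 rules can only inspect POST bodies if body access is enabled.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Phase 4 rules (error hiding, data leakage) need the response body;
    # limit it to text types so large downloads are not buffered.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288

    # Audit log: a full transaction record for requests that matched a rule
    # or produced a 5xx / 4xx (except 404) response.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Parts: A boundary, B request headers, C request body,
    # F response headers, H audit trailer (rule matches), Z end marker.
    SecAuditLogParts ABCFHZ

    SecTmpDir /tmp
    SecDataDir /tmp

    # CRS: the setup file first (mode, scores), then the base rules.
    Include /etc/modsecurity/crs/modsecurity_crs_10_setup.conf
    Include /etc/modsecurity/crs/base_rules/*.conf
</IfModule>

<VirtualHost *:80>
    ServerName proxyserver.com

    # Reverse proxy only: never become an open forward proxy.
    ProxyRequests Off
    # Pass the client's Host header through so the backend vhost matches.
    ProxyPreserveHost On
    ProxyPass        / http://1.2.3.4/
    ProxyPassReverse / http://1.2.3.4/

    ErrorLog  /var/log/apache2/proxy_error.log
    CustomLog /var/log/apache2/proxy_access.log combined
</VirtualHost>
```

With this layout the backend's own firewall or security group should accept HTTP only from the proxy's address; otherwise the WAF can simply be bypassed by connecting to 1.2.3.4 directly, which is the main operational pitfall of the reverse proxy model.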
Core Rule Set (CRS) ..???
The OWASP community has developed and maintains a set of rules called the OWASP CRS. The CRS provides generic protection from unknown vulnerabilities often found in web applications.
Core Rules …
• HTTP protocol protection: RFCs, defined policy
• Common web attack protections: XSS, SQLi, CSRF, HTTP Response Splitting
• Automation detection: bots, web crawlers, web scanners
• Trojan protection
• Server error hiding / DLP: mask errors sent by the server; data loss prevention
Core Rule Set (CRS) run modes ..???
The CRS can run in two modes: traditional and anomaly scoring.
• Traditional mode: the first rule that matches blocks the request.
• Anomaly scoring mode: the rules increment counters that "enumerate badness", and if the accumulated score exceeds a threshold the request is blocked.
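The two run modes come down to what SecDefaultAction hands to the rules and whether a separate rule makes the blocking decision. The fragment below is an added example written for this page, not the CRS's own rule files: the same three detections are wired up once in traditional mode and once in anomaly-scoring mode. Use one variant or the other, never both in one configuration. The rule ids 1000101 to 1000299 and the threshold of 5 are assumed; the weights 5/4/3/2 for CRITICAL/ERROR/WARNING/NOTICE follow the CRS convention.

```apache
# ===== Variant A: traditional mode =====
# SecDefaultAction supplies every action a rule does not state itself, so
# each rule below blocks on its own as soon as it matches, and no later rule
# is evaluated for that request.
SecDefaultAction "phase:2,deny,status:403,log,auditlog"

SecRule ARGS "@rx (?i)<script" \
    "id:1000101,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'XSS: script tag in parameter'"

SecRule ARGS "@rx \bunion\b.{0,40}\bselect\b" \
    "id:1000102,t:none,t:urlDecodeUni,t:lowercase,\
    msg:'SQLi: UNION SELECT in parameter'"

# & in front of a variable counts its instances: 0 means no User-Agent.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:1000103,phase:1,msg:'Request without User-Agent header'"

# ===== Variant B: anomaly-scoring mode =====
# Rules now pass and only add to tx.anomaly_score; every rule gets to run,
# and a single rule at the end of phase 2 compares the total with the
# threshold and blocks.
SecDefaultAction "phase:2,pass,log,auditlog"

# Initialise the score and the threshold once per transaction.
SecAction "id:1000200,phase:1,pass,nolog,t:none,\
    setvar:tx.anomaly_score=0,\
    setvar:tx.inbound_anomaly_score_threshold=5"

SecRule ARGS "@rx (?i)<script" \
    "id:1000201,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'XSS: script tag in parameter',severity:'CRITICAL',\
    setvar:tx.anomaly_score=+5"

SecRule ARGS "@rx \bunion\b.{0,40}\bselect\b" \
    "id:1000202,t:none,t:urlDecodeUni,t:lowercase,\
    msg:'SQLi: UNION SELECT in parameter',severity:'CRITICAL',\
    setvar:tx.anomaly_score=+5"

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:1000203,phase:1,msg:'Request without User-Agent header',\
    severity:'NOTICE',setvar:tx.anomaly_score=+2"

# Decision rule. A missing User-Agent alone scores 2: logged, but served.
# Any CRITICAL hit (5), or the missing header plus further low-level hits,
# reaches the threshold and is blocked.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:1000299,phase:2,deny,status:403,log,\
    msg:'Inbound anomaly score %{tx.anomaly_score} reached the threshold'"
```

The practical difference shows up in the audit log: in traditional mode a blocked request records only the first rule that fired, while in anomaly mode the H section lists every contributing rule and the final score, which makes tuning a noisy rule (lower its weight rather than delete it) far easier.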
Enough …. Give me a scenario !!
[Diagram: x.y.z.a - ModSecurity configured with Apache serving as reverse proxy; 1.2.3.4 - DVWA deployed on the web server]
--- AWS Environment for Testing purpose ---
[Screenshots, in slide order:
• Apache configured as reverse proxy
• Accessing the vulnerable DVWA host on the cloud
• DVWA SQL test, ModSecurity OFF
• DVWA SQL test, ModSecurity ON
• DVWA XSS test, ModSecurity ON
• DVWA file inclusion test, ModSecurity OFF
• ModSecurity audit log during the attack, ModSecurity ON
• ModSecurity attack logs]
Sample commands to Track & Block...
Track IP addresses: curl ipinfo.io/49.44.51.20 | cut -d " " -f3,4
Watch the ModSecurity audit log (refreshed every 10 seconds): while true; do cat modsec_audit.log | grep -e HTTP/1.1 -e 000; sleep 10; clear; done
  or: tail -f modsec_audit.log
Block an IP: iptables -A INPUT -s xx.xx.xx.xx -j DROP
How to install ???
Refer : https://modsecurity.org/download.html
Play online with MODSECURITY !!!
Relevant Talks …
• https://www.youtube.com/watch?v=HkA_YRSb3jU [Defcon]
• https://www.youtube.com/watch?v=208bFToRJqo&nohtml5=False [BlackHat]
• https://www.youtube.com/watch?v=pKGdIxArlKU&nohtml5=False
Must attend !! …