Post on 12-Feb-2016
Deploying WAF
Hands-On Training Based on Apache / Reverse Proxy and Mod Security / OWASP-CRS
Adzmely Mansor
adzmely@gmail.com
Facts in a Nutshell
Published in March 2012 by security vendor Cenzic, the most common web application vulnerabilities:
XSS - 37%
SQL Injection - 16%
Path Disclosure - 5%
Denial of Service - 5%
Code Execution - 4%
Memory Corruption - 4%
Cross Site Request Forgery (CSRF) - 4%
Information Disclosure - 3%
Arbitrary File - 3%
Local File Inclusion - 2%
Remote File Inclusion - 1%
Overflow - 1%
Other - 15%
Facts in a Nutshell
Some web applications are coded/deployed badly, with exploitable vulnerabilities their owners are unaware of:
SQL Injections
Cross Site Scripting - XSS
LFI / %00 null-byte exploit
via file upload, WYSIWYG editor, etc.
Facts in a Nutshell
Developers should look at their code:
code review
defensive programming - write better code
schedule for security assessment before deployment
etc
Facts in a Nutshell
NULL / VOID / Nobody
Nobody is doing it
(most of the time)
Facts in a Nutshell
Even if every single deployed web app had pre-deployment code review, security assessment, etc.
there might still be slips / unnoticed exploitable mistakes
present
future - new modules / enhancements
Facts in a Nutshell
[Diagram: Web Client, Firewall, Web Server, Application, Application, Database Server; port 80 HTTP traffic]
Facts in a Nutshell
WAF to the Rescue
an important additional preventive layer for every HTTP/HTTPS network
Blind Spot
HTTP Traffic Logging
web servers are well equipped to log traffic
but most are not able to log request bodies
making attacks via POST requests undetectable
Possible to log POST data in Apache using the dumpio module
big log files / consume space
images/binary files are logged/stored too
not practical in the long run
in practice hardly anyone has heard of the module or knows about it
it is intended as a debugging tool for developers
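Two ways to close the request-body blind spot, shown here as an added configuration example (not taken from the slides). Option A is mod_dumpio as the slides describe it: every byte of every request, uploads included, goes to the error log, which is why it does not scale. Option B is the ModSecurity audit log, which records the POST body only for transactions that matched a rule or ended in an error status, so suspicious bodies are kept without logging all traffic. The log paths and size limits are assumptions; the directives exist in Apache 2.4 and ModSecurity 2.x.

```apache
# --- Option A: mod_dumpio (debugging aid; everything is logged) ---
# Assumes Apache 2.4. In 2.2 use "DumpIOLogLevel debug" together with "LogLevel debug".
LoadModule dumpio_module modules/mod_dumpio.so
<IfModule dumpio_module>
    DumpIOInput  On
    DumpIOOutput Off
    # Request bodies land in the error log, binary uploads included
    LogLevel dumpio:trace7
</IfModule>

# --- Option B: ModSecurity audit log, relevant transactions only ---
<IfModule security2_module>
    # Buffer request bodies so rules and the audit log can see POST data
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200          # 12.5 MiB incl. file uploads (assumed limit)
    SecRequestBodyNoFilesLimit 131072     # 128 KiB for non-file fields (assumed limit)

    # Log only transactions that matched a rule or returned 4xx/5xx (except 404)
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

    # A = audit header, B = request headers, C = request body,
    # F = response headers, H = audit trailer, Z = end marker.
    # Add E to also keep response bodies of flagged transactions.
    SecAuditLogParts ABCFHZ

    # Serial = one file for everything; Concurrent = one file per transaction
    # (Concurrent is what mlogc needs when shipping to WAF-FLE)
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log   # assumed path
</IfModule>
```

With Option B a POST-based SQL injection attempt that trips a CRS rule appears in the audit log with its full body (part C), while an image upload that matches nothing is never written to disk.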
Core Components of a WAF
Open Source Approach via Apache/ModSecurity
Apache 2.x
One of the most used open source products
Available on many platforms
Free, fast, stable and reliable
Expertise widely available
mod_proxy - used as the reverse proxy module, the WAF building block, with integrated load balancing
Mod Security
Add WAF functionality to Apache
Free, open source, commercially supported
Implement most WAF features
Popular and very widely used
Fast, reliable and predictable
Intrusion Detection / Prevention for Web Applications
Operates as an Apache module
Open Source and GPL
increases web application security by protecting against known and unknown attacks (0-day exploits)
Mod Security : use case
legacy applications that can't be modified / are encoded (ionCube / Zend Encoder / byte code / etc.)
temporary protection for newly discovered vulnerabilities
0-day exploits - unnoticed/unknown
etc
OWASP CRS
in order for ModSecurity to become useful:
must be configured with rules
rules for various different type of attacks
SQL Injection / XSS / LFI / RMI / etc
The OWASP community has developed and maintains a set of rules called the OWASP CRS
The CRS provides generic protection from unknown vulnerabilities often found in web applications
Type of Deployments
Network-level device
Reverse Proxy
Embedded in web server
Reverse-Proxy
a potential bottleneck
SPOF (single point of failure)
some minor changes to network/DNS/etc
SSL/443 - termination required
Embedded in web server
Easy to add
Not a point of failure
uses the same web server resources
Reverse Proxy Deployment
Reverse Proxy
Building Block
Main entrance to all backend servers
all HTTP requests forced to go through the proxy
centralization - eases management
access control / logging / monitoring
possibility of combining multiple backend web servers into one
hide the internals
performance by providing transparent caching
CSS/JS/images/etc. - static content can easily be cached
response compression
SSL termination
HTTPS/Encrypted session between client/browser and reverse proxy
HTTP/Un-encrypted session between reverse proxy and backend servers
Scalability / High Availability
Load Balance - multiple reverse proxies
Active - Passive cluster providing HA
Building blocks compressed into a single solution
Centralize Cluster
Integration
Performance
High Scalability / Availability
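The building blocks above (SSL termination, transparent caching, response compression, hiding the backend) combined in one virtual host, as an added example that is not part of the original slides. It assumes Apache 2.4 on the proxy, the www.acme.com / 192.168.1.111 names from the slides, and placeholder certificate and cache paths.

```apache
# Added example: SSL-terminating reverse proxy with caching and compression.
LoadModule ssl_module          modules/mod_ssl.so
LoadModule headers_module      modules/mod_headers.so
LoadModule deflate_module      modules/mod_deflate.so
LoadModule cache_module        modules/mod_cache.so
LoadModule cache_disk_module   modules/mod_cache_disk.so   # mod_disk_cache in Apache 2.2

<VirtualHost *:443>
    ServerName www.acme.com

    # HTTPS / encrypted session between browser and reverse proxy ...
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.acme.com.crt     # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/www.acme.com.key   # placeholder path
    SSLProtocol all -SSLv2 -SSLv3

    # ... HTTP / unencrypted session between reverse proxy and backend
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.111/
    ProxyPassReverse / http://192.168.1.111/

    # The backend only sees the proxy's address and plain HTTP. mod_proxy adds
    # X-Forwarded-For on its own; the scheme and port must be added by hand so
    # backend logs and generated redirect URLs stay correct.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Transparent caching of static content only
    <IfModule mod_cache.c>
        CacheEnable disk /images
        CacheEnable disk /css
        CacheEnable disk /js
        CacheRoot /var/cache/httpd/proxy         # placeholder path
        CacheDefaultExpire 3600
        CacheIgnoreNoLastMod On
    </IfModule>

    # Response compression for text types; images are already compressed and are skipped
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript application/json

    ErrorLog  logs/modsecurity/www.acme.com-ssl-error_log
    CustomLog logs/modsecurity/www.acme.com-ssl-access_log combined
</VirtualHost>
```

Because TLS ends at the proxy, ModSecurity running on this host inspects the decrypted request and response, which is the point of terminating SSL here rather than on the backend.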
Reverse Proxy Model
[Diagram: Web Client -> ModSecurity reverse proxy -> backend web servers Apache, Nginx, IIS; sites www.acme.com, email.acme.com, dev.acme.com]
Reverse Proxy Model
[Diagram: Web Client -> ModSecurity reverse proxy -> three Apache backends at 192.168.1.111, 192.168.1.112, 192.168.1.113, load-balanced as www.acme.com]
Reverse Proxy Model
[Diagram: Web Client -> ModSecurity reverse proxy -> three Apache backends; integration mapping for www.acme.com:]
/images => http://192.168.1.111/images
/exam => http://192.168.1.112/exam
/tutorial => http://192.168.1.113
Lab Session Installations
ModSecurity Installation
# Download and extract #
wget http://www.modsecurity.org/download/modsecurity-apache_2.7.4.tar.gz
tar xzf modsecurity-apache_2.7.4.tar.gz
# Installation #
cd modsecurity-apache_2.7.4
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
ModSecurity Configuration
# Modify Apache configuration in order to load mod security module #
vi /etc/httpd/conf/httpd.conf
# search for the line LoadModule in apache configuration file and add # following:
LoadModule security2_module modules/mod_security2.so
# ModSecurity requires mod_unique_id; make sure the following line is uncommented
LoadModule unique_id_module modules/mod_unique_id.so
OWASP CRS Installation
# Download OWASP-CRS and install #
cd /etc/httpd/
wget --output-document=owasp-crs.tgz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
tar xzf owasp-crs.tgz
mv SpiderLabs-owasp-modsecurity-crs-0f07cbb /etc/httpd/modsecurity-crs
cd /etc/httpd/modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
# Load base rules in /etc/httpd/conf/httpd.conf #
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
# restart your httpd service
service httpd restart
Installation Test
Open your browser
point to your WAF-VM IP address as your URL
you should get the default CentOS welcome page
try to put some SQL injection in the URI of the welcome page
/?id=1 and 1=2 union select 1,2--%20
OWASP-CRS
/etc/httpd/conf.d/modsecurity.conf
default rule engine mode: DetectionOnly (rules match and are logged, nothing is blocked)
SecRuleEngine On|Off|DetectionOnly
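A staged move from DetectionOnly to blocking, as an added example (not the slides' own configuration). The server-wide default in modsecurity.conf stays DetectionOnly, so new sites only log; one virtual host that has been watched long enough is switched to On, and the two common ways of handling a CRS false positive are shown. The rule ids 123456 and 123457 are placeholders, not real CRS ids; the hostnames come from the slides. SecRuleUpdateTargetById needs ModSecurity 2.6 or later.

```apache
# /etc/httpd/conf.d/modsecurity.conf: keep the recommended default.
# Rules run and write to the error/audit log, nothing is denied.
SecRuleEngine DetectionOnly

# /etc/httpd/conf.d/modsecVHosts/www.acme.com.conf: enforce for this site only.
<VirtualHost *:80>
    ServerName www.acme.com
    ErrorLog  logs/modsecurity/www.acme.com-error_log
    CustomLog logs/modsecurity/www.acme.com-access_log common
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.111/
    ProxyPassReverse / http://192.168.1.111/

    <IfModule security2_module>
        # Per-vhost override of the global DetectionOnly
        SecRuleEngine On

        # Coarse: drop a CRS rule that keeps firing on legitimate input for this app.
        # 123456 is a placeholder; take the real id from the log line ([id "..."])
        # before removing anything.
        SecRuleRemoveById 123456

        # Fine-grained: keep the rule but stop inspecting one known-safe form field.
        # 123457 is also a placeholder id.
        SecRuleUpdateTargetById 123457 !ARGS:comment
    </IfModule>
</VirtualHost>
```

Repeating the installation test against www.acme.com should now return a 403 for the injected URI, while the same request to a host still covered by the global DetectionOnly setting is answered normally and only shows up in the logs.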
Deploying Reverse Proxy WAF
Apache Proxy Module
mod_proxy.so
main module providing proxy and reverse proxy features
mod_proxy_balancer.so
load balancing module for proxy / reverse proxy
mod_proxy_http.so
module providing HTTP/HTTPS proxy requests
make sure all three modules are loaded in httpd.conf
Reverse Proxy by Name
VirtualHost Reverse Proxy
when you have multiple backend domains/URLs
name to single backend reverse proxy
name to multiple load-balanced backends reverse proxy
VirtualHost Reverse Proxy
organize virtual hosts in one configuration folder
# Create mod security virtual host configuration folder #
mkdir /etc/httpd/conf.d/modsecVHosts
# Master configuration file to load all virtual host configuration #
# in newly created folder : /etc/httpd/conf.d/modsecVHosts.conf #
vi /etc/httpd/conf.d/modsecVHosts.conf
# edit and add as follows #
Include conf.d/modsecVHosts/*.conf
VirtualHost Reverse Proxy
sample VirtualHost by name reverse proxy configuration
# Create mod security virtual host configuration #
<VirtualHost *:80>
    ServerName backend.com
    ErrorLog logs/modsecurity/backend.com-error_log
    CustomLog logs/modsecurity/backend.com-access_log common
    ProxyRequests off
    ProxyPass / http://backend.com/
    ProxyPassReverse / http://backend.com/
    ProxyPreserveHost On
    #ProxyPassReverseCookieDomain
</VirtualHost>
VirtualHost Reverse Proxy
sample VirtualHost load balance reverse proxy configuration
# Create mod security virtual host configuration #
<Proxy balancer://backend1Cluster>
    BalancerMember http://192.168.1.111:80
    BalancerMember http://192.168.1.112:80
    BalancerMember http://192.168.1.113:80
</Proxy>
<VirtualHost *:80>
    ServerName backend.com
    ErrorLog logs/modsecurity/backend.com-error_log
    #CustomLog logs/modsecurity/backend.com-access_log common
    ProxyRequests off
    ProxyPass / balancer://backend1Cluster
    ProxyPassReverse / balancer://backend1Cluster
    ProxyPreserveHost On
    #ProxyPassReverseCookieDomain
</VirtualHost>
Central Logging with WAF-FLE and mlogc
ModSec Logging
http://www.waf-fle.org
PHP/MySQL web based application
current latest version 0.6.0 final(ly)
# Download and extract waf-fle #
cd ~
wget http://www.waf-fle.org/wp-content/uploads/2013/04/waf-fle_0.6.0.tar.gz
tar zxf waf-fle_0.6.0.tar.gz
mv waf-fle /var/www/
# Install waf-fle requirements #
yum install php
yum install php-mysql
yum install mysql-server mysql-devel
yum install php-pecl-geoip
yum install php-pecl-apc
# Install MaxMind GeoIP #
mkdir /usr/share/GeoIP/
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
gunzip *.gz
mv GeoLiteCity.dat GeoIPCity.dat
cp GeoIPASNum.dat GeoIPISP.dat
# WAF-FLE configuration and virtual host setup #
cp extra/waf-fle.conf /etc/httpd/conf.d
vi /etc/httpd/conf.d/waf-fle.conf
# edit according to your WAF-FLE installation under a dedicated virtualhost
# DB Setup #
mysqladmin create waffle
mysql -p
mysql> CREATE USER 'waffle'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES ON `waffle`.* TO 'waffle'@'localhost';
# load the WAF-FLE schema into the waffle database (run from the waf-fle directory)
mysql -p waffle < extra/waffle.mysql
ModSec Logging
http://yourWAFFLEname/waf-fle
login/pass - admin/admin
you need to change the admin password and then just follow the page instructions
Open Proxy HoneyPot
Set up a public Apache open proxy
install ModSecurity with:
SecRuleEngine DetectionOnly
conduct real-time traffic analysis on the HTTP traffic
study internal user behavior
Content Injection with Mod Security