Introduction to Mod security session April 2016
Transcript of Introduction to Mod security session April 2016
![Page 1: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/1.jpg)
Rahul Choudhary @r3dinf0
![Page 2: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/2.jpg)
What is Web Application Firewall (WAF)???
• Protects a web application by adding a security layer
• Sits between a user and a web server
• Understands HTTP traffic better than traditional firewalls
• Checks for malicious traffic and blocks it
Diagram: the user requests the web application (e.g. proxyserver.com); the WAF (e.g. ModSecurity) identifies and blocks malicious requests before they reach the web application servers.
![Page 3: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/3.jpg)
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control
![Page 4: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/4.jpg)
What ModSecurity Can do ???
• Real-time application security monitoring and access control
• Virtual patching
• Full HTTP traffic logging
• Continuous passive security assessment
• Web application hardening
![Page 5: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/5.jpg)
What ModSecurity Can do ???
• HTTP Protection - detecting violations of the HTTP protocol and of a locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd-party IP reputation data.
• HTTP Denial of Service Protections - defense against HTTP flooding and slow HTTP DoS attacks.
• Common Web Attacks Protection - detecting common web application security attacks.
• Automation Detection - detecting bots, crawlers, scanners and other surface-level malicious activity.
![Page 6: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/6.jpg)
What ModSecurity Can do ???
• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
• Trojan Protection - detecting access to Trojan horses.
• Identification of Application Defects - alerts on application misconfigurations.
• Error Detection and Hiding - Disguising error messages sent by the server.
![Page 7: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/7.jpg)
ModSecurity Processing Phases ..
• Request Headers (phase 1)
• Request Body (phase 2)
• Response Headers (phase 3)
• Response Body (phase 4)
• Logging / Action (phase 5)
![Page 8: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/8.jpg)
ModSecurity's Rules Language Syntax
SecRule TARGETS OPERATOR [ACTIONS]
• TARGETS: tells ModSecurity where to look (such as ARGS, ARGS_NAMES or COOKIES).
• OPERATOR: tells ModSecurity how to process the data.
• ACTIONS: tells ModSecurity what to do if a rule matches (such as deny, exec or setvar).
Example rule (OWASP CRS 2.2.9, id 973336, XSS script tag filter):
SecRule ARGS "(?i)(<script[^>]*>[\s\S]*?<\/script[^>]*>|<script[^>]*>[\s\S]*?<\/script[[\s\S]]*[\s\S]|<script[^>]*>[\s\S]*?<\/script[\s]*[\s]|<script[^>]*>[\s\S]*?<\/script|<script[^>]*>[\s\S]*?)" "id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag Vector',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
![Page 9: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/9.jpg)
ModSecurity Transformations ..
• SQLi
• URL Encode / Decode
• Hex Encode / Decode
• JavaScript Decode
• HTML Entity Decode
• Uppercase / Lowercase
• MD5 / SHA1
• Normalize Paths
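The example rule on the previous slide chains four transformations (t:urlDecodeUni, t:htmlEntityDecode, t:jsDecode, t:cssDecode) before its regex runs. The added Python example below, which is not part of the original slides, shows why that chain matters: the slide's own rule 973336 regex is run once against raw argument values and once against the transformed values, on constructed samples encoded one layer at a time. The transformation functions are simplified re-implementations of the ModSecurity transformations (hex and unicode escapes only), not ModSecurity's code.

```python
import html
import re

# Regex from OWASP CRS 2.2.9 rule 973336 as shown on the slide. The only change
# is escaping the "[" inside the "[[\s\S]]" class as "\[" so Python's re module
# accepts it without a nested-set warning; the matching behaviour is the same.
SCRIPT_TAG_RE = re.compile(
    r"(?i)(<script[^>]*>[\s\S]*?<\/script[^>]*>"
    r"|<script[^>]*>[\s\S]*?<\/script[\[\s\S]]*[\s\S]"
    r"|<script[^>]*>[\s\S]*?<\/script[\s]*[\s]"
    r"|<script[^>]*>[\s\S]*?<\/script"
    r"|<script[^>]*>[\s\S]*?)"
)


def url_decode_uni(value):
    """t:urlDecodeUni (simplified): %uXXXX and %XX escapes, '+' -> space."""
    value = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    value = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return value.replace("+", " ")


def html_entity_decode(value):
    """t:htmlEntityDecode: &lt; &#60; &#x3c; and friends -> characters."""
    return html.unescape(value)


def js_decode(value):
    """t:jsDecode (simplified): JavaScript \\xHH and \\uHHHH escapes only."""
    value = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), value)
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def css_decode(value):
    """t:cssDecode (simplified): CSS \\H{1,6} hex escapes with an optional trailing space."""
    return re.sub(r"\\([0-9A-Fa-f]{1,6}) ?", lambda m: chr(int(m.group(1), 16)), value)


# The rule's t: chain, applied in the order listed (t:none only clears defaults).
TRANSFORMATIONS = [url_decode_uni, html_entity_decode, js_decode, css_decode]


def normalize(value):
    """Run the whole transformation chain and return what the operator would see."""
    for transform in TRANSFORMATIONS:
        value = transform(value)
    return value


def rule_973336_matches(value):
    """True when the transformed value hits the slide's script-tag regex."""
    return SCRIPT_TAG_RE.search(normalize(value)) is not None


# Constructed sample argument values: one per encoding layer plus two benign ones.
SAMPLES = {
    "plain":          "<script>alert(1)</script>",
    "url-encoded":    "%3Cscript%3Ealert(1)%3C/script%3E",
    "double-encoded": "%26lt%3Bscript%26gt%3Balert(1)",   # URL-encoded HTML entities
    "js-escaped":     "\\x3cscript\\x3ealert(1)",
    "css-escaped":    "\\3cscript\\3e alert(1)",
    "benign-text":    "hello world",
    "benign-word":    "javascript:void(0)",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        raw_hit = SCRIPT_TAG_RE.search(raw) is not None
        print(f"{label:15} raw-match={raw_hit!s:5} "
              f"after-chain={rule_973336_matches(raw)!s:5} -> {normalize(raw)!r}")
```

Only the plain sample is caught without the chain; each encoded variant is caught only after its decoder has run, which is why the rule lists several decoders rather than one, and why removing a transformation from a rule to reduce false positives also removes a whole class of detections.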
![Page 10: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/10.jpg)
Ok I understand .. But how can I deploy it ???
ModSecurity supports two deployment options:
• Embedded: ModSecurity is an Apache module, so you can add it to any compatible version of Apache. The embedded option is a great choice for those who already have their architecture laid out and don't want to change it.
• Reverse proxy deployment: when you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a network web application firewall, which you can use to protect any number of web servers on the same network. Many security practitioners prefer having a separate security layer. With it you get complete isolation from the systems you are protecting.
![Page 11: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/11.jpg)
Core Rule Set (CRS) ..???
The OWASP community has developed and maintains a set of rules called the OWASP CRS. The CRS provides generic protection from unknown vulnerabilities often found in web applications.
![Page 12: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/12.jpg)
Core Rules …
HTTP protocol protection
• RFCs
• Defined policy
Common Web Attack Protections
• XSS, SQLi, CSRF, HTTP Response Splitting
Automation Detection
• Bots, web crawlers, web scanners
Trojan Protection
Server Error Hiding / DLP
• Mask errors sent by the server
• Data Loss Prevention
![Page 13: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/13.jpg)
Core Rule Set (CRS) run modes ..???
The CRS can run in two modes: traditional and anomaly scoring.
Traditional mode: the first rule that matches will block the request.
Anomaly scoring mode: the rules increment counters that "enumerate badness", and if the accumulated score reaches a threshold then the request is blocked.
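To make the difference between the two run modes concrete, here is an added Python simulation (not part of the slides, and not CRS code). It runs the same small set of constructed rules over constructed request arguments in both modes. Rule ids, patterns and scores are illustrative; the scores follow the CRS severity convention (CRITICAL=5, NOTICE=2) and the inbound threshold of 5 is the value CRS 2.2.x ships as its default in its setup file.

```python
import re

# Constructed rule set; ids and patterns are illustrative, not real CRS rules.
RULES = [
    {"id": 900001, "score": 2, "msg": "SQL keyword in argument (NOTICE)",
     "pattern": re.compile(r"(?i)\b(select|union|insert|drop)\b")},
    {"id": 900002, "score": 5, "msg": "SQL injection: UNION SELECT (CRITICAL)",
     "pattern": re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b")},
    {"id": 900003, "score": 5, "msg": "XSS: script tag (CRITICAL)",
     "pattern": re.compile(r"(?i)<script[^>]*>")},
]

# Assumed threshold; CRS 2.2.x uses tx.inbound_anomaly_score_level=5 by default.
INBOUND_ANOMALY_THRESHOLD = 5


def traditional_mode(args):
    """First matching rule blocks the request on the spot.

    Returns (blocked, id of the rule that blocked, or None)."""
    for rule in RULES:
        if rule["pattern"].search(args):
            return True, rule["id"]
    return False, None


def anomaly_scoring_mode(args, threshold=INBOUND_ANOMALY_THRESHOLD):
    """Every rule runs; matches add their score to tx.anomaly_score and a final
    check compares the total against the threshold (CRS uses @ge for this).

    Returns (blocked, total score, ids of every rule that matched)."""
    score, matched = 0, []
    for rule in RULES:
        if rule["pattern"].search(args):
            score += rule["score"]
            matched.append(rule["id"])
    return score >= threshold, score, matched


# Constructed request argument strings.
REQUESTS = {
    "normal":         "id=1&Submit=Submit",
    "false-positive": "comment=please select the blue option",
    "sqli":           "id=1 union select 1,2",
    "xss":            "name=<script>alert(1)</script>",
}

if __name__ == "__main__":
    for label, args in REQUESTS.items():
        t_blocked, t_rule = traditional_mode(args)
        a_blocked, a_score, a_rules = anomaly_scoring_mode(args)
        print(f"{label:15} traditional: blocked={t_blocked!s:5} by {t_rule}  |  "
              f"anomaly: blocked={a_blocked!s:5} score={a_score} rules={a_rules}")
```

The "false-positive" request is the point of the exercise: one low-severity rule fires on ordinary English text, traditional mode blocks it outright, while anomaly scoring lets it through because a single NOTICE-level match never reaches the threshold. The trade-off is that anomaly scoring also needs every rule to run on every request, so the audit log records all matches rather than just the first.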
![Page 14: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/14.jpg)
Enough …. Give me a scenario !!
• x.y.z.a: ModSecurity configured with Apache serving as reverse proxy
• 1.2.3.4: DVWA deployed on the web server
--- AWS environment for testing purposes ---
![Page 15: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/15.jpg)
Apache configured as Reverse Proxy …
![Page 16: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/16.jpg)
Access Vulnerable DVWA host on cloud
![Page 17: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/17.jpg)
DVWA SQL Test
MODSECURITY : OFF
![Page 18: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/18.jpg)
DVWA SQL Test
MODSECURITY : ON
![Page 19: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/19.jpg)
DVWA XSS Test MODSECURITY : ON
![Page 20: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/20.jpg)
![Page 21: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/21.jpg)
DVWA File Inclusion Test MODSECURITY : OFF
![Page 22: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/22.jpg)
ModSecurity Audit Log during Attack MODSECURITY : ON
![Page 23: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/23.jpg)
MODSECURITY ATTACK LOGS !!
![Page 24: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/24.jpg)
Sample commands to Track & Block...
Track IP addresses: curl ipinfo.io/49.44.51.20 | cut -d " " -f3,4
Watch ModSecurity logs (refresh every 10 s): while true; do cat modsec_audit.log | grep -e HTTP/1.1 -e 000; sleep 10; clear; done
or: tail -f modsec_audit.log
Block IP: iptables -A INPUT -s xx.xx.xx.xx -j DROP
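The grep loop above only eyeballs the audit log. As an added example that is not part of the slides, the Python script below parses ModSecurity's serial audit log format (the `--boundary-A--` ... `--boundary-Z--` sections that modsec_audit.log is made of) into records and summarises which client IPs had requests intercepted and by which rule ids, which is the review step before running the slide's iptables command. The log content is constructed for the example; the rule id 973336 is the one from the slides, every other id and the boundary ids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in ModSecurity's serial audit log layout: section A (transaction
# summary), B (request headers), H (audit trailer with rule messages), Z (end marker).
# Only rule id 973336 is real (from the slide); the other ids are placeholders.
SAMPLE_AUDIT_LOG = """\
--c0ffee01-A--
[25/Apr/2016:10:15:32 +0000] VxABCD0123456789 203.0.113.7 51234 10.0.0.5 80
--c0ffee01-B--
GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
Host: 1.2.3.4
User-Agent: Mozilla/5.0
--c0ffee01-H--
Message: Warning. Pattern match "(?i)(<script[^>]*>[\\s\\S]*?)" at ARGS:name. [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "900999"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Action: Intercepted (phase 2)
--c0ffee01-Z--
--c0ffee02-A--
[25/Apr/2016:10:15:40 +0000] VxABCD0123456790 198.51.100.23 40022 10.0.0.5 80
--c0ffee02-B--
GET /dvwa/index.php HTTP/1.1
Host: 1.2.3.4
--c0ffee02-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "900100"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--c0ffee02-Z--
--c0ffee03-A--
[25/Apr/2016:10:16:05 +0000] VxABCD0123456791 203.0.113.7 51240 10.0.0.5 80
--c0ffee03-B--
GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1
Host: 1.2.3.4
--c0ffee03-H--
Message: Warning. Pattern match "(')" at ARGS:id. [id "900200"] [msg "SQL Injection Attack: Single quote detected"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "900999"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
Action: Intercepted (phase 2)
--c0ffee03-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
SECTION_A_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<txid>\S+) (?P<client_ip>\S+) (?P<client_port>\d+) "
    r"(?P<server_ip>\S+) (?P<server_port>\d+)"
)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def split_transactions(text):
    """Group log lines into {boundary: {section letter: [lines]}}; Z closes a transaction."""
    transactions = {}
    current = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, letter = m.groups()
            tx = transactions.setdefault(boundary, {})
            current = None if letter == "Z" else tx.setdefault(letter, [])
            continue
        if current is not None:
            current.append(line)
    return transactions


def parse_audit_log(text):
    """One record per transaction: who sent what, which rules fired, and whether it was blocked."""
    records = []
    for boundary, sections in split_transactions(text).items():
        a = SECTION_A_RE.match((sections.get("A") or [""])[0])
        if not a:
            continue  # skip a truncated or malformed entry instead of crashing on it
        trailer = "\n".join(sections.get("H") or [])
        records.append({
            "boundary": boundary,
            "time": a.group("time"),
            "client_ip": a.group("client_ip"),
            "request": (sections.get("B") or [""])[0],
            "rule_ids": RULE_ID_RE.findall(trailer),
            "messages": MSG_RE.findall(trailer),
            "intercepted": "Action: Intercepted" in trailer,
        })
    return records


def offenders(records):
    """Client IPs with at least one intercepted request: count plus the rule ids involved."""
    summary = defaultdict(lambda: {"blocked": 0, "rule_ids": set()})
    for r in records:
        if r["intercepted"]:
            summary[r["client_ip"]]["blocked"] += 1
            summary[r["client_ip"]]["rule_ids"].update(r["rule_ids"])
    return dict(summary)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        state = "BLOCKED" if r["intercepted"] else "logged "
        print(r["time"], r["client_ip"], state, r["request"], r["rule_ids"])
    for ip, info in offenders(recs).items():
        print(f"{ip}: {info['blocked']} blocked request(s), rules {sorted(info['rule_ids'])}")
```

Running it on a real modsec_audit.log (read the file instead of the constructed string) gives the per-IP list to check with the slide's ipinfo.io lookup before any iptables rule is added; the logged-only transaction from 198.51.100.23 stays out of the summary, so a single NOTICE-level match does not end up on a block list.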
![Page 25: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/25.jpg)
How to install ???
Refer : https://modsecurity.org/download.html
![Page 26: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/26.jpg)
Play online with MODSECURITY !!!
![Page 27: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/27.jpg)
Relevant Talks …
https://www.youtube.com/watch?v=HkA_YRSb3jU
[Defcon] https://www.youtube.com/watch?v=208bFToRJqo&nohtml5=False
[BlackHat] https://www.youtube.com/watch?v=pKGdIxArlKU&nohtml5=False
![Page 28: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/28.jpg)
Must attend !! …
![Page 29: Introduction to Mod security session April 2016](https://reader034.fdocuments.net/reader034/viewer/2022051101/58eeac6d1a28ab7d538b467d/html5/thumbnails/29.jpg)