WAF / ModSec + OWASP CRS

Post on 12-Feb-2016


old slides used for WAF deployment training... lots of typos .. :P - and lil bit old...

Deploying WAF

Hands-On Training Based on Apache / Reverse Proxy and Mod Security / OWASP-CRS

Adzmely Mansor

adzmely@gmail.com

Facts in a Nutshell

Published in March 2012 by security vendor Cenzic - most common application vulnerabilities:

XSS - 37%

SQL Injection - 16%

Path Disclosure - 5%

Denial of Service - 5%

Code Execution - 4%

Memory Corruption - 4%

Cross Site Request Forgery (CSRF) - 4%

Information Disclosure - 3%

Arbitrary File - 3%

Local File Inclusion - 2%

Remote File Inclusion - 1%

Overflow - 1%

Other - 15%

Facts in a Nutshell

some web applications are coded/deployed badly, with exploitable vulnerabilities their owners are unaware of:

SQL Injection

Cross Site Scripting - XSS

LFI / %00 - null byte exploit

via file upload, WYSIWYG editor, etc

Developers should look at their code:

code review

defensive programming - write better code

schedule a security assessment before deployment

etc

NULL / VOID / Nobody

Nobody is doing it (most of the time)

Even if every single deployed web app had pre-deployment code review, security assessment, etc., there might still be slips / unnoticed exploitable mistakes:

present (the code as deployed today)

future (new modules / enhancements)

[Diagram: Web Client -> Firewall (Port 80 HTTP Traffic) -> Web Server -> Application -> Database Server]

WAF to the Rescue

an important additional preventive layer for every HTTP/HTTPS network

Blind Spot

HTTP Traffic Logging

web servers are well equipped to log traffic, but most are not able to log request bodies, making attacks via POST requests undetectable

it is possible to log POST data in Apache using the dumpio module, but:

big log files / consume space

images/binary files are logged/stored too

not practical in the long run

in practice almost nobody has heard of the module or knows about it; it is meant as a debugging tool for developers

Core Components of a WAF

Open Source Approach via Apache/ModSecurity

Apache 2.x

One of the most used open source products

Available on many platforms

Free, fast, stable and reliable

Expertise widely available

mod_proxy - use as reverse proxy module for WAF building block with integrated LB

Mod Security

Adds WAF functionality to Apache

Free, open source, commercially supported

Implements most WAF features

Popular and very widely used

Fast, reliable and predictable

Intrusion Detection / Prevention for Web Applications

Operates as an Apache module

Open source and GPL

increases web application security by protecting against known and unknown attacks (0day exploits)

Mod Security : use case

legacy applications - can't be modified / encoded (ioncube / zend encoder / byte code / etc)

temporary protection for newly discovered vulnerabilities

0 day exploits - unnoticed/unknown

etc

OWASP CRS

in order for ModSecurity to become useful it must be configured with rules

rules for various different types of attacks: SQL Injection / XSS / LFI / RFI / etc

the OWASP community has developed and maintains a set of rules called OWASP CRS (Core Rule Set)

CRS provides generic protection from unknown vulnerabilities often found in web applications

Type of Deployment

Network-level device

Reverse Proxy

Embedded in web server

Reverse Proxy

a potential bottleneck

SPOF (single point of failure)

some minor changes to network/DNS/etc

SSL/443 - termination required

Embedded in web server

Easy to add

Not a point of failure

uses the same web server resources

Reverse Proxy Deployment

Reverse Proxy Building Block

Main entrance to all backend servers

all HTTP requests are forced to go through the proxy

centralization - eases management

access control / logging / monitoring

possibility of combining multiple backend web servers into one

hides the internals

performance by providing transparent caching

CSS/JS/images/etc - static content can easily be cached

response compression

SSL termination

HTTPS/encrypted session between client/browser and reverse proxy

HTTP/unencrypted session between reverse proxy and backend servers

Scalability / High Availability

Load balance - multiple reverse proxies

Active - Passive cluster providing HA

Building blocks compressed into a single solution:

Centralized Cluster

Integration

Performance

High Scalability / Availability

Reverse Proxy Model

[Diagram: Web Client -> ModSecurity reverse proxy -> backends Apache / Nginx / IIS serving www.acme.com, email.acme.com, dev.acme.com]

[Diagram: Web Client -> ModSecurity reverse proxy -> LoadBalance www.acme.com across three Apache backends 192.168.1.111, 192.168.1.112, 192.168.1.113]

[Diagram: Web Client -> ModSecurity reverse proxy -> Integration Mapping www.acme.com across three Apache backends:
/images => http://192.168.1.111/images
/exam => http://192.168.1.112/exam
/tutorial => http://192.168.1.113]

Lab Session Installations

ModSecurity Installation

# Download and extract #
wget http://www.modsecurity.org/download/modsecurity-apache_2.7.4.tar.gz
tar xzf modsecurity-apache_2.7.4.tar.gz

# Installation #
cd modsecurity-apache_2.7.4
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

ModSecurity Configuration

# Modify Apache configuration in order to load mod security module #

vi /etc/httpd/conf/httpd.conf

# search for the line LoadModule in apache configuration file and add # following:

LoadModule security2_module modules/mod_security2.so

# ModSecurity requires mod_unique_id; make sure the following line is un-commented

LoadModule unique_id_module modules/mod_unique_id.so

OWASP CRS Installation

# Download OWASP-CRS and install #
cd /etc/httpd/
wget --output-document=owasp-crs.tgz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
tar xzf owasp-crs.tgz
# the extracted directory name carries the short commit hash of the tarball you downloaded; adjust it accordingly
mv SpiderLabs-owasp-modsecurity-crs-0f07cbb /etc/httpd/modsecurity-crs
cd /etc/httpd/modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

OWASP CRS Installation

# Load base rules in /etc/httpd/conf/httpd.conf #
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>

# restart your httpd service
service httpd restart

Installation Test

Open your browser

point to your WAF-VM IP address as the URL

you should get the default CentOS welcome page

try to put some SQL injection in the URI of the "Welcome Page":

/?id=1 and 1=2 union select 1,2--%20

OWASP-CRS

/etc/httpd/conf.d/modsecurity.conf

default engine mode in the recommended configuration: DetectionOnly (alerts are logged but requests are not blocked)

SecRuleEngine On|Off|DetectionOnly
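As an added example (not code from the original slides), a POSIX shell script that summarises ModSecurity 2.x error-log alerts by rule id and by client IP, which is the review an operator does while the engine is still in DetectionOnly to find noisy rules before switching to On. The log lines are constructed samples; the rule ids, messages, hostnames and unique_ids in them are assumed values.

```shell
#!/bin/sh
# Added example, not from the original slides: summarise ModSecurity 2.x error-log
# alerts by rule id and by client IP. In DetectionOnly mode the CRS only logs, so
# reviewing which rules fire, from where and how often is how an operator finds
# rules to tune before switching SecRuleEngine to On. The log lines are
# constructed samples in the ModSecurity error-log format; the rule ids,
# messages, hosts and unique_ids are assumed values.

MODSEC_SAMPLE_LOG='[Fri Feb 12 10:01:02 2016] [error] [client 192.168.1.50] ModSecurity: Warning. Pattern match "union.*select" at ARGS:id. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.acme.com"] [uri "/"] [unique_id "sample0001"]
[Fri Feb 12 10:01:02 2016] [error] [client 192.168.1.50] ModSecurity: Warning. Pattern match "\W{4,}" at ARGS:id. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "154"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [severity "WARNING"] [hostname "www.acme.com"] [uri "/"] [unique_id "sample0001"]
[Fri Feb 12 10:05:40 2016] [error] [client 10.0.0.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:q. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.acme.com"] [uri "/search"] [unique_id "sample0002"]
[Fri Feb 12 10:06:00 2016] [error] [client 10.0.0.7] File does not exist: /var/www/html/favicon.ico'

# Keep only lines written by ModSecurity (ordinary Apache errors share the file).
modsec_alerts() {
    grep 'ModSecurity: ' "$1"
}

# Extract one bracketed field from a single log line: modsec_field id "$line"
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# Alerts per rule id as "<count> <id>" lines, most frequent first.
modsec_count_by_rule() {
    modsec_alerts "$1" | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Alerts per client IP as "<count> <ip>" lines, most frequent first.
modsec_count_by_client() {
    modsec_alerts "$1" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Requests actually blocked; stays 0 while SecRuleEngine is DetectionOnly.
modsec_blocked_count() {
    grep -c 'ModSecurity: Access denied' "$1" || true
}

# Demo: write the constructed sample to a temp file and print the summaries.
MODSEC_TMP=$(mktemp)
printf '%s\n' "$MODSEC_SAMPLE_LOG" > "$MODSEC_TMP"
echo "Alerts by rule id:";  modsec_count_by_rule "$MODSEC_TMP"
echo "Alerts by client:";   modsec_count_by_client "$MODSEC_TMP"
echo "Blocked requests: $(modsec_blocked_count "$MODSEC_TMP")"
```

Point the functions at the real error log (logs/modsecurity/*-error_log in the virtual host configs below) once the WAF is running; a rule that tops the list for many legitimate clients is a candidate for tuning rather than for blocking.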

Deploying Reverse Proxy WAF

Apache Proxy Modules

mod_proxy.so - main module providing proxy and reverse proxy features

mod_proxy_balancer.so - load balancing module for proxy / reverse proxy

mod_proxy_http.so - module providing HTTP/HTTPS proxy requests

make sure all three modules are loaded in httpd.conf

Reverse Proxy by Name

VirtualHost Reverse Proxy

when you have multiple backend domains/URLs:

name to single backend reverse proxy

name to multiple load-balanced backend reverse proxy

VirtualHost Reverse Proxy - organize virtual hosts in one configuration folder

# Create mod security virtual host configuration folder #
mkdir /etc/httpd/conf.d/modsecVHosts

# Master configuration file to load all virtual host configuration
# in newly created folder : /etc/httpd/conf.d/modsecVHosts.conf #
vi /etc/httpd/conf.d/modsecVHosts.conf

# edit and add as follows #
Include conf.d/modsecVHosts/*.conf

VirtualHost Reverse Proxy - sample VirtualHost by name reverse proxy configuration

# Create mod security virtual host configuration #
<VirtualHost *:80>
    ServerName backend.com
    ErrorLog logs/modsecurity/backend.com-error_log
    CustomLog logs/modsecurity/backend.com-access_log common
    ProxyRequests off
    ProxyPass / http://backend.com/
    ProxyPassReverse / http://backend.com/
    ProxyPreserveHost On
    #ProxyPassReverseCookieDomain
</VirtualHost>

VirtualHost Reverse Proxy - sample VirtualHost load balance reverse proxy configuration

# Create mod security virtual host configuration #
<Proxy balancer://backend1Cluster>
    BalancerMember http://192.168.1.111:80
    BalancerMember http://192.168.1.112:80
    BalancerMember http://192.168.1.113:80
</Proxy>

<VirtualHost *:80>
    ServerName backend.com
    ErrorLog logs/modsecurity/backend.com-error_log
    #CustomLog logs/modsecurity/backend.com-access_log common
    ProxyRequests off
    # the balancer URL ends with a slash to match the trailing slash on the path
    ProxyPass / balancer://backend1Cluster/
    ProxyPassReverse / balancer://backend1Cluster/
    ProxyPreserveHost On
    #ProxyPassReverseCookieDomain
</VirtualHost>

Central Logging with WAF-FLE and mlogc

ModSec Logging - http://www.waf-fle.org

PHP/MySQL web based application

current latest version 0.6.0 final (ly)

# Download and extract waf-fle #
cd ~
wget http://www.waf-fle.org/wp-content/uploads/2013/04/waf-fle_0.6.0.tar.gz
tar zxf waf-fle_0.6.0.tar.gz
mv waf-fle /var/www/

# Install waf-fle requirements #
yum install php
yum install php-mysql
yum install mysql-server mysql-devel
yum install php-pecl-geoip
yum install php-pecl-apc

# Install MaxMind GeoIP #
mkdir /usr/share/GeoIP/
cd /usr/share/GeoIP/
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
wget http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
gunzip *.gz
mv GeoLiteCity.dat GeoIPCity.dat
cp GeoIPASNum.dat GeoIPISP.dat

# WAF-FLE configuration and virtual host setup #
cp extra/waf-fle.conf /etc/httpd/conf.d
vi /etc/httpd/conf.d/waf-fle.conf
# edit according to your WAF-FLE installation under a dedicated virtualhost

# DB Setup #
mysqladmin create waffle
mysql -p
mysql> CREATE USER 'waffle'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES ON `waffle`.* TO 'waffle'@'localhost';

# load the WAF-FLE schema into the waffle database
mysql -p waffle < extra/waffle.mysql

ModSec Logging - http://yourWAFFLEname/waf-fle

login/pass - admin/admin

you need to change the admin password and then just follow the page instructions

Open Proxy HoneyPot

Set up an Apache open proxy (public)

install mod security with:

SecRuleEngine DetectionOnly

conduct real time traffic analysis on the HTTP traffic

study internal user behaviour

Content Injection with Mod Security