Facts in a Nutshell
Most common application vulnerabilities, according to a report published in March 2012 by security vendor Cenzic:
XSS - 37%
SQL Injection - 16%
Path Disclosure - 5%
Denial of Service - 5%
Code Execution - 4%
Memory Corruption - 4%
Cross Site Request Forgery (CSRF) - 4%
Information Disclosure - 3%
Arbitrary File - 3%
Local File Inclusion - 2%
Remote File Inclusion - 1%
Overflow - 1%
Other - 15%
Some web applications are coded/deployed badly, with exploitable vulnerabilities nobody is aware of:
SQL Injection
Cross Site Scripting - XSS
LFI / %00 - null byte exploit
via file upload, WYSIWYG editor, etc.
Developers should look at their code:
code review
defensive programming - write better code
schedule a security assessment before deployment
etc.
NULL / VOID / Nobody
Nobody is doing it (most of the time)
Even if every single deployed web app went through pre-deployment code review, security assessment, etc.,
there might still be some slips / unnoticed exploitable mistakes:
present
future - new modules / enhancements
[Diagram: Web Client -> HTTP traffic (port 80) -> Firewall -> Web Server -> Application -> Database Server]
WAF to the Rescue
an important additional preventive layer for every HTTP/HTTPS network
Blind Spot: HTTP Traffic Logging
web servers are well equipped to log traffic
but most are not able to log request bodies
making attacks via POST requests undetectable in the access log
It is possible to log POST data in Apache using the mod_dumpio module:
big log files / consumes disk space
images/binary uploads are logged/stored too
not practical in the long run
in practice, hardly anybody has heard of the module or even knows it exists
it is meant as a debugging tool for developers
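The audit log is how ModSecurity closes the request-body blind spot described above. The following Python script is an added example (not part of the original slides, and not ModSecurity's own code): it parses a constructed combined-format access log line and a constructed ModSecurity 2.x serial audit log entry for the same request, and shows that only the audit entry yields the POST body, the decoded form fields, the rule id that matched and whether the request was actually intercepted. It assumes the standard serial audit log layout (parts A, B, C, F, H, Z), which only contains the body when SecRequestBodyAccess is On and part C is included in SecAuditLogParts; the unique id, rule id 123456, rule file path and pattern in the sample are made up.

```python
import re
from urllib.parse import parse_qs
from typing import Dict, List, Optional

# Constructed sample data (not captured from any real server). The audit entry
# follows the ModSecurity 2.x serial audit log layout: each part is introduced
# by a "--<id>-<letter>--" boundary; A = header, B = request headers,
# C = request body, F = response headers, H = audit trailer, Z = end marker.
ACCESS_LOG_LINE = (
    '192.168.1.50 - - [26/Jun/2013:10:15:32 +0800] '
    '"POST /login.php HTTP/1.1" 403 226 "-" "Mozilla/5.0"'
)

AUDIT_LOG_ENTRY = """--8f1b3a2c-A--
[26/Jun/2013:10:15:32 +0800] UcqHAH8AAQEAAB2ZAsIAAAAA 192.168.1.50 51234 192.168.1.112 80
--8f1b3a2c-B--
POST /login.php HTTP/1.1
Host: www.acme.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

--8f1b3a2c-C--
user=admin&pass=x'%20or%20'1'='1
--8f1b3a2c-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--8f1b3a2c-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:tautology-pattern)" at ARGS:pass. [file "/path/to/constructed_rules.conf"] [line "1"] [id "123456"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--8f1b3a2c-Z--
"""

ACCESS_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
BOUNDARY_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')
# Part A: [timestamp] unique-id client-ip client-port server-ip server-port
A_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] (?P<unique_id>\S+) (?P<client_ip>\S+) '
    r'(?P<client_port>\d+) (?P<server_ip>\S+) (?P<server_port>\d+)'
)


def parse_access_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format access log line. Only the request line is
    recorded, so for a POST the parameters that carried the attack are gone."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["status"] = int(m.group("status"))
    rec["request_body"] = None  # access logs never contain the body
    return rec


def split_audit_parts(entry: str) -> Dict[str, str]:
    """Split a serial audit log entry into its lettered parts."""
    parts: Dict[str, str] = {}
    current: Optional[str] = None
    buf: List[str] = []
    for line in entry.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            current, buf = m.group(2), []
        elif current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip("\n")
    return parts


def parse_audit_entry(entry: str) -> Dict[str, object]:
    """Pull out what an analyst needs: who sent it, what was sent (body
    included), which rule fired, and whether the engine actually blocked it."""
    parts = split_audit_parts(entry)
    a = A_RE.match(parts.get("A", ""))
    request_line = parts.get("B", "").split("\n", 1)[0]
    method, target = (request_line.split(" ") + ["", ""])[:2]
    body = parts.get("C", "")
    trailer = parts.get("H", "")
    messages = [ln for ln in trailer.split("\n") if ln.startswith("Message:")]
    status_line = parts.get("F", "").split("\n", 1)[0].split()
    engine = re.search(r'Engine-Mode: "([^"]+)"', trailer)
    return {
        "unique_id": a.group("unique_id") if a else None,
        "client_ip": a.group("client_ip") if a else None,
        "method": method,
        "target": target,
        "request_body": body or None,
        # decoded form fields: exactly what the access log could not show
        "args": parse_qs(body) if body else {},
        "status": int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else None,
        "rule_ids": [int(x) for m in messages for x in re.findall(r'\[id "(\d+)"\]', m)],
        "rule_msgs": [x for m in messages for x in re.findall(r'\[msg "([^"]*)"\]', m)],
        "blocked": any(ln.startswith("Action: Intercepted") for ln in trailer.split("\n")),
        "engine_mode": engine.group(1) if engine else None,
    }


if __name__ == "__main__":
    print("access log sees:", parse_access_log(ACCESS_LOG_LINE))
    print("audit log sees :", parse_audit_entry(AUDIT_LOG_ENTRY))
```

Running the script side by side makes the point of the slide concrete: the access log records "POST /login.php" and a 403, nothing more, while the audit entry carries the tautology in the `pass` field, the rule id, and the "Intercepted" action that tells you the engine was enforcing rather than only detecting.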
Core Components of a WAF
Apache 2.x
One of the most widely used open source products
Available on many platforms
Free, fast, stable and reliable
Expertise widely available
mod_proxy - reverse proxy module for building the WAF block, with integrated load balancing (LB)
ModSecurity
Adds WAF functionality to Apache
Free, open source, commercially supported
Implements most WAF features
Popular and very widely used
Fast, reliable and predictable
Intrusion detection / prevention for web applications
Operates as an Apache module
Open source and GPL
Increases web application security by protecting against known and unknown attacks (0-day exploits)
OWASP CRS
In order for ModSecurity to become useful:
it must be configured with rules
rules for the various types of attacks
SQL Injection / XSS / LFI / RFI / etc.
The OWASP community has developed and maintains a set of rules called the OWASP CRS
CRS provides generic protection from unknown vulnerabilities often found in web applications
Types of Deployment
Network-level device
Reverse proxy
Embedded in web server
Reverse proxy
a potential bottleneck
SPOF (single point of failure)
some minor changes to network/DNS/etc. required
SSL/443 termination required
Embedded in web server
Easy to add
Not a point of failure
Uses the same web server's resources
Reverse Proxy Deployment
Reverse proxy building blocks:
Main entrance to all backend servers
all HTTP requests are forced to go through the proxy
centralization eases management
access control / logging / monitoring
possibility of combining multiple backend web servers into one
hides the internals
performance, by providing transparent caching
CSS/JS/images/etc. - static content can easily be cached
response compression
SSL termination
HTTPS/encrypted session between client/browser and reverse proxy
HTTP/unencrypted session between reverse proxy and backend servers
Scalability / High Availability
load balancing across multiple reverse proxies
active-passive cluster providing HA
Building blocks compressed into a single solution:
Centralized cluster
Integration
Performance
High scalability / availability
[Integration diagram: web clients reach email.acme.com, dev.acme.com and www.acme.com through a single ModSecurity reverse proxy; backends are Nginx (email.acme.com), IIS (dev.acme.com) and Apache servers at 192.168.1.112 and 192.168.1.113 load-balanced for www.acme.com]
Integration Mapping
[Diagram: Web Client -> www.acme.com (ModSecurity reverse proxy) -> Apache backends]
Lab Session: Installations
ModSecurity Installation
# Download and extract
#
wget http://www.modsecurity.org/download/modsecurity-apache_2.7.4.tar.gz
tar xzf modsecurity-apache_2.7.4.tar.gz
# Installation
#
cd modsecurity-apache_2.7.4
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
ModSecurity Configuration
# Modify the Apache configuration so that it loads the ModSecurity module
#
vi /etc/httpd/conf/httpd.conf
# search for the LoadModule lines in the Apache configuration file and add the
# following:
LoadModule security2_module modules/mod_security2.so
# ModSecurity requires mod_unique_id; make sure this line is uncommented
LoadModule unique_id_module modules/mod_unique_id.so
Installation Test
Open your browser
point it to your WAF-VM IP address as the URL
you should get the default CentOS welcome page
try putting some SQL injection in the URI of the welcome page:
/?id=1 and 1=2 union select 1,2--%20
OWASP-CRS
/etc/httpd/conf.d/modsecurity.conf
default CRS engine mode: DetectionOnly
SecRuleEngine On|Off|DetectionOnly
Deploying Reverse Proxy WAF
Reverse Proxy by Name
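Added example, not from the slides and not part of ModSecurity or Apache: a small Python checker for the configuration steps in the installation, OWASP-CRS and reverse-proxy sections. It reads constructed excerpts of httpd.conf, modsecurity.conf and a name-based reverse-proxy vhost for www.acme.com forwarding to 192.168.1.112, and reports LoadModule lines that are missing or commented out (mod_unique_id is the one usually forgotten), SecRuleEngine left at DetectionOnly or Off, SecRequestBodyAccess not On (the POST blind spot again), and a ProxyPass vhost without ProxyRequests Off or ProxyPreserveHost On. The directive names are real Apache and ModSecurity directives; the file contents, the finding wording and the "OK"/"BAD" pairs are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed configuration excerpts (not files from any real host). The
# directive names are real Apache/ModSecurity directives; the backend address
# follows the lab's www.acme.com -> 192.168.1.112 layout.
HTTPD_CONF_BAD = """
LoadModule security2_module modules/mod_security2.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
"""
MODSEC_CONF_BAD = """
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
"""
VHOST_BAD = """
<VirtualHost *:80>
    ServerName www.acme.com
    ProxyPass / http://192.168.1.112/
    ProxyPassReverse / http://192.168.1.112/
</VirtualHost>
"""
HTTPD_CONF_OK = HTTPD_CONF_BAD.replace("#LoadModule", "LoadModule")
MODSEC_CONF_OK = MODSEC_CONF_BAD.replace("DetectionOnly", "On")
VHOST_OK = """
<VirtualHost *:80>
    ServerName www.acme.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.112/
    ProxyPassReverse / http://192.168.1.112/
</VirtualHost>
"""

Directive = Tuple[str, str]


def active_directives(text: str) -> List[Directive]:
    """(name, arguments) for every line that is not blank or commented out."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def check_modules(httpd_conf: str) -> List[str]:
    """ModSecurity needs mod_unique_id; a reverse proxy needs mod_proxy(_http)."""
    loaded = {args.split()[0] for name, args in active_directives(httpd_conf)
              if name == "LoadModule" and args}
    required = ("security2_module", "unique_id_module", "proxy_module", "proxy_http_module")
    return [f"httpd.conf: LoadModule {mod} is missing or commented out"
            for mod in required if mod not in loaded]


def check_engine(modsec_conf: str) -> List[str]:
    """The last SecRuleEngine / SecRequestBodyAccess value wins, as in Apache."""
    findings: List[str] = []
    d = active_directives(modsec_conf)
    modes = [args for name, args in d if name == "SecRuleEngine"]
    mode = modes[-1] if modes else None
    if mode == "DetectionOnly":
        findings.append("modsecurity.conf: SecRuleEngine DetectionOnly (shipped default) - attacks are logged, not blocked")
    elif mode != "On":
        findings.append(f"modsecurity.conf: SecRuleEngine is {mode!r}, rules are not enforced")
    body = [args for name, args in d if name == "SecRequestBodyAccess"]
    if not body or body[-1] != "On":
        findings.append("modsecurity.conf: SecRequestBodyAccess is not On - POST bodies are never inspected")
    return findings


def check_vhost(vhost_conf: str) -> List[str]:
    """Name-based reverse proxy vhost sanity checks."""
    findings: List[str] = []
    d = active_directives(vhost_conf)
    if not any(name == "ProxyPass" for name, _ in d):
        findings.append("vhost: no ProxyPass, nothing is forwarded to a backend")
    if ("ProxyRequests", "Off") not in d:
        findings.append("vhost: set ProxyRequests Off explicitly so the WAF can never act as a forward proxy")
    if ("ProxyPreserveHost", "On") not in d:
        findings.append("vhost: ProxyPreserveHost On missing - name-based backends receive the ProxyPass host, not the client's Host header")
    return findings


def audit(httpd_conf: str, modsec_conf: str, vhost_conf: str) -> List[str]:
    """All findings for one WAF host; an empty list means nothing to fix."""
    return check_modules(httpd_conf) + check_engine(modsec_conf) + check_vhost(vhost_conf)


if __name__ == "__main__":
    for finding in audit(HTTPD_CONF_BAD, MODSEC_CONF_BAD, VHOST_BAD):
        print("FINDING:", finding)
    print("clean config findings:", audit(HTTPD_CONF_OK, MODSEC_CONF_OK, VHOST_OK))
```

On a real host, feed the checker the contents of /etc/httpd/conf/httpd.conf, /etc/httpd/conf.d/modsecurity.conf and the proxy vhost file; the DetectionOnly finding is expected right after installation and is the reminder to flip SecRuleEngine to On once the lab's SQL injection test shows the rules firing.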
ModSec Logging
http://www.waf-fle.org
PHP/MySQL web-based application
current latest version: 0.6.0 final (ly)
# Download and extract waf-fle
#
cd ~
wget http://www.waf-fle.org/wp-content/uploads/2013/04/waf-fle_0.6.0.tar.gz
tar zxf waf-fle_0.6.0.tar.gz
mv waf-fle /var/www/
# Install waf-fle requirements
#
yum install php
yum install php-mysql
yum install mysql-server mysql-devel
yum install php-pecl-geoip
yum install php-pecl-apc
# WAF-FLE configuration and virtual host setup
#
cp extra/waf-fle.conf /etc/httpd/conf.d
vi /etc/httpd/conf.d/waf-fle.conf
# edit according to your WAF-FLE installation, under a dedicated virtual host
# DB setup
#
mysqladmin create waffle
mysql -p
mysql> CREATE USER 'waffle'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLES ON `waffle`.* TO 'waffle'@'localhost';
# load the schema into the database created above
mysql -p waffle < extra/waffle.mysql
http://yourWAFFLEname/waf-fle
login/pass - admin/admin
you need to change the admin password, then just follow the on-page instructions