Upload
rich-helton
View
4.509
Download
0
Tags:
Embed Size (px)
Citation preview
Introduction to Web Application Firewalls
From Rich Helton’s October 2010 Web Application Firewall classes
WAF ( A quick fix)
Instead of rewriting code, some potentially quicker methods is to put an application to intercept the HTTP traffic ahead of the HTTP server known as a Web Application Firewall (WAF).
The WAF takes configurations like a normal firewall on what traffic to pass and reject. The difference is that it is responding specifically to an HTTP server like Apache or IIS.
For Apache, the most popular approach is to use its Open Source plugin called mod_security. http://www.modsecurity.org/
For IIS, WebKnight from AQTronix, http://aqtronix.com/?PageID=99 is the most popular Open Source solution.
Not everything can be covered by a WAF, especially session hijacking flaws, but XSS and SQL Injection can be mitigated. http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
WAF ( Not just a server fix)
WAFs are filters that sit in front of the Web Application. Depending on their configuration, they will deny, or log,
validated information from the Internet into the Application.
They are a good source in auditing the information that is hitting the Web site and the scans that are constantly taking place.
Pro’s and Con’s
Pro’s: Installing a WAF is quicker, in most cases, than changing
code and re-deploying a Web Application. WAF’s may find issues, by using its rule sets, that the code
may not be prepared to find. This is because WAFs have thousands of rules generated by industry experts.
Con’s:WAFs are limited by the rules that are installed in them. Therefore, if the rule is not there, it cannot protect against it. Validation is a better protection, because form level validation will use white-listing on what input is allowed, versus black-listing on the input that is denied.
ModSecurity/ApacheLabs
Lab1(Applying Tomcat)
Tomcat will need Apache
Starting Apache:
If there is an error, run the “StartApache.bat” in the lab and observe the error. Likely Apache may already be started.
Check Apache by IE http://localhost/ and it returns:
Tomcat will need Apache
To link Tomcat and Apache, the mod_jk module will need to be installed, see http://tomcat.apache.org/connectors-doc/ . Also known as the Tomcat Connector.
Note: Tomcat can also use Microsoft’s IIS, instead of Apache, utilizing the Microsoft ISAPI plugin. The easiest way to install the mod_jk connector is to have
Tomcat generate “conf/auto/mod_jk.conf” from its Container and have Apache reference it from its “conf/httpd.conf” file: LoadModule jk_module modules/mod_jk.so
Include C:/Apache2/apache-tomcat-6.0.28/conf/auto/mod_jk.conf
See http://www.johnturner.com/howto/apache2-tomcat4129-jk-winxp-howto.html
Tomcat will need Apache
Tomcat will need Apache
Start in “C:\Labs\Lab_Mod_JK”. Run the “TestApacheConfig.bat”
The Apache directory is pre-installed in “C:\Apache2”. Tomcat will be pre-installed in “C:\Apache2\apache-
tomcat-6.0.28”
Tomcat will need Apache
You might receive the following screen from the generated mod_jk.conf:
The mod_jk.conf is generated from Tomcat and is running an old version of Tomcat. This file can be edited and copied to a new location and referenced, such as “C:\Apache2\apache-tomcat-6.0.28\conf” .
Installing mod_jk
mod_jk is the module that Tomcat and Apache will use to communicate. The C:\Apache2\apache-tomcat-6.0.28\conf\auto\mod_jk.conf file is generated from Tomcat at startup to tell Apache which files are available.
The Apache httpd.conf is configured to find the mod_jk.so module and configuration files by adding the following lines:
This is both in the Lab1 directory and already modified.
Installing mod_jk
Notice that the mod_jk.log will log the communications from Apache to Tomcat.
A workers.properties also has to be created in the $tomcat/conf to describe the ajp13 (mod_jk protocol) threads across port 8009.
Tomcat’s server.xml also has to be modified to listen with the mod_jk.so file:
Starting Tomcat/Apache
After a successful Start in Apache, and running C:\Apache2\apache-tomcat-6.0.28\bin\startup.bat . You can see it is successful by looking at the logs for an exceptions (look for the keyword exception in the files) and a successful start:
Port 8009
Port 8009 was used in the configuration workers.properties and server.xml to communicate between Apache and Tomcat. Using a product like fport.exe from Foundstone, the port should appear to be open and listening from java starting it, notice port 8009:
Now Try a Struts XSS Sample
Calling http://localhost/mandiant-struts-form-vulnerable/index.jsp
Now Try a Struts XSS Sample
Typing in the XSS “<script>alert(123)</script>”, XSS appears:
Lab2(Adding ModSecurity)
Apache mod_security
The mod_security module information can be found at http://www.modsecurity.org/
Load the mod_security and unique id modules (this example is XP) in conf/httpd.conf: LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Add the base configuration and some of the base rules: Include conf/mod_security.conf
Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf
Include conf/base_rules/modsecurity_crs_23_request_limits.conf
Include conf/base_rules/modsecurity_crs_35_bad_robots.conf
Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf
Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Apache mod_unique_id
The modules/mod_unique_id.so has to be installed for mod_security to work.
To check to see which modules are currently being used by Apache, run httpd –t –D DUMP_MODULES from the Apache2/bin directory:
Apache mod_unique_id
Ensuring that the field is set in Apache2/httpd.conf :
Now run httpd –t –D DUMP_MODULES from the Apache2/bin directory:
Apache mod_security2
Copying the libxml2.dll, mod_security2.so, and pcre.dll to Apache2/modules, and adding the following to httpd.conf :
Now run httpd –t –D DUMP_MODULES from the
Apache2/bin directory to see security2_module:
mod_security2 minimal configuration
Changing the modsecurity.conf-minimal to modsecurity.conf, the httpd.conf needs to call it:
Setting the rules to “500 Internal Server Error”, the XSS
now returns an error code of 500:
Testing which rules may apply
http://www.modsecurity.org/demo/phpids has a smoketest to verify which rules may apply
ModSecurity Template for Building Rules
Lab3(Manipulating Rules)
Apache mod_security logs
The mod_security logs show what the mod_security blocked. If the minimal configuration was used with mod_security, it
will send which rule that it blocked on to the “Apache2/logs/mod_audit.log.”
The log will match a rule that will define, usually through a Regex expression, the blocking sequence.
To log, the location of the logs need to be defined, as well as their level of logging.
SecAuditEngine On Enables audit logging for all transactions.
SecAuditEngine RelevantOnly Enables audit logging only for transactions that match a rule, or that have a status code that matches the regular expression configured via SecAuditLo- gRelevantStatus.
SecAuditEngine Off Disables audit logging.
Defining logging (modsecurity.conf)
What do the mod_audit log say?
It blocked the mandiant page for the following reasons:
What do the mod_audit log say?
Looking closer,
It appears that the phids filter identified “<scri” as XSS.
What do the mod_audit log say?
Looking closer,
It appears that the phids filter identified “<scri” as XSS.
A simple test
Let’s see what happens when we remove the 41_phids_filters.conf
I am going to leave Tomcat running, it is not processing the rules, only Apache.
I am going to stop Apache, delete the 41_phids_filters.conf file, test the configuration, and start Apache.
The Apache configuration tested good, always test with changes…
This time it didn’t block,but triggered an audit rule
In the modsecurity_crs_41_xss_attacks.conf, it says pass and audit:
Conclusion
Adding the file 41_phids_filters.conf back in will start the process to block again.
Another alternative is to set the xss_attacks.conf rule to block by changing the rule from changing “pass” to “deny”.
There are many, many rules, and more than likely, they overlap in some manner.
This exercise was to show how to manipulate the rules just in case some of them block normal business activities.
Lab4(Logging Only)
Startup
Ensure that Apache is set to block XSS with phids rules as before.
In this exercise, we will simply log and not block. By default, modsecurity only logs, so we need to simply
commit out the deny statement in the httpd.conf, after stopping Apache, check the config, and restart Apache.
XSS passes through
This time XSS passes through
The XSS alerts are logged
In the audit log we see the phpids alerts for XSS, along with the other rules as well. This is because it was not blocked by the phpids alert and kept going:
Lets test some tools(scanning with Netsparker)
It found XSS(scanning with Netsparker)
ModSecurity audit logs
When Netsparker scanned the site, the audit logs went from 32 KB to 732 KB. This is because it was capturing the NetSparker attacks.
Turning on “deny” again(XSS went away)
Conclusions
The most interesting part of this exercise is that we have the ability to capture an audit log , without blocking anything, and understand what attacks are hitting the web site.
Lab5(FingerPrinting)
Startup
Ensure that Apache is set to block XSS with phids rules as before.
By knowing the Web Server type, and patches, it provides hackers a roadmap of what attacks to perform.
ModSecurity can fake the signature. Changing the httpd.conf:
HttpPrint scans our type (Apache)
Let’s pretend to be an IIS machine
Changing the httpd.conf:
And the mod_security.conf:
Now we are Apache appearing as IIS 5.0
WebKnight/IISLabs
Lab1(Starting IIS/Hacme Bank)
WebKnight
WebKnight is an Open Source Web Application Firewall from AQTronix, http://aqtronix.com/?PageID=99
IIS 5.1 and SQL Server 2008 be installed from (Need ISO/Disk for XP while Installing) Web Platform Installer http://www.microsoft.com/web/downloads/platform.aspx
What also will prove useful is the Web Visual Studio 2010 Express, http://www.microsoft.com/web/downloads/platform.aspx
The version of HacmeBank is an updated version of HacmeBank to work on the modern .NET frameworks, it may work with versions 2.0 – 4.0. It was updated from the older versions found at http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Using_O2_on:_HacmeBank
Ensure IIS is started and HacmeBank installed (Control Panel-> Administrative
Tools->Internet Information Services)
Webknight
HacmeBank has 3 main pieces: The Hacme_Bank_V2_WS – Hacme Bank Web Service
that will provide the Login web service to the Database, has .asmx files.
The Hacme_Bank_V2_Website – provides the asp files for the pages and forms.
The FoundStone_Bank Database will have to be installed.
FoundStone_Bank DB(SQL Server Management Studio)
Installing FoundStone_Bank DB
With the newer source code, there is a both a sql script and installer for the Database:
Visual Studio Web Express
Most of the management can be done by Visual Studio:
.NET Version
Be very aware of which .NET version is set for the Web Site, it will change many things.
Test the Hacme Web Service
http://localhost/HacmeBank_v2_WS/WebServices/UserManagement.asmx
Test the Hacme Web Service
Login Service, user “jv”, password “jv789”.
Test the Hacme Web Service
Return of “0001” means that it found it in the database.
Test the Hacme Web Site
http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, UserName “jv”, Password “jv789”.
Test the Hacme Web Site
Joe Vilella will Login OK.
Lab2(SQL Injection Test)
Intro to SQL Injection…
Many web pages communicate directly to a backend database for processing.
For example, a username and password is asked for on the Web page and the web page will pass it to the database to validate the information.
Some applications will not validate the field adequately before passing it to the database, and the database will process whatever it will receive.
Hackers will pass SQL commands directly to the database, and in some cases tables like “passwords” are returned because the SQL commands are not being filtered adequately.
SQL may return errors in the web page that even lists the correct tables to query so that the hacker may make more accurate attempts to get data.
SQL Injection
SQL Injection is the ability to inject malicious SQL commands into the backend code.
For example:
SELECT * FROM users WHERE username = ‘USRTEXT ' AND password = ‘PASSTEXT’
Passing ' OR 1=1-- in the USRTEXT field generates:
SELECT * FROM users WHERE username = ‘’ OR 1=1 -- '
AND password = ‘PASSTEXT’ The OR 1=1 returns true and the rest is commented
out
Common attack strings
‘ or 27(hex) – delineates SQL string values.“ or 22 (hex) – also delineates SQL string values.; or 3B (hex) - terminates statements.# or 23(hex) - also terminates a statement. (Access DB)/* or 2F2A (hex) - comment delimiter.-- or 2D2D (hex) – also comment delimiter.( or 28 (hex) or ) or 29 (hex) – logical sub clauses.{ or 7B (hex) or } or 7D (hex) – terminates a question.exec – used to call MS-SQL stored procedures.
union – a SQL command very common to SQL injection.
SQL Injection
http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use “' OR 1=1–” as the UserName and “Submit”.
SQL Injection
Joe Vilella will Login OK without a Username and Password.
Common Code fixes to SQL Injection…
Validate the form field to only accept specific input for the fields. For example, for login name use ^[0-9a-zA-Z]*$, which is
Regular expressions for an alpha-numerical field.
For Apache Struts, use the org.apache.struts.validator.ValidatorPlugin, http://www.owasp.org/index.php/Data_Validation_(Code_Review) .
For JSPs/Servlets, validate in the Servlet using the with the “java.utile.regex” framework in a similar manner.
Don’t use SQL Use Prepared Statements, or Hibernate, to call the database.
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
Lab3(XSS)
XSS in a form
http://localhost/HacmeBank_v2_Website/aspx/main.aspx?function=PostMessageForm
, type “<script>alert(document.cookie);</script>”
XSS
The cookie script will execute
Lab4(Install WebKnight)
WebKnight
A copy will be in MyDocuments:
WebKnight
The WebKnight page is http://aqtronix.com/?PageID=99 How to install can be found at
http://aqtronix.com/?PageID=99#Install The WebKnight FAQ can be found at
http://aqtronix.com/?PageID=114 and troubleshooting http://aqtronix.com/?PageID=114#trouble
WebKnight
Starting the Install:
WebKnight
Hit Typical:
WebKnight
Already done:
SQL Injection
http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use “' OR 1=1–” as the UserName and “Submit”.
SQL Injection
Out of the Box, it blocked SQL Injection.
Lab5(WebKnight)
WebKnight
The Webknight product has a Loaded .xml that shows what is currently loaded, a WebKnight.xml on what needs to be loaded next and a Robots.xml dedicated to Bots.
If you ever get into trouble, you can delete the WebKnight.XML and the default will be created.
WebKnight has preview settings to look at online http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
Make sure you edit the file WebKnight.xml and NOT Loaded.xml (this last one is for debugging and to see what is loaded in memory).
Once every minute, the Loaded.xml will replace itself with the WebKnight.xml.
WebKnight
The Webknight product has editors for looking at the logs and xml:
That are read from the AQTRONIX directory in Program Files:
WebKnight
You can even edit the WebKnight.XML directly if desired:
WebKnight
We don’t really know what was blocked. Looking at Log Anaylsis, part of the block was a shadow file:
WebKnight Loaded XML
WebKnight has several sections to configure sections of the configuration file.
WebKnight
By default, file uploads, Frontpage Extensions, WebDAV, ASP.NET and many protocols are turned off…..
WebKnight Logging
What to log can be specified
WebKnight Authentication
We can deny blank passwords, Admin passwords, common passwords , etc.
WebKnight Robots
We can deny Bots of various kinds.
WebKnight Robots.xml
Webknight aggressively attacks Bots, http://www.aqtronix.com/?PageID=114
WebKnight Robots.xml
Webknight has a Robots.xml just to configure for this effort:
Lab6(Config WebKnight)
Configuring WebKnight
Configuring WebKnight is mostly a combination of going between testing the site for desired results, looking at WebKnight’s Log Analysis to validate if the desired results match perceived results,a and using the WebKnight Configuration tool to change the results until they meet the desired outcome.
Always stop/start IIS after the changes.
WebKnight has preview settings to look at online http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
Make sure you edit the file WebKnight.xml and NOT Loaded.xml (this last one is for debugging and to see what is loaded in memory).
WebKnight
Looking back at WebKnight, the shadow.txtbox.gif appears as a shadow file and was blocked.
WebKnight
We set WebKnight to temporarily allow all files as test and Soap calls. Wait a minute for it to load as a Loaded.XML.
WebKnight
Now we can log in.
WebKnight
And SQL Injection is blocked.
WebKnight
Logging Only, instead of blocking, set the Incident Response section to “Response Log Only”.
SQL Injection
Joe Vilella will Login OK without a Username and Password.
SQL Injection
Joe Vilella will Login OK without a Username and Password.
Lab7(NetSparker)
Configuring WebKnight
Ensure that WebKnight is in Logging Only mode from the last exercise.
Ensure that Netsparker is installed, if not install it from the “My Documents” directory. It will require the .NET 3.5 framework.
Start scanning with Netsparker
If you are in Logging Only mode
If in Logging Only Mode, Netsparker will report many issues with the Hacme site.
The WebKnight logs will have many alerts in it from NetSparker attacking IIS.
Turn off the Logging Only mode
Double check by both checking the Loaded.xml and test the site for SQLInjection.
Rescan with the Logging Only mode off
The scan is cleaner
If there is time, we can go through the WebKnight.xml, change some settings, test, and continue to reconfigure WebKnight to get the optimal results.
Final Thoughts
Final Thoughts
Are there any Questions? Feel free to contact me at [email protected] Also, always only try these tools with your own
test site or with permission of the system owner.