Web Application Firewall


Introduction to ModSecurity

$ whoami

Chandrapal

Security Enthusiast

Maintainer of @HackwithGithub

Contact: @bnchandrapal

@HackwithGithub

Overview

Introduction to WAF

Different WAFs

Implementation Models

Mode of Action

Pros

Introduction to ModSecurity

ModSecurity Concepts

Cons

Introduction to WAF

The Internet was created for sharing resources, with no security concerns in mind

Content was static: lots of blogs, manuals and images

No logins; where they existed, they were easy to brute-force

Dynamic websites with logins evolved and HTTPS was introduced

HTTPS prevents MitM attacks, not logical errors in the application

Introduction to WAF

Firewalls -> IDS -> IPS

Firewalls work at the network level; scanning each and every packet slows the network down

WAF: Web Application Firewall

Deals with web application traffic only, at the logical (application) level

Different WAFs

- Appliance-based web application firewalls: mostly hardware. Ex: NetScaler MPX WAF by Citrix

- Cloud and hybrid web application firewalls: the entire infrastructure is shared with the WAF provider, which usually bundles DDoS protection. Hybrid solutions suit distributed environments (such as multiple business locations) or organizations where virtual deployments make sense. Ex: Cloud WAF: Incapsula's WAF service; the WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach.

Implementation Models

Positive Model: focuses on what content should be allowed, i.e. a whitelisting technique

Negative Model: focuses on what should not be allowed, i.e. a blacklisting technique

Mixed Model: a combination of the positive and negative models

Positive Model

A positive security model enforces known-good behavior: it learns the application logic and builds a security policy of valid, known requests as users interact with the application.

Example: on page news.jsp, the field id may only contain the characters [0-9] and its value must lie in the range 0 to 65535.

Positive Model

Pros: better performance (fewer rules).

Fewer false positives.

Cons: much more time to implement.

Some vendors provide an automatic learning mode; it helps, but it is far from perfect. In the end you always need a skilled human to review the policies.

Negative Model

A negative security model recognizes attacks by relying on a database of known attack signatures.

Example: on any page, reject any argument value (user input) that matches potential XSS strings such as String.fromCharCode, etc.

Negative Model

Pros: less time to implement

Cons: more false positives.

More processing time.

Less protection.
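The two models side by side, as an added example for this deck (not ModSecurity code and not from the original slides). The per-page policy for news.jsp and search.jsp, the three XSS signatures and the sample requests are all constructed here for illustration; the only thing taken from the deck is the news.jsp rule that id must be digits in the range 0 to 65535.

```python
"""Positive (allow-list) vs negative (deny-list) WAF policy on the same traffic.
Added example for this deck, not ModSecurity code: the page policies, the
signatures and the sample requests are all constructed for illustration."""
import re
from typing import Callable, Dict, List, Tuple

Validator = Callable[[str], bool]


def valid_news_id(value: str) -> bool:
    """The deck's news.jsp rule: digits only, and 0 <= id <= 65535.
    A character class alone cannot express the upper bound, so the value is
    parsed after the digits check (which also guarantees int() cannot fail)."""
    return re.fullmatch(r"[0-9]{1,5}", value) is not None and int(value) <= 65535


# Positive model: for each known page, the parameters allowed and how each is
# validated. Unknown pages, unknown parameters and invalid values are rejected.
POSITIVE_POLICY: Dict[str, Dict[str, Validator]] = {
    "/news.jsp": {"id": valid_news_id},
    "/search.jsp": {"q": lambda v: 0 < len(v) <= 64 and v.isprintable()},
}

# Negative model: attack signatures applied to every argument on every page.
NEGATIVE_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("xss-script-tag", re.compile(r"<\s*script", re.IGNORECASE)),
    ("xss-fromcharcode", re.compile(r"String\.fromCharCode", re.IGNORECASE)),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.IGNORECASE)),
]


def positive_check(path: str, args: Dict[str, str]) -> Tuple[bool, str]:
    """Allow only what the policy describes; everything else is blocked."""
    policy = POSITIVE_POLICY.get(path)
    if policy is None:
        return False, f"unknown page {path}"
    for name, value in args.items():
        validator = policy.get(name)
        if validator is None:
            return False, f"unknown parameter {name!r} on {path}"
        if not validator(value):
            return False, f"parameter {name!r} failed validation"
    return True, "ok"


def negative_check(path: str, args: Dict[str, str]) -> Tuple[bool, str]:
    """Block only values matching a known signature; everything else passes."""
    for name, value in args.items():
        for sig_name, pattern in NEGATIVE_SIGNATURES:
            if pattern.search(value):
                return False, f"{sig_name} in parameter {name!r}"
    return True, "ok"


# Constructed sample traffic (not real logs).
SAMPLE_REQUESTS = [
    ("/news.jsp", {"id": "42"}),                          # legitimate
    ("/news.jsp", {"id": "<script>alert(1)</script>"}),   # classic XSS
    ("/news.jsp", {"id": "70000"}),                       # digits, but out of range
    ("/news.jsp", {"id": "1", "debug": "1"}),             # parameter nobody documented
    ("/search.jsp", {"q": "onload= handler tutorial"}),   # benign text that looks like XSS
]


def compare_models(requests=SAMPLE_REQUESTS):
    """Run both models over the traffic: one (path, args, positive, negative) row per request."""
    return [
        (path, args, positive_check(path, args), negative_check(path, args))
        for path, args in requests
    ]


if __name__ == "__main__":
    for path, args, (pos_ok, pos_why), (neg_ok, neg_why) in compare_models():
        print(f"{path} {args}")
        print(f"  positive model: {'allow' if pos_ok else 'BLOCK'} ({pos_why})")
        print(f"  negative model: {'allow' if neg_ok else 'BLOCK'} ({neg_why})")
```

Rows three and four are the point of the positive model: an out-of-range id and an undocumented debug parameter match no signature, so the negative model lets them through, while the allow-list rejects them without anyone having written a rule for that attack. Row five is the cost the deck lists for the negative model: ordinary search text trips the event-handler signature, a false positive the allow-list never sees.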

Mode of Action

Based on the action the firewall takes when suspicious activity is detected:

Passive mode: the activity is logged and a message is sent to the admin for manual action

Reactive mode: the connection is automatically blocked / reset

Deployment Options - Embedded: the WAF runs as a module inside the web server itself (the classic ModSecurity setup on Apache)

Deployment Options - Reverse Proxy: the WAF is a separate server in front of the application; clients talk to the WAF, which forwards only the requests it accepts

Deployment Options - Port Mirroring: the WAF receives a copy of the traffic from a network tap or mirrored switch port, so it can only detect and alert (passive mode), not block

Pros

Virtual patching: a security policy enforcement layer that prevents exploitation of a known vulnerability without changing the application code

Authenticate users directly: allow or deny specific requests from a particular user

Better content filtering capabilities: ability to examine the full payload of the request and response, not only the headers

Stops data leakage *

Why ModSecurity?

13 years old

Protects millions of websites

Community support

Open source license (Apache Software License v2) for the OWASP Core Rule Set

Commercial rule set by Trustwave SpiderLabs

OWASP Core Rule Set providing general protection

One config to rule them all: the same rules run on Apache, IIS and nginx

* www.zeroscience.mk

ModSecurity Concepts

Processing Phases:

Phase 1: Request Headers

Phase 2: Request Body

Phase 3: Response Headers

Phase 4: Response Body

Phase 5: Logging / Action
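How the five phases and the passive/reactive modes from the Mode of Action slide fit together, as an added example written for this deck (not ModSecurity code and not from the slides). The rule set, the stand-in backend that leaks a stack trace when it sees a stray quote, and the sample requests are all constructed; the phase numbers are ModSecurity's.

```python
"""Request/response inspection split into ModSecurity-style processing phases
(1 request headers, 2 request body, 3 response headers, 4 response body,
5 logging), run in either the deck's passive (detect-only) or reactive
(blocking) mode. Added example, not ModSecurity code: the rules, the stand-in
backend and the sample requests are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

REQUEST_HEADERS, REQUEST_BODY, RESPONSE_HEADERS, RESPONSE_BODY, LOGGING = 1, 2, 3, 4, 5


@dataclass
class Transaction:
    headers: Dict[str, str]
    body: str
    resp_headers: Dict[str, str] = field(default_factory=dict)
    resp_body: str = ""
    status: int = 200
    blocked: bool = False
    log: List[str] = field(default_factory=list)


@dataclass
class Rule:
    rule_id: int
    phase: int                            # the only phase in which check() runs
    check: Callable[[Transaction], bool]  # True when the rule matches
    msg: str


RULES = [
    Rule(1001, REQUEST_HEADERS, lambda tx: "sqlmap" in tx.headers.get("User-Agent", "").lower(), "scanner user agent"),
    Rule(1002, REQUEST_BODY, lambda tx: re.search(r"union\s+select", tx.body, re.I) is not None, "SQLi in request body"),
    Rule(1003, RESPONSE_BODY, lambda tx: "Stack trace" in tx.resp_body, "error detail leaked in response"),
]


def backend(tx: Transaction) -> None:
    """Constructed stand-in for the protected application: a stray quote makes it
    fail and leak a stack trace, which is what a phase-4 rule exists to catch."""
    if "'" in tx.body:
        tx.status, tx.resp_body = 500, "Stack trace: java.sql.SQLException near \"'\""
    else:
        tx.status, tx.resp_body = 200, "<html>ok</html>"
    tx.resp_headers["Content-Type"] = "text/html"


def run_phase(tx: Transaction, phase: int, rules: List[Rule], blocking: bool) -> bool:
    """Evaluate the rules bound to one phase. Returns False when the transaction
    was blocked (reactive mode); in passive mode a match is only logged."""
    for rule in rules:
        if rule.phase == phase and rule.check(tx):
            tx.log.append(f"phase {phase} rule {rule.rule_id}: {rule.msg}")
            if blocking:
                tx.blocked, tx.status, tx.resp_body = True, 403, ""
                return False
    return True


def process(headers: Dict[str, str], body: str, blocking: bool = True, rules: List[Rule] = RULES) -> Transaction:
    tx = Transaction(headers=dict(headers), body=body)
    # Phases 1 and 2 run before the application sees the request: a block here
    # means the vulnerable code never executes (virtual patching).
    if run_phase(tx, REQUEST_HEADERS, rules, blocking) and run_phase(tx, REQUEST_BODY, rules, blocking):
        backend(tx)
        # Phases 3 and 4 inspect what the application produced: a block here
        # keeps the leak from reaching the client, but the request already ran.
        if run_phase(tx, RESPONSE_HEADERS, rules, blocking):
            run_phase(tx, RESPONSE_BODY, rules, blocking)
    # Phase 5 always runs, whatever happened before.
    tx.log.append(f"phase {LOGGING}: status={tx.status} blocked={tx.blocked}")
    return tx


if __name__ == "__main__":
    for mode in (True, False):
        print("reactive" if mode else "passive")
        for hdrs, body in [({"User-Agent": "sqlmap/1.7"}, "id=1"),
                           ({"User-Agent": "Mozilla/5.0"}, "id=1 UNION SELECT password FROM users"),
                           ({"User-Agent": "Mozilla/5.0"}, "id=1'")]:
            print("  ", body, process(hdrs, body, blocking=mode).log)
```

The third request is the one worth staring at: nothing in phases 1 or 2 matches it, so the application runs and fails, and only the response-body rule in phase 4 stops the stack trace. In passive mode the same rule fires, the log entry is written, and the client still receives the trace, which is exactly the trade-off the passive/reactive slide describes.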

ModSecurity Concepts

Transformations

Can be nested / run in series

Replace / remove comments (SQLi)

URL encode / decode

Hex encode / decode

JavaScript decode

HTML entity decode

Uppercase / lowercase
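Why the transformations are run in series, as an added example for this deck (not ModSecurity's own implementation; the transformation names follow ModSecurity's t: functions but the code, the two signatures and the evasion payloads are constructed here). One signature written against the normalized value catches comment-splitting, URL encoding, HTML entities, JavaScript escapes and case games, and the last payload shows the edge case where a single decode pass is not enough.

```python
"""Transformations in the style of ModSecurity's t: functions (urlDecode,
htmlEntityDecode, jsDecode, removeComments, lowercase), chained in series so
that one signature written against the normalized value catches several
encodings. Added example, not ModSecurity code; the evasion payloads and
signatures are constructed for illustration."""
import html
import re
from typing import Callable, Dict, List
from urllib.parse import unquote

_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def js_decode(s: str) -> str:
    """Decode JavaScript \\xHH and \\uHHHH escapes."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def remove_comments(s: str) -> str:
    """Drop SQL /* ... */ comments, including the empty /**/ used to split keywords."""
    return re.sub(r"/\*.*?\*/", "", s, flags=re.DOTALL)


TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "urlDecode": unquote,               # %3C -> <
    "htmlEntityDecode": html.unescape,  # &lt; -> <
    "jsDecode": js_decode,              # \x3c -> <
    "removeComments": remove_comments,  # UN/**/ION -> UNION
    "lowercase": str.lower,
}

# Order matters: undo the outer encodings first, strip comments, then fold case.
DEFAULT_CHAIN = ["urlDecode", "htmlEntityDecode", "jsDecode", "removeComments", "lowercase"]

# Signatures are written once, against the normalized (decoded, lowercase) form.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select"),
    "xss-script-tag": re.compile(r"<script"),
}


def normalize(value: str, chain: List[str] = DEFAULT_CHAIN) -> str:
    """Run the named transformations in series, like t:a,t:b,t:c in a rule."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


def detect(value: str, chain: List[str] = DEFAULT_CHAIN) -> List[str]:
    """Names of the signatures that match the value after normalization."""
    normalized = normalize(value, chain)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(normalized)]


def detect_raw(value: str) -> List[str]:
    """The same signatures run against the raw value: what evasion is aimed at."""
    return detect(value, chain=[])


# Constructed evasion payloads, one per encoding the chain undoes.
EVASIONS = [
    "UN/**/ION%20SEL/**/ECT password FROM users",  # comments + URL encoding + case
    "&lt;ScRiPt&gt;alert(1)&lt;/script&gt;",       # HTML entities + mixed case
    "\\x3cscript\\x3ealert(1)",                    # JavaScript escapes
    "%253Cscript%253E",                            # double URL encoding: one decode is not enough
]

if __name__ == "__main__":
    for payload in EVASIONS:
        print(f"{payload!r}\n  raw: {detect_raw(payload)}\n  normalized {normalize(payload)!r}: {detect(payload)}")
    # Double encoding needs a second urlDecode in front of the chain.
    print("double-decoded:", detect("%253Cscript%253E", ["urlDecode"] + DEFAULT_CHAIN))
```

Every payload in the list passes the raw signatures and fails after normalization, except the double-encoded one: a single urlDecode turns %253C into %3C, not into <, so that rule needs the decode step listed twice. This is also the caveat behind the deck's false-positive numbers: each extra decode pass widens what the signature matches, so legitimate text containing a literal "%3Cscript" would now be flagged too.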

Cons

False positives

Traffic has to be processed all the way up to layer 7 of the OSI model, which consumes a lot of CPU cycles

Inherits the security loopholes of the underlying operating system; susceptible to DDoS

Reduced scalability of web apps **

Positive model: policies are generally more expensive and sophisticated to build

Negative model: protects against known attack patterns, not 0-days

Cons

False positives

Best part: 56.0% of companies see a false-positive rate below 25%

Worst part: 4.0% of companies see a false-positive rate above 95% [not well versed in regex]

[ Could be corrected with manual log inspection ]

Not user-friendly

THANK YOU

Any Questions?

Resources

Official website: https://modsecurity.org/

https://github.com/SpiderLabs/owasp-modsecurity-crs

http://www.slideshare.net/zeroscience/cloudflare-vs-incapsula-vs-modsecurity

https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-Virtual-Patching-Survey-Results/

https://www.youtube.com/watch?v=HkA_YRSb3jU [DEF CON]

https://www.youtube.com/watch?v=208bFToRJqo [Black Hat]

https://www.youtube.com/watch?v=pKGdIxArlKU