Web Application Firewall: Introduction to ModSecurity
$ whoami
Chandrapal
Security Enthusiast
Maintainer of @HackwithGithub
Contact: @bnchandrapal
@HackwithGithub
Overview
Introduction to WAF
Different WAFs
Implementation Models
Mode of Action
Pros
Introduction to ModSecurity
ModSecurity Concepts
Cons
Introduction to WAF
Internet - created for sharing resources - without security concerns
It was static: lots of blogs, manuals and images
No logins - and even where present, they were easy to bruteforce
Dynamic websites with logins evolved and HTTPS was introduced
HTTPS prevents MitM, not logical errors
Introduction to WAF
Firewalls -> IDS -> IPS
Firewalls - work at the network level - scanning each and every packet makes the network slow
WAF : Web Application Firewall
Deals with web applications only - the logical (application) level
Different WAF
- Appliance-based Web application firewalls : Mostly hardware
Ex: Netscaler MPX WAF by Citrix
- Cloud and hybrid Web application firewalls : Entire infrastructure shared with WAF providers, DDoS protection. Hybrid solutions are great for distributed environments (such as multiple business locations) or when virtual deployments make sense for an organization.
Ex: Cloud WAF: Incapsula's industry-leading WAF service. Hybrid WAF: the WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach.
Implementation Models
Positive Model: Focuses on what content should be allowed i.e. whitelisting technique
Negative Model: Focuses on what should not be allowed i.e. blacklisting technique
Mixed Model: Combination of both positive and negative models
Positive Model
A positive security model enforces positive behavior by learning the application logic and then building a security policy of valid known requests as a user interacts with the application.
Example: on page news.jsp, the field id may only accept the characters [0-9], with values from 0 up to 65535.
Positive Model
Pros: Better performance (fewer rules).
Fewer false positives.
Cons: Much more time to implement.
Some vendors provide an automatic learning mode; it helps, but is far from perfect. In the end, you always need a skilled human to review the policies.
Negative Model
A negative security model recognizes attacks by relying on a database of expected attack signatures.
Example: do not allow, on any page, any argument value (user input) which matches potential XSS strings like String.fromCharCode, etc.
Negative Model
Pros: Less time to implement
Cons: More false positives.
More processing time.
Less protection.
Mode of Action
Based on the mode of action taken by firewalls:
Passive mode: If any suspicious activity is detected, it gets logged and a message is sent to the admin for manual action
Reactive mode: If any suspicious activity is detected, it automatically blocks / resets the connection
Deployment Options - Embedded
Deployment Options - Reverse Proxy
(diagram label: WAF goes here)
Deployment Options - Port Mirroring
Pros
Virtual Patching : a security policy enforcement layer which prevents the exploitation of a known vulnerability
Authenticate users directly : allow or deny a specific incoming telnet command from a particular user
Better content filtering capabilities : ability to examine the payload of a packet
Stops Data Leakage *
ModSecurity
Why ModSecurity?
13 years old
Protects millions of websites
Community Support
Open source license (Apache Software License v2) for OWASP Core Rule Set
Commercial Rule Set by Trustwave Spiderlabs
OWASP Core Rule Set providing general protection
One config to rule them all (Apache, IIS, nginx)
* www.zeroscience.mk
ModSecurity Concepts
Processing Phases:
Request Headers
Request Body
Response Headers
Response Body
Logging / Action
ModSecurity Concepts
Transformations
Can be nested / run in serial
Replace Comments (SQLi)
URL Encode / Decode
Hex Encode / Decode
JavaScript Decode
HTML Entity Decode
Uppercase / Lowercase
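The processing phases and transformation chain above, together with the positive-model news.jsp example and the passive/reactive modes from earlier slides, as an added ModSecurity 2.x configuration example (not part of the deck); the rule ids, the SecRuleEngine setting and the /news.jsp path matching are assumptions made for the example.

```apache
# Added example, not from the deck. Rule ids 100001-100004 are arbitrary
# local-range ids chosen for this illustration.

# Mode of action: DetectionOnly = passive (log only), On = reactive (block).
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess On

# Positive model, from the news.jsp example: on that page the id argument
# must be present exactly once, contain only digits, and lie in 0..65535.
# Every SecRule in a chain must match before the disruptive action fires,
# so each way the input can be wrong gets its own chain.
SecRule REQUEST_FILENAME "@endsWith /news.jsp" \
    "id:100001,phase:2,chain,deny,status:403,log,msg:'news.jsp: id missing or repeated'"
    SecRule &ARGS:id "!@eq 1"

SecRule REQUEST_FILENAME "@endsWith /news.jsp" \
    "id:100002,phase:2,chain,deny,status:403,log,msg:'news.jsp: id is not a decimal number'"
    SecRule ARGS:id "!@rx ^[0-9]{1,5}$" "t:none"

SecRule REQUEST_FILENAME "@endsWith /news.jsp" \
    "id:100003,phase:2,chain,deny,status:403,log,msg:'news.jsp: id above 65535'"
    SecRule ARGS:id "@gt 65535" "t:none"

# Negative model with a transformation chain (phase 2 = request body):
# transformations run in the order listed, so the argument is URL-decoded,
# HTML-entity-decoded, JavaScript-decoded and lowercased before the
# signature is compared, which is why the pattern itself is lowercase.
# t:none first clears any default chain inherited from SecDefaultAction.
SecRule ARGS "@rx string\.fromcharcode" \
    "id:100004,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:lowercase,deny,status:403,log,msg:'XSS signature: String.fromCharCode'"
```

With SecRuleEngine DetectionOnly the deny actions are only recorded in the audit log, which is the passive mode of the deck; switching it to On turns the same rules reactive.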
Cons
False Positives
Packets should pass the 7 layers of OSI - consumes a lot of CPU cycles
Vulnerable to the security loopholes of the underlying operating system - susceptible to DDoS
Reduced scalability of web apps **
Positive model : generally more expensive and sophisticated
Negative model : protects against known vulnerabilities - not 0days
Cons
False positives
BEST PART - 56.0% of companies get false positives less than 25% of the time
WORST PART - 4.0% of companies get false positives more than 95% of the time [not well versed in regex]
[ Could be corrected with manual log inspection ]
Not user-friendly
THANK YOU
Any Questions?
Resources
Official website: https://modsecurity.org/
https://github.com/SpiderLabs/owasp-modsecurity-crs
http://www.slideshare.net/zeroscience/cloudflare-vs-incapsula-vs-modsecurity
https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-Virtual-Patching-Survey-Results/
https://www.youtube.com/watch?v=HkA_YRSb3jU [Defcon]
https://www.youtube.com/watch?v=208bFToRJqo [BlackHat]
https://www.youtube.com/watch?v=pKGdIxArlKU