Web Application Firewall
Introduction to ModSecurity

$ whoami
- Chandrapal
- Security Enthusiast
- Maintainer of @HackwithGithub
Contact:
- @bnchandrapal
- @HackwithGithub

Overview
- Introduction to WAF
- Different WAFs
- Implementation Models
- Mode of Action
- Pros
- Introduction to ModSecurity
- ModSecurity Concepts
- Cons

Introduction to WAF

Internet - created for sharing resources - without
security concern

It was static and lots of blogs, manuals and images

No logins - even if present it was easy to bruteforce

Dynamic websites with logins evolved and HTTPS was
introduced

HTTPS prevents MitM not logical errors

Introduction to WAF

Firewalls -> IDS -> IPS

Firewalls - work at network level - scanning each and
every packet makes the network slow

WAF : Web Application Firewall

Deals with web applications only - logical level

Different WAF
- Appliance-based Web application firewalls : Mostly hardware
Ex: Netscaler MPX WAF by Citrix
- Cloud and hybrid Web application firewalls : Entire infrastructure shared
with WAF providers, DDoS protection. Hybrid solutions are great for distributed
environments (such as multiple business locations) or when virtual deployments
make sense for an organization.
Ex: Cloud WAF: Incapsula's industry-leading WAF service
WAF product from Qualys exemplifies a hybrid virtual appliance/cloud approach.

Implementation Models

Positive Model: Focuses on what content should be
allowed i.e. whitelisting technique

Negative Model: Focuses on what should not be
allowed i.e. blacklisting technique

Mixed Model: Combination of both positive and negative
models

Positive Model
A positive security model enforces positive behavior by
learning the application logic and then building a security
policy of valid known requests as a user interacts with the
application.
Example:
Page news.jsp, the field id could only accept characters [0-9]
and starting at number 0 until 65535.

Positive Model
Pros:

Better performance (less rules).

Less false positives.
Cons:

Much more time to implement.

Some vendors provide “automatic learning mode”, they
help, but are far from perfect, in the end, you always need
a skilled human to review the policies.

Negative Model
A negative security model recognize attacks by relying on a
database of expected attack signatures.
Example:
Do not allow in any page, any argument value (user input)
which match potential XSS strings like <script>, </script> ,
String.fromCharCode, etc.

Negative Model
Pros:

Less time to implement
Cons:

More false positives.

More processing time.

Less protection.

Mode of Action
Based on the mode of action taken by firewalls:
Passive mode: If any suspicious activity detected, it gets
logged and a message is sent to the admin for manual
action
Reactive mode: If any suspicious activity detected, it
automatically blocks / resets the connection

Deployment Options - Embedded

Deployment Options - Reverse Proxy
WAF goes
here

Deployment Options - Port Mirroring

Pros
Virtual Patching : security policy enforcement layer which
prevents the exploitation of known vulnerability
Authenticate users directly : allow or deny a specific
incoming telnet command from a particular user
Better content filtering capabilities : ability to examine
the payload of packet
Stops Data Leakage *

ModSecurity

13 years old

Protects millions of websites

Community Support

Open source license (Apache Software License v2) for
OWASP Core Rule Set

Commercial Rule Set by Trustwave Spiderlabs

OWASP Core Rule Set providing general protection

One config to rule them all (Apache, IIS, nginx)

Why ModSecurity ?
* www.zeroscience.mk

ModSecurity Concepts
Processing Phases:

Request Headers

Request Body

Response Headers

Response Body

Logging / Action

ModSecurity Concepts
Transformations

Can be nested / run in serial

Replace Comments (SQLi)

URL Encode / Decode

Hex Encode / Decode

JavaScript Decode

HTML Entity Decode

Uppercase / Lowercase

Cons

False Positives

Packets should pass 7 layers of OSI - consumes a lot of CPU
cycle

vulnerable to the security loopholes of the underlying operating
system - susceptible to DDoS

reduced scalability of web apps **

positive model : Model are generally more expensive and
sophisticated

negative model : Protects known vulnerabilities - not 0days

Cons

False positives
BEST PART - 56.0% companies get fp less than 25%
WORST PART - 4.0% companies get false positives more than 95%
[not well verse in regex]
[ Could be corrected with manual log inspection ]

Not user-friendly

THANK YOU
Any Questions

Resources
Official website: https://modsecurity.org/
https://github.com/SpiderLabs/owasp-modsecurity-crs
http://www.slideshare.net/zeroscience/cloudflare-vs-incapsula-vs-modsecurity
https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-Virtual-Patching-Surv
https://www.youtube.com/watch?v=HkA_YRSb3jU [Defcon ]
https://www.youtube.com/watch?v=208bFToRJqo [BlackHat]
https://www.youtube.com/watch?v=pKGdIxArlKU