Introduction to Mod security session April 2016

Introduction to ModSecurity, CRS & Demo



  1. Rahul Choudhary @r3dinf0
  2. What is a Web Application Firewall (WAF)???
     • Protects a web application by adding a security layer
     • Present between a user and a web server
     • Understands HTTP traffic better than traditional firewalls
     • Checks for malicious traffic and blocks it
     Diagram: user requests web application → WAF (e.g. ModSecurity) identifies and blocks malicious requests → web application servers
  3. ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
  4. What ModSecurity Can do ???
     • Real-time application security monitoring and access control
     • Virtual patching
     • Full HTTP traffic logging
     • Continuous passive security assessment
     • Web application hardening
  5. What ModSecurity Can do ???
     • HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
     • Real-time Blacklist Lookups - utilizes 3rd-party IP reputation.
     • HTTP Denial of Service Protections - defense against HTTP flooding and Slow HTTP DoS attacks.
     • Common Web Attacks Protection - detecting common web application security attacks.
     • Automation Detection - detecting bots, crawlers, scanners and other surface malicious activity.
  6. What ModSecurity Can do ???
     • Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
     • Trojan Protection - detecting access to Trojan horses.
     • Identification of Application Defects - alerts on application misconfigurations.
     • Error Detection and Hiding - disguising error messages sent by the server.
  7. ModSecurity Processing Phases ..
     • Request Headers
     • Request Body
     • Response Headers
     • Response Body
     • Logging / Action
  8. ModSecurity's Rules Language Syntax
     SecRule TARGETS OPERATOR [ACTIONS]
     • TARGETS tells ModSecurity where to look (such as ARGS, ARGS_NAMES or COOKIES).
     • OPERATOR tells ModSecurity how to process the data.
     • ACTIONS tells ModSecurity what to do if a rule matches (such as deny, exec or setvar).
     Example (CRS 2.2.9 rule 973336, XSS script-tag filter; backslashes in the regex were lost in the slide export and are restored here):
       SecRule ARGS "(?i)(<script[^>]*>[\s\S]*?</script[^>]*>|<script[^>]*>[\s\S]*?</script[[\s\S]]*[\s\S]|<script[^ >]*>[\s\S]*?</script[\s]*[\s]|<script[^>]*>[\s\S]*?</script|<script[^>]*>[\s\S]*?)" \
         "id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'8',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag Vector',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
  9. ModSecurity Transformations ..
     • SQLi
     • URL Encode / Decode
     • Hex Encode / Decode
     • JavaScript Decode
     • HTML Entity Decode
     • Uppercase / Lowercase
     • MD5 / SHA1
     • Normalize Paths
  10. Ok I understand .. But how can I deploy it ???
      ModSecurity supports two deployment options:
      • Embedded: ModSecurity is an Apache module; you can add it to any compatible version of Apache. The embedded option is a great choice for those who already have their architecture laid out and don't want to change it.
      • Reverse proxy deployment: when you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a network web application firewall, which you can use to protect any number of web servers on the same network. Many security practitioners prefer having a separate security layer. With it you get complete isolation from the systems you are protecting.
  11. Core Rule Set (CRS) ..???
      The OWASP community has developed and maintains a set of rules called the OWASP CRS.
      CRS provides generic protection from unknown vulnerabilities often found in web applications.
  12. Core Rules …
      HTTP protocol protection
      • RFCs
      • Defined policy
      Common Web Attack Protections
      • XSS, SQLi, CSRF, HTTP Response Splitting
      Automation Detection
      • Bots, web crawlers, web scanners
      Trojan Protection
      Server Error Hiding / DLP
      • Mask errors sent by the server
      • Data Loss Prevention
  13. Core Rule Set (CRS) run modes ..???
      The CRS can run in two modes: traditional and anomaly scoring.
      • Traditional mode: the first rule that matches will block the request.
      • Anomaly scoring mode: the rules increment counters that "enumerate badness", and if the accumulated score exceeds a threshold then the request is blocked.
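The SecRule syntax (slide 8), the transformations (slide 9) and the anomaly-scoring run mode (slide 13), as an added configuration example that is not from the slides or from the CRS itself. It assumes ModSecurity 2.x embedded in Apache, loaded after the main modsecurity.conf, and uses made-up rule ids in the 100xxx range and a made-up threshold of 5.

```apache
# Added example (not from the slides): minimal ModSecurity 2.x configuration
# illustrating rule syntax, phases, transformations and anomaly scoring.
SecRuleEngine On
SecRequestBodyAccess On

# Anomaly-scoring mode: matching rules only log and add to the score;
# the blocking decision is taken by the threshold rule at the end of phase 2.
SecDefaultAction "phase:2,log,auditlog,pass"

# Score weights and threshold (made-up values), set in phase 1 so they
# exist before any scoring rule in phase 2 runs.
SecAction "id:100000,phase:1,nolog,pass,t:none,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_threshold=5"

# TARGETS (ARGS|ARGS_NAMES|REQUEST_COOKIES), OPERATOR (@rx), ACTIONS.
# Transformations run first, so a URL- or entity-encoded <script> still matches.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@rx (?i)<script[^>]*>" \
  "id:100001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
  log,capture,msg:'Script tag in request parameter',\
  logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Directory traversal in any parameter (relevant to the DVWA file inclusion test).
SecRule ARGS "@rx (?:^|/)\.\.(?:/|$)" \
  "id:100002,phase:2,t:none,t:urlDecodeUni,t:removeNulls,\
  log,msg:'Directory traversal attempt',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Anomaly-scoring decision: must come after the scoring rules in phase 2.
# One critical match (5) already reaches the threshold (5) and is denied.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
  "id:100100,phase:2,deny,status:403,log,\
  msg:'Inbound anomaly score %{tx.anomaly_score} exceeded threshold'"

# Traditional mode equivalent of rule 100001: the first match blocks on its own,
# with no score and no threshold rule needed.
# SecRule ARGS "@rx (?i)<script[^>]*>" \
#   "id:100003,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Script tag'"
```

Check the result with `apachectl configtest` and then watch modsec_audit.log: in scoring mode a denied request shows the scoring rule's message followed by the threshold rule's message.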
  14. Enough …. Give me a scenario !!
      Diagram: ModSecurity configured with Apache serving as reverse proxy (x.y.z.a); DVWA deployed on a web server.
      --- AWS Environment for Testing purpose ---
  15. Apache configured as Reverse Proxy …
  16. Access Vulnerable DVWA host on cloud
  20. DVWA File Inclusion Test (MODSECURITY: OFF)
  21. ModSecurity Audit Log during Attack (MODSECURITY: ON)
  23. Sample commands to Track & Block...
      Track IP addresses:
        curl | cut -d " " -f3,4
      Rotate ModSecurity logs:
        while true; do cat modsec_audit.log | grep -e HTTP/1.1 -e 000; sleep 10; clear; done
      or
        tail -f modsec_audit.log
      Block IP:
        iptables -A INPUT -s xx.xx.xx.xx -j DROP
  24. How to install ??? Refer: download.html
  25. Play online with MODSECURITY !!!
  26. Relevant Talks … [Defcon] [BlackHat]
  27. Must attend !! …