The WAF book intro: attack elements v1.0 – Lior Rotkovitch
Practical Defensive Security
for Security Engineers
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
Web App Firewall
https://SIRT.club
By: Lior Rotkovitch
70295
©
Vulnerabilities - Software bugs
Bugs = glitch – “unexpected condition in software” (LR)
-> Security bug – a bug that can be used to assist with attack goals.
-> Vulnerability – a software bug with security ramifications.
[Diagram: web application stack (web servers, application servers, database servers) reached from the web through ISPs and clouds; bugs marked on the web and application server tiers]
Vulnerabilities – security design bugs
[Diagram: the same web application stack (web servers, application servers, database servers) reached from the web through ISPs and clouds]
▪ Design bugs – insecure implementations
▪ Misconfiguration bugs – wrong settings, insecure defaults
Expected traffic footprint
[Chart: request rate over 21 time intervals, one series per source IP (IP1..IP5), y-axis 0..60]
IP’s (per-source statistics; the column headers did not survive extraction):
Aggregated      21.21k  23.57  36.72k
172.29.46.6      2.75k   3.05   4.08k
10.0.0.138       2.26k   2.51   5.27k
192.168.1.1      2.25k   2.50   3.10k
172.29.44.44     2.23k   2.48   4.64k
192.168.1.254    2.01k   2.23   2.82k
[Diagram: traffic sources reaching the web application: ISPs, partners, unknown users, web bots (automated traffic), coffee shop users, mobile users]
Attacks:
▪ Floods
▪ Brute force
▪ Scraping
▪ ...
Load % Statistics
CPU          70%   0/1/2
Memory       72%   80GB
Throughput   35%   11.7Mbps
RPS          25%   10k
The app itself can neither detect nor enforce this footprint.
Attacking the Web App
Attack: offending traffic that violates the expected usage.
[Diagram: web server/s, application server/s, database server/s; chart of request rate per source IP (IP1..IP5) over 21 intervals, y-axis 0..50]
Load % Statistics
CPU          70%   0/1/2
Memory       72%   80GB
Throughput   35%   11.7Mbps
RPS          25%   10k
Hacking goals:
▪ Service
▪ App Data
▪ Computing power
Attack status brief
Type:
• Fun
• Random
• Targeted
Motivation:
• Fun and Profit
• Fame
• Just because they can
Execution:
• Vulnerability hunting
• DDoS
• Brute force
• Malware
• BotNet
• Automation
• More…
[Diagram: clients and the web]
Hackers want your assets! Your infra, your data, your users.
Attack Elements
Attacks occur when vulnerable software meets the exploit that was sent by the attack agent at the attack surface.
[Diagram: HTTP -> web application (web servers, app servers, database)]
Vulnerability
[Diagram: HTTP -> application/s -> request handler/s -> database/s, with the vulnerability marked]
Vulnerability – a software condition (bug) with security implications that creates a risk to the application assets.
Vulnerability: the root-cause security bug.
Vulnerability examples:
• Code
• Configuration
• Design
• No ATF enforcement
Main reasons:
• Validation
• Functionality
• Limitations
Attack Surface
[Diagram: HTTP -> application/s -> request handler/s -> database/s, with the vulnerability location marked]
Attack surface – the place where the vulnerability exists. It also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
Attack surface examples:
1. Code – function, library, URL, parameter
2. Infrastructure – OS, servers, virtualization, keys
3. System – hardware, network, devices
Attack Agent
[Diagram: request generator tool -> HTTP -> application/s -> request handler/s -> database/s]
Attack agent – the software vehicle that is used to send the exploit to the attack surface.
Operates from:
• Clouds
• Mobiles
• PC / tablet
• IoT
Software types:
• CLI
• Browser automation
• Client framework
Exploit
[Diagram: HTTP -> application/s -> request handler/s -> database/s]
Exploit – the code / pattern that activates the vulnerability and allows exploitation of it: the actual code that triggers the vulnerability.
Exploit types:
• POC exploit
• Exploitation exploit
• Weaponized exploit – RCE
Attack Vector
[Diagram: HTTP -> application/s -> request handler/s -> database/s]
Attack technique and / or goal. We use the same attack elements for all the attacks; the vector is the technique used to achieve the goal.
Goals:
• Deny service / impact performance – DoS
• Extract data from DB – SQLi
• Session stealing – XSS
• Account takeover – brute force
Technique:
• DoS (floods, load)
• SQLi
• XSS
• Brute force
• Etc…
Attack Elements
Attack Agent, Exploit, Attack Vector, Vulnerability, Attack Surface
A bug is a software condition that wasn’t intended to happen and affects the functionality of the software. A vulnerability is a bug with security implications that creates a risk to the application assets, i.e. a security bug.
Attack surface – the location where the vulnerability exists. It also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
Attack agent – the software vehicle used to send the exploit to the attack surface that contains the vulnerability.
Exploit – the code / pattern that activates the vulnerability and allows exploitation of the vulnerability.
We use the same attack elements for all the attacks. The vector is the technique used to achieve the goal.
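Added example (not from the deck) that pins the five attack elements to code, using the traversal request shown on the traffic-footprint slide: the q parameter of /search.php is the attack surface, the ../ pattern is the exploit, the handler that joins q into a filesystem path is the vulnerability, and the client sending the request is the agent. The function names, the temporary directory layout and the secret file (standing in for /etc/passwd) are constructed for this example.

```python
import os
import tempfile
from urllib.parse import parse_qs, urlsplit

# Request line taken from the deck's traffic-footprint slide.
TRAVERSAL_REQUEST = "GET /search.php?q=../../../../../../etc/passwd HTTP/1.1"


def parse_request_line(request_line: str) -> dict:
    """Split a request line into method, path and query params (the attack surface)."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "params": parse_qs(parts.query)}


def search_vulnerable(docroot: str, q: str) -> str:
    """Vulnerable handler: q is joined straight into a filesystem path.
    os.path.join keeps '..' components, so q can walk out of docroot/pages."""
    with open(os.path.join(docroot, "pages", q), encoding="utf-8") as fh:
        return fh.read()


def resolve_within(root: str, relative: str) -> str:
    """Canonicalise root/relative and refuse anything that escapes root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{relative!r} escapes {root}")
    return candidate


def search_hardened(docroot: str, q: str) -> str:
    """Hardened handler: same result for legitimate pages, traversal is rejected."""
    path = resolve_within(os.path.join(docroot, "pages"), q)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def build_site() -> tuple:
    """Constructed sample filesystem: a document root with one page and a
    secret file one level above it (stands in for /etc/passwd)."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.makedirs(os.path.join(docroot, "pages"))
    with open(os.path.join(docroot, "pages", "about.txt"), "w", encoding="utf-8") as fh:
        fh.write("about page")
    with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("secret")
    return base, docroot


def demo() -> dict:
    """Run both handlers against a legitimate page and the traversal exploit."""
    _base, docroot = build_site()
    legit = "about.txt"
    exploit = "../../secret.txt"  # pages/ -> www/ -> base/secret.txt
    results = {
        "legit_vulnerable": search_vulnerable(docroot, legit),
        "legit_hardened": search_hardened(docroot, legit),
        "exploit_vulnerable": search_vulnerable(docroot, exploit),
    }
    try:
        search_hardened(docroot, exploit)
        results["exploit_hardened"] = "served"
    except PermissionError:
        results["exploit_hardened"] = "blocked"
    return results


if __name__ == "__main__":
    print(parse_request_line(TRAVERSAL_REQUEST))
    print(demo())
```

The hardened handler checks the canonical path against the document root instead of filtering the string "../", so encoded or nested variants of the exploit meet the same check.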
Threat Landscape - Traditional
[Diagram: users / HTTP clients -> web server/s -> app server -> database server (the web application); labels: “App owner”, “Hacker playground ..;-()”]
Threat Landscape - Modern
[Diagram: traffic sources (DevOps, partners, mobile users, ads / 3rd-party services, remote employees, users, web bots as allowed automated traffic, mobile app / API) send requests across the Internet and cloud into an abstraction layer (authorization, SIEM, analytics) in front of the application/s, request handler/s and database/s; further labels: DEV, OPSSEC, INSIDER, HACKED, PURPOSE BUILD BOTNET]
Attack Automation
[Diagram: HTTP -> web application, marked AUTO]
▪ Attack agent automation = bot / botnet
▪ Exploit automation = scanner
▪ Bot = AE automation
▪ Attack surface automation = scanner
▪ Vulnerability automation = vulnerability hunting
Attack agent automation
Automation type – simulating browser capabilities:
▪ CLI browser
▪ Full browser automation
▪ Full human browser simulators
Exploit Automation
Automation type – multiple exploits (shifting exploits):
▪ Shifting payloads
▪ Single app
▪ Same site
[Diagram: exploits E1..E6 rotated against one attack surface; E5 -> AS -> Vul]
Vul / attack surface automation
Automation – attack agent – shifting AS/Vul:
▪ Different vul
▪ Rotation of AS:Vul pairs
▪ Many apps
▪ Many sites
[Diagram: the attack agent cycling through the pairs Vul1/AS1, Vul2/AS2, Vul3/AS3, Vul4/AS4 and then repeating]
FQDN Target (site) Automation
Automation – FQDN rotation:
▪ Many apps
▪ Many sites
[Diagram: the agent rotating across Site A, Site B, Site C, Site D, Site E]
All automations
Automation { AS / E / AS / Vul } across Site A, Site B, Site C, Site X…
From Bot to Botnet
[Diagram: one bot node (HTTP, exploit E, attack surface AS, vulnerability V) multiplied x100 into botnet nodes spread across geos / ISPs / clouds and driven by a bot master]
Botnet: C&C @ nodes
Botnet enlisting type:
▪ Purpose built
▪ Hacked
▪ Infected
Attack automation - Botnet – distributed
[Diagram: a bot master with an exploit pool driving purpose-built, hacked and infected nodes against App A..D on Site 1, Site 2 and Site 3, in rotating order]
• C&C – 1 to many
• Shifting centralized nodes
• Autonomous -
Summary
Attack automation (AUTO): bot/s, botnet/s
Web application: attack surface/s, vulnerabilities, exploit, attack agent
Web exploits:
• SQLi
• XSS
• LFI / RFI
• RCE
• CSRF
ATO:
• BF
• CS
• PS
DDoS:
• Floods
• Loads
Attack Traffic Footprint
[Chart: requests per URL over 21 time intervals, y-axis 0..3000]
Top URL          RPS Avr
/                21.21k
/search.php       2.75k
/login.php        2.26k
/sell.php         2.25k
/user_login.php   2.23k
/noneexisting     2.01k
Attack Elements
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ Attack automation
Sample request:
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
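Added example (not from the deck) that turns the expected-versus-attack footprint idea of the “Expected traffic footprint”, “Attacking the Web App” and “Attack Traffic Footprint” slides into a small detector over access-log lines: it aggregates by URL (which is what exposes a flood spread over rotating botnet IPs), flags a non-existent URL being probed, and checks every parameter for the traversal exploit shown on the slide. The log lines, the per-URL baselines and the thresholds are constructed; the 203.0.113.x addresses are documentation addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log sample (common log format). The first four lines are
# ordinary users; the rest is a small botnet rotating source IPs against
# /search.php (including the slide's traversal request, once raw and once
# URL-encoded) and probing a URL that does not exist.
LOG_LINES = """\
10.0.0.138 - - [29/May/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512
192.168.1.1 - - [29/May/2021:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 812
10.0.0.138 - - [29/May/2021:10:00:02 +0000] "GET /sell.php HTTP/1.1" 200 2048
172.29.44.44 - - [29/May/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512
172.29.46.6 - - [29/May/2021:10:00:04 +0000] "GET /search.php?q=../../../../../../etc/passwd HTTP/1.1" 200 1024
172.29.46.6 - - [29/May/2021:10:00:04 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 1024
203.0.113.10 - - [29/May/2021:10:00:05 +0000] "GET /search.php?q=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
203.0.113.11 - - [29/May/2021:10:00:05 +0000] "GET /search.php?q=bags HTTP/1.1" 200 1024
203.0.113.12 - - [29/May/2021:10:00:06 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 1024
203.0.113.12 - - [29/May/2021:10:00:06 +0000] "GET /search.php?q=cars HTTP/1.1" 200 1024
203.0.113.10 - - [29/May/2021:10:00:07 +0000] "GET /noneexisting HTTP/1.1" 404 169
203.0.113.11 - - [29/May/2021:10:00:07 +0000] "GET /noneexisting HTTP/1.1" 404 169
203.0.113.12 - - [29/May/2021:10:00:08 +0000] "GET /noneexisting HTTP/1.1" 404 169
"""

# Constructed expected footprint: requests per URL per window that the app
# owner considers normal. URLs that are not listed have no baseline.
EXPECTED_PER_WINDOW = {"/": 10, "/login.php": 4, "/sell.php": 4,
                       "/search.php": 2, "/user_login.php": 2}
FLOOD_FACTOR = 2         # observed > FLOOD_FACTOR * expected -> flood
PROBE_MIN = 3            # unknown URL answered 404 this often -> probing
DISTRIBUTED_MIN_IPS = 3  # one URL hit from this many IPs -> spread over a botnet

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one log line into ip, path, query params and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)  # decodes %xx once
    rec["status"] = int(rec["status"])
    return rec


def has_traversal(rec):
    """Exploit check on the attack surface (path plus every parameter value):
    decode once more to catch double encoding, normalise backslashes, and look
    for a '..' path segment rather than the literal string '../'."""
    values = [rec["path"]] + [v for vals in rec["params"].values() for v in vals]
    for value in values:
        decoded = unquote(value).replace("\\", "/")
        if ".." in decoded.split("/"):
            return True
    return False


def analyse(lines):
    """Compare the observed footprint with the expected one and list findings."""
    recs = [r for r in (parse_line(line) for line in lines) if r]
    by_url = defaultdict(list)
    for rec in recs:
        by_url[rec["path"]].append(rec)

    findings = []
    for url, hits in by_url.items():
        ips = {r["ip"] for r in hits}
        expected = EXPECTED_PER_WINDOW.get(url)
        not_found = sum(1 for r in hits if r["status"] == 404)
        if expected is not None and len(hits) > FLOOD_FACTOR * expected:
            # Aggregating by URL exposes a distributed flood: each source IP
            # on its own stays under any per-IP limit.
            findings.append({"type": "flood", "url": url, "count": len(hits),
                             "ips": len(ips),
                             "distributed": len(ips) >= DISTRIBUTED_MIN_IPS})
        elif expected is None and not_found >= PROBE_MIN:
            findings.append({"type": "probe", "url": url, "count": len(hits),
                             "not_found": not_found, "ips": len(ips)})
    for rec in recs:
        if has_traversal(rec):
            findings.append({"type": "traversal", "url": rec["path"], "ip": rec["ip"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(LOG_LINES.splitlines()):
        print(finding)
```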
Practical Defensive Security for Security Engineers
By: Lior Rotkovitch
“Man’s biggest obstacle is he himself” LR

More Related Content

Similar to The waf book intro attack elements v1.0 lior rotkovitch

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackAmazon Web Services
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningCA API Management
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securitysudip pudasaini
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IRelayware
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesAndrew Ferrier
 
Detección y mitigación de amenazas con Check Point
Detección y mitigación de amenazas con Check PointDetección y mitigación de amenazas con Check Point
Detección y mitigación de amenazas con Check PointNextel S.A.
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 

Similar to The waf book intro attack elements v1.0 lior rotkovitch (20)

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Best Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network AttackBest Practices to Mitigate from the Emerging Vectors of Network Attack
Best Practices to Mitigate from the Emerging Vectors of Network Attack
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
mobsf.pdf
mobsf.pdfmobsf.pdf
mobsf.pdf
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART I
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
sumnevaSERT Presentation
sumnevaSERT PresentationsumnevaSERT Presentation
sumnevaSERT Presentation
 
Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
 
Detección y mitigación de amenazas con Check Point
Detección y mitigación de amenazas con Check PointDetección y mitigación de amenazas con Check Point
Detección y mitigación de amenazas con Check Point
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Security_Bootcamp_Intro
Security_Bootcamp_IntroSecurity_Bootcamp_Intro
Security_Bootcamp_Intro
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 

More from Lior Rotkovitch

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfLior Rotkovitch
 
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...Lior Rotkovitch
 
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfBots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfLior Rotkovitch
 
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...Lior Rotkovitch
 
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfA Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfLior Rotkovitch
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
 
The waf book intro waf elements v1.0 lior rotkovitch
The waf book intro  waf elements v1.0 lior rotkovitchThe waf book intro  waf elements v1.0 lior rotkovitch
The waf book intro waf elements v1.0 lior rotkovitchLior Rotkovitch
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection Lior Rotkovitch
 
Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Lior Rotkovitch
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 cleanLior Rotkovitch
 
Bots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineBots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineLior Rotkovitch
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchLior Rotkovitch
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12Lior Rotkovitch
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchLior Rotkovitch
 
Html cors- lior rotkovitch
Html cors- lior rotkovitchHtml cors- lior rotkovitch
Html cors- lior rotkovitchLior Rotkovitch
 
Web Socket ASM support lior rotkovitch
Web Socket ASM support   lior rotkovitchWeb Socket ASM support   lior rotkovitch
Web Socket ASM support lior rotkovitchLior Rotkovitch
 
הדרכה מבוססת אינטרנט Wbt - Web based training
הדרכה מבוססת אינטרנט  Wbt - Web based training הדרכה מבוססת אינטרנט  Wbt - Web based training
הדרכה מבוססת אינטרנט Wbt - Web based training Lior Rotkovitch
 
פיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתפיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתLior Rotkovitch
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices Lior Rotkovitch
 

More from Lior Rotkovitch (19)

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdf
 
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
 
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfBots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
 
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
 
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfA Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
 
The waf book intro waf elements v1.0 lior rotkovitch
The waf book intro  waf elements v1.0 lior rotkovitchThe waf book intro  waf elements v1.0 lior rotkovitch
The waf book intro waf elements v1.0 lior rotkovitch
 
F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection F5 SIRT - F5 ASM WAF - DDoS protection
F5 SIRT - F5 ASM WAF - DDoS protection
 
Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 cleanWAF ASM / Advance WAF - Brute force   lior rotkovitch  f5 sirt v5 clean
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
 
Bots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineBots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engine
 
Asm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitchAsm bot mitigations v3 final- lior rotkovitch
Asm bot mitigations v3 final- lior rotkovitch
 
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12Lior rotkovitch   ASM WAF  unified learning – building policy with asm v12
Lior rotkovitch ASM WAF unified learning – building policy with asm v12
 
ASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitchASM 11.6 DDoS profile- lior rotkovitch
ASM 11.6 DDoS profile- lior rotkovitch
 
Html cors- lior rotkovitch
Html cors- lior rotkovitchHtml cors- lior rotkovitch
Html cors- lior rotkovitch
 
Web Socket ASM support lior rotkovitch
Web Socket ASM support   lior rotkovitchWeb Socket ASM support   lior rotkovitch
Web Socket ASM support lior rotkovitch
 
הדרכה מבוססת אינטרנט Wbt - Web based training
הדרכה מבוססת אינטרנט  Wbt - Web based training הדרכה מבוססת אינטרנט  Wbt - Web based training
הדרכה מבוססת אינטרנט Wbt - Web based training
 
פיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתפיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבת
 
F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices F5 ASM v12 DDoS best practices
F5 ASM v12 DDoS best practices
 

Recently uploaded

Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 

Recently uploaded (20)

Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
chapter--4-software-project-planning.ppt

The waf book intro attack elements v1.0 lior rotkovitch

  • 1. Practical Defensive Security for Security Engineers
    Web App Firewall
    By: Lior Rotkovitch
    Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
    ▪ Email: lior.rotkovitch@gmail.com
    ▪ Twitter: @rotkovitch
    ▪ LinkedIn: Lior Rotkovitch
    ▪ Instagram: l.rotkovitch
    https://SIRT.club 70295 ©
  • 3. Vulnerabilities - Software bugs
    Bugs = glitch – “unexpected condition in software” LR
    -> Security bug – a bug that can be used to assist with attack goals.
    -> Vulnerability – a software bug with security ramifications
    [Diagram: Web Application (Web Servers, Application Servers, Database Servers) behind the ISP / cloud, with bugs marked at each tier]
  • 4. Vulnerabilities – security design bugs
    ▪ Design bugs – insecure implementations
    ▪ Misconfiguration bugs – wrong or default settings
    [Diagram: the same Web Application tiers]
  • 5. Expected traffic footprint
    Traffic sources: ISP users, partners, unknown users, web bots (automated traffic), coffee-shop and mobile users
    Attacks:
    ▪ Floods
    ▪ Brute force
    ▪ Scraping
    ▪ ...
    Per-source request statistics (three counters per source; the column headings are not recoverable from the slide):
      Aggregated      21.21k   23.57   36.72k
      172.29.46.6      2.75k    3.05    4.08k
      10.0.0.138       2.26k    2.51    5.27k
      192.168.1.1      2.25k    2.50    3.10k
      172.29.44.44     2.23k    2.48    4.64k
      192.168.1.254    2.01k    2.23    2.82k
    Load % Statistics:
      CPU          70%   0/1/2
      Memory       72%   80GB
      Throughput   35%   11.7Mbps
      RPS          25%   10k
    [Chart: requests per source (IP1–IP5) over 21 intervals, y-axis 0–60]
    Note: the app can’t detect nor enforce this footprint.
  • 6. Attacking the Web App
    Attack: offending traffic that violates the expected usage
    Hacking goals:
    ▪ Service
    ▪ App Data
    ▪ Computing power
    [Diagram: Web Application (Web Server/s, Application Server/s, Database Server/s) with the same per-IP chart and Load % Statistics table as slide 5]
  • 7. Attack status brief
    Type: • Fun • Random • Targeted
    Motivation: • Fun and Profit • Fame • Just because they can
    Execution: • Vulnerability hunting • DDoS • Brute force • Malware • BotNet • Automation • More…
    [Diagram: CLIENTS -> THE WEB]
  • 8. Hackers want your assets!
    Your infra, your data, your users
  • 9. Attack Elements
    Attacks occur when vulnerable software meets the exploit that was sent by the attack agent at the attack surface.
    [Diagram: HTTP -> Web Servers -> App Servers -> Database]
  • 10. Vulnerability
    Vulnerability – a software condition (bug) with a security implication that creates a risk to the application assets.
    Vulnerability: the root-cause security bug
    Vulnerability examples: • Code • Configuration • Design • No ATF enforcement
    Main reasons: • Validation • Functionality • Limitations
    [Diagram: HTTP -> Application/s -> Request handler/s -> Database/s, vulnerability marked inside the web application]
  • 11. Attack Surface
    Attack surface – the place where the vulnerability exists. Also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability (the vulnerability location).
    Attack surface examples:
    1. Code – function, library, URL, parameter
    2. Infrastructure – OS, servers, virtualization, keys
    3. System – hardware, network, devices
    [Diagram: same web application tiers as slide 10]
  • 12. Attack Agent
    Attack agent – the software vehicle that is used to send the exploit to the attack surface (a request generator tool).
    Operates from: • Clouds • Mobiles • PC / tablet • IoT
    Software types: • CLI • Browser automation • Client framework
    [Diagram: same web application tiers as slide 10]
  • 13. Exploit
    Exploit – the code / pattern that activates the vulnerability and allows exploitation of it (the actual code that triggers the vulnerability).
    Exploit types: • POC exploit • Exploitation exploit • Weaponized exploit – RCE
    [Diagram: same web application tiers as slide 10]
  • 14. Attack Vector
    Attack vector – the attack technique and / or goal. We use the same attack elements for all attacks; the vector is the technique used to achieve the goal.
    Goals: • Deny service / impact performance – DoS • Extract data from DB – SQLi • Session stealing – XSS • Account takeover – brute force
    Technique: • DoS (floods, load) • SQLi • XSS • Brute force • Etc…
    [Diagram: same web application tiers as slide 10]
  • 15. Attack Elements (summary)
    Attack Agent -> Exploit -> Attack Vector -> Vulnerability -> Attack Surface
    A bug is a condition in software that wasn’t intended to happen and affects the functionality of the software. Vul is a bug with a security implication that creates a risk to the application assets, i.e. a security bug.
    Attack surface – the location where the vulnerability exists; also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
    Attack agent – the software vehicle used to send the exploit to the attack surface that contains the vulnerability.
    Exploit – the code / pattern that activates the vulnerability and allows exploitation of it.
    We use the same attack elements for all attacks; the vector is the technique used to achieve the goal.
  • 16. Threat Landscape - Traditional
    [Diagram: Users / HTTP clients -> Web SRV -> App SRV -> Database SRV; the app owner’s web application is the hacker playground ..;-()]
  • 17. Threat Landscape - Modern
    [Diagram: mobile users, partners, remote employees, DevOps, ads / 3rd-party services and web bots (allowed automated traffic) send requests through an ABSTRACTION LAYER to the application/s, request handler/s, authorization, database/s and mobile app / API, with SIEM and analytics attached; attackers arrive from the Internet and clouds as insiders, hacked hosts and purpose-built botnets]
  • 18. Attack Automation
    Attack agent automation = Bot / Botnet
    Exploit automation = scanner
    Attack surface automation = scanner
    Vulnerability automation = vulnerability hunting
    Bot = AE automation
  • 19. Attack agent automation
    Automation type – simulating browser capabilities
    [Diagram: spectrum from CLI, through browser simulators and full browser automation, to a full human browser]
  • 20. Exploit Automation
    Automation type – multiple exploits (shifting exploits)
    ▪ Shifting payloads
    ▪ Single app
    ▪ Same site
    [Diagram: exploits E1…E6 sent in turn; E5 -> AS -> Vul]
  • 21. Vul / attack surface Automation
    Automation – attack agent – shifting AS/Vul
    ▪ Different Vul
    ▪ Rotation of AS:VUL pairs
    ▪ Many apps
    ▪ Many sites
    [Diagram: Vul1/AS1 … Vul4/AS4 pairs, rotated]
  • 22. Target (site) Automation
    Automation – FQDN rotation
    ▪ Many apps
    ▪ Many sites
    [Diagram: Sites A–E]
  • 23. All automations
    Automation { AS / E / AS / Vul } across Site A, Site B, Site C, Site X…
  • 24. From Bot to Botnet
    Botnet: C&C @ nodes (Geo / ISP / Clouds); Bot Master -> nodes
    Botnet enlisting type:
    ▪ Purpose built
    ▪ Hacked
    ▪ Infected
    [Diagram: a bot node sending x100 exploits (E) over HTTP to the attack surface (AS) and vulnerability (V)]
  • 25. Attack automation - Botnet – distributed
    [Diagram: Bot MASTER with an exploit pool distributing across purpose-built, hacked and infected nodes to App A–D on Site 1–3]
  • 26. Botnet properties
    • C&C – 1 to many
    • Shifting centralized nodes
    • Autonomous
  • 27. Summary
    Web Exploits: • SQLi • XSS • LFI / RFI • RCE • CSRF
    ATO: • BF • CS • PS
    DDoS: • Floods • Loads
    ATTACK AUTOMATION: BOT/S, BOTNET/S -> Attack Agent -> Exploit -> Attack Surface/s -> Vulnerabilities -> Web Application
  • 28. Attack Traffic Footprint
    Attack Elements:
    ▪ Vulnerability
    ▪ Attack Surface
    ▪ Attack Agent
    ▪ Exploit
    ▪ Attack Vector
    ▪ Attack automation
    Top URL            RPS Avr
    /                  21.21k
    /search.php         2.75k
    /login.php          2.26k
    /sell.php           2.25k
    /user_login.php     2.23k
    /noneexisting       2.01k
    [Chart: requests per URL over 21 intervals, y-axis 0–3000]
    Sample request:
      GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
      Host: sirt.club
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
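As an added example, not part of the slide deck: the per-URL / per-source footprint tables and the sample request above turned into detection logic over constructed access-log lines. It assumes Common Log Format input; KNOWN_PATHS, LOGIN_FAIL_THRESHOLD and the sample lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not data from the slides.
SAMPLE_LOG = """\
172.29.46.6 - - [29/May/2021:10:00:00 +0000] "GET /search.php?q=laptop HTTP/1.1" 200 512
172.29.46.6 - - [29/May/2021:10:00:00 +0000] "GET /search.php?q=../../../../../../etc/passwd HTTP/1.1" 200 1209
10.0.0.138 - - [29/May/2021:10:00:00 +0000] "POST /login.php HTTP/1.1" 401 120
10.0.0.138 - - [29/May/2021:10:00:00 +0000] "POST /login.php HTTP/1.1" 401 120
10.0.0.138 - - [29/May/2021:10:00:01 +0000] "POST /login.php HTTP/1.1" 401 120
192.168.1.1 - - [29/May/2021:10:00:01 +0000] "GET /noneexisting HTTP/1.1" 404 0
"""
# Paths the application serves (assumed; the slide's Top-URL table lists these four).
KNOWN_PATHS = {"/search.php", "/login.php", "/sell.php", "/user_login.php"}
LOGIN_FAIL_THRESHOLD = 3  # failed logins from one source before flagging (assumed value)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A ".." segment after start, "/", "\", "=" or "&": the pattern in the slide-28 request.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&])\.\.(?:[/\\]|$)')

def parse_log(text):
    """Parse CLF lines into dicts with ip, path, decoded query and status; skip malformed lines."""
    entries = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        path, _, query = m.group("target").partition("?")
        entries.append({"ip": m.group("ip"), "path": path,
                        "query": unquote(query), "status": m.group("status")})
    return entries

def footprint(entries):
    """Requests per URL path and per source IP: the two footprint tables in the slides."""
    return Counter(e["path"] for e in entries), Counter(e["ip"] for e in entries)

def flag_entries(entries, known_paths=KNOWN_PATHS):
    """Return (reason, ip, path) for requests that violate the expected usage."""
    flags, login_failures = [], Counter()
    for e in entries:
        if TRAVERSAL_RE.search(e["query"]):
            flags.append(("path traversal in query", e["ip"], e["path"]))
        if e["path"] not in known_paths:
            flags.append(("request to non-existing path", e["ip"], e["path"]))
        if e["path"] == "/login.php" and e["status"] == "401":
            login_failures[e["ip"]] += 1
    for ip, n in login_failures.items():
        if n >= LOGIN_FAIL_THRESHOLD:
            flags.append(("possible brute force", ip, "/login.php"))
    return flags
```

Running `flag_entries(parse_log(SAMPLE_LOG))` yields one traversal flag, one non-existing-path flag and one brute-force flag for the three sources; percent-encoded `%2e%2e` is decoded before matching.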
  • 29. Practical Defensive Security for Security Engineers
    By: Lior Rotkovitch
    “Man’s biggest obstacle is he himself” LR
    ▪ Email: lior.rotkovitch@gmail.com
    ▪ Twitter: @rotkovitch
    ▪ LinkedIn: Lior Rotkovitch
    ▪ Instagram: l.rotkovitch