The waf book intro attack elements v1.0 lior rotkovitch
1.
Practical Defensive Security for Security Engineers
Web App Firewall
By: Lior Rotkovitch
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
https://SIRT.club
70295 ©
2.
(No text on this slide.)
3.
Vulnerabilities - Software bugs
Bug = glitch: “unexpected condition in software” (LR)
-> Security bug: a bug that can be used to assist with attack goals.
-> Vulnerability: a software bug with security ramifications.
(Diagram: the Web Application tiers, WEB / ISP / CLOUD’S / NF / Web Servers / Application Servers / Database Servers, with bugs present at each tier.)
4.
Vulnerabilities – security design bugs
▪ Design bugs – insecure implementations
▪ Misconfiguration bugs – wrong settings, insecure defaults
(Diagram: the same Web Application tiers as on the previous slide.)
5.
Expected traffic footprint
Per-source statistics (columns as on the slide: source, RPS avg, then two further values the slide leaves unlabelled):
Aggregated: 21.21k, 23.57, 36.72k
172.29.46.6: 2.75k, 3.05, 4.08k
10.0.0.138: 2.26k, 2.51, 5.27k
192.168.1.1: 2.25k, 2.50, 3.10k
172.29.44.44: 2.23k, 2.48, 4.64k
192.168.1.254: 2.01k, 2.23, 2.82k
Load % statistics: CPU 70% (0/1/2), Memory 72% (80GB), Throughput 35% (11.7Mbps), RPS 25% (10k)
Traffic sources (IP1–IP5): ISP, partners, unknown user, web bot / automated traffic, ISP coffee shop, mobile users -> WEB
Attacks:
▪ Floods
▪ Brute force
▪ Scraping
▪ ...
The app can’t detect nor enforce.
(Chart: requests per source over 21 intervals; axis ticks omitted.)
6.
Attacking the Web App
Attack: offending traffic that violates the expected usage.
Hacking goals:
▪ Service
▪ App Data
▪ Computing power
(Diagram: Web Application = Web Server/s, Application Server/s, Database Server/s; IP1–IP5 request chart; Load % statistics: CPU 70% (0/1/2), Memory 72% (80GB), Throughput 35% (11.7Mbps), RPS 25% (10k).)
7.
Attack status brief
Type:
• Fun
• Random
• Targeted
Motivation:
• Fun and profit
• Fame
• Just because they can
Execution:
• Vulnerability hunting
• DDoS
• Brute force
• Malware
• BotNet
• Automation
• More…
(Diagram: CLIENTS -> THE WEB)
8.
Hackers want your assets!
▪ your infra
▪ your data
▪ your users
9.
Attack Elements
HTTP Web Application attacks occur when vulnerable software meets the exploit that was sent by the attack agent at the attack surface.
(Diagram: HTTP -> Web Servers -> App Servers -> Database)
10.
Vulnerability
Vulnerability – a software condition (bug) with security implications that creates a risk to the application assets.
Vulnerability: the root-cause security bug.
Vulnerability examples:
• Code
• Configuration
• Design
• No ATF enforcement
Main reasons:
• Validation
• Functionality
• Limitations
(Diagram: HTTP -> Web Application: Application/s, Request handler/s, Database/s)
11.
Attack Surface
Attack surface – the place where the vulnerability exists. It also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
Attack surface examples:
1. Code – function, library, URL, parameter
2. Infrastructure – OS, servers, virtualization, keys
3. System – hardware, network, devices
(Diagram: vulnerability location inside the Web Application: HTTP -> Application/s, Request handler/s, Database/s)
12.
Attack Agent
Attack agent – the software vehicle (request generator tool) used to send the exploit to the attack surface.
Operates from:
• Clouds
• Mobiles
• PC / tablet
• IoT
Software types:
• CLI
• Browser automation
• Client framework
(Diagram: attack agent -> HTTP -> Web Application: Application/s, Request handler/s, Database/s)
13.
Exploit
Exploit – the code / pattern that activates the vulnerability and allows exploitation of the vulnerability; the actual code that triggers the bug.
Exploit types:
• POC exploit
• Exploitation exploit
• Weaponizing exploit – RCE
(Diagram: exploit -> HTTP -> Web Application: Application/s, Request handler/s, Database/s)
14.
Attack Vector
Attack vector – the attack technique and / or goal. We use the same attack elements for all the attacks; the vector is the technique used to achieve the goal.
Goals:
• Deny service / impact performance – DoS
• Extract data from DB – SQLi
• Session stealing – XSS
• Account take over – brute force
Technique:
• DoS (floods, load)
• SQLi
• XSS
• Brute force
• Etc…
(Diagram: HTTP -> Web Application: Application/s, Request handler/s, Database/s)
15.
Attack Elements
Attack Agent – Exploit – Attack Vector – Vulnerability – Attack Surface
A bug is a condition in software that wasn’t intended to happen and affects the functionality of the software.
Vulnerability (Vul) is a bug with security implications that creates a risk to the application assets, i.e. a security bug.
Attack surface – the location where the vulnerability exists. It also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
Attack agent – the software vehicle used to send the exploit to the attack surface that contains the vulnerability.
Exploit – the code / pattern that activates the vulnerability and allows exploitation of the vulnerability.
We use the same attack elements for all the attacks. The vector is the technique used to achieve the goal.
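As an added illustration, not code from the deck or from the author, the following Python maps the attack elements above onto one concrete request. The attack surface is the `q` parameter of `/search.php` (the URL that appears in the sample request on slide 28), the vulnerability is a handler that joins user input onto a directory with no validation, and the exploit is the `../` pattern in that parameter. The handler itself, the base directory `/var/www/public` and the `analyse_request` helper are assumptions made for the example; the vulnerable variant is kept deliberately unvalidated so the hardened one can be compared with it.

```python
"""Added illustration, not the deck's own code: a constructed request handler
showing where vulnerability, attack surface and exploit sit in one request.
The handler, directory layout and sample request lines are assumptions."""
import posixpath
from urllib.parse import unquote_plus, urlsplit

# Constructed base directory the handler is supposed to serve files from.
PUBLIC_DIR = "/var/www/public"


def vulnerable_resolve(base_dir, user_path):
    """Vulnerability (security bug): user input is joined onto the base
    directory with no validation, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def hardened_resolve(base_dir, user_path):
    """Mitigation: resolve the path as pure text and refuse anything that does
    not stay inside base_dir.  Returns None when the request is rejected.
    Expects a value that has already been URL-decoded exactly once."""
    if not user_path or "\x00" in user_path or user_path.startswith("/"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # The trailing "/" keeps "/var/www/publicfiles" from passing as "/var/www/public".
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


def _query_param(target, name):
    """Return the decoded value of one query parameter, or None if absent."""
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            # Decode exactly once, as the web server does before the handler
            # sees the value; the check then runs on the decoded form, so a
            # percent-encoded ".." is treated the same as a literal one.
            return unquote_plus(value)
    return None


def analyse_request(request_line, base_dir=PUBLIC_DIR):
    """Map one HTTP request line onto the attack elements."""
    method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    payload = _query_param(target, "q")
    result = {
        "method": method,
        "attack_surface": f"{path}?q",   # URL + parameter: the "Code" category
        "exploit_payload": payload,      # the pattern that would trigger the bug
        "vulnerable_path": None,         # what the unvalidated handler would open
        "hardened_path": None,           # None means the hardened handler refused
        "blocked": False,
    }
    if payload is not None:
        result["vulnerable_path"] = vulnerable_resolve(base_dir, payload)
        result["hardened_path"] = hardened_resolve(base_dir, payload)
        result["blocked"] = result["hardened_path"] is None
    return result


if __name__ == "__main__":
    # Constructed request lines: one benign, one carrying the traversal pattern.
    for line in ("GET /search.php?q=docs/readme.txt HTTP/1.1",
                 "GET /search.php?q=../../../../../../etc/passwd HTTP/1.1"):
        r = analyse_request(line)
        print(f'{r["attack_surface"]:16} payload={r["exploit_payload"]!r:40} '
              f'vulnerable={r["vulnerable_path"]} blocked={r["blocked"]}')
```

The point of the comparison is where the fix belongs: the attack surface (the parameter) and the exploit (the pattern) are outside the defender's control, so the mitigation removes the vulnerability by validating the resolved path rather than by trying to enumerate payload strings.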
16.
Threat Landscape - Traditional
(Diagram: Users / HTTP clients -> Web Application: Web SRV, App SRV, Database SRV / Server/s; App owner on one side, hacker playground ..;-() on the other.)
17.
Threat Landscape - Modern
(Diagram: clients from the Internet and Cloud: DEVOPS, partners, NF, mobile users, ads / 3rd-party services, remote employee, web bot, user, mobile app / API, insider, hacked hosts, purpose-built botnet. Requests and responses pass an ABSTRACTION LAYER that allows automated traffic into the Web Application: Application/s, Request handler/s, Authorization, Database/s, with SIEM and Analytics alongside; DEV / OPS / SEC own it.)
18.
Attack Automation
Attack agent automation = Bot / Botnet
Exploit automation = scanner
Attack surface automation = scanner
Vulnerability automation = vulnerability hunting
Bot = AE automation
(Diagram: AUTO -> HTTP -> Web Application)
19.
Attack agent automation
Automation type – simulating browser capabilities, from CLI to browser simulators, full browser automation and a full human browser.
20.
Exploit Automation
Automation type – multiple exploits (shifting exploits)
▪ Shifting payloads
▪ Single app
▪ Same site
(Diagram: E1 E2 E3 E4 E5 E6; E5 -> AS -> Vul)
21.
Vul / attack surface automation
Automation – attack agent – shifting AS/Vul
▪ Different Vul
▪ Rotation of AS:VUL pairs
▪ Many apps
▪ Many sites
(Diagram: Vul1/AS1, Vul2/AS2, Vul3/AS3, Vul4/AS4, rotated in sequence)
22.
FQDN target (site) automation
Automation – FQDN rotation
▪ Many apps
▪ Many sites
(Diagram: Site A, Site B, Site C, Site D, Site E)
23.
All automations
Automation { AS / E / AS / Vul }
(Diagram: Site A, Site B, Site C, Site X…)
24.
From Bot to Botnet
Botnet enlisting type:
▪ Purpose build
▪ Hacked
▪ Infected
Botnet: C&C @ nodes (Geo / ISP / Clouds)
(Diagram: Bot Master -> nodes (x100 bot nodes, each with its own IP) -> HTTP -> E -> AS -> V)
25.
Attack automation - Botnet – distributed exploit pool
(Diagram: Bot MASTER -> purpose-built, hacked and infected nodes -> App A, App B, App C, App D across Site 1, Site 2, Site 3, in rotating order.)
26.
• C&C – 1 to many
• Shifting centralized nodes
• Autonomous
27.
Summary
Attack Agent: BOT/S, BOTNET/S
Exploit:
• Web exploits – SQLi, XSS, LFI/RFI, RCE, CSRF
• ATO – BF, CS, PS
• DDoS – Floods, Loads
Attack Surface/s and Vulnerabilities: the Web Application
ATTACK AUTOMATION (AUTO) across all elements
28.
Attack Traffic Footprint
Top URL, RPS avg:
Aggregated: 21.21k
/search.php: 2.75k
/login.php: 2.26k
/sell.php: 2.25k
/user_login.php: 2.23k
/noneexisting: 2.01k
(Chart: requests per URL over 21 intervals; axis ticks omitted.)
Attack Elements:
▪ Vulnerability
▪ Attack Surface
▪ Attack Agent
▪ Exploit
▪ Attack Vector
▪ Attack automation
Sample request:
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
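Slides 5 and 28 read the footprint from aggregated counters per source IP and per URL, and slides 18 to 22 describe what automation looks like in that footprint: one client hammering a single URL, one client probing many URLs that do not exist, one client sending a different payload to the same parameter each time. The following Python is an added example, not material from the deck or from the author: it parses constructed access-log lines, builds the per-IP and per-URL footprint, and flags where the window departs from a constructed expected baseline. The log format, the baseline figures, the thresholds and the sample lines (which reuse the private IPs shown on slide 5) are all assumptions.

```python
"""Added example, not part of the deck: building a traffic footprint from
access-log lines and checking it against an expected baseline.  Log lines,
baseline figures and thresholds are constructed for illustration."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Common-log-style line: ip - - [time] "METHOD target HTTP/x" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def _line(ip, method, target, status, sec):
    """Build one constructed log line."""
    return f'{ip} - - [10:00:{sec:02d}] "{method} {target} HTTP/1.1" {status}'


# Constructed sample window (the IPs are the private ones shown on slide 5).
SAMPLE_LOG = (
    [_line("172.29.46.6", "GET", "/index.php", 200, s) for s in range(3)]
    + [_line("172.29.46.6", "GET", "/search.php?q=shoes", 200, 3)]
    + [_line("10.0.0.138", "GET", "/index.php", 200, s) for s in range(2)]
    + [_line("10.0.0.138", "POST", "/login.php", 200, 2)]
    # brute force: one client hammering the login URL
    + [_line("192.168.1.1", "POST", "/login.php", 401, s) for s in range(14)]
    # attack-surface / vulnerability hunting: many URLs that do not exist
    + [_line("192.168.1.254", "GET", f"/noneexisting{i}", 404, i) for i in range(6)]
    # shifting exploits: same URL and parameter, a different payload each time
    + [_line("172.29.44.44", "GET", f"/search.php?q=payload-{i}", 200, i) for i in range(5)]
)

# Constructed expected footprint: requests per URL in a normal window.
EXPECTED_PER_URL = {"/index.php": 10, "/search.php": 4, "/login.php": 4}


def parse_lines(lines):
    """Parse log lines into records; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        records.append({"ip": ip, "ts": ts, "method": method, "path": parts.path,
                        "query": parts.query, "status": int(status)})
    return records


def footprint(records, top_n=5):
    """Aggregate the window the way slides 5 and 28 do: per source IP and per URL."""
    by_ip, by_url = Counter(), Counter()
    not_found = defaultdict(set)                       # ip -> distinct 404 paths
    payloads = defaultdict(lambda: defaultdict(set))   # ip -> path -> distinct queries
    for r in records:
        by_ip[r["ip"]] += 1
        by_url[r["path"]] += 1
        if r["status"] == 404:
            not_found[r["ip"]].add(r["path"])
        if r["query"]:
            payloads[r["ip"]][r["path"]].add(r["query"])
    return {"by_ip": by_ip, "by_url": by_url, "not_found": not_found,
            "payloads": payloads, "top_ips": by_ip.most_common(top_n),
            "top_urls": by_url.most_common(top_n)}


def flag_anomalies(records, expected_per_url, spike_factor=3,
                   scan_paths=5, payload_variants=4):
    """Return (kind, subject) findings where the window departs from the baseline."""
    fp = footprint(records)
    findings = []
    for path, count in fp["by_url"].items():           # floods / brute force on one URL
        baseline = expected_per_url.get(path)
        if baseline and count > spike_factor * baseline:
            findings.append(("url_spike", path))
    for ip, paths in fp["not_found"].items():          # attack-surface hunting
        if len(paths) >= scan_paths:
            findings.append(("scanner", ip))
    for ip, per_path in fp["payloads"].items():        # shifting exploits
        if any(len(qs) >= payload_variants for qs in per_path.values()):
            findings.append(("shifting_payloads", ip))
    return findings


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    for ip, n in footprint(recs)["top_ips"]:
        print(f"{ip:16} {n:4d}")
    for kind, subject in flag_anomalies(recs, EXPECTED_PER_URL):
        print(kind, subject)
```

The aggregation is the same one the slides show (top IPs, top URLs); the findings add the per-client view that a pure per-URL table hides, which is where the automation patterns from slides 20 and 21 become visible. In production the baseline would be learned from earlier windows rather than written as a literal, and the thresholds tuned to the application's own traffic.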
29.
“Man’s biggest obstacle is he himself” LR
By: Lior Rotkovitch
Practical Defensive Security for Security Engineers
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch