
Naxsi, an open source WAF for Nginx


  1. Naxsi, an open source WAF for Nginx. ©NBS System – Sécurité, Hébergement, Infogérance (security, hosting, managed services) – www.nbs-system.com
  3. A bit of background (it seems webapp security is a good starter to talk about WAFs)
  4. The overall security level of web applications evolves slowly, or at least not fast enough:
     • Low technical skill is needed to exploit most vulnerabilities (SQLi)
     • Most actors have not reached a good awareness level yet (number of annual defacements, source: zone-h)
     Because of these factors, the number of attacks is growing dramatically.
  5. Just for May 2012, governments or affiliated: France, Bahrain, US, Thailand, Canada, Israel … In Russia, files include you … More than 300k accounts dumped each month.
  6. Chart: web apps versus classic IT.
  7. Best mitigation: patch. Not always possible:
     • Very complex or critical webapp
     • Lack of skill, knowledge lost
     Your webapp's security level can only be known once you have performed an (expensive?) security test on it.
  8. When code patching is not an option: Web Application Firewalls.
     Commercial WAFs:
     • Not very affordable for small companies or big infrastructures
     • Extremely unequal quality
     Open source WAFs:
     • Performance issues
     • Maybe not « corporate » enough for most users?
     • Maintenance time
  9. As a pentester: web sites are still one of the most vulnerable entry points on a network, and one of the most exposed as well!
     As a hoster: website owners, even when the web is their core business, lack security awareness … and get owned.
     As a security consultant: CISOs / administrators are still frightened of WAF side effects (WHY U NO PROTECT?), and the ones using WAFs will only go for big, expensive, corporate solutions (Hi Imperva!).
  10. Enough teasing! (and enough jokes)
  11. When studying the idea of offering hardened web hosting for some of our clients, we came across several problems:
     • Commercial WAFs are way too expensive for big infrastructures (especially with a lot of small/medium clients)
     • Open source WAFs (mod_security) are not fast enough (meaning: filtering POST requests only, if you don't want to damage user experience)
     • Both kinds require a huge investment to keep security signatures up to date
  12. (Apr 2011) The Naxsi project idea was born:
     • Hoster-compliant WAF: performance / scalability
     • Production-grade WAF
     • A WAF that doesn't require signatures / updates, only when your site's code base changes
     • And because defense is, for once, funnier than attack
  13. Naxsi's design is closer to a stateless firewall than to an anti-virus. Most WAFs are more web anti-viruses than firewalls: they rely on a big, heavy, frequently updated base of signatures. On the other hand, Naxsi does rely on signatures, but not in the way you might think.
  14. Naxsi relies on ~35 rules, targeting SQLi, XSS, RFI/LFI, file uploads … A rule is defined as:
     • A pattern (most of the time a single character, here: ')
     • Scores (indicating the kind of threat it is linked to, here both SQL and XSS)
     • Match zones
     • And a unique ID

         MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;

     When a request reaches a « limit » score, an action is taken upon the request:

         CheckRule "$SQL >= 8" BLOCK;

     This leaves a lot of room for fine-tuning.
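The scoring model above, as an added example in Python (this is not code from the slides or from the Naxsi project): each rule carries a literal pattern, per-category scores and match zones; every zone of the request is scanned; scores add up across the whole request; and the CheckRule limits decide. Rule 1013 and the CheckRule limits are the ones the deck shows; the other rule entries are illustrative approximations of Naxsi's core rules, not copies of them, and treating every occurrence of a pattern as a separate hit is an assumption of this toy model. The whitelist parser accepts the `BasicRule wl:<id> "mz:...";` form that nx_extract produces later in the deck, with `wl:0` meaning every rule.

```python
# Added example: a toy re-implementation of Naxsi's scoring model, not the
# Naxsi code base. Rule 1013 and the CheckRule limits come from the slides;
# the other rules are illustrative approximations, not copies of core.rules.
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Rule:
    id: int
    pattern: str        # literal substring (Naxsi "str:"), matched case-insensitively
    scores: dict        # e.g. {"$SQL": 4, "$XSS": 8}
    zones: frozenset    # "ARGS", "BODY", "URL" or "$HEADERS_VAR:<header>"
    msg: str


ALL = frozenset({"ARGS", "BODY", "URL", "$HEADERS_VAR:cookie"})
RULES = [
    Rule(1013, "'", {"$SQL": 4, "$XSS": 8}, ALL, "simple quote"),       # from the slide
    Rule(1010, "(", {"$SQL": 4, "$XSS": 8}, ALL, "open parenthesis"),   # approximations below
    Rule(1011, ")", {"$SQL": 4, "$XSS": 8}, ALL, "close parenthesis"),
    Rule(1005, "|", {"$SQL": 8}, ALL, "mysql keyword (|)"),
    Rule(1000, "select", {"$SQL": 4}, ALL, "sql keyword"),
    Rule(1016, "#", {"$SQL": 4}, ALL, "mysql comment (#)"),
    Rule(1302, "<", {"$XSS": 8}, ALL, "html open tag"),
    Rule(1303, ">", {"$XSS": 8}, ALL, "html close tag"),
]
# CheckRule "$SQL >= 8" BLOCK; and the other limits shown in the deck's naxsi.conf
LIMITS = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 5, "$UPLOAD": 5, "$XSS": 10}

WL_RE = re.compile(r'BasicRule\s+wl:(\d+)\s+"mz:([^"]+)"\s*;')


def request_zones(url, body="", headers=None):
    """Flatten a request into (zone, var_name, value) triples, the way Naxsi splits it."""
    parts = urlsplit(url)
    zones = [("URL", None, parts.path)]
    zones += [("ARGS", k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    zones += [("BODY", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for name, value in (headers or {}).items():
        zones.append(("$HEADERS_VAR:" + name.lower(), name.lower(), value))
    return zones


def parse_whitelist(text):
    """Parse BasicRule wl:<id> "mz:..."; lines (nx_extract output) into (id, conditions)."""
    return [(int(m.group(1)), m.group(2).split("|")) for m in WL_RE.finditer(text)]


def whitelisted(wl, rule_id, zone, var, path):
    """True if a whitelist entry covers this rule in this zone; wl:0 covers every rule."""
    for wl_id, conds in wl:
        if wl_id not in (0, rule_id):
            continue
        ok = True
        for c in conds:
            if c.startswith("$URL:"):
                ok = ok and path == c[len("$URL:"):]
            elif c.startswith("$ARGS_VAR:"):
                ok = ok and zone == "ARGS" and var == c[len("$ARGS_VAR:"):]
            elif c.startswith("$BODY_VAR:"):
                ok = ok and zone == "BODY" and var == c[len("$BODY_VAR:"):]
            elif c.startswith("$HEADERS_VAR:"):
                ok = ok and zone == "$HEADERS_VAR:" + c[len("$HEADERS_VAR:"):].lower()
            else:                       # bare ARGS / BODY / URL
                ok = ok and zone == c
        if ok:
            return True
    return False


def evaluate(url, body="", headers=None, whitelist=""):
    """Score a whole request: returns ("BLOCK" or "PASS", scores, matches).
    Scores accumulate over every zone, so a payload fragmented across parameters is still caught."""
    wl = parse_whitelist(whitelist)
    path = urlsplit(url).path
    scores = {cat: 0 for cat in LIMITS}
    matches = []
    for zone, var, value in request_zones(url, body, headers):
        for rule in RULES:
            if zone not in rule.zones or whitelisted(wl, rule.id, zone, var, path):
                continue
            hits = value.lower().count(rule.pattern)  # every occurrence scores (toy-model assumption)
            if hits:
                matches.append((rule.id, zone, var))
                for cat, pts in rule.scores.items():
                    scores[cat] += pts * hits
    blocked = any(scores[cat] >= limit for cat, limit in LIMITS.items())
    return ("BLOCK" if blocked else "PASS"), scores, matches


if __name__ == "__main__":
    # The fragmented payload from the mod_security comparison later in the deck:
    # each parameter alone stays under every limit, the request as a whole does not.
    print(evaluate("/?FromDate=a1%27+or")[0])
    print(evaluate("/?hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27"))
```

Run it and the first line prints PASS while the full request is blocked with $SQL at 8 and $XSS at 32: that per-request accumulation is the whole trick against fragmentation, and the same function with a `wl:` string shows how a single whitelist line turns a blocked cookie back into a pass.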
  15. This naive approach has several advantages:
     • Fast: no massive, expensive regex set to process
     • Naive design: Naxsi doesn't try to understand incoming requests, so there is no need for complex/costly transformation functions
     • Predictability: not relying on « real » signatures makes bypasses less likely
     • Small & auditable code: < 4K LOC
     But it comes with a price: whitelist configuration!
  16. Naxsi, a tweakable WAF
  17. Naxsi offers two « main » modes:
     • Normal mode: « blocked » requests are redirected to a specific location
     • Learning mode: « to-be-blocked » requests are simply « copied » to a specific location, and the original request is processed transparently
     Redirecting requests rather than « blocking » them offers various possibilities for blocked requests:
     • Return a specific error code to the user (HTTP 418: I'm a teapot)
     • Return a static page
     • Redirect the user to a dynamic page (with a captcha) to report false positives
     • Anything Lua/PHP/<language> allows you to do
     Redirected requests contain both the original request arguments and the « naxsi signature » (in HTTP headers):

         ip=x.x.x.x&server=xx.ru&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1308&var_name0=cookie&zone1=HEADERS&id1=1309&var_name1=cookie
  18. Naxsi in test bed: « Reliability of the naxsi model versus obfuscated patterns »
  19. Obfuscated payload:

         0 div 1 union#foo*/*bar
         select#foo
         1,2,current_user

     Same query with the comments stripped:

         0 div 1 union select 1,2,current_user

     mod_sec: transformation on comments leading to a bypass.
     Naxsi: 2 SQL keywords, 4 SQL comments, blocked early.
  20. Fragmented payload (the two renderings shown on the slide, one URL-encoded):

         hUserId=22768&FromDate=a1+or&ToDate=<>amount+and)
         hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27

     mod_sec: victim of fragmentation (attack split across several parameters).
     Naxsi: evaluates the whole request, sees multiple quotes, brackets and parentheses.
  21. Naxsi in test bed: « Performance of the naxsi model »
  22. Chart: requests per second (0 to 6000) against concurrent connections (100, 300, 500, 1000) for NGINX, NGINX+NAXSI, APACHE and APACHE+MODSEC. Platform: my laptop.
  23. With apache-bench (1k concurrent requests, 10k total requests, long URL with arguments):

                                  Nginx      Nginx+Naxsi   Diff (%)
         Total time (s)           1.151      1.271         9.4
         Requests per second      8687.21    7866.73       9.4
         Time per request (ms)    0.115      0.127         9.4
         Transfer rate (KB/s)     1220.48    1198.45       1.8
  24. Naxsi usage: « Hands on »
  25. Diagram: user(s) → Naxsi → website; Naxsi forwards exceptions to the learning daemon (nx_intercept), which stores them in MySQL/SQLite.
  26. Diagram: the learning daemon (nx_extract) reads MySQL/SQLite and produces whitelist rules for the naxsi configuration:

         BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
         BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
         BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
  27. I won't cover the Nginx setup, so let's assume our setup is the following: Nginx+Naxsi is used as a reverse proxy to an existing website. The Naxsi setup (naxsi.conf) is:

         SecRulesEnabled;
         DeniedUrl "/RequestDenied";
         LearningMode;
         CheckRule "$SQL >= 8" BLOCK;
         CheckRule "$RFI >= 8" BLOCK;
         CheckRule "$TRAVERSAL >= 5" BLOCK;
         CheckRule "$UPLOAD >= 5" BLOCK;
         CheckRule "$XSS >= 10" BLOCK;

     and the Nginx server block includes it:

         server {
             …
             location / {
                 include "naxsi.conf";
                 proxy_pass http://x.x.x.x;
             }
             location /RequestDenied {
                 proxy_pass http://x.x.y.z:8080;
             }
             …
         }

     The /RequestDenied location points to nx_intercept:

         $ python nx_intercept.py -c ./naxsi-ui.conf …
  28. Naxsi's learning daemons:
     • nx_intercept: HTTP request interception daemon, feeds the database
     • nx_extract: whitelist & statistics generation, fed from the database

         [nx_extract]
         username = naxsi_web
         password = test
         port = 8081
         rules_path = /etc/nginx/core.rules

         [nx_intercept]
         port = 8080

         [mysql]
         username = naxsi
         password = trivialpasswordormaybenot
         hostname = 127.0.0.1
         dbname = naxsi_sig
  29. While the user is browsing, exceptions are generated by Naxsi, and the HTTP requests are forwarded to nx_intercept. nx_intercept extracts signatures from the forwarded HTTP requests and puts them into the database.
  30. After browsing a bit (here two different pages), we can fire nx_extract, the whitelist generation daemon (screenshot).
  31. Clicking on whitelist generation will get you there:

         ########### Rules Before Optimisation ###################
         #1 hits on rule 1005 (mysql keyword (|)) on url / from 1 different peers
         #BasicRule wl:1005 "mz:$URL:/|$HEADERS_VAR:cookie";
         ….
         #BasicRule wl:1010 "mz:$URL:/test_securite_web|$HEADERS_VAR:cookie";
         #1 hits on rule 1011 (parenthesis, probable sql/xss) on url /test_securite_web from 1 different peers
         ########### End Of Rules Before Optimisation ############
         # (mysql keyword (|))
         BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
         # open parenthesis
         BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
         # close parenthesis
         BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";
         BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";
  32. Naxsi usage: « Hands on: user forms »
  33. But the real deal, with learning mode, is user forms! Cookies, URLs and so on will be detected in one browsing session, but what about user forms? You need to fill them with all « authorized » characters, which can be boring. Thanks to Naxsi's naive architecture, you can easily fool it to reach your goal. Let's add a rule or two in our naxsi location configuration:

         BasicRule id:0 "str:123FREETEXT" "s:BLOCK" "mz:ARGS|BODY|URL";
         BasicRule id:42 "str:123EMAIL" "s:BLOCK" "mz:ARGS|BODY|URL";
  34. These two rules will allow us, whenever we type « 123FREETEXT » or « 123EMAIL » within a field (GET/POST), to trigger Naxsi and output a whitelist for:
     • id:0 (which means *all* rules) whenever you input « 123FREETEXT »
     • id:42 (which doesn't exist) whenever you input « 123EMAIL »
     The idea here is to be able to simply tell Naxsi « whitelist everything » in this field, in a convenient way. As for id:42, replacing it by the ids you want to whitelist is left as an exercise to the audience (mainly because it's not supported by nx_extract yet ;p).
  35. Using the pattern « 123FREETEXT » in the website will thus generate a whitelist for « all » rules on a specific element:

         BasicRule wl:0 "mz:$URL:/|$ARGS_VAR:s";
  36. Naxsi usage: « Hands on: user forms – another approach »
  37. Naxsi parses both variable names and content, and most frameworks (Magento, Drupal, etc.) provide « default » names for several kinds of fields! Do you see my point? Not yet, maybe …
  38. In the case of Magento, form fields use hardcoded names depending on the type of field, such as firstname, lastname, email, password … As a specific example, the « search » field will always be passed as « q »:

         BasicRule id:9002 "rx:^q$" "s:BLOCK" "mz:ARGS|BODY|URL";

     And name fields are always named « firstname » in HTML forms:

         BasicRule id:9003 "rx:^firstname$" "s:BLOCK" "mz:ARGS|BODY|URL";
  39. Thus, browsing the website and using the forms, even without specific patterns, will trigger the rules, and you will see in the whitelist generation:

         BasicRule wl:9002 "mz:$URL:/catalogsearch/result/|$ARGS_VAR:q|NAME";
         BasicRule wl:9003 "mz:$URL:/customer/account/createpost/|$BODY_VAR:firstname|NAME";

     This allows you to perform « passive » learning: let users use the website (in learning mode), and let them write your whitelist rules ;)
  40. Naxsi usage: « Reporting, because bosses love reporting »
  41. nx_intercept can also be fed by log files, namely Nginx log files, since Naxsi writes its signatures into Nginx's error log:

         ip=x.x.x.&server=xxx.ro&uri=/wp-cron.php&total_processed=8140&total_blocked=1954&…

     It means two things:
     • You can use LearningMode even without nx_intercept
     • You can get cool & nice reporting on the period you want (just inject Nginx's log files for this period!)
  44. Naxsi usage: « More! More! »
  45. Naxsi's simplicity and naive design allow you to simply write rules for whatever you want:
     Blocking robots?

         BasicRule id:X "str:BOT_USER_AGENT" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";

     People looking for phpMyAdmin?

         BasicRule id:X "rx:phpmy" "mz:URL" "s:BLOCK";

     (Use a numeric rule id in place of X. rx:phpmy already matches the substring anywhere in the URL; the slide's original rx:*phpmy* is not a valid regular expression, since a leading * has nothing to repeat.)
     As Naxsi writes signatures of attacks to Nginx's error log, it's fail2ban-friendly ;) Why not leave learning mode on, and simply rely on fail2ban to push away insistent attackers?
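The signature format shown on slides 17 and 41, the before-optimisation whitelist lines of slide 31 and the fail2ban idea above all hang off the same string, so here is one added Python example covering them (it is not code from the slides, nor from nx_intercept or nx_extract): it pulls Naxsi signatures out of nginx error-log lines, counts blocked requests per rule and per client, emits whitelist candidates in the form nx_extract prints, and lists the clients a fail2ban jail with a given threshold would ban. The sample log lines are constructed; the signature body follows the format on the slides, while the nginx timestamp prefix, the `NAXSI_FMT:` marker around it, and the mapping of the bare URL zone to `|URL` are assumptions of this example.

```python
# Added example: parse Naxsi signatures out of nginx error-log lines and turn
# them into reporting, whitelist candidates and ban candidates. Not code from
# the slides or from nx_intercept/nx_extract. The sample lines are constructed:
# the "ip=...&zone0=..." body follows the format on the slides, the surrounding
# nginx prefix and the "NAXSI_FMT:" marker are assumptions of this example.
import re
from collections import Counter
from urllib.parse import parse_qsl

SAMPLE_LOG = """\
2012/05/30 10:12:01 [error] 1234#0: *5 NAXSI_FMT: ip=203.0.113.7&server=www.example.com&uri=/&total_processed=12&total_blocked=1&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie, client: 203.0.113.7
2012/05/30 10:12:03 [error] 1234#0: *6 NAXSI_FMT: ip=203.0.113.7&server=www.example.com&uri=/test_securite_web&total_processed=13&total_blocked=2&zone0=HEADERS&id0=1011&var_name0=cookie, client: 203.0.113.7
2012/05/30 10:12:09 [error] 1234#0: *7 NAXSI_FMT: ip=198.51.100.23&server=www.example.com&uri=/wp-login.php&total_processed=1&total_blocked=1&zone0=ARGS&id0=1013&var_name0=log&zone1=ARGS&id1=1000&var_name1=log, client: 198.51.100.23
2012/05/30 10:12:10 [error] 1234#0: *8 NAXSI_FMT: ip=198.51.100.23&server=www.example.com&uri=/wp-login.php&total_processed=2&total_blocked=2&zone0=ARGS&id0=1013&var_name0=log, client: 198.51.100.23
2012/05/30 10:12:11 [error] 1234#0: *9 NAXSI_FMT: ip=198.51.100.23&server=www.example.com&uri=/index.php&total_processed=3&total_blocked=3&zone0=URL&id0=1200&var_name0=, client: 198.51.100.23
2012/05/30 10:12:12 [error] 1234#0: *10 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.9
"""

SIG_RE = re.compile(r"\bip=[^,\s]+")   # the signature runs from "ip=" to the next comma/space


def parse_signature(line):
    """Return the Naxsi signature on one error-log line as a dict, or None if there is none."""
    m = SIG_RE.search(line)
    if not m:
        return None
    kv = dict(parse_qsl(m.group(0), keep_blank_values=True))
    exceptions, n = [], 0
    while f"id{n}" in kv:              # zone0/id0/var_name0, zone1/id1/var_name1, ...
        exceptions.append((kv.get(f"zone{n}", ""), int(kv[f"id{n}"]), kv.get(f"var_name{n}", "")))
        n += 1
    return {"ip": kv["ip"], "server": kv.get("server", ""), "uri": kv.get("uri", "/"),
            "total_blocked": int(kv.get("total_blocked", 0)), "exceptions": exceptions}


def parse_log(text):
    """All signatures in a log; lines without one (ordinary nginx errors) are skipped."""
    return [sig for sig in map(parse_signature, text.splitlines()) if sig]


def whitelist_candidates(sigs):
    """Whitelist lines in the "before optimisation" form nx_extract prints, with hit counts.
    Mapping var zones to $<ZONE>_VAR:<name> and the bare URL zone to "|URL" is assumed here."""
    hits = Counter()
    for sig in sigs:
        for zone, rule_id, var in sig["exceptions"]:
            mz = f"$URL:{sig['uri']}|" + (f"${zone}_VAR:{var}" if var else zone)
            hits[f'BasicRule wl:{rule_id} "mz:{mz}";'] += 1
    return dict(hits)


def report(sigs):
    """Blocked requests per rule id and per client IP."""
    by_rule, by_ip = Counter(), Counter()
    for sig in sigs:
        by_ip[sig["ip"]] += 1
        for _, rule_id, _ in sig["exceptions"]:
            by_rule[rule_id] += 1
    return by_rule, by_ip


def ban_candidates(sigs, threshold=3):
    """Clients with at least `threshold` blocked requests: what a fail2ban jail on this log would ban."""
    _, by_ip = report(sigs)
    return sorted(ip for ip, count in by_ip.items() if count >= threshold)


if __name__ == "__main__":
    sigs = parse_log(SAMPLE_LOG)
    for line, count in whitelist_candidates(sigs).items():
        print(f"# {count} hit(s)\n{line}")
    print("ban:", ban_candidates(sigs))
```

Feed it a real error log instead of SAMPLE_LOG and the whitelist candidates are the lines to review before they go into the location block (a candidate on /wp-login.php with a quote in the login field is an attack, not a false positive, which is exactly why nx_extract prints hit counts and peer counts rather than applying anything by itself); the ban list is the part fail2ban automates.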
  46. Back to reality
  47. November 2011: « Charlie Hebdo », a French satirical newspaper, gets heavily targeted by Muslim hacktivists after an edition representing Muhammad was published. Their office was burned, and …
  48. Their website gets targeted and is defaced twice within 24 hours.
  49. Then DoS and DDoS follow … Their hoster at the time decides to shut down the website, for fear of retaliation. A migration was planned, but it became much more urgent.
  50. A small hardened infrastructure was set up within 8 hours:
     • Two reverse proxies: NGINX + NAXSI (for redundancy)
     • A LAMP server
     And here we go for the first « fire experience » of Naxsi! At the time we migrated the website, we were already aware of some vulnerabilities that could not be patched within such a short delay, so all our hope was in Naxsi ☺
  51. D+1: the architecture is ready, DNS migration ongoing. As stated earlier, we knew some vulnerabilities were present. Attackers knew as well (as they had already defaced the website twice).
     D+1.5: DNS migration is over.
     A small analysis of Naxsi's logs on the first week:
     • Over 32 000 HTTP requests blocked
     • Over 200 IPs blacklisted
     And the cool thing is that we didn't get any false positives, and the website remained safe. Thanks for the bench!
