Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Web Application Firewall intro


Published on

Published in: Software, Technology
  • Be the first to comment

Web Application Firewall intro

  1. 1. Introduction to Web Application Firewalls From Rich Helton’s October 2010 Web Application Firewall classes
  2. 2. WAF ( A quick fix)  Instead of rewriting code, some potentially quicker methods is to put an application to intercept the HTTP traffic ahead of the HTTP server known as a Web Application Firewall (WAF).  The WAF takes configurations like a normal firewall on what traffic to pass and reject. The difference is that it is responding specifically to an HTTP server like Apache or IIS.  For Apache, the most popular approach is to use its Open Source plugin called mod_security.  For IIS, WebKnight from AQTronix, is the most popular Open Source solution.  Not everything can be covered by a WAF, especially session hijacking flaws, but XSS and SQL Injection can be mitigated. _Use_of_Web_Application_Firewalls
  3. 3. WAF ( Not just a server fix)  WAFs are filters that sit in front of the Web Application.  Depending on their configuration, they will deny, or log, validated information from the Internet into the Application.  They are a good source in auditing the information that is hitting the Web site and the scans that are constantly taking place.
  4. 4. Pro’s and Con’s  Pro’s:  Installing a WAF is quicker, in most cases, than changing code and re- deploying a Web Application.  WAF’s may find issues, by using its rule sets, that the code may not be prepared to find. This is because WAFs have thousands of rules generated by industry experts.  Con’s: WAFs are limited by the rules that are installed in them. Therefore, if the rule is not there, it cannot protect against it. Validation is a better protection, because form level validation will use white-listing on what input is allowed, versus black-listing on the input that is denied.
  5. 5. ModSecurity/Apache Labs
  6. 6. Lab1 (Applying Tomcat)
  7. 7. Tomcat will need Apache  Starting Apache:  If there is an error, run the “StartApache.bat” in the lab and observe the error. Likely Apache may already be started.  Check Apache by IE http://localhost/ and it returns:
  8. 8. Tomcat will need Apache  To link Tomcat and Apache, the mod_jk module will need to be installed, see . Also known as the Tomcat Connector. Note: Tomcat can also use Microsoft’s IIS, instead of Apache, utilizing the Microsoft ISAPI plugin.  The easiest way to install the mod_jk connector is to have Tomcat generate “conf/auto/mod_jk.conf” from its Container and have Apache reference it from its “conf/httpd.conf” file:  LoadModule jk_module modules/  Include C:/Apache2/apache-tomcat-6.0.28/conf/auto/mod_jk.conf  See winxp-howto.html
  9. 9. Tomcat will need Apache
  10. 10. Tomcat will need Apache  Start in “C:LabsLab_Mod_JK”. Run the “TestApacheConfig.bat”  The Apache directory is pre-installed in “C:Apache2”.  Tomcat will be pre-installed in “C:Apache2apache-tomcat- 6.0.28”
  11. 11. Tomcat will need Apache  You might receive the following screen from the generated mod_jk.conf:  The mod_jk.conf is generated from Tomcat and is running an old version of Tomcat. This file can be edited and copied to a new location and referenced, such as “C:Apache2apache-tomcat- 6.0.28conf” .
  12. 12. Installing mod_jk  mod_jk is the module that Tomcat and Apache will use to communicate. The C:Apache2apache-tomcat- 6.0.28confautomod_jk.conf file is generated from Tomcat at startup to tell Apache which files are available.  The Apache httpd.conf is configured to find the module and configuration files by adding the following lines:  This is both in the Lab1 directory and already modified.
  13. 13. Installing mod_jk  Notice that the mod_jk.log will log the communications from Apache to Tomcat.  A also has to be created in the $tomcat/conf to describe the ajp13 (mod_jk protocol) threads across port 8009.  Tomcat’s server.xml also has to be modified to listen with the file:
  14. 14. Starting Tomcat/Apache  After a successful Start in Apache, and running C:Apache2apache-tomcat-6.0.28binstartup.bat . You can see it is successful by looking at the logs for an exceptions (look for the keyword exception in the files) and a successful start:
  15. 15. Port 8009  Port 8009 was used in the configuration and server.xml to communicate between Apache and Tomcat. Using a product like fport.exe from Foundstone, the port should appear to be open and listening from java starting it, notice port 8009:
  16. 16. Now Try a Struts XSS Sample  Calling http://localhost/mandiant-struts-form- vulnerable/index.jsp
  17. 17. Now Try a Struts XSS Sample  Typing in the XSS “<script>alert(123)</script>”, XSS appears:
  18. 18. Lab2 (Adding ModSecurity)
  19. 19. Apache mod_security  The mod_security module information can be found at  Load the mod_security and unique id modules (this example is XP) in conf/httpd.conf:  LoadModule security2_module modules/  LoadModule unique_id_module modules/  Add the base configuration and some of the base rules:  Include conf/mod_security.conf  Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf  Include conf/base_rules/modsecurity_crs_23_request_limits.conf  Include conf/base_rules/modsecurity_crs_35_bad_robots.conf  Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf  Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
  20. 20. Apache mod_unique_id  The modules/ has to be installed for mod_security to work.  To check to see which modules are currently being used by Apache, run httpd –t –D DUMP_MODULES from the Apache2/bin directory:
  21. 21. Apache mod_unique_id  Ensuring that the field is set in Apache2/httpd.conf :  Now run httpd –t –D DUMP_MODULES from the Apache2/bin directory:
  22. 22. Apache mod_security2  Copying the libxml2.dll,, and pcre.dll to Apache2/modules, and adding the following to httpd.conf :  Now run httpd –t –D DUMP_MODULES from the Apache2/bin directory to see security2_module:
  23. 23. mod_security2 minimal configuration  Changing the modsecurity.conf-minimal to modsecurity.conf, the httpd.conf needs to call it:  Setting the rules to “500 Internal Server Error”, the XSS now returns an error code of 500:
  24. 24. Testing which rules may apply  has a smoketest to verify which rules may apply
  25. 25. ModSecurity Template for Building Rules
  26. 26. Lab3 (Manipulating Rules)
  27. 27. Apache mod_security logs  The mod_security logs show what the mod_security blocked.  If the minimal configuration was used with mod_security, it will send which rule that it blocked on to the “Apache2/logs/mod_audit.log.”  The log will match a rule that will define, usually through a Regex expression, the blocking sequence.  To log, the location of the logs need to be defined, as well as their level of logging. SecAuditEngine On Enables audit logging for all transactions. SecAuditEngine RelevantOnly Enables audit logging only for transactions that match a rule, or that have a status code that matches the regular expression configured via SecAuditLo- gRelevantStatus. SecAuditEngine Off Disables audit logging.
  28. 28. Defining logging (modsecurity.conf)
  29. 29. What do the mod_audit log say?  It blocked the mandiant page for the following reasons:
  30. 30. What do the mod_audit log say?  Looking closer,  It appears that the phids filter identified “<scri” as XSS.
  31. 31. What do the mod_audit log say?  Looking closer,  It appears that the phids filter identified “<scri” as XSS.
  32. 32. A simple test  Let’s see what happens when we remove the 41_phids_filters.conf  I am going to leave Tomcat running, it is not processing the rules, only Apache.  I am going to stop Apache, delete the 41_phids_filters.conf file, test the configuration, and start Apache.  The Apache configuration tested good, always test with changes…
  33. 33. This time it didn’t block, but triggered an audit rule  In the modsecurity_crs_41_xss_attacks.conf, it says pass and audit:
  34. 34. Conclusion  Adding the file 41_phids_filters.conf back in will start the process to block again.  Another alternative is to set the xss_attacks.conf rule to block by changing the rule from changing “pass” to “deny”.  There are many, many rules, and more than likely, they overlap in some manner.  This exercise was to show how to manipulate the rules just in case some of them block normal business activities.
  35. 35. Lab4 (Logging Only)
  36. 36. Startup  Ensure that Apache is set to block XSS with phids rules as before.  In this exercise, we will simply log and not block.  By default, modsecurity only logs, so we need to simply commit out the deny statement in the httpd.conf, after stopping Apache, check the config, and restart Apache.
  37. 37. XSS passes through  This time XSS passes through
  38. 38. The XSS alerts are logged  In the audit log we see the phpids alerts for XSS, along with the other rules as well. This is because it was not blocked by the phpids alert and kept going:
  39. 39. Lets test some tools (scanning with Netsparker)
  40. 40. It found XSS (scanning with Netsparker)
  41. 41. ModSecurity audit logs  When Netsparker scanned the site, the audit logs went from 32 KB to 732 KB. This is because it was capturing the NetSparker attacks.
  42. 42. Turning on “deny” again (XSS went away)
  43. 43. Conclusions  The most interesting part of this exercise is that we have the ability to capture an audit log , without blocking anything, and understand what attacks are hitting the web site.
  44. 44. Lab5 (FingerPrinting)
  45. 45. Startup  Ensure that Apache is set to block XSS with phids rules as before.  By knowing the Web Server type, and patches, it provides hackers a roadmap of what attacks to perform.  ModSecurity can fake the signature.  Changing the httpd.conf:
  46. 46. HttpPrint scans our type (Apache)
  47. 47. Let’s pretend to be an IIS machine  Changing the httpd.conf:  And the mod_security.conf:
  48. 48. Now we are Apache appearing as IIS 5.0
  49. 49. WebKnight/IIS Labs
  50. 50. Lab1 (Starting IIS/Hacme Bank)
  51. 51. WebKnight  WebKnight is an Open Source Web Application Firewall from AQTronix,  IIS 5.1 and SQL Server 2008 be installed from (Need ISO/Disk for XP while Installing) Web Platform Installer  What also will prove useful is the Web Visual Studio 2010 Express,  The version of HacmeBank is an updated version of HacmeBank to work on the modern .NET frameworks, it may work with versions 2.0 – 4.0. It was updated from the older versions found at sing_O2_on:_HacmeBank
  52. 52. Ensure IIS is started and HacmeBank installed (Control Panel-> Administrative Tools->Internet Information Services)
  53. 53. Webknight  HacmeBank has 3 main pieces:  The Hacme_Bank_V2_WS – Hacme Bank Web Service that will provide the Login web service to the Database, has .asmx files.  The Hacme_Bank_V2_Website – provides the asp files for the pages and forms.  The FoundStone_Bank Database will have to be installed.
  54. 54. FoundStone_Bank DB (SQL Server Management Studio)
  55. 55. Installing FoundStone_Bank DB  With the newer source code, there is a both a sql script and installer for the Database:
  56. 56. Visual Studio Web Express  Most of the management can be done by Visual Studio:
  57. 57. .NET Version  Be very aware of which .NET version is set for the Web Site, it will change many things.
  58. 58. Test the Hacme Web Service  http://localhost/HacmeBank_v2_WS/WebServices/UserManagement.asmx
  59. 59. Test the Hacme Web Service  Login Service, user “jv”, password “jv789”.
  60. 60. Test the Hacme Web Service  Return of “0001” means that it found it in the database.
  61. 61. Test the Hacme Web Site  http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, UserName “jv”, Password “jv789”.
  62. 62. Test the Hacme Web Site  Joe Vilella will Login OK.
  63. 63. Lab2 (SQL Injection Test)
  64. 64. Intro to SQL Injection…  Many web pages communicate directly to a backend database for processing.  For example, a username and password is asked for on the Web page and the web page will pass it to the database to validate the information.  Some applications will not validate the field adequately before passing it to the database, and the database will process whatever it will receive.  Hackers will pass SQL commands directly to the database, and in some cases tables like “passwords” are returned because the SQL commands are not being filtered adequately.  SQL may return errors in the web page that even lists the correct tables to query so that the hacker may make more accurate attempts to get data.
  65. 65. SQL Injection  SQL Injection is the ability to inject malicious SQL commands into the backend code.  For example: SELECT * FROM users WHERE username = ‘USRTEXT ' AND password = ‘PASSTEXT’  Passing ' OR 1=1-- in the USRTEXT field generates: SELECT * FROM users WHERE username = ‘’ OR 1=1 -- ' AND password = ‘PASSTEXT’  The OR 1=1 returns true and the rest is commented out
  66. 66. Common attack strings ‘ or 27(hex) – delineates SQL string values. “ or 22 (hex) – also delineates SQL string values. ; or 3B (hex) - terminates statements. # or 23(hex) - also terminates a statement. (Access DB) /* or 2F2A (hex) - comment delimiter. -- or 2D2D (hex) – also comment delimiter. ( or 28 (hex) or ) or 29 (hex) – logical sub clauses. { or 7B (hex) or } or 7D (hex) – terminates a question. exec – used to call MS-SQL stored procedures. union – a SQL command very common to SQL injection.
  67. 67. SQL Injection  http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use “' OR 1=1–” as the UserName and “Submit”.
  68. 68. SQL Injection  Joe Vilella will Login OK without a Username and Password.
  69. 69. Common Code fixes to SQL Injection…  Validate the form field to only accept specific input for the fields.  For example, for login name use ^[0-9a-zA-Z]*$, which is Regular expressions for an alpha-numerical field.  For Apache Struts, use the org.apache.struts.validator.ValidatorPlugin, .  For JSPs/Servlets, validate in the Servlet using the with the “java.utile.regex” framework in a similar manner.  Don’t use SQL  Use Prepared Statements, or Hibernate, to call the database. a
  70. 70. Lab3 (XSS)
  71. 71. XSS in a form http://localhost/HacmeBank_v2_Website/aspx/main.aspx?function =PostMessageForm , type “<script>alert(document.cookie);</script>”
  72. 72. XSS  The cookie script will execute
  73. 73. Lab4 (Install WebKnight)
  74. 74. WebKnight  A copy will be in MyDocuments:
  75. 75. WebKnight  The WebKnight page is  How to install can be found at  The WebKnight FAQ can be found at and troubleshooting
  76. 76. WebKnight  Starting the Install:
  77. 77. WebKnight  Hit Typical:
  78. 78. WebKnight  Already done:
  79. 79. SQL Injection  http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use “' OR 1=1–” as the UserName and “Submit”.
  80. 80. SQL Injection  Out of the Box, it blocked SQL Injection.
  81. 81. Lab5 (WebKnight)
  82. 82. WebKnight  The Webknight product has a Loaded .xml that shows what is currently loaded, a WebKnight.xml on what needs to be loaded next and a Robots.xml dedicated to Bots.  If you ever get into trouble, you can delete the WebKnight.XML and the default will be created.  WebKnight has preview settings to look at online  Make sure you edit the file WebKnight.xml and NOT Loaded.xml (this last one is for debugging and to see what is loaded in memory).  Once every minute, the Loaded.xml will replace itself with the WebKnight.xml.
  83. 83. WebKnight  The Webknight product has editors for looking at the logs and xml:  That are read from the AQTRONIX directory in Program Files:
  84. 84. WebKnight  You can even edit the WebKnight.XML directly if desired:
  85. 85. WebKnight  We don’t really know what was blocked. Looking at Log Anaylsis, part of the block was a shadow file:
  86. 86. WebKnight Loaded XML  WebKnight has several sections to configure sections of the configuration file.
  87. 87. WebKnight  By default, file uploads, Frontpage Extensions, WebDAV, ASP.NET and many protocols are turned off…..
  88. 88. WebKnight Logging  What to log can be specified
  89. 89. WebKnight Authentication  We can deny blank passwords, Admin passwords, common passwords , etc.
  90. 90. WebKnight Robots  We can deny Bots of various kinds.
  91. 91. WebKnight Robots.xml  Webknight aggressively attacks Bots,
  92. 92. WebKnight Robots.xml  Webknight has a Robots.xml just to configure for this effort:
  93. 93. Lab6 (Config WebKnight)
  94. 94. Configuring WebKnight  Configuring WebKnight is mostly a combination of going between testing the site for desired results, looking at WebKnight’s Log Analysis to validate if the desired results match perceived results,a and using the WebKnight Configuration tool to change the results until they meet the desired outcome.  Always stop/start IIS after the changes.  WebKnight has preview settings to look at online  Make sure you edit the file WebKnight.xml and NOT Loaded.xml (this last one is for debugging and to see what is loaded in memory).
  95. 95. WebKnight  Looking back at WebKnight, the shadow.txtbox.gif appears as a shadow file and was blocked.
  96. 96. WebKnight  We set WebKnight to temporarily allow all files as test and Soap calls. Wait a minute for it to load as a Loaded.XML.
  97. 97. WebKnight  Now we can log in.
  98. 98. WebKnight  And SQL Injection is blocked.
  99. 99. WebKnight  Logging Only, instead of blocking, set the Incident Response section to “Response Log Only”.
  100. 100. SQL Injection  Joe Vilella will Login OK without a Username and Password.
  101. 101. SQL Injection  Joe Vilella will Login OK without a Username and Password.
  102. 102. Lab7 (NetSparker)
  103. 103. Configuring WebKnight  Ensure that WebKnight is in Logging Only mode from the last exercise.  Ensure that Netsparker is installed, if not install it from the “My Documents” directory. It will require the .NET 3.5 framework.
  104. 104. Start scanning with Netsparker
  105. 105. If you are in Logging Only mode  If in Logging Only Mode, Netsparker will report many issues with the Hacme site.  The WebKnight logs will have many alerts in it from NetSparker attacking IIS.
  106. 106. Turn off the Logging Only mode  Double check by both checking the Loaded.xml and test the site for SQLInjection.
  107. 107. Rescan with the Logging Only mode off
  108. 108. The scan is cleaner  If there is time, we can go through the WebKnight.xml, change some settings, test, and continue to reconfigure WebKnight to get the optimal results.
  109. 109. Final Thoughts
  110. 110. Final Thoughts  Are there any Questions?  Feel free to contact me at  Also, always only try these tools with your own test site or with permission of the system owner.