Introduction to Web
Application Firewalls
From Rich Helton’s October 2010
Web Application Firewall classes
WAF (A quick fix)
• Instead of rewriting code, a potentially quicker method is to put an application ahead of the HTTP server to intercept the HTTP traffic, known as a Web Application Firewall (WAF).
• The WAF takes configuration like a normal firewall on what traffic to pass and what to reject. The difference is that it responds specifically to an HTTP server like Apache or IIS.
• For Apache, the most popular approach is to use its Open Source plugin called mod_security. http://www.modsecurity.org/
• For IIS, WebKnight from AQTronix, http://aqtronix.com/?PageID=99 is the most popular Open Source solution.
• Not everything can be covered by a WAF, especially session hijacking flaws, but XSS and SQL Injection can be mitigated.
http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
WAF (Not just a server fix)
• WAFs are filters that sit in front of the Web Application.
• Depending on their configuration, they will deny or log the information coming from the Internet into the Application after validating it.
• They are a good source for auditing the information that is hitting the Web site and the scans that are constantly taking place.
Pros and Cons
• Pros:
  • Installing a WAF is quicker, in most cases, than changing code and re-deploying a Web Application.
  • WAFs may find issues, through their rule sets, that the code may not be prepared to find. This is because WAFs have thousands of rules generated by industry experts.
• Cons:
  • WAFs are limited by the rules that are installed in them. Therefore, if the rule is not there, it cannot protect against that attack.
  • Validation is a better protection, because form-level validation uses white-listing on what input is allowed, versus black-listing on the input that is denied.
ModSecurity/Apache
Labs
Lab1
(Applying Tomcat)
Tomcat will need Apache
• Starting Apache:
• If there is an error, run the “StartApache.bat” in the lab and observe the error. Apache is likely already started.
• Check Apache with IE at http://localhost/; it returns:
Tomcat will need Apache
• To link Tomcat and Apache, the mod_jk module will need to be installed, see http://tomcat.apache.org/connectors-doc/ . It is also known as the Tomcat Connector.
Note: Tomcat can also use Microsoft’s IIS, instead of Apache, utilizing the Microsoft ISAPI plugin.
• The easiest way to install the mod_jk connector is to have Tomcat generate “conf/auto/mod_jk.conf” from its Container and have Apache reference it from its “conf/httpd.conf” file:
  LoadModule jk_module modules/mod_jk.so
  Include C:/Apache2/apache-tomcat-6.0.28/conf/auto/mod_jk.conf
• See http://www.johnturner.com/howto/apache2-tomcat4129-jk-winxp-howto.html
Tomcat will need Apache
• Start in “C:\Labs\Lab_Mod_JK”. Run the “TestApacheConfig.bat”.
• The Apache directory is pre-installed in “C:\Apache2”.
• Tomcat will be pre-installed in “C:\Apache2\apache-tomcat-6.0.28”.
Tomcat will need Apache
• You might receive the following screen from the generated mod_jk.conf:
• The mod_jk.conf is generated by Tomcat and reflects an old version of Tomcat. This file can be edited, copied to a new location and referenced from there, such as “C:\Apache2\apache-tomcat-6.0.28\conf”.
Installing mod_jk
• mod_jk is the module that Tomcat and Apache will use to communicate. The C:\Apache2\apache-tomcat-6.0.28\conf\auto\mod_jk.conf file is generated by Tomcat at startup to tell Apache which files are available.
• The Apache httpd.conf is configured to find the mod_jk.so module and its configuration files by adding the following lines:
• This is both in the Lab1 directory and already modified.
Installing mod_jk
• Notice that the mod_jk.log will log the communications from Apache to Tomcat.
• A workers.properties also has to be created in $tomcat/conf to describe the ajp13 (mod_jk protocol) worker threads across port 8009.
• Tomcat’s server.xml also has to be modified to listen for the connections from mod_jk.so:
Starting Tomcat/Apache
• After a successful start of Apache, run C:\Apache2\apache-tomcat-6.0.28\bin\startup.bat. You can see it is successful by looking at the logs for exceptions (look for the keyword exception in the files) and a successful start:
Port 8009
• Port 8009 was used in the configuration files workers.properties and server.xml to communicate between Apache and Tomcat. Using a product like fport.exe from Foundstone, the port should appear as open and listening from the java process that started it; notice port 8009:
Now Try a Struts XSS Sample
• Calling http://localhost/mandiant-struts-form-vulnerable/index.jsp
Now Try a Struts XSS Sample
• Typing in the XSS “<script>alert(123)</script>”, the XSS alert appears:
Lab2
(Adding ModSecurity)
Apache mod_security
• The mod_security module information can be found at http://www.modsecurity.org/
• Load the mod_security and unique id modules (this example is XP) in conf/httpd.conf:
  LoadModule security2_module modules/mod_security2.so
  LoadModule unique_id_module modules/mod_unique_id.so
• Add the base configuration and some of the base rules:
  Include conf/mod_security.conf
  Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf
  Include conf/base_rules/modsecurity_crs_23_request_limits.conf
  Include conf/base_rules/modsecurity_crs_35_bad_robots.conf
  Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf
  Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Apache mod_unique_id
• The modules/mod_unique_id.so has to be installed for mod_security to work.
• To check which modules are currently being used by Apache, run httpd -t -D DUMP_MODULES from the Apache2/bin directory:
Apache mod_unique_id
• Ensure that the directive is set in Apache2/httpd.conf:
• Now run httpd -t -D DUMP_MODULES from the Apache2/bin directory:
Apache mod_security2
• Copy the libxml2.dll, mod_security2.so, and pcre.dll to Apache2/modules, and add the following to httpd.conf:
• Now run httpd -t -D DUMP_MODULES from the Apache2/bin directory to see security2_module:
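The two checks the slides above make by hand (reading the DUMP_MODULES listing for unique_id_module and security2_module, and reading fport.exe for port 8009) can be scripted. The following is an added example, not code from the slides: it parses the `httpd -t -D DUMP_MODULES` output for the modules this lab needs and probes the AJP13 port with a TCP connect. The `SAMPLE_DUMP_MODULES` text is a constructed listing in httpd's format, used when `httpd` is not on the PATH.

```python
"""Post-install check for the ModSecurity lab: confirm the modules it needs are
loaded and that the AJP13 connector port is listening.
Added example, not code from the slides.  SAMPLE_DUMP_MODULES is a constructed
stand-in for the real 'httpd -t -D DUMP_MODULES' listing."""
import socket
import subprocess

# mod_unique_id is required by mod_security; jk_module is the Tomcat connector.
REQUIRED_MODULES = ("unique_id_module", "security2_module", "jk_module")

# Constructed listing in the format httpd prints; only the module lines matter.
SAMPLE_DUMP_MODULES = """\
Loaded Modules:
 core_module (static)
 win32_module (static)
 mpm_winnt_module (static)
 http_module (static)
 so_module (static)
 jk_module (shared)
 unique_id_module (shared)
 security2_module (shared)
Syntax OK
"""


def loaded_modules(dump_output):
    """Parse a DUMP_MODULES listing into the set of module names it reports."""
    modules = set()
    for line in dump_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] in ("(static)", "(shared)"):
            modules.add(parts[0])
    return modules


def missing_modules(dump_output, required=REQUIRED_MODULES):
    """Return the required modules that the listing does not show, in order."""
    present = loaded_modules(dump_output)
    return [name for name in required if name not in present]


def is_listening(host, port, timeout=1.0):
    """TCP connect probe: the offline equivalent of reading fport.exe's output."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_httpd_dump(httpd="httpd"):
    """Run the real command; returns None if httpd is not on the PATH."""
    try:
        proc = subprocess.run([httpd, "-t", "-D", "DUMP_MODULES"],
                              capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # The module list and the "Syntax OK" line may go to different streams.
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    listing = run_httpd_dump() or SAMPLE_DUMP_MODULES
    print("missing modules:", missing_modules(listing) or "none")
    print("AJP13 port 8009 listening:", is_listening("127.0.0.1", 8009))
```

Run it from the Apache2/bin directory (or with `httpd` on the PATH) after editing httpd.conf; an empty missing list plus a listening port 8009 is the state the next lab expects.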
mod_security2 minimal configuration
• Rename modsecurity.conf-minimal to modsecurity.conf; the httpd.conf then needs to call it:
• Setting the rules to “500 Internal Server Error”, the XSS now returns an error code of 500:
Testing which rules may apply
• http://www.modsecurity.org/demo/phpids has a smoke test to verify which rules may apply.
ModSecurity Template
for Building Rules
Lab3
(Manipulating Rules)
Apache mod_security logs
• The mod_security logs show what mod_security blocked.
• If the minimal configuration was used with mod_security, it will write the rule that it blocked on to “Apache2/logs/mod_audit.log”.
• The log entry will match a rule that defines, usually through a regular expression, the blocked sequence.
• To log, the location of the logs needs to be defined, as well as their level of logging:
  SecAuditEngine On            Enables audit logging for all transactions.
  SecAuditEngine RelevantOnly  Enables audit logging only for transactions that match a rule, or that have a status code that matches the regular expression configured via SecAuditLogRelevantStatus.
  SecAuditEngine Off           Disables audit logging.
Defining logging (modsecurity.conf)
What does the mod_audit log say?
• It blocked the mandiant page for the following reasons:
What does the mod_audit log say?
• Looking closer,
• It appears that the phpids filter identified “<scri” as XSS.
A simple test
• Let’s see what happens when we remove the 41_phpids_filters.conf.
• I am going to leave Tomcat running; it is not processing the rules, only Apache is.
• I am going to stop Apache, delete the 41_phpids_filters.conf file, test the configuration, and start Apache.
• The Apache configuration tested good; always test after changes…
This time it didn’t block, but triggered an audit rule
• In the modsecurity_crs_41_xss_attacks.conf, it says pass and audit:
Conclusion
• Adding the file 41_phpids_filters.conf back in will make it block again.
• Another alternative is to set the xss_attacks.conf rule to block by changing the rule action from “pass” to “deny”.
• There are many, many rules, and more than likely they overlap in some manner.
• This exercise was to show how to manipulate the rules in case some of them block normal business activities.
Lab4
(Logging Only)
Startup
• Ensure that Apache is set to block XSS with the phpids rules as before.
• In this exercise, we will simply log and not block.
• By default, modsecurity only logs, so we simply need to comment out the deny statement in the httpd.conf after stopping Apache, check the config, and restart Apache.
XSS passes through
• This time XSS passes through
The XSS alerts are logged
• In the audit log we see the phpids alerts for XSS, along with the other rules as well. This is because the request was not blocked by the phpids alert and kept going:
Let’s test some tools
(scanning with Netsparker)
It found XSS
(scanning with Netsparker)
ModSecurity audit logs
• When Netsparker scanned the site, the audit logs went from 32 KB to 732 KB. This is because they were capturing the Netsparker attacks.
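The audit log slides above (the "what does the mod_audit log say" entries, the pass-and-audit "Warning." lines versus the "Access denied" lines, and the 32 KB to 732 KB growth during the Netsparker scan) all come down to reading the serial audit log that `SecAuditEngine` writes. The following is an added example, not code from the slides or from the ModSecurity project: it splits a ModSecurity 2.x serial audit log into transactions, pulls each `Message:` line out of section H, and reports which rules fired, whether the request was actually blocked or only audited, and which clients generated the entries. The embedded log is constructed for the demo; its transaction ids, client address and rule ids (9000xx) are placeholders, not real Core Rule Set ids.

```python
"""Parse a ModSecurity 2.x serial audit log (the lab's mod_audit.log) and
summarise which rules fired, which requests were blocked, and which were only
audited.  Added example, not code from the slides or the ModSecurity project.
The log below is constructed: transaction ids, client address and rule ids
(9000xx) are placeholders, not real CRS ids."""
import re
import sys
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
HEADER_A = re.compile(r"^\[[^\]]+\]\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')
RULE_FILE = re.compile(r'\[file "([^"]*)"\]')

SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[10/Oct/2010:14:02:11 --0600] TXN00000001 192.0.2.10 51234 127.0.0.1 80
--1a2b3c4d-B--
GET /mandiant-struts-form-vulnerable/index.jsp?name=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1
Host: localhost
--1a2b3c4d-F--
HTTP/1.1 500 Internal Server Error
--1a2b3c4d-H--
Message: Access denied with code 500 (phase 2). Pattern match "(?i)<scri" at ARGS:name. [file "C:/Apache2/conf/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "42"] [id "900001"] [msg "Detects script tags (constructed)"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--

--5e6f7a8b-A--
[10/Oct/2010:14:07:45 --0600] TXN00000002 192.0.2.10 51240 127.0.0.1 80
--5e6f7a8b-B--
GET /mandiant-struts-form-vulnerable/index.jsp?name=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1
Host: localhost
--5e6f7a8b-F--
HTTP/1.1 200 OK
--5e6f7a8b-H--
Message: Warning. Pattern match "(?i)<script" at ARGS:name. [file "C:/Apache2/conf/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "17"] [id "900002"] [msg "Cross-site Scripting (XSS) Attack (constructed)"] [severity "CRITICAL"]
Message: Warning. Pattern match "alert\\(" at ARGS:name. [file "C:/Apache2/conf/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "88"] [id "900003"] [msg "Generic attack pattern (constructed)"] [severity "WARNING"]
--5e6f7a8b-Z--
"""


def split_transactions(text):
    """Group the log into {transaction_id: {section_letter: [lines]}}.
    A boundary line is --<id>-<section>--; section Z closes the transaction."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txn_id, section = m.groups()
            if section == "Z":
                current = None
            else:
                current = (txn_id, section)
                txns.setdefault(txn_id, {})[section] = []
            continue
        if current:
            txns[current[0]][current[1]].append(line)
    return txns


def parse_audit_log(text):
    """One record per 'Message:' line in section H, joined to its request."""
    records = []
    for txn_id, sections in split_transactions(text).items():
        m = HEADER_A.match((sections.get("A") or [""])[0])
        client = m.group(2) if m else "?"
        request = (sections.get("B") or [""])[0]
        status = (sections.get("F") or [""])[0]
        for line in sections.get("H", []):
            if not line.startswith("Message: "):
                continue
            rid, msg, rfile = RULE_ID.search(line), RULE_MSG.search(line), RULE_FILE.search(line)
            records.append({
                "txn": txn_id, "client": client, "request": request, "status": status,
                "rule_id": rid.group(1) if rid else None,
                "msg": msg.group(1) if msg else "",
                "file": rfile.group(1).rsplit("/", 1)[-1] if rfile else "",
                # "Access denied" = the rule's action was deny; "Warning." = pass + audit.
                "blocked": line.startswith("Message: Access denied"),
            })
    return records


def summarize(records):
    """What you want after a scan: blocked vs audited, hits per rule, hits per client."""
    return {
        "transactions": len({r["txn"] for r in records}),
        "blocked": sum(1 for r in records if r["blocked"]),
        "audit_only": sum(1 for r in records if not r["blocked"]),
        "by_rule": Counter((r["rule_id"], r["file"]) for r in records),
        "by_client": Counter(r["client"] for r in records),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. Apache2/logs/mod_audit.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_AUDIT_LOG
    for key, value in summarize(parse_audit_log(text)).items():
        print(f"{key}: {value}")
```

In the constructed log the first transaction is the phpids block from the earlier slides (status 500, "Access denied"), and the second is the same request after that rule file was removed: the xss_attacks and generic_attacks rules still log, but as "Warning." with a 200 response, which is exactly the pass-and-audit behaviour the slides describe. Pointing the script at the real mod_audit.log after a scan gives the per-rule and per-client counts behind the 32 KB to 732 KB growth.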
Turning on “deny” again
(XSS went away)
Conclusions
• The most interesting part of this exercise is that we have the ability to capture an audit log, without blocking anything, and understand what attacks are hitting the web site.
Lab5
(FingerPrinting)
Startup
• Ensure that Apache is set to block XSS with the phpids rules as before.
• Knowing the Web Server type and patch level gives hackers a roadmap of what attacks to perform.
• ModSecurity can fake the signature.
• Changing the httpd.conf:
HttpPrint scans our type (Apache)
Let’s pretend to be an IIS machine
• Changing the httpd.conf:
• And the mod_security.conf:
Now we are Apache appearing as IIS 5.0
WebKnight/IIS
Labs
Lab1
(Starting IIS/Hacme Bank)
WebKnight
• WebKnight is an Open Source Web Application Firewall from AQTronix, http://aqtronix.com/?PageID=99
• IIS 5.1 and SQL Server 2008 can be installed from the Web Platform Installer (the XP ISO/disk is needed while installing), http://www.microsoft.com/web/downloads/platform.aspx
• What will also prove useful is the Web Visual Studio 2010 Express, http://www.microsoft.com/web/downloads/platform.aspx
• The version of HacmeBank is an updated version of HacmeBank that works on the modern .NET frameworks; it may work with versions 2.0 – 4.0. It was updated from the older versions found at http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Using_O2_on:_HacmeBank
Ensure IIS is started and HacmeBank installed (Control Panel->Administrative Tools->Internet Information Services)
Webknight
• HacmeBank has 3 main pieces:
  • The Hacme_Bank_V2_WS – Hacme Bank Web Service that provides the Login web service to the Database; it has the .asmx files.
  • The Hacme_Bank_V2_Website – provides the asp files for the pages and forms.
  • The FoundStone_Bank Database will have to be installed.
FoundStone_Bank DB
(SQL Server Management Studio)
Installing FoundStone_Bank DB
• With the newer source code, there is both a SQL script and an installer for the Database:
Visual Studio Web Express
• Most of the management can be done by Visual Studio:
.NET Version
• Be very aware of which .NET version is set for the Web Site; it will change many things.
Test the Hacme Web Service
• http://localhost/HacmeBank_v2_WS/WebServices/UserManagement.asmx
Test the Hacme Web Service
• Login Service, user “jv”, password “jv789”.
Test the Hacme Web Service
• A return of “0001” means that it found the user in the database.
Test the Hacme Web Site
• http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, UserName “jv”, Password “jv789”.
Test the Hacme Web Site
• Joe Vilella will Login OK.
Lab2
(SQL Injection Test)
Intro to SQL Injection…
• Many web pages communicate directly with a backend database for processing.
• For example, a username and password are asked for on the Web page, and the web page passes them to the database to validate the information.
• Some applications will not validate the field adequately before passing it to the database, and the database will process whatever it receives.
• Hackers will pass SQL commands directly to the database, and in some cases tables like “passwords” are returned because the SQL commands are not being filtered adequately.
• SQL may return errors in the web page that even list the correct tables to query, so that the hacker may make more accurate attempts to get data.
SQL Injection
• SQL Injection is the ability to inject malicious SQL commands into the backend code.
• For example:
  SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
• Passing ' OR 1=1-- in the USRTEXT field generates:
  SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'PASSTEXT'
• The OR 1=1 returns true and the rest is commented out.
Common attack strings
' or 27 (hex) – delineates SQL string values.
" or 22 (hex) – also delineates SQL string values.
; or 3B (hex) – terminates statements.
# or 23 (hex) – also terminates a statement. (Access DB)
/* or 2F2A (hex) – comment delimiter.
-- or 2D2D (hex) – also a comment delimiter.
( or 28 (hex) or ) or 29 (hex) – logical sub clauses.
{ or 7B (hex) or } or 7D (hex) – terminates a question.
exec – used to call MS-SQL stored procedures.
union – a SQL command very common in SQL injection.
SQL Injection
• http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use “' OR 1=1--” as the UserName and “Submit”.
SQL Injection
• Joe Vilella will Login OK without a Username and Password.
Common Code fixes to SQL Injection…
• Validate the form field to only accept specific input for the fields.
• For example, for the login name use ^[0-9a-zA-Z]*$, which is the regular expression for an alphanumeric field.
• For Apache Struts, use the org.apache.struts.validator.ValidatorPlugin, http://www.owasp.org/index.php/Data_Validation_(Code_Review) .
• For JSPs/Servlets, validate in the Servlet with the “java.util.regex” framework in a similar manner.
• Don’t use SQL
• Use Prepared Statements, or Hibernate, to call the database. http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
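Three earlier passages fit one worked example: the Pros and Cons slide's point that white-listing beats black-listing, the "Common attack strings" list, and the code fixes just above (the `^[0-9a-zA-Z]*$` white-list and prepared statements). The following is an added example, not code from the slides or from HacmeBank. It runs the login query from the SQL Injection slide against an in-memory SQLite table standing in for the backend database, first with input concatenated into the statement and then as a prepared statement, and compares a black-list built from the attack-string list with the white-list. The users row and the inputs are constructed for the demo.

```python
"""Black-list filtering versus white-list validation and prepared statements,
on the login query from the SQL Injection slides.  Added example, not code from
the slides or from HacmeBank.  An in-memory SQLite database stands in for the
backend; the users row and all inputs are constructed for the demo."""
import re
import sqlite3
from urllib.parse import unquote

# The "Common attack strings" list, as the decoded characters a black-list looks for.
BLACKLIST_TOKENS = ("'", '"', ";", "#", "/*", "--", "(", ")", "{", "}")
BLACKLIST_WORDS = ("exec", "union")

# The "Common code fixes" white-list for a login name: alphanumeric only.
LOGIN_NAME = re.compile(r"^[0-9a-zA-Z]*$")


def blacklist_rejects(value):
    """Deny when a listed metacharacter or keyword appears.  The value is
    percent-decoded first, because '%27' is the quote character by the time the
    server hands it to the query; a list that forgets this misses encoded input."""
    decoded = unquote(value)
    lowered = decoded.lower()
    return (any(tok in decoded for tok in BLACKLIST_TOKENS)
            or any(re.search(r"\b%s\b" % word, lowered) for word in BLACKLIST_WORDS))


def whitelist_accepts(value):
    """Accept only what the field is defined to contain; nothing to keep up to date."""
    return LOGIN_NAME.fullmatch(unquote(value)) is not None


def make_db():
    """Constructed users table holding the lab's demo account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jv', 'jv789')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern on the SQL Injection slide: input concatenated into the statement."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, username, password):
    """The fix: a prepared (parameterized) statement, so input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def login_validated(conn, username, password):
    """Both layers together: white-list the field, then use the prepared statement."""
    if not whitelist_accepts(username):
        return []
    return login_prepared(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    for user, pwd in (("jv", "jv789"), ("' OR 1=1--", "anything")):
        print(f"{user!r:14} vulnerable={login_vulnerable(db, user, pwd)!s:8} "
              f"prepared={login_prepared(db, user, pwd)!s:8} "
              f"blacklist_rejects={blacklist_rejects(user)!s:6} "
              f"whitelist_accepts={whitelist_accepts(user)}")
    print("percent-encoded quote still caught by the black-list:",
          blacklist_rejects("%27%20OR%201=1--"))
```

With the slide's `' OR 1=1--` input the concatenated query returns the jv row without a password, the prepared statement returns nothing, and the white-list rejects the input before any query is built. The black-list also catches it here, but only because the list happens to contain the quote character and decodes percent-encoding first; the white-list needs neither, which is the Pros and Cons slide's argument.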
Lab3
(XSS)
XSS in a form
• http://localhost/HacmeBank_v2_Website/aspx/main.aspx?function=PostMessageForm , type “<script>alert(document.cookie);</script>”
XSS
• The cookie script will execute
Lab4
(Install WebKnight)
WebKnight
• A copy will be in My Documents:
WebKnight
• The WebKnight page is http://aqtronix.com/?PageID=99
• How to install can be found at http://aqtronix.com/?PageID=99#Install
• The WebKnight FAQ can be found at http://aqtronix.com/?PageID=114 and troubleshooting at http://aqtronix.com/?PageID=114#trouble
WebKnight
• Starting the Install:
WebKnight
• Hit Typical:
WebKnight
• Already done:
SQL Injection
• http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use “' OR 1=1--” as the UserName and “Submit”.
SQL Injection
• Out of the box, it blocked SQL Injection.
Lab5
(WebKnight)
WebKnight
• The WebKnight product has a Loaded.xml that shows what is currently loaded, a WebKnight.xml for what needs to be loaded next, and a Robots.xml dedicated to Bots.
• If you ever get into trouble, you can delete the WebKnight.xml and the default will be created.
• WebKnight has preview settings to look at online: http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
• Make sure you edit the file WebKnight.xml and NOT Loaded.xml (the latter is for debugging and to see what is loaded in memory).
• Once every minute, Loaded.xml is replaced with the contents of WebKnight.xml.
WebKnight
• The WebKnight product has editors for looking at the logs and xml:
• They are read from the AQTRONIX directory in Program Files:
WebKnight
• You can even edit the WebKnight.xml directly if desired:
WebKnight
• We don’t really know what was blocked. Looking at Log Analysis, part of the block was a shadow file:
WebKnight Loaded XML
• WebKnight has several sections to configure the parts of the configuration file.
WebKnight
• By default, file uploads, Frontpage Extensions, WebDAV, ASP.NET and many protocols are turned off.
WebKnight Logging
• What to log can be specified.
WebKnight Authentication
• We can deny blank passwords, Admin passwords, common passwords, etc.
WebKnight Robots
• We can deny Bots of various kinds.
WebKnight Robots.xml
• WebKnight aggressively blocks Bots, http://www.aqtronix.com/?PageID=114
WebKnight Robots.xml
• WebKnight has a Robots.xml just to configure this:
Lab6
(Config WebKnight)
Configuring WebKnight
• Configuring WebKnight is mostly a combination of going back and forth between testing the site for the desired results, looking at WebKnight’s Log Analysis to validate whether the desired results match the perceived results, and using the WebKnight Configuration tool to change the settings until they meet the desired outcome.
• Always stop/start IIS after the changes.
• WebKnight has preview settings to look at online: http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
• Make sure you edit the file WebKnight.xml and NOT Loaded.xml (the latter is for debugging and to see what is loaded in memory).
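The test-and-reconfigure loop above, and the earlier slide's note that Loaded.xml is replaced from WebKnight.xml once a minute, leave one step a practitioner wants to automate: confirming that the edit you just made is the configuration actually in memory before testing the site again. The following is an added example, not AQTronix code. It flattens the two XML files to `section/setting -> value` pairs and lists the settings that still differ. The element names in the two constructed documents are hypothetical stand-ins for WebKnight's real section and setting names (see the manual link above for the real file); the comparison itself does not depend on them.

```python
"""Confirm that an edit to WebKnight.xml has been picked up by comparing it
with Loaded.xml, the copy WebKnight rewrites from WebKnight.xml about once a
minute.  Added example, not AQTronix code.  The element names in the two
constructed documents below are hypothetical stand-ins for WebKnight's real
section and setting names."""
import sys
import xml.etree.ElementTree as ET

# Constructed: what an edited WebKnight.xml might hold (hypothetical element names).
EDITED_XML = """<?xml version="1.0"?>
<WebKnight>
  <Incident_Response_Handling>
    <Response_Log_Only>1</Response_Log_Only>
    <Response_Status_Code>999</Response_Status_Code>
  </Incident_Response_Handling>
  <SQL_Injection>
    <Scan_Querystring>1</Scan_Querystring>
  </SQL_Injection>
</WebKnight>
"""

# Constructed: a Loaded.xml that still reflects the previous (blocking) configuration.
LOADED_XML = EDITED_XML.replace("<Response_Log_Only>1<", "<Response_Log_Only>0<")


def flatten(xml_text):
    """Map each leaf element's path (root/section/.../setting) to its text.
    Sibling leaves sharing a tag would collide; settings are assumed unique
    within their section."""
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
        for child in children:
            walk(child, path + "/" + child.tag)

    walk(root, root.tag)
    return leaves


def config_diff(edited_xml, loaded_xml):
    """Settings whose value differs between the file you edited and the loaded copy.
    An empty list means the reload has happened and a site test is meaningful."""
    edited, loaded = flatten(edited_xml), flatten(loaded_xml)
    return [(path, edited.get(path), loaded.get(path))
            for path in sorted(set(edited) | set(loaded))
            if edited.get(path) != loaded.get(path)]


def diff_files(edited_path, loaded_path):
    """Same comparison on the real files under the AQTRONIX directory in Program Files."""
    with open(edited_path, encoding="utf-8") as f_e, open(loaded_path, encoding="utf-8") as f_l:
        return config_diff(f_e.read(), f_l.read())


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python this.py <path to WebKnight.xml> <path to Loaded.xml>
        pending = diff_files(sys.argv[1], sys.argv[2])
    else:
        pending = config_diff(EDITED_XML, LOADED_XML)
    for path, wanted, loaded in pending:
        print(f"not yet loaded: {path}: WebKnight.xml={wanted!r} Loaded.xml={loaded!r}")
    print("in sync" if not pending else f"{len(pending)} setting(s) pending")
```

Run it right after saving WebKnight.xml and it reports the pending setting; run it again a minute later (or after the IIS restart the slide recommends) and an empty result tells you the site test that follows is exercising the configuration you intended.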
WebKnight
• Looking back at WebKnight, the shadow.txtbox.gif appears as a shadow file and was blocked.
WebKnight
• We set WebKnight to temporarily allow all files, as a test, and Soap calls. Wait a minute for it to load into Loaded.xml.
WebKnight
• Now we can log in.
WebKnight
• And SQL Injection is blocked.
WebKnight
• For logging only, instead of blocking, set the Incident Response section to “Response Log Only”.
SQL Injection
• Joe Vilella will Login OK without a Username and Password.
Lab7
(NetSparker)
Configuring WebKnight
• Ensure that WebKnight is in Logging Only mode from the last exercise.
• Ensure that Netsparker is installed; if not, install it from the “My Documents” directory. It will require the .NET 3.5 framework.
Start scanning with Netsparker
If you are in Logging Only mode
• If in Logging Only Mode, Netsparker will report many issues with the Hacme site.
• The WebKnight logs will have many alerts in them from Netsparker attacking IIS.
Turn off the Logging Only mode
• Double check by both checking the Loaded.xml and testing the site for SQL Injection.
Rescan with the Logging Only mode off
The scan is cleaner
• If there is time, we can go through the WebKnight.xml, change some settings, test, and continue to reconfigure WebKnight to get the optimal results.
Final Thoughts
• Are there any Questions?
• Feel free to contact me at rich.helton@state.co.us
• Also, always only try these tools with your own test site or with permission of the system owner.

 
Python Final
Python FinalPython Final
Python Final
 
Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4Overview of CSharp MVC3 and EF4
Overview of CSharp MVC3 and EF4
 
Adobe Flex4
Adobe Flex4 Adobe Flex4
Adobe Flex4
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
 
Jira Rev002
Jira Rev002Jira Rev002
Jira Rev002
 

Recently uploaded

A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 

Recently uploaded (20)

A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 

Web Application Firewall intro

• 1. Introduction to Web Application Firewalls
  From Rich Helton's October 2010 Web Application Firewall classes
• 2. WAF (A quick fix)
  - Instead of rewriting code, a potentially quicker method is to put an application that intercepts the HTTP traffic ahead of the HTTP server, known as a Web Application Firewall (WAF).
  - The WAF takes configurations like a normal firewall on what traffic to pass and reject. The difference is that it responds specifically to an HTTP server like Apache or IIS.
  - For Apache, the most popular approach is its Open Source plugin mod_security: http://www.modsecurity.org/
  - For IIS, WebKnight from AQTronix, http://aqtronix.com/?PageID=99, is the most popular Open Source solution.
  - Not everything can be covered by a WAF, especially session hijacking flaws, but XSS and SQL Injection can be mitigated. http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
• 3. WAF (Not just a server fix)
  - WAFs are filters that sit in front of the Web Application.
  - Depending on their configuration, they deny, or only log, input from the Internet that fails their validation before it reaches the Application.
  - They are a good source for auditing the information that is hitting the Web site and the scans that are constantly taking place.
• 4. Pros and Cons
  - Pros:
    - Installing a WAF is quicker, in most cases, than changing code and re-deploying a Web Application.
    - A WAF may find issues, through its rule sets, that the code is not prepared to find, because WAFs ship with thousands of rules written by industry experts.
  - Cons:
    - WAFs are limited by the rules installed in them: if there is no rule for an attack, they cannot protect against it.
    - Validation in the application is the better protection, because form-level validation white-lists what input is allowed, whereas WAF rules black-list the input that is denied.
• 7. Tomcat will need Apache
  - Starting Apache: if there is an error, run the "StartApache.bat" in the lab and observe the error. Likely Apache is already started.
  - Check Apache by browsing to http://localhost/ in IE; the slide shows the page it returns.
• 8. Tomcat will need Apache
  - To link Tomcat and Apache, the mod_jk module, also known as the Tomcat Connector, needs to be installed; see http://tomcat.apache.org/connectors-doc/ . Note: Tomcat can also sit behind Microsoft's IIS instead of Apache, using the Microsoft ISAPI plugin.
  - The easiest way to install the mod_jk connector is to have Tomcat generate "conf/auto/mod_jk.conf" from its Container and have Apache reference it from its "conf/httpd.conf" file:
      LoadModule jk_module modules/mod_jk.so
      Include C:/Apache2/apache-tomcat-6.0.28/conf/auto/mod_jk.conf
  - See http://www.johnturner.com/howto/apache2-tomcat4129-jk-winxp-howto.html
• 10. Tomcat will need Apache
  - Start in "C:\Labs\Lab_Mod_JK" and run "TestApacheConfig.bat".
  - The Apache directory is pre-installed in "C:\Apache2".
  - Tomcat is pre-installed in "C:\Apache2\apache-tomcat-6.0.28".
• 11. Tomcat will need Apache
  - You might receive the screen shown on the slide from the generated mod_jk.conf.
  - The mod_jk.conf is generated by Tomcat, and the one generated here comes from an older version of Tomcat. This file can be edited, copied to a new location and referenced from there, such as "C:\Apache2\apache-tomcat-6.0.28\conf".
• 12. Installing mod_jk
  - mod_jk is the module that Tomcat and Apache use to communicate. The C:\Apache2\apache-tomcat-6.0.28\conf\auto\mod_jk.conf file is generated by Tomcat at startup to tell Apache which files are available.
  - The Apache httpd.conf is configured to find the mod_jk.so module and its configuration files by adding the lines shown on the slide. This is already done in the Lab1 directory.
• 13. Installing mod_jk
  - Notice that mod_jk.log logs the communications from Apache to Tomcat.
  - A workers.properties also has to be created in $tomcat/conf to describe the ajp13 (mod_jk protocol) workers on port 8009.
  - Tomcat's server.xml also has to be modified to listen for mod_jk (the AJP connector shown on the slide).
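The Apache side of the mod_jk wiring from slides 8 to 13, written out in one place as an added example; it is not the lab's pre-built file. The module path, the C:/Apache2 layout, the worker name ajp13 and port 8009 follow the slides. The JkMount path and binding the connector to 127.0.0.1 are assumptions added here, and this variant mounts the sample application explicitly instead of including the Tomcat-generated conf/auto/mod_jk.conf.

```apache
# httpd.conf: load the connector and tell it where its worker definitions live.
# Windows paths use forward slashes in httpd.conf, as the slides' Include line does.
LoadModule jk_module modules/mod_jk.so
JkWorkersFile C:/Apache2/apache-tomcat-6.0.28/conf/workers.properties
JkLogFile     C:/Apache2/logs/mod_jk.log
JkLogLevel    info

# Forward only the Struts sample to Tomcat (path assumed from slide 16).
# Every other URL is served by Apache, and every forwarded request still
# passes through mod_security once that module is loaded, which is the point
# of putting Apache in front of Tomcat in this lab.
JkMount /mandiant-struts-form-vulnerable/* ajp13
```

The workers.properties that JkWorkersFile points at needs four lines for this worker: worker.list=ajp13, worker.ajp13.type=ajp13, worker.ajp13.host=127.0.0.1 and worker.ajp13.port=8009. On the Tomcat side the server.xml connector would be `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />`. The address attribute is the caveat worth keeping: AJP accepts request attributes such as the client address from whatever connects to it, so the connector should only be reachable from the Apache instance in front of it. With it bound to loopback, the fport check on slide 15 should show 8009 listening on 127.0.0.1 only, not on every interface.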
• 14. Starting Tomcat/Apache
  - After a successful start of Apache, run C:\Apache2\apache-tomcat-6.0.28\bin\startup.bat. You can see it is successful by checking the logs for exceptions (search for the keyword "exception" in the files) and for a successful start.
• 15. Port 8009
  - Port 8009 was used in workers.properties and server.xml for communication between Apache and Tomcat. Using a tool like fport.exe from Foundstone, the port should appear open and listening, opened by java; notice port 8009.
• 16. Now Try a Struts XSS Sample
  - Call http://localhost/mandiant-struts-form-vulnerable/index.jsp
• 17. Now Try a Struts XSS Sample
  - Typing in the XSS "<script>alert(123)</script>", the XSS appears.
• 19. Apache mod_security
  - The mod_security module information can be found at http://www.modsecurity.org/
  - Load the mod_security and unique_id modules (this example is on XP) in conf/httpd.conf:
      LoadModule security2_module modules/mod_security2.so
      LoadModule unique_id_module modules/mod_unique_id.so
  - Add the base configuration and some of the base rules:
      Include conf/mod_security.conf
      Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf
      Include conf/base_rules/modsecurity_crs_23_request_limits.conf
      Include conf/base_rules/modsecurity_crs_35_bad_robots.conf
      Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf
      Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
• 20. Apache mod_unique_id
  - The modules/mod_unique_id.so has to be loaded for mod_security to work.
  - To check which modules are currently loaded by Apache, run "httpd -t -D DUMP_MODULES" from the Apache2/bin directory.
• 21. Apache mod_unique_id
  - Ensure that the LoadModule line is set in Apache2/httpd.conf, then run "httpd -t -D DUMP_MODULES" from the Apache2/bin directory again.
• 22. Apache mod_security2
  - Copy libxml2.dll, mod_security2.so and pcre.dll to Apache2/modules, add the LoadModule line to httpd.conf, and run "httpd -t -D DUMP_MODULES" from the Apache2/bin directory to see security2_module listed.
• 23. mod_security2 minimal configuration
  - After renaming modsecurity.conf-minimal to modsecurity.conf, httpd.conf needs to Include it.
  - With the rules set to return "500 Internal Server Error", the XSS request now returns an error code of 500.
• 24. Testing which rules may apply
  - http://www.modsecurity.org/demo/phpids has a smoketest to verify which rules may apply.
• 27. Apache mod_security logs
  - The mod_security logs show what mod_security blocked.
  - If the minimal configuration was used, mod_security writes which rule it blocked on to "Apache2/logs/mod_audit.log".
  - The log entry names the rule, which usually defines the blocking sequence through a regular expression.
  - To log, the location of the logs and their level of logging need to be defined:
      SecAuditEngine On: enables audit logging for all transactions.
      SecAuditEngine RelevantOnly: enables audit logging only for transactions that match a rule, or whose status code matches the regular expression configured via SecAuditLogRelevantStatus.
      SecAuditEngine Off: disables audit logging.
• 29. What does the mod_audit log say?
  - It blocked the mandiant page for the reasons shown on the slide.
• 30. What does the mod_audit log say?
  - Looking closer, it appears that the phpids filter identified "<scri" as XSS.
• 31. What does the mod_audit log say?
  - Looking closer, it appears that the phpids filter identified "<scri" as XSS.
• 32. A simple test
  - Let's see what happens when we remove the 41_phpids_filters.conf.
  - I am going to leave Tomcat running; it is not processing the rules, only Apache is.
  - I am going to stop Apache, delete the 41_phpids_filters.conf file, test the configuration, and start Apache.
  - The Apache configuration tested good. Always test after changes.
• 33. This time it didn't block, but triggered an audit rule
  - In modsecurity_crs_41_xss_attacks.conf, the matching rule says pass and audit.
• 34. Conclusion
  - Adding the file 41_phpids_filters.conf back in will make it block again.
  - Another alternative is to make the xss_attacks.conf rule block by changing its action from "pass" to "deny".
  - There are many, many rules, and more than likely they overlap in some manner.
  - This exercise showed how to manipulate the rules in case some of them block normal business activities.
• 36. Startup
  - Ensure that Apache is set to block XSS with the phpids rules as before.
  - In this exercise we will simply log and not block.
  - By default, modsecurity only logs, so we need to comment out the deny statement in httpd.conf after stopping Apache, check the config, and restart Apache.
• 37. XSS passes through
  - This time the XSS passes through.
• 38. The XSS alerts are logged
  - In the audit log we see the phpids alerts for XSS, along with the other rules as well. This is because the request was not blocked by the phpids rule and kept going through the remaining rules.
• 39. Let's test some tools (scanning with Netsparker)
• 40. It found XSS (scanning with Netsparker)
• 41. ModSecurity audit logs
  - When Netsparker scanned the site, the audit log grew from 32 KB to 732 KB, because it was capturing the Netsparker attacks.
• 42. Turning on "deny" again (the XSS went away)
• 43. Conclusions
  - The most interesting part of this exercise is that we have the ability to capture an audit log, without blocking anything, and understand what attacks are hitting the web site.
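The "log, don't block" exercise of slides 36 to 43 ends with a 732 KB audit log. As an added example that is not part of the slides, the script below reads a ModSecurity 2.x serial audit log (the format SecAuditLogType Serial writes, with sections delimited by --boundary-letter-- lines) and summarises which rules fired, from which rule files, for which clients, and how many transactions were actually blocked rather than only logged. The two transactions embedded in it are constructed sample data; the rule ids 999001 to 999003, line numbers and timestamps are placeholders, not real CRS values.

```python
"""Summarise a ModSecurity 2.x serial audit log (added example, not lab code).

Sections per transaction: A = audit header (timestamp, unique id, client
address and port, server address and port), B = request headers (first line is
the request line), F = response headers (first line carries the status),
H = audit trailer with one "Message:" line per rule that matched, Z = end.
"""
import re
from collections import Counter

# Constructed sample: one XSS probe seen in DetectionOnly mode (status 200,
# not intercepted) and one SQL injection attempt that was denied with a 500.
SAMPLE_LOG = """\
--7d4a5c1e-A--
[27/Oct/2010:10:15:02 --0600] TMiA9n8AAAEAAB5BFV4AAAAA 127.0.0.1 51234 127.0.0.1 80
--7d4a5c1e-B--
GET /mandiant-struts-form-vulnerable/index.jsp?name=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
--7d4a5c1e-F--
HTTP/1.1 200 OK
Content-Type: text/html
--7d4a5c1e-H--
Message: Warning. Pattern match "(?i)<scri" at ARGS:name. [file "conf/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "999001"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "DETECTION_ONLY"
--7d4a5c1e-Z--
--7d4a5c1f-A--
[27/Oct/2010:10:15:09 --0600] TMiA9n8AAAEAAB5BFV4AAAAB 10.0.0.9 40110 127.0.0.1 80
--7d4a5c1f-B--
POST /HacmeBank_v2_Website/aspx/Login.aspx HTTP/1.1
Host: localhost
--7d4a5c1f-F--
HTTP/1.1 500 Internal Server Error
--7d4a5c1f-H--
Message: Access denied with code 500 (phase 2). Pattern match "(?i)\\bor\\b\\s*\\d+=\\d+" at ARGS:UserName. [file "conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "12"] [id "999002"] [msg "SQL Injection Attack"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "conf/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "4"] [id "999003"] [msg "Inbound Anomaly Score Exceeded"]
--7d4a5c1f-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$")
TAG_RE = re.compile(r'\[(?P<key>id|msg|file|severity) "(?P<val>[^"]*)"\]')


def parse_audit_log(text):
    """Yield one dict per transaction: client, request line, status, rule hits."""
    tx = None
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            boundary, section = m.groups()
            if section == "A":
                tx = {"boundary": boundary, "client": None, "request": None,
                      "status": None, "hits": [], "blocked": False}
            elif section == "Z" and tx is not None:
                yield tx
                tx = None
            continue
        if tx is None:
            continue
        if section == "A":
            h = HEADER_RE.match(line)
            if h:
                tx["client"] = h.group("src")
                tx["timestamp"] = h.group("ts")
        elif section == "B" and tx["request"] is None and line:
            tx["request"] = line
        elif section == "F" and tx["status"] is None and line.startswith("HTTP/"):
            tx["status"] = int(line.split()[1])
        elif section == "H" and line.startswith("Message:"):
            tags = {t.group("key"): t.group("val") for t in TAG_RE.finditer(line)}
            # "Access denied" means the engine really intercepted the request;
            # "Warning" is what the same rule produces in DetectionOnly mode.
            tags["blocked"] = line.startswith("Message: Access denied")
            tx["hits"].append(tags)
            tx["blocked"] = tx["blocked"] or tags["blocked"]


def summarise(text):
    """Counts of rule (id, msg), rule files and clients across all transactions."""
    by_rule, by_file, by_client = Counter(), Counter(), Counter()
    blocked = 0
    for tx in parse_audit_log(text):
        by_client[tx["client"]] += 1
        blocked += tx["blocked"]
        for hit in tx["hits"]:
            by_rule[(hit.get("id"), hit.get("msg"))] += 1
            by_file[hit.get("file")] += 1
    return {"rules": by_rule, "files": by_file, "clients": by_client, "blocked": blocked}


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for (rule_id, msg), n in summary["rules"].most_common():
        print(f"{n:4d}  id={rule_id}  {msg}")
    print("blocked transactions:", summary["blocked"])
```

Point it at Apache2/logs/mod_audit.log after a Netsparker run and the rule ids at the top of the list are the ones to examine first: a rule that fires on every legitimate request is a false positive to tune (the [id "..."] value is what SecRuleRemoveById takes), while a rule that fires only from one client with "Access denied" lines is the WAF doing its job.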
• 45. Startup
  - Ensure that Apache is set to block XSS with the phpids rules as before.
  - Knowing the Web Server type and patch level gives hackers a roadmap of which attacks to perform.
  - ModSecurity can fake the server signature by changing httpd.conf.
• 46. HttpPrint scans our type (Apache)
• 47. Let's pretend to be an IIS machine
  - Change httpd.conf and mod_security.conf as shown on the slide.
• 48. Now we are Apache appearing as IIS 5.0
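The ModSecurity directives that slides 19 through 48 toggle one at a time (engine mode, the 500 response, audit logging, removing or hardening a rule, the fake server signature), collected into one added example. It is not the lab's httpd.conf or mod_security.conf. The C:/Apache2 paths and the CRS file names are the ones the slides use; the rule id passed to SecRuleRemoveById and the id 1000001 of the local rule are placeholders chosen here, not real CRS ids.

```apache
# Added example: ModSecurity settings for the lab, in place of the slides'
# "Include conf/mod_security.conf" (Apache 2.2 on Windows, C:/Apache2).

LoadModule unique_id_module modules/mod_unique_id.so   # mod_security2 needs it
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # DetectionOnly is the "log only, do not block" exercise: rules still run
    # and still write the audit log, but no request is denied. Set to On for
    # the blocking exercises instead of editing "deny" in the rule files.
    SecRuleEngine DetectionOnly

    # Inspect POST bodies too; the PostMessageForm XSS never appears in ARGS
    # otherwise. Response bodies are left alone to keep the lab fast.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # What a matching rule does when it carries no disruptive action of its
    # own: the slides use a 500 Internal Server Error.
    SecDefaultAction "phase:2,log,deny,status:500"

    # Audit log as described on slide 27. RelevantOnly keeps it small: only
    # transactions that matched a rule, or that returned 5xx, or 4xx other
    # than 404, are written.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog C:/Apache2/logs/mod_audit.log
    SecAuditLogParts ABFHZ
    SecDebugLog C:/Apache2/logs/modsec_debug.log
    SecDebugLogLevel 3

    # Core rules named on slide 19, plus the phpids filters from slide 32.
    Include conf/base_rules/modsecurity_crs_23_request_limits.conf
    Include conf/base_rules/modsecurity_crs_35_bad_robots.conf
    Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf
    Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
    Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf
    Include conf/base_rules/modsecurity_crs_41_phpids_filters.conf

    # Slide 32 deletes 41_phpids_filters.conf to stop one block. The same
    # effect without touching vendor files: remove the single rule by the id
    # printed in the audit log's [id "..."] tag. 999001 is a placeholder.
    # This must come after the Include that defines the rule.
    SecRuleRemoveById 999001

    # Slide 34 edits a CRS rule from "pass" to "deny". A local rule that
    # denies the lab payload keeps the CRS file untouched. id 1000001 is
    # chosen here; t:lowercase and t:urlDecodeUni run before the comparison
    # so "%3CScript" is caught as well.
    SecRule ARGS "@contains <script" \
        "id:1000001,phase:2,t:lowercase,t:urlDecodeUni,deny,status:500,log,msg:'Lab XSS rule'"

    # Slides 45 to 48: answer as IIS. ServerTokens Full is required, otherwise
    # Apache writes its own abbreviated Server header and the override is
    # not applied.
    ServerTokens Full
    SecServerSignature "Microsoft-IIS/5.0"
</IfModule>
```

The practical gain over the slides' procedure is that switching between the "log only" and "deny" exercises is one word (SecRuleEngine) and false positives are handled by id rather than by deleting or editing CRS files, so the rule set can be upgraded later without losing the local changes. Keep the slides' habit of running "httpd -t" before every restart: a typo in any of these lines keeps Apache from starting at all.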
• 51. WebKnight
  - WebKnight is an Open Source Web Application Firewall from AQTronix, http://aqtronix.com/?PageID=99
  - IIS 5.1 and SQL Server 2008 can be installed from the Web Platform Installer, http://www.microsoft.com/web/downloads/platform.aspx (the XP ISO/disk is needed while installing).
  - What will also prove useful is Visual Studio 2010 Web Express, http://www.microsoft.com/web/downloads/platform.aspx
  - The version of HacmeBank used here is updated to work on the modern .NET frameworks; it may work with versions 2.0 to 4.0. It was updated from the older versions found at http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Using_O2_on:_HacmeBank
• 52. Ensure IIS is started and HacmeBank installed (Control Panel -> Administrative Tools -> Internet Information Services)
• 53. WebKnight
  - HacmeBank has 3 main pieces:
    - Hacme_Bank_V2_WS, the Hacme Bank Web Service that provides the Login web service to the Database; it has the .asmx files.
    - Hacme_Bank_V2_Website, which provides the aspx files for the pages and forms.
    - The FoundStone_Bank Database, which has to be installed.
• 54. FoundStone_Bank DB (SQL Server Management Studio)
• 55. Installing FoundStone_Bank DB
  - With the newer source code, there is both a SQL script and an installer for the Database.
• 56. Visual Studio Web Express
  - Most of the management can be done from Visual Studio.
• 57. .NET Version
  - Be very aware of which .NET version is set for the Web Site; it changes many things.
• 58. Test the Hacme Web Service
  - http://localhost/HacmeBank_v2_WS/WebServices/UserManagement.asmx
• 59. Test the Hacme Web Service
  - Login service, user "jv", password "jv789".
• 60. Test the Hacme Web Service
  - A return of "0001" means that it found the user in the database.
• 61. Test the Hacme Web Site
  - http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, UserName "jv", Password "jv789".
• 62. Test the Hacme Web Site
  - Joe Vilella logs in OK.
• 64. Intro to SQL Injection
  - Many web pages communicate directly with a backend database for processing.
  - For example, a username and password are asked for on the Web page, and the web page passes them to the database to validate the information.
  - Some applications do not validate the field adequately before passing it to the database, and the database processes whatever it receives.
  - Hackers pass SQL commands directly to the database, and in some cases tables like "passwords" are returned because the SQL commands are not being filtered adequately.
  - SQL may return errors in the web page that even list the correct tables to query, so that the hacker can make more accurate attempts to get data.
• 65. SQL Injection
  - SQL Injection is the ability to inject malicious SQL commands into the backend code.
  - For example:
      SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
  - Passing ' OR 1=1-- in the USRTEXT field generates:
      SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'PASSTEXT'
  - The OR 1=1 returns true and the rest is commented out.
• 66. Common attack strings
  - ' or 27 (hex): delineates SQL string values.
  - " or 22 (hex): also delineates SQL string values.
  - ; or 3B (hex): terminates statements.
  - # or 23 (hex): also terminates a statement (Access DB).
  - /* or 2F2A (hex): comment delimiter.
  - -- or 2D2D (hex): also a comment delimiter.
  - ( or 28 (hex) and ) or 29 (hex): logical sub-clauses.
  - { or 7B (hex) and } or 7D (hex): terminates a question.
  - exec: used to call MS-SQL stored procedures.
  - union: a SQL command very common in SQL injection.
• 67. SQL Injection
  - http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use "' OR 1=1--" as the UserName and "Submit".
• 68. SQL Injection
  - Joe Vilella logs in OK without a Username and Password.
• 69. Common code fixes to SQL Injection
  - Validate the form field to only accept specific input for the field.
  - For example, for the login name use ^[0-9a-zA-Z]*$, a regular expression for an alpha-numeric field.
  - For Apache Struts, use org.apache.struts.validator.ValidatorPlugin, http://www.owasp.org/index.php/Data_Validation_(Code_Review) .
  - For JSPs/Servlets, validate in the Servlet with the "java.util.regex" framework in a similar manner.
  - Don't build SQL statements by concatenating user input into them.
  - Use Prepared Statements, or Hibernate, to call the database. http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
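Slides 65 and 69 describe the injection and its fixes in words. As an added example that is not part of the slides, the script below runs the slide-65 login query against an in-memory SQLite copy of a users table, first built the way the vulnerable page builds it (string concatenation) and then with both slide-69 fixes: white-list validation of the username and a parameterised query. The table shape, the user jv / jv789 and the regular expression come from the slides; the second row, the function names and the use of SQLite instead of SQL Server are constructed for the demonstration.

```python
"""Vulnerable login query beside its fixed form (added example, not lab code)."""
import re
import sqlite3

# Slide 69's ^[0-9a-zA-Z]*$ . fullmatch is used instead of match because a
# trailing "$" alone would still accept a value that ends in a newline.
USERNAME_RE = re.compile(r"[0-9a-zA-Z]*")


def is_valid_username(username):
    """White-list: only the characters the field is allowed to contain."""
    return USERNAME_RE.fullmatch(username) is not None


def make_db():
    """Constructed stand-in for the FoundStone_Bank users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "jv", "jv789", "Joe Vilella"),
        (2, "jm", "jm789", "Jane Mendez"),   # second row, constructed
    ])
    return db


def login_vulnerable(db, username, password):
    """Slide 65: the query text is assembled from the form fields, so the
    fields can change its structure. Returns the matching (user_id, name) rows."""
    sql = ("SELECT user_id, name FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchall()


def login_parameterised(db, username, password):
    """Slide 69, prepared statement: the SQL text is fixed and the values are
    bound, so ' OR 1=1-- is compared literally against the username column."""
    sql = "SELECT user_id, name FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()


def login_fixed(db, username, password):
    """Both fixes: reject anything outside the white-list before the database
    is touched, then bind. Validation is the first line, binding the second."""
    if not is_valid_username(username):
        raise ValueError("username must be alpha-numeric")
    return login_parameterised(db, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print(login_vulnerable(db, "jv", "jv789"))       # [(1, 'Joe Vilella')]
    # WHERE username = '' OR 1=1--' AND password = '...' : OR 1=1 is true for
    # every row and the password check is inside the comment, so both rows return.
    print(login_vulnerable(db, payload, "anything"))  # [(1, 'Joe Vilella'), (2, 'Jane Mendez')]
    print(login_parameterised(db, payload, "anything"))  # []
    try:
        login_fixed(db, payload, "anything")
    except ValueError as exc:
        print("rejected before the query:", exc)
```

The two fixes are not interchangeable: binding alone already defeats the payload, and the regular expression alone would still leave a concatenated query open to anything the white-list happens to permit, which is why slide 69 lists both. This is also the application-side counterpart of the WAF rule on slide 80: WebKnight blocks the string it recognises, the prepared statement makes the string harmless whether or not it is recognised.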
• 71. XSS in a form
  - http://localhost/HacmeBank_v2_Website/aspx/main.aspx?function=PostMessageForm , type "<script>alert(document.cookie);</script>"
• 72. XSS
  - The cookie script executes.
• 74. WebKnight
  - A copy is in My Documents.
• 75. WebKnight
  - The WebKnight page is http://aqtronix.com/?PageID=99
  - How to install it can be found at http://aqtronix.com/?PageID=99#Install
  - The WebKnight FAQ is at http://aqtronix.com/?PageID=114 and troubleshooting at http://aqtronix.com/?PageID=114#trouble
• 79. SQL Injection
  - http://localhost/HacmeBank_v2_Website/aspx/Login.aspx, use "' OR 1=1--" as the UserName and "Submit".
• 80. SQL Injection
  - Out of the box, it blocked the SQL Injection.
• 82. WebKnight
  - WebKnight has a Loaded.xml that shows what is currently loaded, a WebKnight.xml with what is to be loaded next, and a Robots.xml dedicated to bots.
  - If you ever get into trouble, you can delete WebKnight.xml and the default will be created.
  - WebKnight has preview settings to look at online: http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
  - Make sure you edit the file WebKnight.xml and NOT Loaded.xml (the latter is for debugging and shows what is loaded in memory).
  - Once every minute, Loaded.xml is replaced with the contents of WebKnight.xml.
• 83. WebKnight
  - WebKnight has editors for looking at the logs and XML, which are read from the AQTRONIX directory in Program Files.
• 84. WebKnight
  - You can also edit WebKnight.xml directly if desired.
• 85. WebKnight
  - We don't really know what was blocked. Looking at Log Analysis, part of the block was a "shadow" file.
• 86. WebKnight Loaded XML
  - WebKnight has several sections to configure the parts of the configuration file.
• 87. WebKnight
  - By default, file uploads, FrontPage Extensions, WebDAV, ASP.NET and many protocols are turned off.
• 88. WebKnight Logging
  - What to log can be specified.
• 89. WebKnight Authentication
  - We can deny blank passwords, Admin passwords, common passwords, etc.
• 90. WebKnight Robots
  - We can deny bots of various kinds.
• 91. WebKnight Robots.xml
  - WebKnight aggressively goes after bots, http://www.aqtronix.com/?PageID=114
• 92. WebKnight Robots.xml
  - WebKnight has a Robots.xml just to configure this effort.
• 94. Configuring WebKnight
  - Configuring WebKnight is mostly a cycle of testing the site for the desired results, looking at WebKnight's Log Analysis to check whether the actual results match the expected ones, and using the WebKnight Configuration tool to change the settings until they meet the desired outcome.
  - Always stop/start IIS after the changes.
  - WebKnight has preview settings to look at online: http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
  - Make sure you edit the file WebKnight.xml and NOT Loaded.xml (the latter is for debugging and shows what is loaded in memory).
• 95. WebKnight
  - Looking back at WebKnight, shadow.txtbox.gif was treated as a shadow file and blocked.
• 96. WebKnight
  - We set WebKnight to temporarily allow all files as a test, plus SOAP calls. Wait a minute for it to be picked up into Loaded.xml.
• 97. WebKnight
  - Now we can log in.
• 98. WebKnight
  - And SQL Injection is blocked.
• 99. WebKnight
  - To log only, instead of blocking, set the Incident Response section to "Response Log Only".
• 100. SQL Injection
  - Joe Vilella logs in OK without a Username and Password.
• 101. SQL Injection
  - Joe Vilella logs in OK without a Username and Password.
• 103. Configuring WebKnight
  - Ensure that WebKnight is in Logging Only mode from the last exercise.
  - Ensure that Netsparker is installed; if not, install it from the "My Documents" directory. It requires the .NET 3.5 framework.
• 104. Start scanning with Netsparker
• 105. If you are in Logging Only mode
  - In Logging Only mode, Netsparker reports many issues with the Hacme site.
  - The WebKnight logs will have many alerts in them from Netsparker attacking IIS.
• 106. Turn off the Logging Only mode
  - Double check by both checking Loaded.xml and testing the site for SQL Injection.
• 107. Rescan with the Logging Only mode off
• 108. The scan is cleaner
  - If there is time, we can go through WebKnight.xml, change some settings, test, and continue to reconfigure WebKnight to get the optimal results.
• 110. Final Thoughts
  - Are there any questions?
  - Feel free to contact me at rich.helton@state.co.us
  - Also, always only try these tools on your own test site or with the permission of the system owner.