2. What is a Web Application Firewall (WAF)???
• Protects a web application by adding a security layer
• Sits between a user and a web server
• Understands HTTP traffic better than traditional firewalls
• Checks for malicious traffic and blocks it
[Diagram: the user requests the web application; the WAF (e.g. proxyserver.com, using ModSecurity) identifies and blocks malicious requests before they reach the web application servers.]
3. ModSecurity is a toolkit for real-time web application monitoring, logging, and access control
4. What ModSecurity Can do ???
• Real-time application security monitoring and access control
• Virtual patching
• Full HTTP traffic logging
• Continuous passive security assessment
• Web application hardening
5. What ModSecurity Can do ???
• HTTP Protection - detecting violations of the HTTP protocol and a
locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
• HTTP Denial of Service Protections - defense against HTTP Flooding
and Slow HTTP DoS Attacks.
• Common Web Attacks Protection - detecting common web
application security attacks.
• Automation Detection - Detecting bots, crawlers, scanners and
other surface malicious activity.
6. What ModSecurity Can do ???
• Integration with AV Scanning for File Uploads - detects malicious
files uploaded through the web application.
• Trojan Protection - Detecting access to Trojan horses.
• Identification of Application Defects - alerts on application
misconfigurations.
• Error Detection and Hiding - Disguising error messages sent by the
server.
8. ModSecurity's Rules Language Syntax
SecRule TARGETS OPERATOR [ACTIONS]
• TARGETS - tells ModSecurity where to look (such as ARGS, ARGS_NAMES or COOKIES).
• OPERATOR - tells ModSecurity how to process the data.
• ACTIONS - tell ModSecurity what to do if a rule matches (such as deny, exec or setvar).
Example (OWASP CRS 2.2.9 rule 973336, wrapped with backslash line continuations; the character classes are [\s\S] and [\s], whose backslashes were lost in extraction):
SecRule ARGS \
    "(?i)(<script[^>]*>[\s\S]*?</script[^>]*>|<script[^>]*>[\s\S]*?</script[\s\S]*[\s\S]|<script[^>]*>[\s\S]*?</script[\s]*[\s]|<script[^>]*>[\s\S]*?</script|<script[^>]*>[\s\S]*?)" \
    "id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'8',\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,\
    msg:'XSS Filter - Category 1: Script Tag Vector',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    severity:'2',setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
10. Ok I understand .. But how can I deploy it ???
ModSecurity supports two deployment options:
• Embedded
ModSecurity is an Apache module, so you can add it to any compatible version of Apache. The embedded
option is a great choice for those who already have their architecture laid out and don't want to change it.
• Reverse proxy deployment
When you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a
network web application firewall, which you can use to protect any number of web servers on
the same network. Many security practitioners prefer having a separate security layer. With it
you get complete isolation from the systems you are protecting.
11. Core Rule Set (CRS) ..???
The OWASP community has developed and maintains a
set of rules called the OWASP CRS.
The CRS provides generic protection from unknown
vulnerabilities often found in web applications.
12. Core Rules …
HTTP protocol protection
• RFCs
• Defined policy
Common Web Attack Protections
• XSS, SQLi, CSRF, HTTP Response Splitting
Automation Detection
• Bots, web crawlers, web scanners.
Trojan Protection
Server Error Hiding / DLP
• Mask errors sent by the server
• Data Loss Prevention
13. Core Rule Set (CRS) run modes ..???
The CRS can run in two modes:
traditional and anomaly scoring.
Traditional mode:- the first rule that matches will block
the request.
Anomaly scoring mode:- the rules increment counters
that "enumerate badness", and if the accumulated score exceeds a
threshold then the request is blocked.
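The two run modes side by side, as an added ModSecurity configuration example that is not part of the original slides: the same script-tag rule either denies on its own (traditional) or only adds to tx.anomaly_score, leaving the decision to one evaluation rule (anomaly scoring). The rule ids, the ANOMALY_MODE define, the variable names and the weight/threshold values are assumptions for illustration; the regex is cut down to a single script-tag alternative.

```apache
# Added example (not from the slides): one XSS rule run in each CRS mode.
# Start Apache with -D ANOMALY_MODE to select the second block. Ids,
# variable names, weights and threshold are assumed values.
SecRuleEngine On

<IfDefine !ANOMALY_MODE>
    # Traditional mode: the first matching rule blocks the request itself,
    # because the inherited default disruptive action is deny.
    SecDefaultAction "phase:2,log,deny,status:403"

    SecRule ARGS "@rx (?i)<script[^>]*>" \
        "id:1001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
        msg:'XSS Filter - script tag (traditional mode)',severity:'2'"
</IfDefine>

<IfDefine ANOMALY_MODE>
    # Anomaly scoring mode: detection rules only 'pass' and add to
    # tx.anomaly_score; a single evaluation rule at the end decides.
    SecDefaultAction "phase:2,log,pass"

    # Score weight and threshold (assumed values): a critical finding
    # adds 5, and the request is blocked once the total reaches 5.
    SecAction "id:1000,phase:1,nolog,pass,\
        setvar:tx.critical_anomaly_score=5,\
        setvar:tx.inbound_anomaly_score_threshold=5"

    SecRule ARGS "@rx (?i)<script[^>]*>" \
        "id:2001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,\
        msg:'XSS Filter - script tag (anomaly mode)',severity:'2',\
        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

    # Evaluation rule: compare the accumulated score with the threshold.
    # Raising the threshold or lowering weights makes blocking less eager
    # without touching the detection rules.
    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
        "id:2999,phase:2,deny,status:403,log,\
        msg:'Inbound Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE})'"
</IfDefine>
```

A useful first step with either block is SecRuleEngine DetectionOnly, which logs what would have been blocked without denying anything.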
14. Enough …. Give me a scenario !!
[Diagram: x.y.z.a - ModSecurity configured with Apache serving as reverse proxy; 1.2.3.4 - DVWA deployed on the web server; AWS environment for testing purposes.]