Downloaded 74 times
![After basic manual analysis, a tool ...
Sucuri Beta pcap traffic parser v0.0.1 (Matched)
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=d+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=d+$'
URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[dws]+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=d+$'
URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[dws]+$'
URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched
regex 's=[dws]+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=d+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=d+$'
Sucuri Beta pcap traffic parser v0.0.1 (Not Matched)
URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex
URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0
didn't match any regex
URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with
parameter(s) ver=20140319 didn't match any regex](https://image.slidesharecdn.com/sector2014-v3-141022165357-conversion-gate02/75/Reversing-Engineering-a-Web-Application-For-fun-behavior-and-detection-21-2048.jpg)
Uploaded byRodrigo Montoro
Reversing Engineering a Web Application - For fun, behavior and detection
This document discusses reverse engineering a web application for web application firewall (WAF) detection. It describes analyzing application traffic and structure, including parameter matching, file structure analysis, and restricting access. Statistical analysis of traffic is also suggested to identify attacks and new trends for the WAF. Challenges include vulnerabilities in code, themes, plugins and handling multiple languages.
More Related Content
Similar to Reversing Engineering a Web Application - For fun, behavior and detection
![Computer Networks 01[1 using all terms].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/computernetworks011-251214040533-327dd9f8-thumbnail.jpg?width=640&height=640&fit=bounds)
Reversing Engineering a Web Application - For fun, behavior and detection
- 1. Sector 2014 Toronto,Ontario Reverse Engineering a Web Application - For Fun, Behavior & WAF Detection Rodrigo “Sp0oKeR” Montoro Sucuri Security
- 2. $ whois @spookerlabs ➢ Senior Security Administrator at Sucuri Security ➢ Author of 2 patent pending technologies ➢ Researcher ➢ Open Source enthusiast ➢ Triathlete ➢ Dad
- 3. About Sucuri Security Over 50 Security Professionals Making a Safer Web SECURITY SCANNING & ANALYSIS Checking the health over 3 Million websites every month through our free Sitecheck Scanner: http://sitecheck.sucuri.net MALWARE CLEANUP Cleaning and remediating 300 – 400 hacked or infected websites everyday. ATTACK PROTECTION Blocking over 33 million attacks and instances of malicious traffic every month EDUCATION Providing detailed and actionable security information through our blog at http://blog.sucuri.net
- 4. A Note onthe Examples This talk is based on WordPress / NGINX, but the concepts can apply to any Web Application / CMS.
- 5. Motivations ➢ Tryingdifferent approach than a regular WAF ➢ Protect specific content (CMS) ➢ Malware reinfections ➢ Less rules with better detection = performance ➢ Protected against "new vulnerabilities"
- 6. Agenda ➢ Introduction ➢ Detection steps ○ Reverse Engineering a CMS’s traffic ○ Analyzing Application structure (Files / Directories) ○ Local protection & hardening ○ Statistical Data ➢ Challenges ➢ Conclusions
- 7.
- 8. Reverse Engineering “Reverseengineering is taking apart an object to see how it works in order to duplicate or enhance the object. ”
- 9. 1 "equal" 2 1 "not equal" a Whitelisting
- 10. Our Scope: WAFDetection ➢ Traffic Analysis ○ Requests ○ Responses ➢ Application Structure Analysis ○ Directories ○ Headers ○ Files ➢ Behavior ○ Log correlation ○ Application ○ Honeypots REPEA T
- 11.
- 12.
- 13.
- 14.
- 15. Traffic Analysis ➢Methods ➢ URI ➢ Parameters ➢ Headers
- 16.
- 17.
- 18.
- 19. Oh wait! Geta job from the headers...
- 20.
- 21. After basic manualanalysis, a tool ... Sucuri Beta pcap traffic parser v0.0.1 (Matched) URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=d+$' URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=d+$' URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[dws]+$' URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=d+$' URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[dws]+$' URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[dws]+$' URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=d+$' URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=d+$' Sucuri Beta pcap traffic parser v0.0.1 (Not Matched) URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
- 22. Some simple NGINXconfigs if ($http_user_agent !~ <something>) { return <status_code> } if ($query_strings ~ <something>) { return <status_code> } if ($request_uri !~ <something>) { return <status_code> } if ($request_method !~ <something>) { return <status_code> } if ($http_cookie !~ <something>) { return <status_code> }
- 23.
- 24.
- 25. Summary of FlowParsing
- 26.
- 27. Something could gowrong … Counter Intelligence / Statical Data Traffic Analysis Analyzing Application Structure / Local Hardening Monitoring D E T E C T I O N F L O W Bypass rules Credentials stolen Cookie hijack Bad administrator D E T E C T I O N F L O W Analyzing Application Structure / Local Hardening Monitoring
- 28. Analyzing Application Structure (Files / Directories)
- 29. File Structure ➢Files ➢ Directories ➢ Permissions ➢ Monitoring
- 30. WordPress Tarball Lotof files …. index.php wp-activate.php wp-admin/ wp-blog-header.php wp-comments-post.php wp-config.php wp-content/ wp-cron.php wp-includes/ wp-load.php wp-login.php wp-mail.php wp-settings.php wp-trackback.php xmlrpc.php
- 31. The Basic WPStructure ➢ config files & installation files ➢ Administration directories (/wp-admin/) ➢ Core files (/wp-includes/) ➢ Themes, plugins, uploads … (/wp-content/) ➢ xmlrpc.php
- 32. xmlrpc.php ➢ Comments(Spammers) ➢ PingBacks (DDoS Attacks) ➢ User-Auth (wp.GetUsersBlogs) (Brute Force) Some fun, redirect to a honeypot <IfModule mod_alias.c> Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php </IfModule>
- 33.
- 34.
- 35. Pingback $ curl-D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</metho dName><params><param><value><string>http://victi m.com</string></value></param><param><value><st ring>www.anywordpresssite.com/postchosen</string> </value></param></params></methodCall>'
- 36.
- 37. Restriction Samples /uploads/ Options -Indexes <Files *.php> deny from all </Files> /wp-admin/ <files *> order allow,deny deny from all allow from 1.2.3.4 </files> <files xmlrpc.php> order Deny,Allow deny from all </Files> /wp-includes/ <Files *.php> deny from all </Files> /wp-content/ <Files *.php> deny from all </Files> / <Files *.txt> deny from all </Files> <Files *.log> deny from all </Files> location ~* ^/wp-content/ uploads/.*.(php|pl|py|jsp|asp|htm|html| shtml|sh|cgi)$ { types { } default_type text/plain; } location ~* wp-admin/includes { deny all; } location ~* wp-includes/theme-compat/ { deny all; } location ~* wp-includes/js/tinymce/langs/.*.php { deny all; } location /wp-includes/ { internal; }
- 38. Local protection, monitoring & hardening
- 39.
- 40. Realtime Monitoring w/OSSEC <localfile> <log_format>apache</log_format> <location>/var/log/httpd/access_log</location> </localfile> <!-- Frequency that syscheck is executed - set to every 4 hours --> <frequency>14400</frequency> <!-- Directories to check (perform all possible verifications) --> <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories realtime="yes" check_all="yes">/bin,/sbin</directories> <directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html/</directories> <alert_new_files>yes</alert_new_files> <scan_on_start>no</scan_on_start> <auto_ignore>no</auto_ignore> <alert_new_files>yes</alert_new_files>
- 41. Threshold ideas ➢Too many 404 ➢ GET per time same IP Source ➢ POST per time same IP Source
- 42. Special File Permissions( bit paranoid =) ) spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php spooker@spookerhome:/tmp/wordpress$ cat test.php Malware Content spooker@spookerhome:/tmp/wordpress$ ls -lah test.php -rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php spooker@spookerhome:/tmp/wordpress$ lsattr test.php ----i--------e-- test.php spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php bash: test.php: Permission denied spooker@spookerhome:/tmp/wordpress$ ls -lah test.php -rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php spooker@spookerhome:/tmp/wordpress$ A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
- 43.
- 44. … where falsepositives become good information =) A Unique Place...
- 45. Counter Intelligence ➢Behavior ➢ Alerts ➢ New trends ➢ Honeypots / New Attacks
- 46. Behavior: How youlook at problems User-Agent: Something ABCD WXYZ User-Agent: My UA with ABCD PBC User-Agent: ABCD is a malicious
- 47. GEO IP Block:Top Attack Countries
- 48.
- 49.
- 50. Quick history (SpambotStealrat) Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
- 51.
- 52. The Challenges ➢Bad codes ➢ Themes ➢ Plugins (33.5K+) ➢ Languages
- 53. Looking to theFuture ➢ Integration with SCAP (Security Content Automation Protocol) checks ➢ Create an OpenSource tool to regex traffic ○ Database of regexes per Application ➢ Build a rule set for CMS (WordPress, Joomla, Drupal, vBulletin, Magento …) under OWASP Projects
- 54. Rodrigo “Sp0oKeR” Montoro rodrigo.montoro@sucuri.net @spookerlabs / @sucuri_security http://blog.sucuri.net http://www.sucuri.net Contact
Editor's Notes
- #10 Regex splunk material
- #17 When crawling remember about simulate a regular user =) Burp to spider and tcpdump saving pcap
- #18 Many thousands ways to modify a variable, why not check if only one way and so drop the rest ? Comment about HTTP version Referer Number of headers
- #19 Pwd as blacklisted most common password POST won't cache info Comment about HTTP version Referer User-Agent (talk about size) Number of headers
- #22 Non match traffic will be drop when deploying but we could deploy after some tune in monitor mode Save a regular traffic to site and TEST against our parser. Customer could send a pcap with traffic so we could previous tune rules for them.
- #23 Comment about if problems Talk about POST methods
- #29 Comment about default bypass, cookie hijack or regular stolen user/pass
- #32 remember to talk about Gregg CMS 101 talk that looks into readme, changelog to detect versions
- #38 Besides protecting some files, those protection will make your directory/files not accessible if infected. Advantage about nginx protection its harder to hack nginx file
- #40 No 100% security What to do if protection fails and attacker has local acccess ?
- #41 Talk about CMS hacking 101 Changing 404.php file using admin interface
- #43 Talk about CMS 101 AppSec hacking
- #47 19 bytes
- #48 Most of ours blocks are made by GEOIP
- #52 Comment about default bypass, cookie hijack or regular stolen user/pass