A web application firewall for nginx - AppSec
Thibault Koechlin (nbs-system)
Why Naxsi
Web application Classical IT
Why naxsi
Best mitigation : patch
Not always possible :
• Lack of skill
• Application is too « critical »
Why naxsi
Fallback : WAFs ? (back in 2011 \o/)
Commercial WAFs :
• Very uneven
• Not really affordable for small companies with big infrastructures
Open-source WAFs :
• No WAF at that time for nginx
• Not fond of complex signatures :)
Why naxsi
As a pentester :
• Web applications are still the most vulnerable and exposed part of the perimeter
As a hoster :
• Website owners, even when the web is at the core of their business, lack awareness … and get owned
As a security « consultant » :
• CISOs/admins are still frightened of side effects
• Open-source WAFs are only seen in very « tech savvy » companies
Why u no protect ?!
Introducing naxsi
Naxsi – yet another WAF ?
• Rather than detecting « complex » signatures, it focuses on « tokens » :
– <>()[];='#...
• Token presence leads to a score increase → action
• Small code base :
– core (~4k lines) C
– learning tools (~1.3k lines) python
• Integrates libinjection as well !
Workflow
• Generated logs are pushed into ES (Elasticsearch)
• Data is relevant for monitoring and traffic inspection
• Nxapi helps the admin generate whitelists
Strengths & Weaknesses
Strengths :
• Good resilience against unknown/obfuscated attacks
• Good performance (low memory footprint, minimal runtime processing)
• No need for updates of « attack » signatures
• Learning process strongly assisted
• Handles JSON + x-www-form-urlencoded + multipart/form-data bodies
Weaknesses :
• Initial learning is needed
• Fast-evolving apps require coordination with releases
• No « intelligence », unsuitable for some specific cases
What does it actually look like
• Detection rule :
MainRule "str:(" "mz:ARGS|URL|BODY|$HEADERS_VAR:cookie" "s:$SQL:4,$XSS:8" id:1010;
• CheckRule :
CheckRule "$SQL >= 8" BLOCK; #(DROP|LOG)
• Whitelist :
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie|$URL:/x" ;
Match zones : ARGS, URL, HEADERS, BODY / FILE_EXT (|NAME to match on variable names)
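The three rule forms above, and the token/score model from the « yet another WAF » slide, as an added Python example that is not naxsi's code: a toy evaluator that parses the slide's MainRule, CheckRule and BasicRule lines, applies the token match per match zone, discards whitelisted matches and runs the CheckRule thresholds over four constructed requests. The Request class and the sample requests are constructed; the whitelist semantics (a $URL item narrows the other items of the same mz to that URL, a lone $URL item silences the rule on the whole URL) and the case-insensitive substring match for str: are my reading of naxsi's documented behaviour, not something the slide states.

```python
"""Toy evaluator for the naxsi rule forms shown above (added example, not naxsi's code)."""
import re
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed request: path, decoded variables, lower-cased header names."""
    url: str
    args: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

ZONE_FIELDS = {"ARGS": "args", "BODY": "body", "HEADERS": "headers"}
VAR_RE = re.compile(r"\$(ARGS|BODY|HEADERS)_VAR:(.+)")
SLIDE_RULES = '''
MainRule "str:(" "mz:ARGS|URL|BODY|$HEADERS_VAR:cookie" "s:$SQL:4,$XSS:8" id:1010;
CheckRule "$SQL >= 8" BLOCK; #(DROP|LOG)
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie|$URL:/x" ;
'''

def parse_config(text):
    """Split MainRule / CheckRule / BasicRule lines into (main_rules, check_rules, whitelists)."""
    main, checks, wls = [], [], []
    for line in text.splitlines():
        line = line.strip()
        quoted = re.findall(r'"([^"]*)"', line)
        if line.startswith("MainRule"):
            rule = {"id": int(re.search(r"\bid:(\d+)", line).group(1)), "scores": {}}
            for q in quoted:
                key, _, val = q.partition(":")
                if key == "str":
                    rule["str"] = val.lower()      # assumed: str: is a case-insensitive substring match
                elif key == "mz":
                    rule["mz"] = val.split("|")
                elif key == "s":                   # "$SQL:4,$XSS:8" -> {"$SQL": 4, "$XSS": 8}
                    for item in val.split(","):
                        name, _, pts = item.rpartition(":")
                        rule["scores"][name] = int(pts)
            main.append(rule)
        elif line.startswith("CheckRule"):
            m = re.match(r'CheckRule "(\$\w+) >= (\d+)" (\w+)', line)
            checks.append((m.group(1), int(m.group(2)), m.group(3)))
        elif line.startswith("BasicRule"):
            ids = re.search(r"\bwl:([\d,]+)", line).group(1)
            wls.append({"wl": [int(i) for i in ids.split(",")],
                        "mz": quoted[0].partition(":")[2].split("|") if quoted else []})
    return main, checks, wls

def iter_zone(req, item):
    """Yield (zone, variable name, value) for one mz item such as ARGS, URL or $HEADERS_VAR:cookie."""
    if item == "URL":
        yield "URL", None, req.url
    elif item in ZONE_FIELDS:
        yield from ((item, n, v) for n, v in getattr(req, ZONE_FIELDS[item]).items())
    elif (m := VAR_RE.fullmatch(item)):
        value = getattr(req, ZONE_FIELDS[m.group(1)]).get(m.group(2))
        if value is not None:
            yield m.group(1), m.group(2), value

def whitelist_covers(wl, rule_id, zone, name, url):
    """Whitelist applies when the rule id matches, the $URL/$URL_X item (if any) matches the
    request URL, and one remaining zone item names this zone or this exact variable."""
    if 0 not in wl["wl"] and rule_id not in wl["wl"]:
        return False
    zone_items = []
    for item in wl["mz"]:
        if item.startswith("$URL:") and url != item[5:]:
            return False
        if item.startswith("$URL_X:") and not re.search(item[7:], url):
            return False
        if not item.startswith("$URL"):
            zone_items.append(item)
    if not zone_items:                 # a lone $URL item: rule is off for the whole URL
        return True
    return any(item == zone or ((m := VAR_RE.fullmatch(item)) and m.groups() == (zone, name))
               for item in zone_items)

def evaluate(req, rules):
    """Every non-whitelisted token match adds the rule's scores; first CheckRule reached wins."""
    main, checks, wls = rules
    scores = {}
    for rule in main:
        for item in rule["mz"]:
            for zone, name, value in iter_zone(req, item):
                if rule["str"] in value.lower() and not any(
                        whitelist_covers(wl, rule["id"], zone, name, req.url) for wl in wls):
                    for counter, pts in rule["scores"].items():
                        scores[counter] = scores.get(counter, 0) + pts
    for counter, threshold, action in checks:
        if scores.get(counter, 0) >= threshold:
            return action, scores
    return "PASS", scores

def demo():
    """Four constructed requests against the slide's rules -> {label: action}."""
    rules = parse_config(SLIDE_RULES)
    cases = {
        "one paren in one arg": Request("/search", args={"q": "foo("}),
        "parens in two args": Request("/search", args={"q": "foo(", "r": "bar("}),
        "arg + cookie on /y": Request("/y", args={"q": "("}, headers={"cookie": "s=("}),
        "arg + cookie on /x (whitelisted)": Request("/x", args={"q": "("}, headers={"cookie": "s=("}),
    }
    return {label: evaluate(req, rules)[0] for label, req in cases.items()}

if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:34s} -> {action}")
```

The two-argument request is blocked because each matching variable adds the rule's $SQL score (4) once, reaching the CheckRule threshold of 8; the sample deliberately uses two distinct variables so the outcome does not depend on whether a WAF counts repeated tokens inside one variable. The last case shows the point of the $URL item in the whitelist: the same cookie is silenced on /x but still scored on /y.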
Learning & tools
Learning process
• Relying on (ES) injected logs
• Suggests whitelists (nxapi) :
– Based on templates (application specific)
– Statistics (number of occurrences, number of peers …)
• Associated events are then « tagged » into the database
Learning process
• Naxsi relies on two main modes of operation, « learning » / « blocking » :
– During learning phases, exceptions are logged but not blocked
– Once learning is over, naxsi can be set to blocking mode (bad traffic is dropped)
More into learning
Learning is the biggest downside, however :
• When it comes to « market » apps, whitelists are very predictable (templates !)
• For home-made apps, several options :
– Relying on statistics
– Relying on « trusted » traffic
More into learning
• Nxtool templates (dynamic) :
{ "_msg" : "Magento checkout page (BODY|NAME)", "?uri" : "/checkout/onepage/.*", "zone" : "BODY|NAME", "id" : "1310 OR 1311"}
• Naxsi templates (static) :
BasicRule wl:1310,1311 "mz:$URL_X:^/checkout/onepage/savebilling/$|BODY|NAME";
More into reporting/visualisation
• <insert cool kibana dashboard cap here>
Tips & Tricks
Tweaks around learning
Combined with nginx scripting :
• Learning only for some specific URI(s)
• Learning only from some IP(s)
• Learning if the visitor fits some criteria
Flags that can be toggled per request :
• Naxsi on/off
• Learning on/off
• post_action on/off
• extensive_log on/off
• Libinjection (sql|xss) on/off
if ($remote_addr = "1.2.3.4") {
    set $naxsi_flag_learning 0;
    set $naxsi_libinjection_sql 1;
}
Tweaks around learning
Naxsi can be instructed to drop requests despite learning mode :
• Libinjection
CheckRule "$LIBINJECTION_XSS >= 8" DROP;
CheckRule "$LIBINJECTION_SQL >= 8" DROP;
• Doxi-rules http://spike.nginx-goodies.com/rules/
CheckRule "$UWA >= 8" DROP;
Feedback from real life :
• Rules syntax stays very simple :
– Lowers the risk of breach while playing around with rules
– Lowers the skill needed to manage the rules
• Naxsi itself is very simple :
– Low resource usage
– Specific cases might become problematic : content legitimately passed in base64
Achievements
• Has been tested on several occasions :
– Real life (a lot)
– Audited by 3rd parties
– Challenges
• Used to protect some websites under « persistent » attacks
• Used to protect at least one very large website (1Tb+)
What's next, Q&A
Thanks for your attention !