Post on 06-Mar-2018
SecureSphere Web Application Firewall
Test Drive
The purpose of this Test Drive is to enable customers to rapidly evaluate SecureSphere Web Application Firewall (WAF) features. This Test Drive is focused on demonstrating how SecureSphere protects against advanced cyber threats such as SQL Injection and Zero-Day Attack.
Protecting applications against SQL Injection and Zero-Day Attacks
SecureSphere WAF Test Drive 1
Contents
Preface ..... 2
Requirements ..... 2
Common Terms ..... 2
Introduction to SecureSphere WAF ..... 3
Key Capabilities ..... 3
Lab Objectives ..... 6
SecureSphere Test Drive Sign-up and Launch ..... 7
Sign-Up for the Test Drive ..... 7
Launch SecureSphere Test Drive ..... 8
Test Drive Environment ..... 16
Lab 1: Protect Against SQL Injection ..... 19
Overview ..... 19
Test Drive Lab Procedure ..... 20
Lab 1 Conclusion ..... 27
Create your Zero-Day attack ..... 28
Lab 2 Conclusion ..... 33
SecureSphere WAF Test Drive FAQ ..... 34
Copyright Notice ..... 35
Contacting Imperva ..... 36
Headquarters ..... 36
Preface
This Test Drive allows you to quickly and easily explore the benefits of using Imperva SecureSphere WAF to protect your applications. This lab was developed by Imperva and is provided free of charge for educational and demonstration purposes.
Requirements
• Internet Access
• Remote Desktop Protocol (RDP) client on your local machine
• Access to an email account to receive login credentials
• RDP port is open to Amazon.com to connect to the “Attacker’s Workstation”
• For a better browser experience, you can (optionally) access the SecureSphere manager over TCP port 8083 (if open on your network)
Common Terms
The terms below are used throughout the document.

Attacker’s Workstation: A Windows machine that was set up for the purpose of sending attacks, as well as optionally accessing the SecureSphere GUI.
Web Application Firewall (WAF): A WAF stops attacks on HTTP servers, preventing a myriad of attacks that Next Gen Firewalls and IDS/IPS products cannot protect against.
SecureSphere: Imperva’s comprehensive, integrated security platform that includes SecureSphere Web, Database and File Security.
SecureSphere Manager (MX): A web based GUI that unifies the administration, logging, and reporting of multiple SecureSphere gateways.
SecureSphere Gateway: Inspects and passes traffic to the destination web servers.
SQL Injection: A code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Introduction to SecureSphere WAF
Your website receives a continuous barrage of attacks. If hackers uncover a crack in your defenses, they can steal your application data, defraud your users, and take down your website. The SecureSphere WAF stops web attacks and prevents costly data breaches and downtime. Combining multiple defenses, SecureSphere accurately pinpoints and blocks attacks without blocking your customers. It offers drop-in deployment and automated management. Certified by ICSA Labs, SecureSphere satisfies PCI 6.6 compliance and provides ironclad protection against the OWASP Top Ten.
Key Capabilities
Block Attacks with Laser Precision
Security accuracy is job number one at Imperva. We know you’re just as concerned about blocking legitimate users as you are about stopping attacks. With that in mind, we’ve developed Dynamic Profiling technology to automatically build a “whitelist” of acceptable user behavior. And we use Correlated Attack Validation to correlate Dynamic Profiling violations with other suspicious activity to correctly identify attacks without blocking your customers.
Leverage World-Renowned Application Security Research
To get ahead and stay ahead in the continuous fight against application attacks, you need your own security research organization. SecureSphere WAF customers get exactly that with regular signature and policy updates from our dedicated security research team, the Application Defense Center (ADC). ADC research yields the most up-to-date threat intelligence, and the most complete set of application signatures and policies in the industry.
Shut Down Malicious Sources and Bots
Can you distinguish between real customers, known attackers, or bots? Can you tell if website visitors are using anonymous proxies to cloak their identity? ThreatRadar Reputation Services detects these users with IP reputation feeds of malicious sources, anonymizing services, phishing URLs, and IP geolocation data. ThreatRadar delivers an up-to-date and automated defense against automated attacks and attack sources to help you maximize uptime and protect your sensitive data.
Stop Application DDoS and Business Logic Attacks
You can keep your customers happy and your reputation intact in spite of the growing threat of business logic attacks. Business logic attacks exploit the normal logic of your applications to post comment spam in forums and message boards, scrape web content, or disable access to your website. All of this can reduce your competitive edge, frustrate customers, and damage your reputation. SecureSphere mitigates these concerns by identifying bots, known attack sources, and attack behavior.
Instantly Patch Website Vulnerabilities
Application vulnerabilities can leave your company exposed to attack for weeks or months. SecureSphere integrates with application scanners for virtual patching, importing assessment results, and creating custom policies to remediate vulnerabilities. Compared to manually fixing website vulnerabilities, virtual patching reduces the window of exposure and costs.
Gain Forensics Insights with Customizable Reports
You can quickly analyze security threats and meet compliance requirements with graphical reports. SecureSphere provides both pre-defined and fully-customizable reports. Reports can be viewed on demand or emailed on a daily, weekly, or monthly basis. A real-time dashboard provides you with a high level view of system status and security events.
Speed up Deployment without Risk
Now you can protect your applications without impacting performance and without requiring extensive network changes. SecureSphere offers flexible inline, non-inline, and proxy deployment options that meet your organizations’ diverse requirements. SecureSphere’s unique, transparent bridge mode saves time and labor with drop-in deployment that requires no changes to existing applications or network devices. SecureSphere also delivers multi-Gigabit throughput while maintaining sub-millisecond latency.
Data Center Security Leader
We fill the gaps in traditional security by directly protecting high-value applications and data assets in physical and virtual data centers.
Lab Objectives
The objectives of these labs are to demonstrate the capability of SecureSphere to protect against SQL Injection and Zero-Day Attacks. Participants will understand:
• What type of damage a successful SQL Injection attack can cause
• The challenges of protecting against a Zero-Day attack
• How SecureSphere views the attacks
• How SecureSphere can protect against the attacks
Additionally, Test Drivers are welcome to browse the GUI, generate different types of attacks against the target server, or evaluate a feature.
SecureSphere Test Drive Sign-up and Launch
Sign-Up for the Test Drive
1. Go to Amazon’s Security Test Drive page: http://aws.amazon.com/testdrive/security/
2. Click on the SecureSphere “Try it now free” button.
3. Complete the registration form
4. Click on Sign up
5. Click on Continue
6. Click on Test Drives
7. Click on the Enter button
8. You have the opportunity to watch our video, download the PDF Guide, and launch the Test Drive cloud. We recommend starting with the video, reviewing the Test Drive Lab Manual, and then launching the Test Drive.
Launch SecureSphere Test Drive
9. Click on the Launch Test Drive button
10. Wait for the launch to complete. Once it’s completed, the progress bar will show ‘In Progress’
Once you see ‘In Progress’ turn Green, you can proceed to the next step.
11. Check your email for the link to the Management Server (MX). Alternatively, you can copy & paste the link from the bottom right-hand quadrant of the Test Drive GUI, in the ‘Environment’ window. For example:
Your Email will look similar to the one below:
*Note: Please wait for ~5-8 minutes before accessing the URLs as some resources may take a few extra minutes to become available, depending on AWS resource availability.
The login instructions are presented at the bottom of the email. There, you will find your link to log in to the MX, and the IP address of the Attacker’s Workstation.
Your URL to the MX will look similar to this: https://ec2-54-183-14-120.us-west-1.compute.amazonaws.com:8083
Hello Edgard,
Your SecureSphere Test Drive has been created and is ready for you to use. Please remember that after 3 hours the environment will no longer be available. The information you need to login and use your TestDrive is available below.
From your location, you will need access to the Amazon Cloud. At a minimum, RDP protocol and (optionally) TCP Port 8083 must be allowed outbound to AWS.
You can use Remote Desktop client to RDP to the IP address of Windows Attacker Machine, and login using these credentials below. You can access the SecureSphere Manager (MX) using a web browser on port 8083 (like HTTPS://ip_address:8083). If you don't have access to port 8083, the Windows Attacker Machine is able to login to the MX.
Login for Windows Machine: User: TestDrive Password: Imperva1
Login for SecureSphere Manager: User: admin Password: aws_is_cool1
Your IP address is below:
The Imperva Management Server IP and Username: admin and password aws_is_cool1: https://ec2-54-183-14-120.us-west-1.compute.amazonaws.com:8083
You can RDP to the IP address of Windows Attacker Machine using Username: TestDrive and Password Imperva1. The IP Address is: 54.183.118.43
Use the Windows Attacker machine to attack this URL of the Web-Server: http://OrbiteraT-elbExter-15HHA3RDXNMCI-1823771081.us-west-1.elb.amazonaws.com
TIP: If you are unable to access the link provided in the email, proceed to Step 16 (accessing the Attacker’s Workstation using RDP), then return to this step after you’ve accessed the desktop of the Attacker’s Workstation. The Attacker’s Workstation can access the MX GUI, so accessing it directly is optional, but preferred.
Alternatively, once the Test Drive has finished launching you can obtain the necessary login information from the ‘Environment’ window.
12. Accept the untrusted HTTPS connection using your browser’s standard process. (We do not generate trusted certificates for Test Drives since they are only live for a few hours):
13. Log in to the GUI using the username and password provided in the email or in the Environment window of the Test Drive signup portal.
14. You may have to wait a few minutes for the server to complete its initial load:
15. You are now in the SecureSphere GUI. If you are unable to connect, you might have a blocked port. If you suspect your port is blocked, you can test it here: http://portquiz.net:8083/
If you are unable to access a web page at that address, ask your system administrator to open outbound TCP port 8083. You will also want to check your local firewall to make sure it’s not blocked on your workstation.
You can proceed to the next step, and access the Management Server (MX) from the Attacker’s Workstation.
16. From your local workstation, access the Attacker’s Workstation using Remote Desktop Protocol (RDP). In Windows, you can accomplish this by going to the command prompt, typing mstsc, and pressing enter.
17. Enter the IP address of the Attacker’s Workstation that was provided in your email, or from the OUTPUT window of the Test Drive signup portal.
18. Once prompted, enter your credentials to access the Attacker’s Workstation.
19. Click YES to accept the RDP session certificate.
20. You are now connected to the Attacker’s Workstation. From this workstation, you can access the SecureSphere Management Server (MX) and generate attacks to the demo web server (SuperVeda).
Test Drive Environment

[Diagram: the SecureSphere Admin (1) reaches the SecureSphere MX (2) through the Web GUI; the MX manages the SecureSphere Gateways (3), which pass HTTP to the SuperVeda Webserver (5); the Attacker’s Workstation (4) is reached over RDP, sends HTTP to SuperVeda and can also use the Web GUI as an alternate path to the MX.]

1 SecureSphere Admin: This is your role, the person that uses a web browser to connect to the MX, using HTTPS on port 8083. You will also use Remote Desktop from your machine to the Windows machine we’ve created for you in AWS to attack SuperVeda. The same machine can act as both SecureSphere Admin and Attacker, in case your browser cannot access port 8083 to the MX.
2 SecureSphere MX: The MX controls the security policies, profiles, configurations, alerts, and other functionality. The MX pushes the appropriate configuration to the Gateways after each change.
3 SecureSphere Gateways: The Gateways provide proxy functionality for the traffic. Only traffic that’s load balanced (in this case HTTP/HTTPS) is passed on to the web server; all other traffic is dropped. After inspecting the HTTP traffic against the policies and inspection engines, the traffic is proxied to the SuperVeda web server.
4 Attacker’s Workstation: This is the Windows machine that you are RDP’d to, and can also access the MX.
5 SuperVeda: The vulnerable target that we will be attacking, then subsequently protecting.
Within AWS, we’ve created all of the necessary components to provide enough infrastructure to complete this Test Drive. This is not necessarily the way Imperva recommends deployment of SecureSphere; this design is solely for the purpose of this Test Drive. The AWS Architecture is represented below:
SuperVeda
For the purposes of this Test Drive, we will be using a website that’s been created specifically to demonstrate vulnerabilities in web applications. The vulnerable website is for a phony online store we’ve developed, called SuperVeda. We will be generating attacks against the SuperVeda website within your own AWS private cloud. No attacks will leave AWS or affect any real company, as long as these instructions are followed and all attacks are targeting the SuperVeda application. In this regard, it’s very important to double check your work to ensure you’re not accidentally attacking the wrong targets. The testing site SuperVeda is open to many types of attacks; feel free to send a few if you know some off the top of your head.
Lab 1: Protect Against SQL Injection
Overview
In this lab, we will send a SQL Injection attack against the target web server, view stolen data, and then enable protection against SQL Injection attacks. In order to demonstrate the damage that a SQL Injection attack can do, we will turn off SecureSphere’s ‘Block Mode’ so the attack can pass to the web server. At a high level, we will follow this process:
1. Ensure the security is disabled
2. Generate SQL Injection attacks
3. View the alerts
4. Turn on Blocking Mode to stop the attacks
5. View the results
6. Summary
Test Drive Lab Procedure
Disable the security
1. First, make sure you’re logged in to the Manager GUI and the Attacker’s Workstation, as described in the previous section.
2. Make sure that the security is disabled so you can experience the results of a successful attack. In the GUI, we will set the system to ‘Simulation Mode’, as shown below:
   1. Click on Main
   2. Click on Setup
   3. Click on Web-Server Group within the left pane
   4. Click on Simulation within the right pane
   5. Click on Save
Generate SQL Injection Attacks
3. Open a web browser and navigate to the SuperVeda Website (the web server) from the Attacker’s Workstation. As you can see below, we have an open RDP Session to the Attacker’s Workstation with an open web-browser, using the URL that we received in the email.
4. At the end of the URL, paste this SQL Injection code and GO:
/showproducts.jsp?CatID=1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users
So, your URL might look like this (with your IP instead of this sample):
http://OrbiteraT-elbExter-15KRX3MQUMOFB-2144608398.us-west-1.elb.amazonaws.com/showproducts.jsp?CatID=1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users
The result is a web page that shows the usernames of the people that have registered, as shown below.
5. Since usernames have limited value, we can modify the string to steal passwords, as well as credit card information. To do this, simply change the field you want to steal from the table, as shown below:
To steal passwords: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,Password,1,1,'1','1','1' FROM users
To steal Credit Cards: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,CCNumber,1,1,'1','1','1' FROM users
Successfully attacking the server and stealing the credit cards results in a web-page with the credit card numbers listed before the products:
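The request in step 4 only works because showproducts.jsp builds its SQL statement by concatenating the CatID value, so the seven-item SELECT list lines up with the seven columns of the products query. The following added example (not SuperVeda's or Imperva's code; the products schema, the users table and the sample rows are constructed) reproduces the leak with SQLite and shows that the same value bound as a query parameter returns nothing.

```python
"""Why the lab's CatID value leaks the users table, and why a bound
parameter stops it.  Added example with a constructed schema; it is not
the SuperVeda application's real code."""
import sqlite3

# Constructed schema: the product listing selects 7 columns, which is why
# the injected SELECT list in the lab also has exactly 7 items.
SCHEMA = """
CREATE TABLE products (
    ProductID INTEGER, Name TEXT, CatID INTEGER, Price INTEGER,
    Description TEXT, ImageURL TEXT, Sku TEXT);
CREATE TABLE users (Username TEXT, Password TEXT, CCNumber TEXT);
INSERT INTO products VALUES
    (1, 'Widget', 1, 10, 'A widget', '/img/w.png', 'W-1'),
    (2, 'Gadget', 1, 20, 'A gadget', '/img/g.png', 'G-2');
INSERT INTO users VALUES
    ('alice', 'alice-pw', '4111111111111111'),
    ('bob',   'bob-pw',   '5500000000000004');
"""

# The parameter value from the lab, with its spaces restored.
LAB_INJECTION = "1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users"

PRODUCT_COLUMNS = "ProductID, Name, CatID, Price, Description, ImageURL, Sku"


def open_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def show_products_vulnerable(conn, cat_id):
    """The untrusted value is pasted into the SQL text, so '1 UNION SELECT
    ...' becomes part of the statement and its rows join the result."""
    sql = f"SELECT {PRODUCT_COLUMNS} FROM products WHERE CatID=" + cat_id
    return conn.execute(sql).fetchall()


def show_products_fixed(conn, cat_id):
    """A bound parameter is only ever a value, never SQL syntax: the same
    string is compared against the integer CatID column and matches no row."""
    sql = f"SELECT {PRODUCT_COLUMNS} FROM products WHERE CatID=?"
    return conn.execute(sql, (cat_id,)).fetchall()


def leaked_values(rows):
    """Values that landed in the Name column but are not product names,
    i.e. the data the UNION pulled in from the users table."""
    product_names = {"Widget", "Gadget"}
    return sorted(r[1] for r in rows if r[1] not in product_names)


if __name__ == "__main__":
    conn = open_db()
    print("vulnerable:", leaked_values(show_products_vulnerable(conn, LAB_INJECTION)))
    print("fixed:     ", show_products_fixed(conn, LAB_INJECTION))
```

Swapping Username for Password or CCNumber in LAB_INJECTION, as step 5 does, leaks those columns the same way through the vulnerable function and still returns nothing through the fixed one.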
View the Alerts
6. In the SecureSphere GUI, take a moment to view the Alerts generated by the attacks you’ve generated.
   1. Click on Monitor on the top menu
   2. Click on Alerts on the sub-menu
   3. Click on an Alert within the center pane that was generated during your session
   4. Click on the + sign within the right pane to view the details of the Alerts
   5. Return to step 3
7. Notice that there are several types of Alerts generated during your attack.
Protect Against SQL Injection
Now, it’s time to protect the SuperVeda web server against attack. To do this, we will reverse what we did in our 1st step, which was to move to ‘Simulation Mode’. Now, we will move to ‘Active Mode’ where attacks will be blocked instead of solely alerted upon.
8. To move SecureSphere into Blocking Mode, follow the steps below:
   1. Click on Setup
   2. Click on Web-Server Group within the left pane
   3. Click on Active for the Mode selection within the right pane
   4. Click on Save
9. Open the browser to the SuperVeda web server and generate some attacks again, as you did in previous steps. Try to steal usernames, passwords, and credit cards.
To steal usernames: /showproducts.jsp?CatID=1 UNION SELECT 1,Username,1,1,'1','1','1' FROM users
To steal passwords: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,Password,1,1,'1','1','1' FROM users
To steal credit cards: http://<SERVER-IP>/showproducts.jsp?CatID=1 UNION SELECT 1,CCNumber,1,1,'1','1','1' FROM users
You should receive a Block page which looks like this:
10. Check the Alert in the SecureSphere console, as previously described.
   1. Click on Monitor on the top menu
   2. Click on Alerts on the sub-menu
   3. Click on an Alert within the center pane that was generated during your session; it will have the Block symbol in the 2nd column.
   4. Click on the + sign within the right pane to view the details of the Alerts.
   5. Return to step 3 and view additional Alerts
Lab 1 Conclusion
In this lab, you were able to experience first-hand how a SQL injection attack can easily steal critical information from unprotected web applications. Attackers exploit applications with the goal of stealing sensitive data directly from the data center. By constructing a simple text string, we’re able to quickly bypass common firewalls and steal usernames, passwords, and credit cards.
Next generation firewalls and intrusion prevention systems (IPS) are not equipped to stop application attacks because they do not provide the accuracy, the granularity, or the breadth of protection to thwart Web-based threats. While these solutions protect networks and users, they are ill-equipped to stop attacks that target customers’ own websites. While next gen firewalls are “application aware”, meaning that they can prevent users from visiting phishing sites or tunneling applications in HTTP, they are not designed from the ground up to protect Web applications. As a result, they leave holes in their application defenses, defenses that are only addressed by dedicated WAFs.
Once Block Mode was initiated in SecureSphere, we were able to stop the attacks across the entire website. Because web application firewalls build a baseline of expected input, they can accurately stop attacks like SQL injection and cross-site scripting. By profiling Web application behavior, for instance, a web application firewall can determine which users should not add brackets, braces, and semi-colons into a zip code field on a registration page, but can enter these same characters into a comment field. Validating input provides the context needed to differentiate between attacks and legitimate requests.
Lab 2: Protect against a Zero-Day attack using the Profile
Overview
In this lab, we will create our own Zero-Day attack, and attempt to send it to the SuperVeda web server. We will demonstrate how SecureSphere allows legitimate traffic through, while blocking attempts to hack the application.
• Create a Zero-Day attack
• Send zero-Day attack to SuperVeda
• View Alert
• View Profile
Create your Zero-Day attack
Most attacks follow a structure of some sort. For the purpose of testing in the lab, we don’t actually need the Zero-Day to work; we just need to create something that’s never been ‘in the wild’ before. This technique ensures that it will bypass most signature based detection methods.
First, we will choose the structure we want to use, which includes the injection, the payload, and the padding. Next, we will inject that attack into a page parameter.
For this exercise, use a text editor on your local machine or on the Attacker’s Workstation to craft the attack.
Normal usage of an HTTP parameter is usually in the format of name=data. Take for example an online store that sells books: it might use an HTTP parameter that looks like:
BookName=Security Handbook 2014
Or
Author=Dr. Seuss
SecureSphere studies and records good transactions, adding them to the application’s “Profile”. By blocking on Profile Violations, the WAF will pass legitimate requests to the SuperVeda web server, while bad requests are blocked. SecureSphere doesn’t have to rely on signatures for attacks, as they are not a reliable protection against zero-Day attacks.
We will follow this process to create our Zero-Day attack:
• Choose your attack format
• Choose your Injection
• Create the Payload
• Create the Padding
• Assemble the attack
The Injection is used to break the code and ‘open the door’ to our Payload. The Payload will contain the destructive code we want to execute. The Padding is used to evade IDS/IPS, or push the code into the correct position to execute properly. Then, we add the Zero-Day attack to a Parameter, so it might look like:
BookName=Zero-Day Attack
Since Parameters could use a variety of characters, IDS/IPS and Next Gen Firewalls cannot protect against this type of attack.
1. Choose which format you want to use for your Zero-Day attack:
   Format 1: Injection, Payload, Padding
   Format 2: Padding, Injection, Payload
   Format 3: Injection, Padding, Payload
   Format 4: Injection, Payload
2. Choose your Injection
Choose from one of the following example injections:
   Choice  Injection  Potential Purpose
   1       ‘)         Breaks web server code and starts a SQL statement
   2       &&         Makes an AND list
   3       >`/.       Output Redirection
   4       <script>   Starts a script
   5       ||         Makes an OR list
3. Create the Payload
To create your payload, choose 2-3 random words and put them together. This will simulate some unforeseen, unknown attack. Some examples are below, but feel free to create your own Payload.
   Example  Payload          Potential Purpose
   1        quickbrownfox    Disables keyboard
   2        boomboom         Shuts down server
   3        Gimmedata        Steals the database
   4        Executecommand   Runs the command to get a list of processes
   5        PingImperva.com  Tries to ping Imperva.com
4. Create the Padding
To create Padding, choose any character, and repeat it several times. Three example Paddings could be:
000
WWWWWWWW
%%%%%%
5. Assemble the Attack
Assemble the attack by referring to the attack format you chose in step 1. For example, if I chose Format 1, Injection 2, quickbrownfox, and ‘%%%%%%’ as Padding, my Zero-Day attack would look like this:
&&quickbrownfox%%%%%%
Injection: &&
Payload: quickbrownfox
Padding: %%%%%%
6. Click on ‘Create an Account’ within the SuperVeda website. Then, copy & paste the attack into the ‘First Name’ field.
7. You should receive a Block Page, such as this, which shows that the WAF blocked your Zero-Day attack:
8. In the SecureSphere GUI, take a look at the Alerts that were generated from your attack, even though no signature could have detected it.
   1. Click on Monitor on the top menu
   2. Click on Alerts on the sub-menu
   3. View the most recent Alert, located at the top of the center pane. They will have the Block symbol in the 2nd column.
   4. Click on the + sign within the right pane to view the details of the Alerts.
   5. Return to step 3 and view additional Alerts
Lab 2 Conclusion
Despite the best efforts of application developers and IT security teams, most applications have vulnerabilities. In this lab, you were able to create an attack that had never been performed, send it to a web server, and observe the WAF protecting the application from attack. Next-generation firewalls and IDS/IPS solutions lack the capability to enforce good behavior because they rely on signatures of known attacks to protect servers. Zero-day attacks, APTs, and targeted malware easily bypass those solutions, leaving applications open to attack.
Through defenses such as patented Dynamic Profiling technology, SQL injection and XSS correlation engines, and detection of HTTP protocol violations, SecureSphere identifies zero-day attempts to exploit web application vulnerabilities. In addition, once a new vulnerability is published, the Imperva Application Defense Center (ADC) quickly develops a signature or a set of policies to virtually patch the vulnerability. Through automatic security updates, all SecureSphere appliances receive the latest security content and are protected against newly published vulnerabilities. Using SecureSphere, an organization can ensure their web servers are protected against attacks, even before the attack is conceived, developed, and executed.
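As an added illustration of the Profile idea in Lab 2 and of the zip-code versus comment-field point in the Lab 1 conclusion (example code, not SecureSphere's implementation; the parameter names, character classes, learning traffic and two-pattern signature list are constructed assumptions), the script below learns a per-parameter profile from known-good requests and then judges the lab's SQL injection, the crafted zero-day, a zip code with a semicolon, and a legitimate comment, both by signature and by profile.

```python
"""Learn a per-parameter 'profile' from known-good requests, then judge new
requests by profile and by signature.  Added example: parameter names,
character classes, learning traffic and the signature list are constructed
assumptions, not SecureSphere's Dynamic Profiling implementation."""
import re
from urllib.parse import parse_qsl

# A tiny signature list of the kind IDS/IPS or next-gen firewalls rely on.
SIGNATURES = [re.compile(p, re.I) for p in (r"\bunion\b.*\bselect\b", r"<script\b")]

# Value classes from most to least restrictive; the profile records the widest
# class and the longest value seen for each parameter during learning.
CLASSES = [
    ("numeric", re.compile(r"^[0-9]+$")),
    ("alpha", re.compile(r"^[A-Za-z]+$")),
    ("alnum-space", re.compile(r"^[A-Za-z0-9 .,'-]+$")),
    ("free-text", re.compile(r"^[\x20-\x7e]+$")),
]
ORDER = [name for name, _ in CLASSES] + ["binary"]


def classify(value):
    for name, rx in CLASSES:
        if rx.match(value):
            return name
    return "binary"


def signature_match(query):
    """Negative model: flag only values that match a known-attack pattern."""
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    return any(s.search(v) for v in values for s in SIGNATURES)


def learn_profile(good_queries):
    """Positive model: {param: (widest class seen, longest value seen)}."""
    profile = {}
    for q in good_queries:
        for name, value in parse_qsl(q, keep_blank_values=True):
            old_cls, old_len = profile.get(name, ("numeric", 0))
            cls = max(classify(value), old_cls, key=ORDER.index)
            profile[name] = (cls, max(len(value), old_len))
    return profile


def check_request(profile, query, slack=2.0):
    """Return profile violations for one query string ([] = fits profile).
    A value violates the profile if its class is wider than the learned class
    or it is more than `slack` times longer than anything seen in learning."""
    violations = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in profile:
            violations.append(f"{name}: unknown parameter")
            continue
        cls, max_len = profile[name]
        seen = classify(value)
        if ORDER.index(seen) > ORDER.index(cls):
            violations.append(f"{name}: {seen} value in {cls} field")
        if len(value) > max_len * slack:
            violations.append(f"{name}: length {len(value)} exceeds {int(max_len * slack)}")
    return violations


# Constructed learning traffic: the product listing and the registration form.
GOOD = [
    "CatID=1", "CatID=2", "CatID=12",
    "FirstName=Edgard&Zip=94065&Comment=Great+store%3B+fast+shipping",
    "FirstName=Alice&Zip=10001&Comment=Love+it%21+%7B5+stars%7D",
]
PROFILE = learn_profile(GOOD)

# Requests to judge: the lab's SQL injection, the lab's crafted zero-day
# (&&quickbrownfox%%%%%% in First Name), a semicolon in a zip code, and a
# legitimate comment that uses the same punctuation where it is normal.
SQLI = "CatID=1+UNION+SELECT+1,Username,1,1,'1','1','1'+FROM+users"
ZERO_DAY = "FirstName=%26%26quickbrownfox%25%25%25%25%25%25"
ZIP_BAD = "Zip=94065%3B"
LEGIT = "FirstName=Bob&Zip=94065&Comment=Thanks%3B+see+you+%7Bsoon%7D"

if __name__ == "__main__":
    for label, q in (("sqli", SQLI), ("zero-day", ZERO_DAY),
                     ("zip", ZIP_BAD), ("legit", LEGIT)):
        print(f"{label:9} signature={signature_match(q)!s:5} "
              f"profile={check_request(PROFILE, q)}")
```

The zero-day and the semicolon-in-zip requests match no signature yet are both profile violations, while the comment containing the same characters passes because the learned class for Comment already allows them.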
SecureSphere WAF Test Drive FAQ
Q: If I don’t have RDP access from my network, how can I try a Test Drive?
A: You can launch a free Windows workstation with your own AWS account. Alternatively, you can try the Test Drive from a different internet connection if you aren’t able to access RDP. Also, check your local firewall to make sure you’re allowed to use RDP Protocol.
Q: If I didn’t finish the Test Drive, can I try it again?
A: Yes, you can try a Test Drive up to 3 times.
Q: If I don’t have port 8083 open from my network, can I access the Manager (MX)?
A: Yes, you can use the Attacker’s Workstation to access the MX.
Q: Where can I learn more?
A: For the latest research and thought leadership, visit the White Papers & eBooks page on Imperva.com.
Copyright Notice
© 2014 Imperva, Inc. All Rights Reserved. Follow this link to see the SecureSphere copyright notices and certain open source license terms: https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/SecureSphere-License-and-Copyright-Information. This document is for informational purposes only. Imperva, Inc. makes no warranties, expressed or implied.
No part of this document may be used, disclosed, reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Imperva, Inc. To obtain this permission, write to the attention of the Imperva Legal Department at: 3400 Bridge Parkway, Suite 200, Redwood Shores, CA 94065.
Information in this document is subject to change without notice and does not represent a commitment on the part of Imperva, Inc. The software described in this document is furnished under a license agreement. The software may be used only in accordance with the terms of this agreement. This document contains proprietary and confidential information of Imperva, Inc. This document is solely for the use of authorized Imperva customers. The information furnished in this document is believed to be accurate and reliable. However, no responsibility is assumed by Imperva, Inc. for the use of this material.
TRADEMARK ATTRIBUTIONS
Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand and product names are trademarks or registered trademarks of their respective owners.
PATENT INFORMATION
The software described by this document is covered by one or more of the following patents: US Patent Nos. 7,752,662, 7,743,420, 7,640,235, 8,024,804, 8,051,484, 8,056,141, 8,135,498 and 8,181,246.
Imperva Inc. 3400 Bridge Parkway, Suite 200 Redwood Shores, CA 94065 United States
Tel: +1 (650) 345-9000 Fax: +1 (650) 345-9004 Website: http://www.imperva.com
General Information: info@imperva.com
Sales: sales@imperva.com
Professional Services: consulting@imperva.com
Technical Support: support@imperva.com
ContactingImperva
Headquarters
3400 Bridge Parkway, Suite 200 Redwood Shores, CA 94065 United States
Tel: +1 (650) 345-9000 Fax: +1 (650) 345-9004
General Information: info@imperva.com
Sales: sales@imperva.com
Professional Services: consulting@imperva.com
Technical Support: support@imperva.com
Partners: partners@imperva.com
Media Relations: media@imperva.com
Investor Relations: ir@imperva.com
Imperva Sales: (866) 926-4678 (US Only)
Technical Support: (877) 467-3780, (650) 345-9000, option 2.
For questions relating to the Test Drive, please email tm-aws-testdrive@imperva.com