Introduction to Mod security session April 2016

Posted on 13-Apr-2017



Rahul Choudhary @r3dinf0

What is a Web Application Firewall (WAF)???

• Protects a web application by adding a security layer
• Present between a user and a web server
• Understands HTTP traffic better than traditional firewalls
• Checks for malicious traffic and blocks it

Diagram: the user requests the web application (e.g. proxyserver.com); the WAF (e.g. using ModSecurity) identifies and blocks malicious requests before they reach the web application servers.

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control

What ModSecurity Can do ???

• Real-time application security monitoring and access control
• Virtual patching
• Full HTTP traffic logging
• Continuous passive security assessment
• Web application hardening

What ModSecurity Can do ???

• HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.

• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation

• HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.

• Common Web Attacks Protection - detecting common web application security attacks.

• Automation Detection - detecting bots, crawlers, scanners and other surface-level malicious activity.

What ModSecurity Can do ???

• Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.

• Trojan Protection - detecting access to Trojan horses.

• Identification of Application Defects - alerts on application misconfigurations.

• Error Detection and Hiding - Disguising error messages sent by the server.

ModSecurity Processing Phases ..

• Request Headers
• Request Body
• Response Headers
• Response Body
• Logging / Action

ModSecurity's Rules Language Syntax

SecRule TARGETS OPERATOR [ACTIONS]

• TARGETS - tells ModSecurity where to look (such as ARGS, ARGS_NAMES or COOKIES).
• OPERATOR - tells ModSecurity how to process the data.
• ACTIONS - tells ModSecurity what to do if a rule matches (such as deny, exec or setvar).

Example (OWASP CRS 2.2.9 rule 973336, the XSS script-tag check, broken across lines with backslash continuations for readability):

SecRule ARGS "(?i)(<script[^>]*>[\s\S]*?<\/script[^>]*>|<script[^>]*>[\s\S]*?<\/script[[\s\S]]*[\s\S]|<script[^>]*>[\s\S]*?<\/script[\s]*[\s]|<script[^>]*>[\s\S]*?<\/script|<script[^>]*>[\s\S]*?)" \
    "id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'8',\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,\
    log,capture,\
    msg:'XSS Filter - Category 1: Script Tag Vector',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    severity:'2',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
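A much smaller rule that shows the same three parts (TARGETS, OPERATOR, ACTIONS), added here as an example and not taken from the slides: it acts as a virtual patch for an assumed `id` parameter that the application expects to be purely numeric.

```apache
# Added example (not from the deck): the three parts of a SecRule.
#   TARGETS  -> ARGS:id          only the request parameter named "id"
#   OPERATOR -> !@rx ^[0-9]+$    negated regex: matches when id is NOT all digits
#   ACTIONS  -> everything in the second quoted string
# Assumption: the protected application expects a purely numeric "id"
# parameter, so this rule is a virtual patch for that one input.
SecRuleEngine On
SecRequestBodyAccess On

SecRule ARGS:id "!@rx ^[0-9]+$" \
    "id:1000001,\
    phase:2,\
    t:none,t:urlDecodeUni,t:trim,\
    log,\
    msg:'Virtual patch: non-numeric id parameter',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'2',\
    deny,status:403"
```

Set `SecRuleEngine DetectionOnly` first to see what the rule would have blocked in the audit log before switching it to `On`.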

ModSecurity Transformations ..

• SQLi
• URL Encode / Decode
• Hex Encode / Decode
• JavaScript Decode
• HTML Entity Decode
• Uppercase / Lowercase
• MD5 / SHA1
• Normalize Paths

Ok I understand .. But how can I deploy it ???

ModSecurity supports two deployment options:

• Embedded: ModSecurity is an Apache module, so you can add it to any compatible version of Apache. The embedded option is a great choice for those who already have their architecture laid out and don't want to change it.

• Reverse proxy deployment: when you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a network web application firewall, which you can use to protect any number of web servers on the same network. Many security practitioners prefer having a separate security layer. With it you get complete isolation from the systems you are protecting.

Core Rule Set (CRS) ..???

The OWASP community has developed and maintains a set of rules called the OWASP CRS. The CRS provides generic protection from unknown vulnerabilities often found in web applications.

Core Rules …

HTTP protocol protection
• RFCs
• Defined policy

Common Web Attack Protections
• XSS, SQLi, CSRF, HTTP Response Splitting

Automation Detection
• Bots, web crawlers, web scanners

Trojan Protection

Server Error Hiding / DLP
• Mask errors sent by the server
• Data Loss Prevention

Core Rule Set (CRS) run modes ..???

The CRS can run in two modes: traditional and anomaly scoring.

• Traditional mode: the first rule that matches will block the request.
• Anomaly scoring mode: the rules increment counters that "enumerate badness", and if the accumulated score exceeds a threshold then the request is blocked.
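The same script-tag detection written for each run mode, as an added example rather than the deck's or the CRS's own configuration. Rule ids, the score value and the threshold are assumed; use one of the two sections, since the second SecDefaultAction overrides the first for the rules that follow it.

```apache
# Added example (not from the deck): one detection rule in both CRS run modes.
# Rule ids and the score/threshold values are assumed for illustration.

# --- Traditional mode: the first matching rule blocks on its own. ---
# SecDefaultAction applies to any rule that names no disruptive action.
SecDefaultAction "phase:2,deny,status:403,log"
SecRule ARGS "@rx (?i)<script[^>]*>" \
    "id:2000001,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'Script tag in request (traditional mode: blocks immediately)'"

# --- Anomaly scoring mode: detection rules only add to a counter. ---
# Default is pass, so no detection rule blocks by itself.
SecDefaultAction "phase:2,pass,log"
SecAction "id:2000100,phase:1,nolog,pass,\
    setvar:tx.critical_anomaly_score=5,\
    setvar:tx.inbound_anomaly_score_level=5"

SecRule ARGS "@rx (?i)<script[^>]*>" \
    "id:2000101,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'Script tag in request (anomaly mode: adds to score)',\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

# Blocking decision: runs after the detection rules in phase 2 and is the
# only rule that denies. Several low-severity hits can add up to a block,
# and a single hit below the threshold is logged but allowed through.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
    "id:2000199,phase:2,deny,status:403,log,\
    msg:'Inbound anomaly score %{tx.anomaly_score} reached threshold'"
```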

Enough …. Give me a scenario !!

Test setup (AWS environment for testing purposes):

• x.y.z.a - ModSecurity configured with Apache serving as reverse proxy
• 1.2.3.4 - DVWA deployed on the web server
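An Apache virtual host matching the scenario above (ModSecurity on the reverse proxy, DVWA on the 1.2.3.4 backend from the slides), added here as an example and not the deck's own configuration. It assumes mod_proxy, mod_proxy_http and mod_security2 are loaded and that the CRS 2.2.x files sit under the placeholder path /etc/modsecurity/crs.

```apache
# Added example (not from the deck): reverse-proxy WAF in front of DVWA.
# Assumptions: mod_proxy, mod_proxy_http and mod_security2 are loaded;
# /etc/modsecurity/crs is a placeholder for where the OWASP CRS was unpacked.
<VirtualHost *:80>
    # Hostname used on the WAF slide
    ServerName proxyserver.com

    # Inspect requests and responses. DetectionOnly logs without blocking.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On

    # Audit log that the "Sample commands to Track & Block" slide tails.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Core Rule Set: the setup file must be included before the base rules.
    Include /etc/modsecurity/crs/modsecurity_crs_10_setup.conf
    Include /etc/modsecurity/crs/base_rules/*.conf

    # Forward whatever survives the rules to the DVWA web server (1.2.3.4).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://1.2.3.4/
    ProxyPassReverse / http://1.2.3.4/
</VirtualHost>
```

With this in place the DVWA SQL and XSS test slides that follow show the difference between MODSECURITY: OFF (`SecRuleEngine Off`) and MODSECURITY: ON.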

Demo slides (screenshots):

• Apache configured as reverse proxy
• Access vulnerable DVWA host on cloud
• DVWA SQL test - MODSECURITY: OFF
• DVWA SQL test - MODSECURITY: ON
• DVWA XSS test - MODSECURITY: ON
• DVWA File Inclusion test - MODSECURITY: OFF
• ModSecurity audit log during attack - MODSECURITY: ON
• MODSECURITY ATTACK LOGS !!

Sample commands to Track & Block...

Track IP addresses:
    curl ipinfo.io/49.44.51.20 | cut -d " " -f3,4

Watch ModSecurity logs:
    while true; do cat modsec_audit.log | grep -e HTTP/1.1 -e 000; sleep 10; clear; done
    or
    tail -f modsec_audit.log

Block IP:
    iptables -A INPUT -s xx.xx.xx.xx -j DROP

How to install ???

Refer : https://modsecurity.org/download.html

Play online with MODSECURITY !!!

Relevant Talks …

https://www.youtube.com/watch?v=HkA_YRSb3jU
[Defcon] https://www.youtube.com/watch?v=208bFToRJqo&nohtml5=False
[BlackHat] https://www.youtube.com/watch?v=pKGdIxArlKU&nohtml5=False

Must attend !! …