owasp esapi waf appsec dc 2009
DESCRIPTION
A presentation and demo of the ESAPI web application firewall component released at OWASP AppSec DC 2009.
TRANSCRIPT
![Page 1: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/1.jpg)
![Page 2: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/2.jpg)
OWASP ESAPI WAF
Developed by Arshan Dabirsiaghi (w/ Jeff Williams)
A sub-project under the ESAPI umbrella
The Star Trek: TNG of WAFs
Robust, Usable, Free
Open Source, Performant, Pragmatic
![Page 3: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/3.jpg)
“Yeah, well I hate WAFs”
Perfect! Me too.
| WAF criticism | Is criticism stupid? | Does ESAPI WAF have the problem? |
|---|---|---|
| WAFs add attack surface | Yes | Yes |
| WAFs can create culture problems | Maybe | (not sure, probably) |
| WAFs can't fix business logic vulnerabilities | No | No |
| WAFs are way too expensive | No | No |
| WAFs complicate networks | No | No |
![Page 4: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/4.jpg)
WAFs were for Federalists (part 1)
Diagram: one central WAF in front of App A, App B and App C; Development Team A, B and C each own one app, with a separate Security Team.
![Page 5: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/5.jpg)
WAFs were for Federalists (part 2)
Diagram: a DMZ holding App A w/ WAF, App B w/ WAF and App C w/ WAF, alongside Development Team A, B and C.
![Page 6: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/6.jpg)
Why fix in ESAPI WAF vs. fix in code?
Diagram: timeline from the time of vulnerability discovery to the time when the vulnerability is patched.
![Page 7: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/7.jpg)
Why fix in ESAPI WAF vs. fix in code?
Diagram: ESAPI WAF holding Patch #1, Patch #2, Patch #3, … next to Best Prac #1, Best Prac #2, Best Prac #3.
![Page 8: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/8.jpg)
Advantages of Application-Layer WAFs
Performance – only your rules are checked, plus state is already managed by the app server
Capability – being closer to the app lets us do more and I can’t wait to tell you about it
Process – rules are closer to application owner, shortening discovery-to-patch time, also fix-to-patch-removal time
![Page 9: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/9.jpg)
Principle: Make common tasks easy, uncommon tasks possible

```xml
<virtual-patches>
  <virtual-patch id="bugtracker-id-1234" path="/vulnerable.do"
                 variable="request.parameters.bar" pattern="[0-9a-zA-Z]*"
                 message="zmg attax"/>
</virtual-patches>
```

```xml
<bean-shell-rules>
  <bean-shell-script id="user-lockout-rule" file="/enforce_user_lockout.bsh"
                     stage="before-request-body"/>
</bean-shell-rules>
```

```java
// /enforce_user_lockout.bsh: BeanShell rule body; session and action are assumed to be bound by the WAF
import org.acme.user.*;

User user = (User) session.getAttribute("u");   // cast: getAttribute returns Object
if (user != null && user.isLocked()) {          // lowercase 'if'; guard against no user in session
    action = new RedirectAction();
}
```
EASY!
POSSIBLE… STILL EASY!
![Page 10: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/10.jpg)
Fixing Injection Flaws

XSS
• Fix with input validation virtual patch (black/white list)
• Fix with sanitization (BeanShell script)
• Fix with output encoding (egress rule)

SQL injection
• Fix with input validation virtual patch (black/white list)
• Fix with sanitization (BeanShell script)

Command injection
• Fix with input validation virtual patch (black/white list)
• Fix with sanitization (BeanShell script)
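A model of how a whitelist virtual patch like the one on the earlier slide is evaluated, added here as an illustration in Python (not ESAPI's Java code): it parses the slide's `<virtual-patches>` fragment, resolves the `request.parameters.bar` variable, skips the rule unless the path matches (the early fail described later in the deck) and requires the whole value to match the whitelist. The request shape, the exact-path comparison and the full-match semantics are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The <virtual-patches> fragment from the slide, with quotes normalised.
POLICY = """<virtual-patches>
  <virtual-patch id="bugtracker-id-1234" path="/vulnerable.do"
                 variable="request.parameters.bar"
                 pattern="[0-9a-zA-Z]*" message="zmg attax"/>
</virtual-patches>"""

def load_patches(xml_text):
    """Parse every <virtual-patch> into a dict with its whitelist precompiled."""
    patches = []
    for vp in ET.fromstring(xml_text).iter("virtual-patch"):
        patches.append({"id": vp.get("id"), "path": vp.get("path"),
                        "variable": vp.get("variable"),
                        "pattern": re.compile(vp.get("pattern")),
                        "message": vp.get("message")})
    return patches

def resolve(request, variable):
    """Look up 'request.parameters.<name>' in a request modelled as a dict
    (assumed shape: {"path": str, "parameters": {name: value}})."""
    scope, name = variable.rsplit(".", 1)
    if scope != "request.parameters":
        raise ValueError("unsupported variable: " + variable)
    return request.get("parameters", {}).get(name)

def evaluate(request, patches):
    """Return (allowed, message). Cheap checks first: a patch whose path does
    not match is skipped before its regex ever runs. The value must match the
    whitelist in full; a plain search would accept attack text appended to a
    legitimate prefix."""
    for p in patches:
        if request["path"] != p["path"]:
            continue
        value = resolve(request, p["variable"])
        if value is None:
            continue  # parameter absent: nothing to validate (assumed behaviour)
        if p["pattern"].fullmatch(value) is None:
            return False, p["message"]
    return True, None

PATCHES = load_patches(POLICY)

if __name__ == "__main__":
    print(evaluate({"path": "/vulnerable.do", "parameters": {"bar": "ok123"}}, PATCHES))
```

Note that the slide's pattern `[0-9a-zA-Z]*` also accepts an empty value; a whitelist that must be non-empty needs `+` instead.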
![Page 11: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/11.jpg)
Business Logic Flaws

Missing Authentication
• YES WE CAN
• Presence/value of session variable
• Presence of appliance-supplied header
• BeanShell script

Missing Functional Access Control
• YES WE CAN
• Check roles in session
• Check roles provided by appliance-supplied header
• BeanShell script

Missing Data Layer Access Control
• YES WE CAN
• BeanShell script

Example URLs on the slide: /viewAccount?id=1826, /admin/shutdown, /ws/ImptWebService.rest
![Page 12: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/12.jpg)
Adding "Outbound" Security

Headers
• Add anti-clickjacking header
• Set uniform content-type

Cookies
• Add HttpOnly flag
• Add secure flag

Body
• Detect outbound information
• Replace outbound information
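A model of the cookie and header rules on this slide, added as an illustration in Python (not ESAPI's Java implementation): it appends HttpOnly and Secure to Set-Cookie headers for named cookies without duplicating flags the app already set, adds an X-Frame-Options header when the app did not, and forces a charset onto bare text/html content types. The header and cookie names, the response shape and the sample headers are assumptions.

```python
def harden_cookie(set_cookie, names=("JSESSIONID",)):
    """Append HttpOnly and Secure to a Set-Cookie value for the named cookies,
    leaving other cookies and already-present flags untouched."""
    cookie_name = set_cookie.split("=", 1)[0].strip()
    if cookie_name not in names:
        return set_cookie
    attrs = [a.strip() for a in set_cookie.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join(attrs)

def uniform_content_type(value, default="text/html; charset=UTF-8"):
    """Force the charset onto bare text/html responses so the browser cannot
    sniff one; other media types pass through unchanged."""
    if value.split(";", 1)[0].strip().lower() == "text/html":
        return default
    return value

def apply_outbound_rules(headers, frame_option="DENY"):
    """headers: list of (name, value) pairs as the app produced them.
    Returns a new list with the outbound rules applied."""
    out, seen = [], set()
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            value = harden_cookie(value)
        elif lname == "content-type":
            value = uniform_content_type(value)
        seen.add(lname)
        out.append((name, value))
    if "x-frame-options" not in seen:  # anti-clickjacking header (assumed name)
        out.append(("X-Frame-Options", frame_option))
    return out

# Constructed sample response headers, not captured from any real app.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for name, value in apply_outbound_rules(SAMPLE_HEADERS):
        print(name + ": " + value)
```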
![Page 13: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/13.jpg)
Yes, we know all about early failing
• Do I care about URL? Ok, go on…
• What about content-type? Ok, go on…
• Is IP range private? Etc. Ok, go on…
• Perform rule (worst case scenario)
![Page 14: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/14.jpg)
Meet JForum 2.1.8
Awesome, free, fully featured forum software.
4 hours of code review/pen testing: 10 findings
![Page 15: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/15.jpg)
![Page 16: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/16.jpg)
![Page 17: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/17.jpg)
Finding mapped to the ESAPI WAF rule that addresses it:

| Finding | ESAPI WAF rule |
|---|---|
| XSS/Unchecked redirect | `<virtual-patch/>` |
| Add HttpOnly | `<add-http-only-flag>` |
| Add anti-clickjacking header | `<add-header/>` |
| Privilege escalation | `<bean-shell-rule/>` |
![Page 22: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/22.jpg)
JavaDocs
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc3/index.html
![Page 23: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/23.jpg)
Policy file specification
http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20WAF%20Configuration%20Guide.pdf
![Page 24: OWASP ESAPI WAF AppSec DC 2009](https://reader036.vdocuments.mx/reader036/viewer/2022081413/54708bc3b4af9fae0a8b47a0/html5/thumbnails/24.jpg)
OWASP ESAPI WAF
AVAILABLE NOW! $0
Arshan Dabirsiaghi
Director of Research, Aspect Security
@nahsra, i8<messiah>.com
http://www.aspectsecurity.com/