websecurity-3/3

Posted on 14-Dec-2015

DESCRIPTION

my old training slides - basic web application security - 3/3

TRANSCRIPT

Web Application Security

Deploying a Web Application Firewall

Adzmely Mansor

adzmely@gmail.com

Facts in a Nutshell

published in March 2012 by security vendor Cenzic - most common application vulnerabilities:

XSS - 37%

SQL Injection - 16%

Path Disclosure - 5%

Denial of Service - 5%

Code Execution - 4%

Memory Corruption - 4%

Cross Site Request Forgery (CSRF) - 4%

Information Disclosure - 3%

Arbitrary File - 3%

Local File Inclusion - 2%

Remote File Inclusion - 1%

Overflow - 1%

Other - 15%

Facts in a Nutshell

some web applications are coded or deployed badly, with exploitable vulnerabilities nobody is aware of:

SQL Injection

Cross Site Scripting - XSS

LFI / %00 - null byte exploit

via file upload, WYSIWYG editor, etc

Facts in a Nutshell

Developers should look at their own code:

code review

defensive programming - write better code

schedule a security assessment before deployment

etc

Facts in a Nutshell

NULL / VOID / Nobody

Nobody is doing it (most of the time)

Facts in a Nutshell

Even if every single deployed web app went through pre-deployment code review, security assessment, etc.

there might still be slips - exploitable mistakes that nobody noticed

present - in what is deployed today

future - in new modules / enhancements

Facts in a Nutshell

[Diagram: WebClient -> Firewall (port 80 / HTTP traffic allowed through) -> WebServer -> Application -> DatabaseServer]

Facts in a Nutshell

WAF to the Rescue

an important additional preventive layer for every network that serves HTTP/HTTPS

Blind Spot

HTTP Traffic Logging

web servers are well equipped to log traffic

but most are not able to log request bodies

making attacks carried in POST requests undetectable from the logs

Possible to log POST data in Apache using the mod_dumpio module

big log files / consumes disk space

images / binary uploads are logged too

not practical in the long run

in practice hardly anybody has heard of the module or knows it exists

it is meant as a debugging tool for developers, not as a security log
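The two ways of closing this blind spot, side by side, as an added example that is not from the original slides: the mod_dumpio debugging approach the slide describes (Apache 2.4 syntax) and the ModSecurity audit log, which buffers request bodies so that POST data is both inspectable by rules and written to the audit log, but only for transactions a rule flagged or that ended in an error status. Module paths, log paths, the cache directory and the size limits are assumptions.

```apache
# --- Option 1: mod_dumpio (debugging aid, not a security log) ---
# Dumps every input byte, file uploads included, into the error log at
# trace level. Apache 2.4 syntax; Apache 2.2 used "DumpIOLogLevel debug"
# together with "LogLevel debug".
LoadModule dumpio_module modules/mod_dumpio.so
DumpIOInput  On
DumpIOOutput Off
LogLevel dumpio:trace7

# --- Option 2: ModSecurity audit log (selective, production-friendly) ---
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    # Detection only while the rules are being tuned; switch to On later.
    SecRuleEngine DetectionOnly

    # Buffer request bodies so rules (and the audit log) can see POST data.
    # Limits are assumed values: 12.5 MB including uploads, 128 KB for
    # ordinary form data. Oversized bodies are rejected, not let through.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyLimitAction Reject

    # Only write audit entries for transactions a rule flagged or that
    # produced a 5xx or a 4xx other than 404, so the log does not fill up
    # with images and ordinary traffic the way mod_dumpio does.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

    # Parts: A=audit header, B=request headers, C=request body,
    # F=response headers, H=audit trailer (matched rules), Z=end marker.
    SecAuditLogParts ABCFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Scratch space for buffered bodies (assumed path; must be writable by
    # the Apache user and not world-readable, the bodies may hold passwords).
    SecTmpDir  /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity
</IfModule>
```

With RelevantOnly, a transaction is logged when a rule with the log action matched, even in DetectionOnly mode, so the audit log shows the full POST body of a detected SQL injection or XSS attempt while the ordinary image requests that make mod_dumpio impractical never reach it.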

Core Components of a WAF

Open Source Approach via Apache/ModSecurity

Apache 2.x

One of the most used open source products

Available on many platforms

Free, fast, stable and reliable

Expertise widely available

mod_proxy - reverse proxy module, the WAF building block, with integrated load balancing (mod_proxy_balancer)

ModSecurity

Adds WAF functionality to Apache

Free, open source, commercially supported

Implements most WAF features

Popular and very widely used

Fast, reliable and predictable

ModSecurity

Intrusion Detection / Prevention for Web Applications

Operates as an Apache module

Open source, GPL

increases web application security by protecting against known and unknown attacks (0-day exploits)

ModSecurity: use cases

legacy applications - can't be modified / encoded (ionCube / Zend Encoder / byte code / etc)

temporary protection for newly discovered vulnerabilities (virtual patching) until the code is fixed

0-day exploits - unnoticed / unknown

etc

OWASP CRS

for ModSecurity to become useful:

it must be configured with rules

rules for various different types of attacks

SQL Injection / XSS / LFI / RFI / etc

the OWASP community has developed and maintains a set of rules called the OWASP Core Rule Set (CRS)

CRS provides generic protection from the classes of vulnerability commonly found in web applications, including ones not yet known in a given application
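The two sources of rules the slides describe, as an added example that is not from the original slides: the OWASP CRS include for generic protection, plus two hand-written rules for the use cases above, one rejecting the %00 null-byte probes used in legacy LFI bugs and one virtual patch for an encoded legacy application that cannot be modified. The CRS paths follow the CRS 3 layout, the local rule ids in the 10000 range and the /exam/view.php?id= endpoint are assumptions.

```apache
<IfModule security2_module>
    SecRuleEngine On

    # Generic protection: OWASP Core Rule Set. Paths assume the CRS 3 layout;
    # CRS 2.2 used modsecurity_crs_10_setup.conf and activated_rules/*.conf.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf

    # Local rules. Ids 10000-10999 are an assumed range chosen to stay clear
    # of the CRS id space.

    # 1. Null-byte (%00) probes, used to truncate a path in legacy PHP LFI
    #    bugs. Decode first, then reject any byte 0 in parameter values,
    #    parameter names or the request URI.
    SecRule ARGS|ARGS_NAMES|REQUEST_URI "@validateByteRange 1-255" \
        "id:10001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
        msg:'Null byte in request',severity:CRITICAL"

    # 2. Virtual patch for an encoded legacy app (assumed endpoint):
    #    /exam/view.php takes id=, which must be a plain integer. Anything
    #    else is blocked until the vendor ships a fix. Chained rule: the
    #    disruptive action and id live on the first rule, the second rule
    #    only adds the condition on the parameter.
    SecRule REQUEST_FILENAME "@endsWith /exam/view.php" \
        "id:10002,phase:2,t:none,deny,status:403,log,\
        msg:'Virtual patch: non-numeric id on /exam/view.php',chain"
        SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none,t:urlDecodeUni"
</IfModule>
```

Both local rules carry the log action, so with SecAuditEngine RelevantOnly the blocked request, body included, ends up in the audit log; the CRS anomaly-scoring rules keep running for everything the local rules do not catch. Test a virtual patch with SecRuleEngine DetectionOnly first, because a legacy application often sends values the vendor never documented.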

Types of Deployment

Network-level device

Reverse Proxy

Embedded in web server

Type of Deployment

Reverse Proxy

a potential bottleneck

a single point of failure (SPOF) unless clustered

requires some minor changes to network / DNS / etc

SSL / 443 - TLS termination on the proxy required, otherwise the proxy cannot inspect the traffic

Type of Deployment

Embedded in web server

Easy to add

Not a point of failure

uses the same web server resources (CPU / memory)

Reverse Proxy Deployment

Reverse Proxy - Building Block

Main entrance to all backend servers

all HTTP requests are forced to go through the proxy

centralization - eases management

access control / logging / monitoring

possibility of combining multiple backend web servers into one site

hides the internals

performance by providing transparent caching

CSS / JS / images / etc - static content can easily be cached

response compression

SSL termination

HTTPS / encrypted session between the client / browser and the reverse proxy

HTTP / unencrypted session between the reverse proxy and the backend servers - acceptable only on a trusted network segment, otherwise re-encrypt to the backend

Scalability / High Availability

load balancing - multiple reverse proxies

active-passive cluster providing HA

Building blocks combined into a single solution:

Centralized cluster

Integration

Performance

High Scalability / Availability

Reverse Proxy Model

[Diagram: WebClient -> ModSecurity reverse proxy -> backends Apache / Nginx / IIS serving www.acme.com / email.acme.com / dev.acme.com]

Reverse Proxy Model - Load Balance

[Diagram: WebClient -> ModSecurity reverse proxy -> load balanced across three Apache backends 192.168.1.111 / 192.168.1.112 / 192.168.1.113 for www.acme.com]

Reverse Proxy Model - Integration Mapping (www.acme.com)

[Diagram: WebClient -> ModSecurity reverse proxy -> three Apache backends]

/images => http://192.168.1.111/images

/exam => http://192.168.1.111/exam

/tutorial => http://192.168.1.112
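The reverse proxy model from the three diagrams above, as an added example that is not the slides' own configuration: one Apache 2.4 VirtualHost for www.acme.com terminates TLS, runs ModSecurity on every request, load-balances "/" across the three backends and applies the integration mapping. The IP addresses and paths are taken from the slides; the module paths, certificate paths, balancer name and cache directory are assumptions.

```apache
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module         modules/mod_slotmem_shm.so
LoadModule headers_module             modules/mod_headers.so
LoadModule cache_module               modules/mod_cache.so
LoadModule cache_disk_module          modules/mod_cache_disk.so
LoadModule ssl_module                 modules/mod_ssl.so
LoadModule security2_module           modules/mod_security2.so

# Never act as a forward proxy: ProxyPass works without it, and leaving it
# on turns the WAF into an open proxy for anyone on the internet.
ProxyRequests Off

# Hide the internals: do not advertise version details to clients.
ServerTokens Prod
ServerSignature Off

# Backend pool for www.acme.com: the three Apache servers in the diagram.
<Proxy "balancer://www-pool">
    BalancerMember "http://192.168.1.111"
    BalancerMember "http://192.168.1.112"
    BalancerMember "http://192.168.1.113"
    ProxySet lbmethod=byrequests
</Proxy>

# Plain HTTP only redirects, so TLS is always terminated on the proxy and
# ModSecurity sees every request in the clear.
<VirtualHost *:80>
    ServerName www.acme.com
    Redirect permanent "/" "https://www.acme.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.acme.com

    # TLS termination (certificate paths assumed).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.acme.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.acme.com.key

    # Inspect every request before it is forwarded to a backend.
    SecRuleEngine On

    # Backends keep the original Host header and learn that the client used
    # HTTPS, since the proxy-to-backend hop is plain HTTP.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Integration mapping from the slides. Specific prefixes come before the
    # catch-all "/" because ProxyPass matches in configuration order. Keep
    # trailing slashes consistent on both sides of each mapping.
    ProxyPass        "/images"    "http://192.168.1.111/images"
    ProxyPassReverse "/images"    "http://192.168.1.111/images"
    ProxyPass        "/exam"      "http://192.168.1.111/exam"
    ProxyPassReverse "/exam"      "http://192.168.1.111/exam"
    ProxyPass        "/tutorial/" "http://192.168.1.112/"
    ProxyPassReverse "/tutorial/" "http://192.168.1.112/"

    # Everything else is load balanced across the pool.
    ProxyPass        "/" "balancer://www-pool/"
    ProxyPassReverse "/" "balancer://www-pool/"

    # Transparent caching of static content on the proxy (assumed directory).
    CacheRoot   "/var/cache/apache2/proxy"
    CacheEnable disk "/images"
</VirtualHost>
```

ProxyPassReverse rewrites Location headers coming back from the backends so their private addresses never leak to the client; without it, a backend redirect to http://192.168.1.111/... would expose the internal network the diagram is meant to hide. For the email.acme.com and dev.acme.com backends from the first diagram, add one VirtualHost each with its own ProxyPass lines.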

Central Logging with WAF-FLE and mlogc

ModSec Logging

WAF-FLE: http://www.waf-fle.org

PHP / MySQL web based application

latest version at the time of these slides: 0.6.0 final
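Wiring ModSecurity to mlogc so that audit entries are shipped to a WAF-FLE console instead of accumulating in a local file, as an added example that is not from the slides. It assumes request-body access and the audit log parts are already configured; the console URL, sensor credentials, binary path and directories are assumptions. Both files are shown in one listing, separated by comments.

```apache
# ---- httpd.conf / modsecurity.conf -------------------------------------
# Concurrent mode writes one file per transaction under the storage
# directory and pipes an index line for each into mlogc, which uploads the
# files to the console and retries from its queue if the console is down.
<IfModule security2_module>
    SecAuditEngine RelevantOnly
    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/mlogc/data
    SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
</IfModule>

# ---- /etc/mlogc.conf -----------------------------------------------------
# mlogc is built from the ModSecurity 2.x source (configure --enable-mlogc).
# LogStorageDir is relative to CollectorRoot and must resolve to the same
# directory as SecAuditLogStorageDir above, or mlogc will not find the files.
# CollectorRoot      /var/log/mlogc
# LogStorageDir      data
#
# Console endpoint and sensor account (assumed values; the path follows the
# WAF-FLE documentation, the host and credentials are placeholders). Use
# HTTPS: each upload contains full request bodies, passwords included.
# ConsoleURI         "https://waf-fle.acme.com/controller/"
# SensorUsername     "acme-waf-01"
# SensorPassword     "change-me"
#
# Local bookkeeping files, relative to CollectorRoot.
# TransactionLog     mlogc-transaction.log
# QueueFile          mlogc-queue.log
# ErrorLog           mlogc-error.log
# ErrorLogLevel      3
#
# Delete each per-transaction file after a successful upload (0) or keep it
# locally as well (1).
# KeepEntries        0
#
# Upload concurrency and timing.
# MaxConnections     10
# TransactionDelay   50
# ServerErrorTimeout 60
```

Two checks before trusting the pipeline: the storage directory must be writable by the Apache user and readable only by it, because it holds complete requests, and mlogc-error.log should be watched for authentication failures against the console, since an entry that cannot be uploaded sits in the local queue and never reaches the dashboard.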