WebSecurity-3/3
Facts in a Nutshell

Published in March 2012 by security vendor Cenzic - the most common web application vulnerabilities:

XSS - 37%
SQL Injection - 16%
Path Disclosure - 5%
Denial of Service - 5%
Code Execution - 4%
Memory Corruption - 4%
Cross Site Request Forgery (CSRF) - 4%
Information Disclosure - 3%
Arbitrary File - 3%
Local File Inclusion - 2%
Remote File Inclusion - 1%
Overflow - 1%
Other - 15%
Some web applications are coded/deployed badly, with exploitable vulnerabilities their owners are unaware of:

SQL Injection
Cross Site Scripting - XSS
LFI / %00 - null byte exploit
via file upload, WYSIWYG editor, etc.

Developers should look at their code:

code review
defensive programming - write better code
schedule a security assessment before deployment
etc.

NULL / VOID / Nobody
Nobody is doing it
(most of the time)

Even if everybody did it - every single deployed web app getting pre-deployment code review, security assessment, etc. - there might still be slips / unnoticed exploitable mistakes:

present
future - new modules / enhancements
Diagram: WebClient -> Firewall -> WebServer (Applications) -> DatabaseServer, with port 80 HTTP traffic passing through the firewall.
WAF to the Rescue

An important additional preventive layer for every HTTP/HTTPS network.
Blind Spot: HTTP Traffic Logging

Web servers are well equipped to log traffic, but most are not able to log request bodies, making attacks via POST requests undetectable in the logs.

It is possible to log POST data in Apache using the dumpio module (mod_dumpio), but:
big log files / consumes space
images/binary files are logged/stored too
not practical in the long run

Actual facts: mostly nobody has ever heard of the module or even knows about it; it is meant as a debugging tool for developers.
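Added example (not from the slides): what turning on mod_dumpio for request bodies looks like on Apache 2.4. The module path and the error log location are assumptions for a typical install; the slides only name the module.

```apache
# Added example, not from the slides: request-body logging with mod_dumpio (Apache 2.4).
# Module path and log file location are assumptions for a typical install.
LoadModule dumpio_module modules/mod_dumpio.so

# Log the whole input stream (request line, headers and body) of every request,
# including file uploads and other binary bodies - there is no content-type filter.
DumpIOInput On

# Responses are rarely needed for attack detection, and dumping them as well
# doubles the volume, so leave output dumping off.
DumpIOOutput Off

# In Apache 2.4 mod_dumpio writes at trace7, so raise the level for this module
# only; the dumps go to the ErrorLog, not the access log.
LogLevel warn dumpio:trace7
ErrorLog "/var/log/apache2/error.log"   # assumed path; keep it on its own partition and rotate it
```

Every byte of every request lands in the error log, which is exactly the "not practical in the long run" problem from the slide: budget disk space for uploads, rotate aggressively, and treat the file as sensitive since it contains passwords and session tokens in clear text. For day-to-day visibility of POST attacks the ModSecurity audit log covered later in the deck is the better fit, because it can record the request body only for transactions that triggered a rule.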
Core Components of a WAF

Open Source Approach via Apache/ModSecurity
Apache 2.x

One of the most used open source products
Available on many platforms
Free, fast, stable and reliable
Expertise widely available
mod_proxy - reverse proxy module, the WAF building block, with integrated load balancing
Mod Security

Adds WAF functionality to Apache
Free, open source, commercially supported
Implements most WAF features
Popular and very widely used
Fast, reliable and predictable

Intrusion Detection / Prevention for Web Applications
Operates as an Apache module
Open source, GPL licensed
Increases web application security by protecting against known and unknown attacks (0-day exploits)
Mod Security: use cases

legacy applications that can't be modified / are encoded (ionCube / Zend Encoder / byte code / etc.)
temporary protection for newly discovered vulnerabilities
0-day exploits - unnoticed / unknown
etc.
OWASP CRS

In order for ModSecurity to become useful it must be configured with rules: rules for the various different types of attacks (SQL Injection / XSS / LFI / RFI / etc.).

The OWASP community has developed and maintains a set of rules called the OWASP CRS (Core Rule Set). The CRS provides generic protection from unknown vulnerabilities often found in web applications.
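Added example (not from the slides) covering both the use-case slide and the CRS slide: a ModSecurity 2.x configuration that loads the OWASP CRS for generic protection and adds one local rule as temporary protection for a legacy application that cannot be changed. The module paths, the CRS install location, the `/legacy/report.php` endpoint and its `id` parameter are assumptions for illustration.

```apache
# Added example, not from the slides: ModSecurity 2.x + OWASP CRS, plus one local rule.
# Paths and the /legacy/report.php endpoint are assumptions.
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so   # ModSecurity needs UNIQUE_ID for its audit log

<IfModule security2_module>
    # Start in DetectionOnly, review what the CRS would have blocked, then switch to On.
    SecRuleEngine DetectionOnly

    # Without body access the engine never sees POST parameters (the "blind spot" slide).
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecResponseBodyAccess Off

    # Persistent collections and temp files used by some CRS rules (assumed directories).
    SecTmpDir  /var/cache/modsecurity/tmp
    SecDataDir /var/cache/modsecurity/data

    # Audit only transactions that triggered a rule or ended in an error status.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log   # assumed path

    # OWASP Core Rule Set: generic rules against SQLi, XSS, LFI/RFI and friends.
    # Plain Include (not IncludeOptional) so a missing CRS is a startup error,
    # not a WAF silently running with no rules.
    Include /etc/modsecurity/crs/crs-setup.conf      # assumed install location
    Include /etc/modsecurity/crs/rules/*.conf

    # Temporary protection for a newly discovered flaw in an encoded legacy app
    # that cannot be patched: its "id" parameter must be purely numeric.
    # Hypothetical endpoint and parameter; rule ids 1-99999 are reserved for local rules.
    # Note this rule only fires when "id" is present; an absent parameter is not blocked here.
    <LocationMatch "^/legacy/report\.php$">
        SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
            "id:10001,\
            phase:2,\
            deny,\
            status:403,\
            log,\
            msg:'Legacy app: non-numeric id parameter blocked'"
    </LocationMatch>
</IfModule>
```

The local rule is the pattern behind the "temporary protection" use case: it describes what legitimate input looks like for one endpoint and rejects everything else, which holds until the application itself is fixed. Running in `DetectionOnly` first matters with the CRS, since generic rules will match some legitimate traffic in any real application and those false positives have to be tuned out before blocking is enabled.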
Type of Deployments

Network-level device
Reverse Proxy
Embedded in web server
Reverse Proxy deployment:
a potential bottleneck
SPOF (single point of failure)
some minor changes to network/DNS/etc. required
SSL/443 - termination required

Embedded in web server:
easy to add
not a point of failure
uses the same web server resources
Reverse Proxy Deployment

Reverse Proxy Building Block

Main entrance to all backend servers:
all HTTP requests are forced to go through the proxy
centralization - ease of management
access control / logging / monitoring

Possibility of combining multiple backend web servers into one:
hide the internals

Performance by providing transparent caching:
CSS/JS/images/etc. - static content can easily be cached
response compression
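Added example (not from the slides): transparent caching of static content and response compression on the Apache reverse proxy. The cache directory, the static path prefixes and the backend address are assumptions.

```apache
# Added example, not from the slides: mod_cache_disk + mod_deflate on the reverse proxy.
# Cache directory, static prefixes and backend address are assumptions.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule cache_module       modules/mod_cache.so
LoadModule cache_disk_module  modules/mod_cache_disk.so
LoadModule deflate_module     modules/mod_deflate.so
LoadModule filter_module      modules/mod_filter.so   # provides AddOutputFilterByType in 2.4

ProxyRequests Off
ProxyPreserveHost On

# Run the cache as a normal handler rather than in the quick-handler phase, so a
# cache hit still goes through access control and the ModSecurity request phases
# instead of short-circuiting them.
CacheQuickHandler Off

# Cache only the static prefixes. Caching "/" would risk serving one user's
# dynamic, personalised response to another.
CacheRoot "/var/cache/apache2/proxy"   # assumed; must be writable by the httpd user
CacheDirLevels 2
CacheDirLength 1
CacheEnable disk "/images"
CacheEnable disk "/css"
CacheEnable disk "/js"
# Used when the backend sends no Expires / Cache-Control (seconds).
CacheDefaultExpire 3600
CacheIgnoreNoLastMod On

# Compress text responses on the way back to the client; images are already compressed.
AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript

ProxyPass        "/" "http://192.168.1.111/"   # backend address from the slides
ProxyPassReverse "/" "http://192.168.1.111/"
```

Keep the cache scoped to paths that are the same for every client; anything that varies per session (pages with CSRF tokens, account data, Set-Cookie responses) belongs outside the `CacheEnable` prefixes.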
SSL termination:
HTTPS/encrypted session between client/browser and reverse proxy
HTTP/unencrypted session between reverse proxy and backend servers
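Added example (not from the slides): SSL termination on the reverse proxy, HTTPS towards the browser and plain HTTP towards the backend, as the slide describes. The certificate paths are assumptions; the hostname and backend address come from the later diagrams.

```apache
# Added example, not from the slides: SSL termination on the Apache reverse proxy.
# Certificate paths are assumptions; www.acme.com and 192.168.1.111 come from the slides.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ProxyRequests Off
Listen 443

<VirtualHost *:443>
    ServerName www.acme.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.acme.com.crt     # assumed
    SSLCertificateKeyFile /etc/ssl/private/www.acme.com.key   # assumed
    # Only TLS 1.2 and newer (needs httpd 2.4 built against OpenSSL 1.0.1 or later).
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # The backend leg is plain HTTP, so the application can no longer tell that the
    # client used HTTPS. Tell it explicitly so it builds https:// links and marks
    # cookies Secure; the backend must trust this header only from the proxy.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.1.111/"
    ProxyPassReverse "/" "http://192.168.1.111/"
</VirtualHost>

# Port 80 only redirects to HTTPS; nothing is proxied in the clear.
<VirtualHost *:80>
    ServerName www.acme.com
    Redirect permanent "/" "https://www.acme.com/"
</VirtualHost>
```

Because the proxy-to-backend hop is unencrypted, that network segment has to be as trusted as the backend itself: the session cookies and credentials that TLS protected on the way in travel in clear text between the proxy and the web servers.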
Scalability / High Availability:
load balance - multiple reverse proxies
active-passive cluster providing HA

Building blocks compressed into a single solution:
Centralized cluster
Integration
Performance
High scalability / availability
Reverse Proxy Model

Diagram 1: WebClient -> ModSecurity (reverse proxy) -> backend servers of different kinds (Apache, Nginx, IIS) hosting www.acme.com, email.acme.com and dev.acme.com.

Diagram 2 (Load Balance): WebClient -> ModSecurity -> three Apache backends at 192.168.1.111, 192.168.1.112 and 192.168.1.113, all serving www.acme.com.

Diagram 3 (Integration Mapping): WebClient -> ModSecurity -> Apache backends, with www.acme.com paths mapped as:
/images => http://192.168.1.111/images
/exam => http://192.168.1.111/exam
/tutorial => http://192.168.1.112
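Added example (not from the slides): one Apache 2.4 + ModSecurity front end that implements all three diagrams above. The hostnames and the 192.168.1.111-113 backends are taken from the slides; the backend addresses for email.acme.com and dev.acme.com, the module paths and the CRS location are assumptions.

```apache
# Added example, not from the slides: ModSecurity reverse proxy for the three diagrams.
# Hostnames and 192.168.1.111-113 come from the slides; other addresses/paths are assumed.
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module         modules/mod_slotmem_shm.so
LoadModule security2_module           modules/mod_security2.so
LoadModule unique_id_module           modules/mod_unique_id.so

# A reverse proxy must never double as an open forward proxy.
ProxyRequests Off
# Pass the client's Host header through so name-based vhosts on the backends keep working.
ProxyPreserveHost On

# First vhost is the default: requests for names we do not front get a 403 instead
# of being proxied to whichever backend happens to be listed first.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# ModSecurity phases 1-2 run before mod_proxy hands the request to a backend, so
# every host below is inspected by the same rule set (the "centralization" slide).
SecRuleEngine On
SecRequestBodyAccess On
SecDataDir /var/cache/modsecurity/data         # assumed directory
Include /etc/modsecurity/crs/crs-setup.conf    # assumed CRS location
Include /etc/modsecurity/crs/rules/*.conf

# Diagram 2: www.acme.com served by three identical Apache backends.
<Proxy "balancer://www-pool">
    BalancerMember "http://192.168.1.111"
    BalancerMember "http://192.168.1.112"
    BalancerMember "http://192.168.1.113"
    ProxySet lbmethod=byrequests
</Proxy>

<VirtualHost *:80>
    ServerName www.acme.com
    # Diagram 3: integration mapping. ProxyPass is first-match, so the specific
    # prefixes must come before the catch-all "/".
    ProxyPass        "/images"   "http://192.168.1.111/images"
    ProxyPassReverse "/images"   "http://192.168.1.111/images"
    ProxyPass        "/exam"     "http://192.168.1.111/exam"
    ProxyPassReverse "/exam"     "http://192.168.1.111/exam"
    ProxyPass        "/tutorial" "http://192.168.1.112"
    ProxyPassReverse "/tutorial" "http://192.168.1.112"
    ProxyPass        "/"         "balancer://www-pool/"
    ProxyPassReverse "/"         "balancer://www-pool/"
</VirtualHost>

# Diagram 1: other names front other backend products behind the same WAF.
<VirtualHost *:80>
    ServerName email.acme.com
    ProxyPass        "/" "http://192.168.1.121/"   # nginx backend, address assumed
    ProxyPassReverse "/" "http://192.168.1.121/"
</VirtualHost>

<VirtualHost *:80>
    ServerName dev.acme.com
    ProxyPass        "/" "http://192.168.1.131/"   # IIS backend, address assumed
    ProxyPassReverse "/" "http://192.168.1.131/"
</VirtualHost>
```

The `ProxyPassReverse` lines rewrite `Location` and similar headers coming back from the backends so internal addresses such as 192.168.1.111 never reach the browser, which is the "hide the internals" property of the building-block slides. The explicit default vhost and `ProxyRequests Off` are the two settings most often missed when a proxy like this is built by hand.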
Central Logging with WAF-FLE and mlogc

ModSec Logging

WAF-FLE: http://www.waf-fle.org
PHP/MySQL web based application
current latest version 0.6.0 final(ly)
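Added example (not from the slides): the ModSecurity side of central logging, with the audit log written in concurrent mode and handed to mlogc for upload to a console such as WAF-FLE. Directory paths, the sensor credentials and the console URL are placeholders; the receiver URL has to be taken from your WAF-FLE installation. The mlogc.conf section uses the same directive syntax as httpd.conf.

```apache
# Added example, not from the slides: ModSecurity audit log -> mlogc -> central console.
# Paths, credentials and the ConsoleURI are placeholders.

# --- httpd.conf / ModSecurity side ---
SecAuditEngine RelevantOnly
# Log transactions that triggered a rule, plus 4xx/5xx responses other than 404.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Parts: A header, B request headers, C request body (the POST blind spot),
# F response headers, H audit trailer, Z end. E (response body) left out for volume.
SecAuditLogParts ABCFHZ
# Concurrent mode writes one file per transaction into the storage dir and pipes
# an index line to mlogc, which uploads the file and (with KeepEntries 0) deletes it.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/mlogc/data            # must be writable by the httpd user
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"  # assumed mlogc path

# --- /etc/mlogc.conf (same directive syntax) ---
CollectorRoot   "/var/log/mlogc"
LogStorageDir   "data"                  # relative to CollectorRoot; matches SecAuditLogStorageDir
TransactionLog  "mlogc-transaction.log"
ErrorLog        "mlogc-error.log"
ErrorLogLevel   3
KeepEntries     0                       # remove each entry after a successful upload
ConsoleURI      "https://waf-fle.example.invalid/mlogc/"   # placeholder; use your WAF-FLE receiver URL
SensorUsername  "sensor-placeholder"
SensorPassword  "change-me"
```

mlogc queues entries locally when the console is unreachable and retries, so the web server keeps running if central logging is down; watch `mlogc-error.log` and the size of the storage directory for exactly that case. Use HTTPS for `ConsoleURI`, since every uploaded entry contains full request bodies.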