naxsi, an open source waf for nginx
©NBS System – Security – Hosting – Managed IT services – www.nbs-system.com
Naxsi, an open source WAF for Nginx
A bit of background
(Seems webapp security is a good starter to talk about WAFs)
• Low technical skill needed to exploit most vulnerabilities (SQLi)
• Most actors have not reached a good awareness level yet
The overall security level of web applications evolves slowly, or at least not fast enough
(Number of annual defacements, source: zone-h)
Because of these factors, the number of attacks is growing dramatically
• Just for May 2012:
  • Governments or affiliated:
    • France
    • Bahrain
    • US
    • Thailand
    • Canada
    • Israel
    • …
  • More than 300k accounts dumped each month
In Russia, files include you …
Web apps vs. Classic IT
• Best mitigation: patch
  Not always possible:
  • Very complex or critical webapp
  • Lack of skill, knowledge lost
Your webapp's security level can only be known once you have performed an (expensive?) security test on it.
• When code patching is not an option: Web Application Firewalls
  • Commercial WAFs:
    • Not very affordable for small companies or big infrastructures
    • Extremely unequal quality
  • Open source WAFs:
    • Performance issues
    • Maybe not « corporate » enough for most users?
    • Maintenance time
• As a pentester:
  • Web sites are still one of the most vulnerable entry points on a network
  • And one of the most exposed as well!
• As a hoster:
  • Website owners, even when the web is their core business, lack security awareness … and get owned
• As a security consultant:
  • CISOs / administrators are still frightened of WAF side effects
  • And the ones using WAFs will only go for big, expensive, corporate solutions (Hi Imperva!)
WHY U NO PROTECT ?
Enough teasing !
(and enough jokes)
• When studying the idea of offering hardened web hosting for some of our clients, we came across several problems:
  • Commercial WAFs are way too expensive for big infrastructures (especially with a lot of small/medium clients)
  • Open source WAFs (mod_security) are not fast enough (meaning: you filter POST requests only, if you don't want to damage the user experience)
  • Both kinds require a huge investment to keep security signatures up to date
• (Apr 2011) The Naxsi project idea was born:
  • A hoster-compliant WAF:
    • Performance / scalability
    • Production-grade WAF
  • A WAF that doesn't require signature updates
    • Only when your site's code base changes
  • And because defense is, for once, more fun than attack
• Naxsi's design is closer to a stateless firewall than to an anti-virus
  • Most WAFs are more web anti-viruses than firewalls
  • They rely on a big, heavy, frequently updated base of signatures
• On the other hand, Naxsi does rely on signatures, but not in the way you might think
• Naxsi relies on ~35 rules, targeting: SQLi, XSS, RFI/LFI, file uploads …
• A rule is defined as:
  • A pattern (most of the time, one character; here: ')
  • Scores (indicating the kind of threat it is linked to; here both SQL and XSS)
  • Match zones
  • And a unique ID
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
• When a request reaches a « limit » score, an action is taken upon the request:
CheckRule "$SQL >= 8" BLOCK;
• This leaves a lot of room for fine-tuning
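The scoring model described above, as an added example (not naxsi's own C code): a small Python evaluator that parses rules in the MainRule/CheckRule syntax shown on this slide, sums scores over every match zone of a request and applies the CheckRule thresholds. Only rule id 1013 is quoted from the slides; the other rule ids, their scores and the request shape (a dict with URL, ARGS, BODY and HEADERS keys) are assumptions for this example.

```python
import re
from collections import defaultdict
# Constructed rule set in naxsi's MainRule/CheckRule syntax; only id 1013 is
# quoted from the slides, the other ids and scores are chosen for this example.
CONFIG = """
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:select" "msg:sql keyword" "mz:ARGS|BODY|URL" "s:$SQL:4" id:2000;
MainRule "str:union" "msg:sql keyword" "mz:ARGS|BODY|URL" "s:$SQL:4" id:2001;
MainRule "str:#" "msg:mysql comment" "mz:ARGS|BODY|URL" "s:$SQL:4" id:2002;
MainRule "str:/*" "msg:mysql comment" "mz:ARGS|BODY|URL" "s:$SQL:8" id:2003;
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$XSS >= 10" BLOCK;
"""
def parse_rule(line):
    """One MainRule line -> pattern (lowercased), match zones, score increments, id."""
    opts = dict(q.split(":", 1) for q in re.findall(r'"([^"]*)"', line))
    scores = {n: int(v) for n, v in (p.split(":") for p in opts["s"].split(","))}
    return {"str": opts["str"].lower(), "zones": opts["mz"].split("|"),
            "scores": scores, "id": int(re.search(r"\bid:(\d+)", line).group(1))}

def parse_config(text):
    """Return (rules, checks); a check is (score variable, threshold, action)."""
    lines = text.strip().splitlines()
    rules = [parse_rule(ln) for ln in lines if ln.startswith("MainRule")]
    checks = [(v, int(t), a) for ln in lines if ln.startswith("CheckRule")
              for v, t, a in [re.match(r'CheckRule "(\$\w+) >= (\d+)" (\w+);', ln).groups()]]
    return rules, checks

def zone_texts(request, zone):
    """Strings a zone covers: the URL, all names/values in a zone, or one $ZONE_VAR:name variable."""
    if zone == "URL":
        return [request["URL"]]
    if zone.startswith("$"):
        target, name = zone[1:].split(":", 1)          # "HEADERS_VAR", "Cookie"
        return [request.get(target[:-4], {}).get(name.lower(), "")]
    return [s for name, value in request.get(zone, {}).items() for s in (name, value)]

def evaluate(request, rules, checks):
    """Sum scores over the whole request (each occurrence counts, as in naxsi) and apply CheckRules."""
    scores, matched = defaultdict(int), set()
    for rule in rules:
        for text in (t for z in rule["zones"] for t in zone_texts(request, z)):
            hits = text.lower().count(rule["str"])
            if hits:
                matched.add(rule["id"])
                for name, value in rule["scores"].items():
                    scores[name] += value * hits
    blocked = any(scores.get(v, 0) >= t and a == "BLOCK" for v, t, a in checks)
    return dict(scores), sorted(matched), "BLOCK" if blocked else "PASS"
```

Run against the test-bed payloads later in the deck, the obfuscated `union#foo*/*bar select#foo` argument scores $SQL = 24 and is blocked, while the fragmented `FromDate`/`ToDate` request is blocked only because the quotes in both parameters are summed over the whole request.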
• This naive approach has several advantages:
  • Fast: no massive, expensive regex set to process
  • Naive design: Naxsi doesn't try to understand incoming requests. No need for complex/costly transformation functions
  • Predictability: not relying on « real » signatures makes bypasses less likely to happen
  • Small & auditable code: <4K LOC
• But it comes at a price:
  • Whitelist configuration!
Naxsi, a tweakable WAF
• Naxsi offers two « main » modes:
  • Normal mode: « blocked » requests are redirected to a specific location
  • Learning mode: « to-be-blocked » requests are simply « copied » to a specific location, and the original request is processed transparently
• Redirecting requests rather than « blocking » them offers various possibilities for blocked requests:
  • Return a specific error code to the user (HTTP 418: I'm a teapot)
  • Return a static page
  • Redirect the user to a dynamic page (with captcha) to report false positives
  • Anything LUA/PHP/<language> allows you to do
• Redirected requests contain both the original request arguments and the « naxsi signature » (in HTTP headers):
ip=x.x.x.x&server=xx.ru&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1308&var_name0=cookie&zone1=HEADERS&id1=1309&var_name1=cookie
Naxsi in test bed
« Reliability of naxsi model versus obfuscated patterns »
0 div 1 union#foo*/*bar select#foo 1,2,current_user
0 div 1 union select 1,2,current_user
mod_sec: transformation on comments leading to a bypass.
Naxsi: 2 SQL keywords, 4 SQL comments, blocked early
hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27
mod_sec: victim of fragmentation (attack split across several parameters)
Naxsi: evaluates the whole request, sees multiple quotes, brackets, parentheses
hUserId=22768&FromDate=a1'+or&ToDate=<>amount+and'')
Naxsi in test bed
« Performances of the naxsi model »
[Chart: Requests per second (y axis 0 to 6000) vs. concurrent connections (100, 300, 500, 1000) for NGINX, NGINX+NAXSI, APACHE and APACHE+MODSEC]
Platform: my laptop
• With apache-bench (1k concurrent requests, 10k total requests, long URL with arguments):
                               Nginx      Nginx+Naxsi   Diff (%)
Total time (s)                 1.151      1.271         9.4%
Requests per second            8687.21    7866.73       9.4%
Time per request, mean (ms)    0.115      0.127         9.4%
Transfer rate (KB/s)           1220.48    1198.45       1.8%
Naxsi usage
« Hands on »
[Diagram: User(s) → Naxsi → WebSite; Naxsi forwards intercepted requests to the Learning Daemon (nx_intercept), which stores them in MySQL/Sqlite]
[Diagram: MySQL/Sqlite → Learning Daemon (nx_extract) → naxsi configuration, e.g.:]
BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
• I won't cover Nginx setup, so let's assume our setup is the following:
  • Nginx+Naxsi is used as a reverse proxy to an existing website
  • The Naxsi setup is:
SecRulesEnabled;
DeniedUrl "/RequestDenied";
LearningMode;
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 5" BLOCK;
CheckRule "$UPLOAD >= 5" BLOCK;
CheckRule "$XSS >= 10" BLOCK;
$ python nx_intercept.py -c ./naxsi-ui.conf
…
Pointing to nx_intercept:
server {
    …
    location / {
        include "naxsi.conf";
        proxy_pass http://x.x.x.x;
    }
    location /RequestDenied {
        proxy_pass http://x.x.y.z:8080;
    }
    …
}
• Naxsi's learning daemons:
  • nx_intercept: HTTP request interception daemon, feeds the database
  • nx_extract: whitelist & statistics generation, fed from the database
[nx_extract]
username = naxsi_web
password = test
port = 8081
rules_path = /etc/nginx/core.rules
[nx_intercept]
port = 8080
[mysql]
username = naxsi
password = trivialpasswordormaybenot
hostname = 127.0.0.1
dbname = naxsi_sig
While the user is browsing, exceptions are generated by Naxsi and the HTTP requests are forwarded to nx_intercept. nx_intercept extracts signatures from the forwarded HTTP requests and puts them into the database.
• After browsing a bit (here two different pages), we can fire nx_extract, the whitelist generation daemon:
• Clicking on whitelist generation will get you there:
########### Rules Before Optimisation ##################
#1 hits on rule 1005 (mysql keyword (|)) on url / from 1 different peers
#BasicRule wl:1005 "mz:$URL:/|$HEADERS_VAR:cookie";
….
#BasicRule wl:1010 "mz:$URL:/test_securite_web|$HEADERS_VAR:cookie";
#1 hits on rule 1011 (parenthesis, probable sql/xss) on url /test_securite_web from 1 different peers
########### End Of Rules Before Optimisation ###########
# (mysql keyword (|))
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
# open parenthesis
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
# close parenthesis
BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";
Naxsi usage
« Hands on : User forms »
• But the real deal, with learning mode, is user forms!
• Cookies, URLs and so on will be detected in one browsing session, but what about user forms? You need to fill them in, with all « authorized » characters, which can be boring.
• Thanks to Naxsi's naive architecture, you can easily fool it to reach your goal.
• Let's add a rule or two in our naxsi location configuration:
BasicRule id:0 "str:123FREETEXT" "s:BLOCK" "mz:ARGS|BODY|URL";
BasicRule id:42 "str:123EMAIL" "s:BLOCK" "mz:ARGS|BODY|URL";
• These two rules will allow us, whenever we type « 123FREETEXT » or « 123EMAIL » within a field (GET/POST), to trigger naxsi and output a whitelist for:
  • id:0 (which means *all* rules) whenever you input « 123FREETEXT »
  • id:42 (which doesn't exist) whenever you input « 123EMAIL »
The idea here is to be able to simply tell naxsi « whitelist everything » in this field, in a convenient way.
And regarding id:42, replacing it with the ids you want to whitelist is left as an exercise to the audience (mainly because it's not supported by nx_extract yet ;p)
• Using the pattern « 123FREETEXT » in the website will thus generate a whitelist for « all » rules, on a specific element:
BasicRule wl:0 "mz:$URL:/|$ARGS_VAR:s";
Naxsi usage
« Hands on : User forms – another approach »
• Naxsi parses both variable names and content
• And most frameworks (Magento, Drupal, etc.) provide « default » names for several kinds of fields!
• Do you see my point? Not yet, maybe …
• In the case of Magento, form fields use hardcoded names depending on the type of field, such as:
  • Firstname
  • Lastname
  • Password
  • …
• As a specific example, the « search » field will always be passed as « q »:
BasicRule id:9002 "rx:^q$" "s:BLOCK" "mz:ARGS|BODY|URL";
• And name fields are always named « firstname » in HTML forms:
BasicRule id:9003 "rx:^firstname$" "s:BLOCK" "mz:ARGS|BODY|URL";
• Thus, browsing the website and using the forms, even without specific patterns, will trigger the rules, and you will see in whitelist generation:
BasicRule wl:9002 "mz:$URL:/catalogsearch/result/|$ARGS_VAR:q|NAME";
BasicRule wl:9003 "mz:$URL:/customer/account/createpost/|$BODY_VAR:firstname|NAME";
• This allows you to perform « passive » learning. Let users use the website (in learning mode), let them write your whitelist rules ;)
Naxsi usage
« Reporting, because bosses love reporting »
ip=x.x.x.&server=xxx.ro&uri=/wp-cron.php&total_processed=8140&total_blocked=1954&
• nx_intercept can also be fed by log files, nginx log files.
• As Naxsi writes its signatures into Nginx's error log, it means two things:
  • You can use LearningMode, even without nx_intercept
  • You can get cool & nice reporting on the period you want (just inject Nginx's log files for this period!)
Naxsi usage
« More ! More ! »
• Naxsi's simplicity and naive design allow you to simply write rules for whatever you want:
  • Blocking robots?
BasicRule id:X "str:BOT_USER_AGENT" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";
  • People looking for phpMyAdmin?
BasicRule id:X "rx:phpmy" "mz:URL" "s:BLOCK";
• As Naxsi writes signatures of attacks to Nginx's error log, it's fail2ban-friendly ;)
• Why not leave the learning mode on, and simply rely on fail2ban to push away persistent attackers?
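The signature handling from the learning and reporting slides, as an added Python example that is not the project's own nx_intercept/nx_extract code: it parses the zoneN/idN/var_nameN triples of a naxsi signature, aggregates them into BasicRule wl: lines in the shape of the « Rules Before/After Optimisation » output, and counts forwarded requests per client IP, which is the figure a fail2ban filter on the error log would threshold on. The signatures, IPs and host name are constructed, and the peer-count filter is an assumption of this example, not an nx_extract option.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qsl

# Constructed signatures in the ip=...&uri=...&zoneN=...&idN=...&var_nameN=... form
# the slides show; the IPs and host name are placeholders, not real traffic.
SIGNATURES = [
    "ip=10.0.0.1&server=www.example.test&uri=/&total_processed=1&total_blocked=1"
    "&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie",
    "ip=10.0.0.1&server=www.example.test&uri=/test_securite_web&total_processed=2"
    "&total_blocked=2&zone0=HEADERS&id0=1010&var_name0=cookie&zone1=HEADERS&id1=1011&var_name1=cookie",
    "ip=10.0.0.2&server=www.example.test&uri=/customer/account/createpost/&total_processed=1"
    "&total_blocked=1&zone0=BODY&id0=1013&var_name0=firstname",
]

def parse_signature(sig):
    """Split one signature into its fixed fields and a list of (zone, rule id, variable) hits."""
    fields = dict(parse_qsl(sig))
    hits, n = [], 0
    while f"id{n}" in fields:
        hits.append((fields[f"zone{n}"], int(fields[f"id{n}"]), fields.get(f"var_name{n}", "")))
        n += 1
    return fields, hits

def whitelist_rules(sigs, min_peers=1):
    """Emit BasicRule wl: lines the way nx_extract's optimisation step does: one per
    (id, zone, variable), pinned to $URL:... when seen on a single URL only, and
    dropped when fewer than min_peers distinct client IPs produced the hit."""
    seen = defaultdict(lambda: defaultdict(set))      # (id, zone, var) -> url -> client IPs
    for sig in sigs:
        fields, hits = parse_signature(sig)
        for zone, rid, var in hits:
            seen[(rid, zone, var)][fields["uri"]].add(fields["ip"])
    rules = []
    for (rid, zone, var), urls in sorted(seen.items()):
        if len(set().union(*urls.values())) < min_peers:
            continue                                    # too few peers: probably not a false positive
        mz = f"${zone}_VAR:{var}" if var else zone
        if len(urls) == 1:
            mz = f"$URL:{next(iter(urls))}|{mz}"
        rules.append(f'BasicRule wl:{rid} "mz:{mz}";')
    return rules

def hits_per_ip(sigs):
    """Forwarded requests per client IP: what a fail2ban filter on the error log would count."""
    return Counter(parse_signature(s)[0]["ip"] for s in sigs)
```

Review the generated lines before loading them: in learning mode every exception is forwarded, so an attacker's hits end up in the same table as legitimate false positives.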
Back to reality
• November 2011: « Charlie Hebdo », a French satirical newspaper, gets heavily targeted by Muslim hacktivists after an edition representing Muhammad was published.
• Their office was burned, and …
• Their website gets targeted and is defaced twice within 24 hours
• Then DoS and DDoS follow …
• Their current hoster decides to shut down the website, for fear of retaliation
• Migration was planned, but it became much more urgent
• A small hardened infrastructure was set up within 8 hours:
  • Two NGINX + NAXSI reverse proxies (for redundancy)
  • A LAMP server
• And here we go for the first « fire experience » of naxsi!
• At the time we migrated the website, we were already aware of some vulnerabilities that could not be patched on such short notice, so all our hope was in naxsi ☺
• D+1: architecture is ready, DNS migration ongoing
  • As stated earlier, we knew some vulnerabilities were present. Attackers knew as well (as they had already defaced the website twice)
• D+1.5: DNS migration is over
• A small analysis of Naxsi's logs over the first week:
  • Over 32,000 HTTP requests blocked
  • Over 200 IPs blacklisted
  • And the cool thing is that we didn't get any false positives, and the website remained safe.
Thanks for the bench!