websecurity-3/3
DESCRIPTION
my old training slides - basic web application security - 3/3
TRANSCRIPT
Facts in a Nutshell
Published in March 2012 by the security vendor Cenzic - most common web application vulnerabilities:
XSS - 37%
SQL Injection - 16%
Path Disclosure - 5%
Denial of Service - 5%
Code Execution - 4%
Memory Corruption - 4%
Cross Site Request Forgery (CSRF) - 4%
Information Disclosure - 3%
Arbitrary File - 3%
Local File Inclusion - 2%
Remote File Inclusion - 1%
Overflow - 1%
Other - 15%
Facts in a Nutshell
Some web applications are coded or deployed badly, with exploitable vulnerabilities nobody is aware of:
SQL Injection
Cross Site Scripting - XSS
LFI / %00 - null byte exploit
via file upload, WYSIWYG editor, etc
Facts in a Nutshell
Developers should look at their own code:
code review
defensive programming - write better code
schedule a security assessment before deployment
etc
Facts in a Nutshell
NULL / VOID / Nobody
Nobody is doing it
(most of the time)
Facts in a Nutshell
Even if every single deployed web app got a pre-deployment code review, security assessment, etc.
there may still be slips - exploitable mistakes that go unnoticed
in the present code
and in the future - new modules / enhancements
Facts in a Nutshell
Diagram: WebClient -> Firewall -> WebServer -> Application, Application -> DatabaseServer; the firewall passes HTTP traffic on port 80 through to the web server
Facts in a Nutshell
WAF to the Rescue
an important additional preventive layer for any HTTP/HTTPS service: the network firewall lets port 80/443 traffic through, so something has to inspect the requests themselves
Blind Spot
HTTP Traffic Logging
web servers are well equipped to log traffic (access logs)
but most do not log request bodies
so an attack carried in a POST request body leaves no trace in the access log - undetectable after the fact
Blind Spot
HTTP Traffic Logging
It is possible to log POST data in Apache with mod_dumpio
big log files / consumes disk space
image uploads and other binary bodies are dumped too
not practical in the long run
Blind Spot
HTTP Traffic Logging
It is possible to log POST data in Apache with mod_dumpio
in practice hardly anybody has heard of the module
it is meant as a debugging tool for developers, not as a security log
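The configuration behind these three slides, as an added example that is not part of the original slides: the default combined access log that records only the request line, the mod_dumpio settings that dump every request body into the error log, and the ModSecurity audit-log settings that capture request bodies only for transactions that matched a rule or ended in an error status. Module paths and log file locations are assumptions.

```apache
# 1. Default access logging (httpd.conf / vhost).
# The combined format records the request line, status, size, Referer
# and User-Agent. The body of a POST is never written here, so an
# injection carried in a form field leaves no trace in access_log.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined

# 2. mod_dumpio: a developer debugging aid that dumps every byte read
# from the client into the error log (Apache 2.4 syntax; on 2.2 use
# "DumpIOLogLevel debug" together with "LogLevel debug").
# Caveat: file uploads and other binary bodies are dumped too, so the
# error log grows very fast. Enable it temporarily, scope the LogLevel
# to a single <VirtualHost> where possible, and turn it off again.
LoadModule dumpio_module modules/mod_dumpio.so
LogLevel dumpio:trace7
DumpIOInput On
DumpIOOutput Off

# 3. ModSecurity audit log: request bodies are captured selectively.
# SecRequestBodyAccess On is what makes POST data visible at all;
# RelevantOnly limits the audit log to transactions that matched a rule
# or ended in the status codes below; part C is the request body.
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABCFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
</IfModule>
```

Apache does not accept comments after a directive on the same line, which is why every remark sits on its own line. The third option is the one that scales: with a rule set loaded, RelevantOnly yields the full request body for every match, which is exactly the POST visibility the access log lacks, without the volume of mod_dumpio.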
Core Components of a WAF
Open Source Approach via Apache/ModSecurity
Apache 2.x
One of the most used open source products
Available on many platforms
Free, fast, stable and reliable
Expertise widely available
mod_proxy - reverse proxy module, the WAF building block, with integrated load balancing (mod_proxy_balancer)
Mod Security
Adds WAF functionality to Apache
Free, open source, commercially supported
Implements most WAF features
Popular and very widely used
Fast, reliable and predictable
Mod Security
Intrusion Detection / Prevention for Web Applications
Operates as an Apache module
Open source (GPL)
increases web application security by protecting against known and unknown attacks (0-day exploits): generic rules match attack patterns rather than specific bugs
Mod Security : use case
legacy applications that cannot be modified - source encoded (ionCube / Zend Encoder / bytecode / etc)
temporary protection for newly discovered vulnerabilities (virtual patching until the code is fixed)
0-day exploits - unnoticed / unknown vulnerabilities
etc
OWASP CRS
for ModSecurity to become useful:
it must be configured with rules
rules for the various types of attack
SQL Injection / XSS / LFI / RFI / etc
OWASP CRS
the OWASP community has developed and maintains a set of rules called the OWASP Core Rule Set (CRS)
CRS provides generic protection against the attack classes commonly found in web applications, including vulnerabilities not yet known in a specific application
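Putting the two previous slides together (the ModSecurity use cases and the Core Rule Set), here is an added example of a working ModSecurity configuration; it is not taken from the slides. It loads the CRS and adds two local rules of the kind used for virtual patching. The CRS paths follow a typical CRS 3.x install, and /legacy/report.php, /legacy/admin/export.php and the id parameter are hypothetical names standing in for an ionCube-encoded application that cannot be fixed in source.

```apache
<IfModule security2_module>
    # Weak setting: the module is loaded but evaluates nothing.
    # SecRuleEngine Off

    # Tuning phase: log what would be blocked, block nothing.
    # SecRuleEngine DetectionOnly

    # Production: block.
    SecRuleEngine On

    # Without body access ARGS only covers the query string, so every
    # POST-based injection would slip past the rules below.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Generic protection: the OWASP CRS setup file and its rule files.
    # Paranoia level, anomaly thresholds and exclusions live in crs-setup.conf.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf

    # Local rules. Ids 1-99999 are reserved for local use and do not
    # collide with the CRS ranges.

    # Virtual patch for a legacy, ionCube-encoded script (hypothetical):
    # the "id" parameter is reported to be injectable, so only accept a
    # short integer until the vendor ships a fix. Chained rule: the first
    # part matches the file, the second the bad parameter value.
    SecRule REQUEST_FILENAME "@endsWith /legacy/report.php" \
        "id:1001,phase:2,deny,status:403,log,\
        msg:'Virtual patch: non-numeric id passed to legacy report.php',\
        tag:'virtual-patch',chain"
        SecRule ARGS:id "!@rx ^[0-9]{1,10}$"

    # Temporary protection for a newly published exploit (hypothetical):
    # block the vulnerable path outright while the real patch is tested.
    SecRule REQUEST_URI "@beginsWith /legacy/admin/export.php" \
        "id:1002,phase:1,deny,status:404,log,\
        msg:'Temporary block of export.php pending patch'"
</IfModule>
```

Run with SecRuleEngine DetectionOnly first and read the audit log for CRS false positives before switching to On. Requests whose body exceeds SecRequestBodyLimit are rejected with 413 by default (SecRequestBodyLimitAction Reject), so size the limit to what the application legitimately uploads.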
Type of Deployments
Type of Deployment
Network-level device
Reverse Proxy
Embedded in web server
Type of Deployment
Reverse-Proxy
a potential bottleneck
SPOF - single point of failure, unless clustered
some minor changes to network/DNS/etc
SSL/443 - termination at the proxy required, otherwise the WAF cannot inspect the encrypted traffic
Type of Deployment
Embedded in web server
easy to add
no additional point of failure
uses the web server's own resources (CPU/memory)
Reverse Proxy Deployment
Reverse Proxy
Building Block
Main entrance to all backend servers
all HTTP requests are forced to go through the proxy
centralization - eases management
access control / logging / monitoring
Reverse Proxy
Building block
possibility of combining multiple backend web servers into one
hides the internals
Reverse Proxy
Building block
performance by providing transparent caching
CSS/JS/images/etc - static content can easily be cached
response compression
Reverse Proxy
Building block
SSL termination
HTTPS / encrypted session between the client/browser and the reverse proxy
HTTP / unencrypted session between the reverse proxy and the backend servers (keep that leg on a trusted network)
Reverse Proxy
Building block
Scalability / High Availability
load balancing - multiple reverse proxies
active-passive cluster providing HA
Reverse Proxy
All the building blocks combined into a single solution:
centralised cluster
integration
performance
high scalability / availability
Reverse Proxy Model
Diagram (Reverse Proxy Model): WebClient -> ModSecurity reverse proxy -> backend web servers (Apache, Nginx, IIS) serving www.acme.com, email.acme.com, dev.acme.com
Reverse Proxy Model
Diagram (Reverse Proxy Model, load balancing): WebClient -> ModSecurity reverse proxy -> www.acme.com load-balanced across three Apache backends: 192.168.1.111, 192.168.1.112, 192.168.1.113
Reverse Proxy Model
Diagram (Reverse Proxy Model, integration mapping for www.acme.com): WebClient -> ModSecurity reverse proxy -> Apache backends, mapped as:
/images => http://192.168.1.111/images
/exam => http://192.168.1.111/exam
/tutorial => http://192.168.1.112
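The three diagrams above translate into one Apache 2.4 reverse-proxy configuration; the following is an added example, not part of the original slides. It uses the slides' hostnames and backend addresses (www.acme.com, 192.168.1.111-113) and the integration mapping shown; the certificate paths, the cache directory and the CRS location are assumptions. An embedded deployment differs only in that the Sec* lines go into the backend server's own configuration and the proxy parts are dropped.

```apache
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule security2_module modules/mod_security2.so

# Reverse proxy only: never become an open forward proxy.
ProxyRequests Off
# Hand the client's Host header to the backends so their name-based
# virtual hosts (www/email/dev.acme.com) still resolve.
ProxyPreserveHost On

# Load-balanced pool: three Apache backends behind www.acme.com.
<Proxy "balancer://www-pool">
    BalancerMember "http://192.168.1.111"
    BalancerMember "http://192.168.1.112"
    BalancerMember "http://192.168.1.113"
    ProxySet lbmethod=byrequests
</Proxy>

# Plain HTTP on port 80: send everyone to HTTPS.
<VirtualHost *:80>
    ServerName www.acme.com
    Redirect permanent "/" "https://www.acme.com/"
</VirtualHost>

# SSL terminates on the proxy. The proxy-to-backend leg is plain HTTP,
# so the 192.168.1.0/24 segment must not be reachable by clients.
<VirtualHost *:443>
    ServerName www.acme.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.acme.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.acme.com.key

    # Integration mapping from the slide. More specific prefixes first;
    # a trailing slash on the path must be matched by one on the URL.
    ProxyPass "/images" "http://192.168.1.111/images"
    ProxyPassReverse "/images" "http://192.168.1.111/images"
    ProxyPass "/exam" "http://192.168.1.111/exam"
    ProxyPassReverse "/exam" "http://192.168.1.111/exam"
    ProxyPass "/tutorial/" "http://192.168.1.112/"
    ProxyPassReverse "/tutorial/" "http://192.168.1.112/"
    # Everything else is spread over the balanced pool.
    ProxyPass "/" "balancer://www-pool/"
    ProxyPassReverse "/" "balancer://www-pool/"

    # Transparent caching of static content and response compression.
    # CacheQuickHandler off keeps cache hits inside the normal request
    # cycle, so access control and the WAF rules still run for them.
    CacheRoot /var/cache/httpd/proxy
    CacheEnable disk "/images"
    CacheQuickHandler off
    AddOutputFilterByType DEFLATE text/html text/css application/javascript

    # The WAF inspects the decrypted request here, before it is proxied.
    SecRuleEngine On
    SecRequestBodyAccess On
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</VirtualHost>
```

Check the file with httpd -t before reloading and, because ProxyPass order matters, request one URL from each prefix and one that should land on the pool through the proxy to confirm the mapping.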
Central Logging with WAF-FLE and mlogc
ModSec Logging
http://www.waf-fle.org
PHP/MySQL web-based application (console for ModSecurity audit logs)
current latest version: 0.6.0 final (finally)
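As an added example (not from the slides) of the central-logging setup: ModSecurity switched to the Concurrent audit-log format and piped into mlogc, and the matching mlogc.conf that ships the entries to a WAF-FLE console. The console URL, sensor name and password are placeholders to be replaced by the sensor defined in the WAF-FLE web interface; the directory paths are assumptions.

```apache
# /etc/httpd/conf.d/modsecurity-logging.conf
<IfModule security2_module>
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABCFHZ
    # Concurrent mode writes one file per transaction under the storage
    # directory plus a one-line index entry; mlogc consumes that index.
    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/httpd/modsec_audit
    # Pipe the index into mlogc instead of writing it to a file.
    SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
</IfModule>

# /etc/mlogc.conf (the path handed to mlogc above)
# CollectorRoot   base directory for mlogc's own queue and logs
# LogStorageDir   must match SecAuditLogStorageDir
# ConsoleURI      where entries are POSTed; for WAF-FLE the console's
#                 mlogc endpoint (placeholder host)
# Sensor*         the sensor as created in the WAF-FLE web interface
CollectorRoot "/var/log/httpd/mlogc"
LogStorageDir "/var/log/httpd/modsec_audit"
TransactionLog "mlogc-transaction.log"
QueueLog "mlogc-queue.log"
ErrorLog "mlogc-error.log"
ErrorLogLevel 2
ConsoleURI "https://waffle.acme.com/waf-fle/mlogc/"
SensorUsername "proxy01"
SensorPassword "change-me"
KeepEntries 0
```

Make sure both directories exist and are writable by the user mlogc runs as, and watch mlogc-error.log: entries that cannot be delivered stay in the queue, so a wrong ConsoleURI or sensor password shows up there rather than in the console.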
ModSec Logging