Slide 1

Hands-On ModSecurity and Logging
Philipp Krenn @xeraa

Slide 2

Let's talk about security...

Slide 3


Slide 4

A1:2017-Injection
https://www.owasp.org/index.php/Top_10-2017_Top_10

Slide 5


Slide 6

A10:2017-Insufficient Logging & Monitoring
https://www.owasp.org/index.php/Top_10-2017_Top_10

Slide 7


Slide 8

Developer

Slide 9

Disclaimer
I build highly monitored Hello World apps

Slide 10

Hello World of SQL Injection: https://xeraa.wtf

Slide 11

https://xeraa.wtf/read.php?id=1

Slide 12


Slide 13

python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" --purge

Slide 14

Injection
;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)

Slide 15

No Escaping Either
;INSERT INTO employees (id,name,city,salary) VALUES (5,'alert("hello")','evil',0)

Slide 16


Slide 17


Slide 18


Slide 19


Slide 20


Slide 21


Slide 22


Slide 23


Slide 24

What's going on in our app?

Slide 25


Slide 26

DELETE or DROP?

Slide 27


Slide 28

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.

Slide 29

OWASP ModSecurity Core Rule Set (CRS) Version 3
• HTTP Protocol Protection
• Real-time Blacklist Lookups
• HTTP Denial of Service Protections
• Generic Web Attack Protection
• Error Detection and Hiding

Slide 30

Commercial Rules from Trustwave SpiderLabs
• Virtual Patching
• IP Reputation
• Web-based Malware Detection
• Webshell / Backdoor Detection
• Botnet Attack Detection
• HTTP Denial of Service (DoS) Attack Detection

Slide 31

Run sqlmap again
python sqlmap.py --url "https://xeraa.wtf:8080/read.php?id=1" --purge

Slide 32

Custom Rule
SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
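To see how this chain behaves, here is an added example (not code from the talk or its repository) that re-implements the three-rule chain's matching logic in Python and runs it over constructed requests; the Request fields, the evaluate_chain helper and the sample traffic are my own, not ModSecurity's.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the ModSecurity variables the slide's chain reads.
@dataclass
class Request:
    filename: str  # REQUEST_FILENAME: request path without the query string
    method: str    # REQUEST_METHOD
    body: str      # REQUEST_BODY

# The three SecRule lines from the slide, in chain order. ModSecurity's default
# operator is @rx, so "form.php" and "POST" are unanchored regexes too: "form.php"
# also matches "/myform.php" (anchor it as ^/form\.php$ if that is not intended).
CHAIN = [
    ("filename", re.compile(r"form.php")),
    ("method", re.compile(r"POST")),
    ("body", re.compile(r"(?i:(pills|insurance|rolex))")),
]
RULE_ID = "400001"
MSG = "Spam detected"

def evaluate_chain(req: Request) -> dict:
    """Chain semantics: every rule must match before the disruptive action
    (deny) and the msg of the first rule take effect. For non-matches the
    result records which variable broke the chain, which is what you want to
    know when a rule never fires in production."""
    for var, pattern in CHAIN:
        if not pattern.search(getattr(req, var)):
            return {"action": "pass", "id": None, "msg": None, "failed_at": var}
    return {"action": "deny", "id": RULE_ID, "msg": MSG, "failed_at": None}

# Constructed sample traffic (not captured data).
SAMPLES = [
    Request("/form.php", "POST", "name=bob&comment=Buy cheap PILLS now"),  # deny
    Request("/form.php", "POST", "name=bob&comment=Thanks for the talk"),  # pass
    Request("/form.php", "GET", "rolex"),       # body matches, method does not
    Request("/read.php", "POST", "insurance"),  # wrong filename
]

if __name__ == "__main__":
    for req in SAMPLES:
        r = evaluate_chain(req)
        detail = (f"id {r['id']}, msg '{r['msg']}'" if r["action"] == "deny"
                  else f"chain broke at {r['failed_at']}")
        print(f"{req.method} {req.filename} -> {r['action']} ({detail})")
```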

Slide 33


Slide 34

Conclusion

Slide 35

Examples: https://github.com/xeraa/mod_security-log

Slide 36

Code, Logging, ModSecurity

Slide 37

Questions?
Philipp Krenn @xeraa