Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hands-On ModSecurity and Logging

Philipp Krenn
April 06, 2019
Programming
2
110

Hands-On ModSecurity and Logging

This talk combines two of the OWASP top ten security risks:
* Injections (A1:2017): We are using a simple application that is exploitable by an injection and will then secure it with ModSecurity.
* Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring the application both with and without ModSecurity with the open source Elastic Stack.

To make it more interactive the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.

Philipp Krenn

April 06, 2019
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.8k
360° Monitoring of Your Microservices
xeraa
7
2.9k
Scale Your Metrics with Elasticsearch
xeraa
4
110
YAML Considered Harmful
xeraa
0
1.8k
Scale Your Elasticsearch Cluster
xeraa
1
240
Centralized Logging Patterns
xeraa
1
860
Dashboards for Your Management with Kibana Canvas
xeraa
1
410
Make Your Data FABulous
xeraa
3
700
Real Integration Tests with TestContainers
xeraa
2
330

Other Decks in Programming

See All in Programming
Learning PHP with PHP Parser
inouehi
1
190
Babylon.js書籍出版の裏側。ツイートから始まった奇跡の1年を振り返る
iwaken71
0
100
gomicollector ガベコレ自作で辿る自作の森
speed1313
1
480
thin film interference BSDF and Bismuth Growing Algorithm
kinakomoti321
0
110
Android端末のNFCを無効化しようとしてダメだった話
mitchan
1
2.8k
DevRel/Japan 2023 - 1つの事業部だけで行う DevRel とは
hcrane
0
330
Money Forward XでのGo利用事例について
keitaro1020
3
320
#phperkaigi 名著「パーフェクトPHP」のPart3に出てきたフレームワークを令和5年に書き直したらどんな感じですかね?
o0h
PRO
1
670
Deep in 国際化ドメイン名
kageshiron
0
340
防衛的 PHP: 多様性を生き抜くための PHP 入門 / Defensive PHP
siketyan
1
210
Famm Android改善記
akatsuki174
0
130
SQLite en production ? Et si vous réévaluiez vos options ?
guikingone
1
160

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
499
110k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
It's Worth the Effort
3n
177
26k
Typedesign – Prime Four
hannesfritz
34
1.6k
Raft: Consensus for Rubyists
vanstee
130
5.8k
The Cult of Friendly URLs
andyhume
70
5.2k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
Optimizing for Happiness
mojombo
366
65k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.6k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
8
4.9k
Navigating Team Friction
lara
177
12k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k

Transcript

  1. Hands-On
    ModSecurity and Logging
    Philipp Krenn̴ ̴̴̴@xeraa

    View Slide

  2. Let's talk about security...
    ̴̴@xeraa

    View Slide

  3. ̴̴@xeraa

    View Slide

  4. A1:2017-Injection
    https://www.owasp.org/index.php/
    Top_10-2017_Top_10
    ̴̴@xeraa

    View Slide

  5. ̴̴@xeraa

    View Slide

  6. A10:2017-Insufficient Logging &
    Monitoring
    https://www.owasp.org/index.php/
    Top_10-2017_Top_10
    ̴̴@xeraa

    View Slide

  7. ̴̴@xeraa

    View Slide

  8. Developer
    ̴̴@xeraa

    View Slide

  9. Disclaimer
    I build highly monitored Hello World
    apps
    ̴̴@xeraa

    View Slide

  10. Hello World of SQL Injection:
    https://xeraa.wtf
    ̴̴@xeraa

    View Slide

  11. https://xeraa.wtf/read.php?id=1
    ̴̴@xeraa

    View Slide

  12. ̴̴@xeraa

    View Slide

  13. python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" --
    purge
    ̴̴@xeraa

    View Slide

  14. Injection
    ;INSERT INTO employees (id,name,city,salary) VALUES
    (4,'new','employee',10000)
    ̴̴@xeraa

    View Slide

  15. No Escaping Either
    ;INSERT INTO employees (id,name,city,salary) VALUES
    (5,'alert("hello")','evil',0)
    ̴̴@xeraa

    View Slide

  16. View Slide

  17. View Slide

  18. ̴̴@xeraa

    View Slide

  19. View Slide

  20. ̴̴@xeraa

    View Slide

  21. ̴̴@xeraa

    View Slide

  22. ̴̴@xeraa

    View Slide

  23. View Slide

  24. What's going on in our app?
    ̴̴@xeraa

    View Slide

  25. View Slide

  26. DELETE
    or
    DROP
    ?
    ̴̴@xeraa

    View Slide

  27. ̴̴@xeraa

    View Slide

  28. ModSecurity is an open source, cross-platform web application
    firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs,
    it enables web application defenders to gain visibility into HTTP(S)
    traffic and provides a power rules language and API to implement
    advanced protections.
    ̴̴@xeraa

    View Slide

  29. OWASP ModSecurity Core Rule Set (CRS) Version 3
    • HTTP Protocol Protection
    • Real-time Blacklist Lookups
    • HTTP Denial of Service Protections
    • Generic Web Attack Protection
    • Error Detection and Hiding
    ̴̴@xeraa

    View Slide

  30. Commercial Rules from Trustwave SpiderLabs
    • Virtual Patching
    • IP Reputation
    • Web-based Malware Detection
    • Webshell / Backdoor Detection
    • Botnet Attack Detection
    • HTTP Denial of Service (DoS) Attack Detection
    ̴̴@xeraa

    View Slide

  31. Run sqlmap again
    python sqlmap.py --url "https://xeraa.wtf/read.php:8080?
    id=1" --purge
    ̴̴@xeraa

    View Slide

  32. Custom Rule
    SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
    SecRule REQUEST_METHOD "POST" chain
    SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
    ̴̴@xeraa

    View Slide

  33. ̴̴@xeraa

    View Slide

  34. Conclusion̴̴
    ̴̴@xeraa

    View Slide

  35. Examples
    https://github.com/xeraa/mod_security-log
    ̴̴@xeraa

    View Slide

  36. Code
    Logging
    ModSecurity
    ̴̴@xeraa

    View Slide

  37. Questions?̴̴
    Philipp Krenn̴̴̴̴̴@xeraa
    ̴̴@xeraa

    View Slide