Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hands-On ModSecurity and Logging

Philipp Krenn
April 06, 2019
Programming
2
180

Hands-On ModSecurity and Logging

This talk combines two of the OWASP top ten security risks:
* Injections (A1:2017): We are using a simple application that is exploitable by an injection and will then secure it with ModSecurity.
* Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring the application both with and without ModSecurity with the open source Elastic Stack.

To make it more interactive the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.

Philipp Krenn

April 06, 2019
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
2.1k
360° Monitoring of Your Microservices
xeraa
7
3.4k
Scale Your Metrics with Elasticsearch
xeraa
4
140
YAML Considered Harmful
xeraa
0
2.1k
Scale Your Elasticsearch Cluster
xeraa
1
300
Centralized Logging Patterns
xeraa
1
1.1k
Dashboards for Your Management with Kibana Canvas
xeraa
1
470
Make Your Data FABulous
xeraa
3
860
Real Integration Tests with TestContainers
xeraa
2
500

Other Decks in Programming

See All in Programming
gen_statem - OTP's Unsung Hero
whatyouhide
1
210
Optimizing JRuby 10
headius
0
350
小田原でみんなで一句詠みたいな #phpcon_odawara
stefafafan
0
340
Contribute to Comunities | React Tokyo Meetup #4 LT
sasagar
0
500
リアルタイムレイトレーシング + ニューラルレンダリング簡単紹介 / Real-Time Ray Tracing & Neural Rendering: A Quick Introduction (2025)
shocker_0x15
1
310
Empowering Developers with HTML-Aware ERB Tooling @ RubyKaigi 2025, Matsuyama, Ehime
marcoroth
2
740
一緒に働きたくなるプログラマの思想 #QiitaConference
mu_zaru
45
11k
Compose Hot Reload is here, stop re-launching your apps! (Android Makers 2025)
zsmb
1
520
On-the-fly Suggestions of Rewriting Method Deprecations
ohbarye
1
2.8k
七輪ライブラリー: Claude AI で作る Next.js アプリ
suneo3476
1
110
Building Scalable Mobile Projects: Fast Builds, High Reusability and Clear Ownership
cyrilmottier
2
290
AIコーディングエージェントを 「使いこなす」ための実践知と現在地 in ログラス / How to Use AI Coding Agent in Loglass
rkaga
3
490

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
178
53k
How GitHub (no longer) Works
holman
314
140k
Become a Pro
speakerdeck
PRO
27
5.3k
Designing for Performance
lara
608
69k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
670
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.4k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.4k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
30
2k
It's Worth the Effort
3n
184
28k
Bash Introduction
62gerente
611
210k
Embracing the Ebb and Flow
colly
85
4.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
12k

Transcript

  1. Hands-On ModSecurity and Logging Philipp Krenn̴ ̴̴̴@xeraa

  2. Let's talk about security... ̴̴@xeraa

  3. ̴̴@xeraa

  4. A1:2017-Injection https://www.owasp.org/index.php/ Top_10-2017_Top_10 ̴̴@xeraa

  5. ̴̴@xeraa

  6. A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/ Top_10-2017_Top_10 ̴̴@xeraa

  7. ̴̴@xeraa

  8. Developer ̴̴@xeraa

  9. Disclaimer I build highly monitored Hello World apps ̴̴@xeraa

  10. Hello World of SQL Injection: https://xeraa.wtf ̴̴@xeraa

  11. https://xeraa.wtf/read.php?id=1 ̴̴@xeraa

  12. ̴̴@xeraa

  13. python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" -- purge ̴̴@xeraa

  14. Injection ;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000) ̴̴@xeraa

  15. No Escaping Either ;INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert("hello")</script>','evil',0) ̴̴@xeraa

  16. None
  17. None

  18. ̴̴@xeraa

  19. None

  20. ̴̴@xeraa

  21. ̴̴@xeraa

  22. ̴̴@xeraa

  23. None

  24. What's going on in our app? ̴̴@xeraa

  25. None

  26. DELETE or DROP ? ̴̴@xeraa

  27. ̴̴@xeraa

  28. ModSecurity is an open source, cross-platform web application firewall (WAF)

    module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. ̴̴@xeraa

  29. OWASP ModSecurity Core Rule Set (CRS) Version 3 • HTTP

    Protocol Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protections • Generic Web Attack Protection • Error Detection and Hiding ̴̴@xeraa

  30. Commercial Rules from Trustwave SpiderLabs • Virtual Patching • IP

    Reputation • Web-based Malware Detection • Webshell / Backdoor Detection • Botnet Attack Detection • HTTP Denial of Service (DoS) Attack Detection ̴̴@xeraa

  31. Run sqlmap again python sqlmap.py --url "https://xeraa.wtf/read.php:8080? id=1" --purge ̴̴@xeraa

  32. Custom Rule SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'" SecRule REQUEST_METHOD "POST"

    chain SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))" ̴̴@xeraa

  33. ̴̴@xeraa

  34. Conclusion̴̴ ̴̴@xeraa

  35. Examples https://github.com/xeraa/mod_security-log ̴̴@xeraa

  36. Code Logging ModSecurity ̴̴@xeraa

  37. Questions?̴̴ Philipp Krenn̴̴̴̴̴@xeraa ̴̴@xeraa