Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hands-On ModSecurity and Logging

Hands-On ModSecurity and Logging

This talk combines two of the OWASP top ten security risks:
* Injections (A1:2017): We are using a simple application that is exploitable by an injection and will then secure it with ModSecurity.
* Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring the application both with and without ModSecurity with the open source Elastic Stack.

To make it more interactive the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.

Philipp Krenn

April 06, 2019
Tweet

More Decks by Philipp Krenn

Other Decks in Programming

Transcript

  1. Hands-On
    ModSecurity and Logging
    Philipp Krenn̴ ̴̴̴@xeraa

    View full-size slide

  2. Let's talk about security...
    ̴̴@xeraa

    View full-size slide

  3. A1:2017-Injection
    https://www.owasp.org/index.php/
    Top_10-2017_Top_10
    ̴̴@xeraa

    View full-size slide

  4. A10:2017-Insufficient Logging &
    Monitoring
    https://www.owasp.org/index.php/
    Top_10-2017_Top_10
    ̴̴@xeraa

    View full-size slide

  5. Developer
    ̴̴@xeraa

    View full-size slide

  6. Disclaimer
    I build highly monitored Hello World
    apps
    ̴̴@xeraa

    View full-size slide

  7. Hello World of SQL Injection:
    https://xeraa.wtf
    ̴̴@xeraa

    View full-size slide

  8. https://xeraa.wtf/read.php?id=1
    ̴̴@xeraa

    View full-size slide

  9. python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" --
    purge
    ̴̴@xeraa

    View full-size slide

  10. Injection
    ;INSERT INTO employees (id,name,city,salary) VALUES
    (4,'new','employee',10000)
    ̴̴@xeraa

    View full-size slide

  11. No Escaping Either
    ;INSERT INTO employees (id,name,city,salary) VALUES
    (5,'alert("hello")','evil',0)
    ̴̴@xeraa

    View full-size slide

  12. What's going on in our app?
    ̴̴@xeraa

    View full-size slide

  13. DELETE
    or
    DROP
    ?
    ̴̴@xeraa

    View full-size slide

  14. ModSecurity is an open source, cross-platform web application
    firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs,
    it enables web application defenders to gain visibility into HTTP(S)
    traffic and provides a power rules language and API to implement
    advanced protections.
    ̴̴@xeraa

    View full-size slide

  15. OWASP ModSecurity Core Rule Set (CRS) Version 3
    • HTTP Protocol Protection
    • Real-time Blacklist Lookups
    • HTTP Denial of Service Protections
    • Generic Web Attack Protection
    • Error Detection and Hiding
    ̴̴@xeraa

    View full-size slide

  16. Commercial Rules from Trustwave SpiderLabs
    • Virtual Patching
    • IP Reputation
    • Web-based Malware Detection
    • Webshell / Backdoor Detection
    • Botnet Attack Detection
    • HTTP Denial of Service (DoS) Attack Detection
    ̴̴@xeraa

    View full-size slide

  17. Run sqlmap again
    python sqlmap.py --url "https://xeraa.wtf/read.php:8080?
    id=1" --purge
    ̴̴@xeraa

    View full-size slide

  18. Custom Rule
    SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
    SecRule REQUEST_METHOD "POST" chain
    SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
    ̴̴@xeraa

    View full-size slide

  19. Conclusion̴̴
    ̴̴@xeraa

    View full-size slide

  20. Examples
    https://github.com/xeraa/mod_security-log
    ̴̴@xeraa

    View full-size slide

  21. Code
    Logging
    ModSecurity
    ̴̴@xeraa

    View full-size slide

  22. Questions?̴̴
    Philipp Krenn̴̴̴̴̴@xeraa
    ̴̴@xeraa

    View full-size slide