Hands-On ModSecurity and Logging


This talk combines two of the OWASP Top 10 security risks:
* Injection (A1:2017): We use a simple application that is exploitable through SQL injection and then secure it with ModSecurity.
* Insufficient Logging & Monitoring (A10:2017): We log and monitor the application, both with and without ModSecurity, using the open source Elastic Stack.

To make it more interactive, the audience performs the injections, which we then monitor live and mitigate with ModSecurity.


Philipp Krenn

April 06, 2019

Transcript

  1. Hands-On ModSecurity and Logging, Philipp Krenn @xeraa

  2. Let's talk about security...

  4. A1:2017-Injection https://www.owasp.org/index.php/Top_10-2017_Top_10

  6. A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/Top_10-2017_Top_10

  8. Developer

  9. Disclaimer: I build highly monitored Hello World apps

  10. Hello World of SQL Injection: https://xeraa.wtf

  11. https://xeraa.wtf/read.php?id=1

  13. python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" --purge

  14. Injection: ;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)

  15. No Escaping Either: ;INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert("hello")</script>','evil',0)

  24. What's going on in our app?

  26. DELETE or DROP?

  28. ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
  29. OWASP ModSecurity Core Rule Set (CRS) Version 3 • HTTP Protocol Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protections • Generic Web Attack Protection • Error Detection and Hiding
  30. Commercial Rules from Trustwave SpiderLabs • Virtual Patching • IP Reputation • Web-based Malware Detection • Webshell / Backdoor Detection • Botnet Attack Detection • HTTP Denial of Service (DoS) Attack Detection
  31. Run sqlmap again (against the ModSecurity-protected instance on port 8080): python sqlmap.py --url "https://xeraa.wtf:8080/read.php?id=1" --purge

  32. Custom Rule
      # Chained rule: all three SecRules must match before deny and log fire.
      # Runs in phase 2 (the SecRule default); REQUEST_BODY needs SecRequestBodyAccess On.
      SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
          SecRule REQUEST_METHOD "POST" "chain"
              SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"

  34. Conclusion

  35. Examples: https://github.com/xeraa/mod_security-log

  36. Code • Logging • ModSecurity

  37. Questions? Philipp Krenn @xeraa
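As an added example (not code from the talk or from the xeraa/mod_security-log repository), the read.php?id=1 lookup and the two payloads from slides 11, 14 and 15, replayed in Python against an in-memory SQLite database. The vulnerable version concatenates the id into the query and hands it to a stand-in for a driver that accepts stacked statements (mysqli_multi_query style); the hardened version validates the id, binds it as a parameter and escapes the output. The employees table and its three rows are constructed sample data, and `run_stacked` is a deliberate simplification (a naive split on `;`), not how any real driver parses SQL.

```python
"""Added example (not code from the talk or the xeraa/mod_security-log repo):
the read.php?id=1 lookup rebuilt against SQLite, vulnerable and hardened.
The employees table and its rows are constructed sample data."""
import html
import sqlite3

SEED_ROWS = [  # constructed sample data
    (1, "Alice", "Vienna", 50000),
    (2, "Bob", "Berlin", 60000),
    (3, "Carol", "Zurich", 70000),
]

# The two payloads from the deck, appended to id=1 by the attacker.
INJECT_ROW = ";INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)"
INJECT_XSS = ";INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert(\"hello\")</script>','evil',0)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, city TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?)", SEED_ROWS)
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Stand-in for a driver that accepts stacked statements (mysqli_multi_query,
    PDO with emulated prepares): run every ';'-separated statement and return the
    rows of the first. Splitting on ';' is a deliberate simplification."""
    rows = None
    for stmt in filter(str.strip, sql.split(";")):
        cur = conn.execute(stmt)
        if rows is None:
            rows = cur.fetchall()
    conn.commit()
    return rows or []


def read_vulnerable(conn, id_param):
    """read.php as the deck has it: the raw id is concatenated into the SQL text."""
    return run_stacked(conn, "SELECT id, name, city, salary FROM employees WHERE id = " + id_param)


def read_hardened(conn, id_param):
    """Validate the type first, then bind the value; the query text never changes."""
    try:
        emp_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT id, name, city, salary FROM employees WHERE id = ?", (emp_id,)).fetchall()


def render_unescaped(rows):
    """Slide 15: values dropped into the HTML as-is, so a stored <script> runs."""
    return "".join("<tr>" + "".join(f"<td>{col}</td>" for col in row) + "</tr>" for row in rows)


def render_escaped(rows):
    """Same table, with every cell HTML-escaped."""
    return "".join("<tr>" + "".join(f"<td>{html.escape(str(col))}</td>" for col in row) + "</tr>" for row in rows)


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]


def demo_vulnerable():
    """Both payloads land: two extra rows, and the XSS row renders unescaped."""
    conn = fresh_db()
    read_vulnerable(conn, "1" + INJECT_ROW)
    read_vulnerable(conn, "1" + INJECT_XSS)
    return count_rows(conn), render_unescaped(read_vulnerable(conn, "5"))


def demo_hardened():
    """Same payloads against the hardened lookup: no rows added, nothing returned."""
    conn = fresh_db()
    first = read_hardened(conn, "1" + INJECT_ROW)
    second = read_hardened(conn, "1" + INJECT_XSS)
    return count_rows(conn), first, second


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
    print("escaped:   ", render_escaped([(5, '<script>alert("hello")</script>', "evil", 0)]))
```

Binding alone already defeats the stacked INSERT, because the whole `1;INSERT ...` string becomes a single value compared against the integer column and matches nothing; the `int()` check rejects it before the query is even built, and `html.escape` closes the stored XSS path that slide 15 shows. ModSecurity in front of the app catches the same payloads by signature, but the app-side fix is the one that does not depend on a signature.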
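An added example, not from the talk or the xeraa/mod_security-log repository, for the logging half of the deck (slides 24 to 26, "What's going on in our app?", "DELETE or DROP?"): a parser that turns ModSecurity 2.x lines from the Apache error_log into flat event dicts of the kind you would index in Elasticsearch, answers the slide's question from the `data` field, and correlates per-rule warnings with the final block through `unique_id`. The log lines are constructed samples in the ModSecurity 2.9 / Apache 2.4 format; 942100 (libinjection SQLi) and 949110 (inbound anomaly score exceeded) are CRS 3 rules as logged in the default anomaly-scoring mode, and 400001 is the custom spam rule from slide 32. In a real deployment Filebeat would ship these lines (or the audit log) and this field extraction would live in a Logstash filter or an ingest pipeline; the Python is a stand-in that shows which fields to pull out.

```python
"""Added example (not code from the talk or the xeraa/mod_security-log repo):
turn ModSecurity 2.x error_log lines into structured events and summarize what
hit the app. The log lines are constructed samples."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (no real traffic) in the Apache 2.4 / ModSecurity 2.9
# format. With CRS 3 in anomaly-scoring mode a matching rule logs a Warning and
# the block comes from 949110 in a separate line; both share the unique_id.
SAMPLE_LOG = """\
[Sat Apr 06 10:15:01.123456 2019] [:error] [pid 1234:tid 140] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'E1;' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: E1; found within ARGS:id: 1;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "attack-sqli"] [tag "OWASP_TOP_10/A1"] [hostname "xeraa.wtf"] [uri "/read.php"] [unique_id "XKh001"]
[Sat Apr 06 10:15:01.123789 2019] [:error] [pid 1234:tid 140] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "OWASP_CRS/ANOMALY/EXCEEDED"] [hostname "xeraa.wtf"] [uri "/read.php"] [unique_id "XKh001"]
[Sat Apr 06 10:16:42.000100 2019] [:error] [pid 1234:tid 141] [client 203.0.113.5:51240] [client 203.0.113.5] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 'E1;' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: E1; found within ARGS:id: 1;DROP TABLE employees"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "attack-sqli"] [tag "OWASP_TOP_10/A1"] [hostname "xeraa.wtf"] [uri "/read.php"] [unique_id "XKh002"]
[Sat Apr 06 10:16:42.000400 2019] [:error] [pid 1234:tid 141] [client 203.0.113.5:51240] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "OWASP_CRS/ANOMALY/EXCEEDED"] [hostname "xeraa.wtf"] [uri "/read.php"] [unique_id "XKh002"]
[Sat Apr 06 10:20:05.500000 2019] [:error] [pid 1235:tid 140] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(pills|insurance|rolex))" at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "3"] [id "400001"] [msg "Spam detected"] [hostname "xeraa.wtf"] [uri "/form.php"] [unique_id "XKh003"]
"""

TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\]")
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})")
ACTION_RE = re.compile(r"ModSecurity: (?:Access denied with code (\d{3}) \(phase (\d)\)|Warning)\.")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # the [key "value"] pairs
VERB_RE = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|UNION)\b", re.IGNORECASE)


def parse_line(line):
    """Turn one error_log line into a flat event dict (None if not a ModSecurity line)."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    ts = TS_RE.match(line)
    client = CLIENT_RE.search(line)
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":              # tag repeats, everything else is single-valued
            tags.append(value)
        else:
            fields[key] = value
    status, phase = action.groups()
    return {
        "timestamp": datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S.%f %Y").isoformat() if ts else None,
        "client": client.group(1) if client else None,
        "action": "denied" if status else "warning",
        "status": int(status) if status else None,
        "phase": int(phase) if phase else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "data": fields.get("data", ""),
        "uri": fields.get("uri"),
        "hostname": fields.get("hostname"),
        "severity": fields.get("severity"),
        "unique_id": fields.get("unique_id"),
        "tags": tags,
    }


def parse_log(text):
    return [event for event in map(parse_line, text.splitlines()) if event]


def summarize(events):
    """Answer "what is going on in our app" from the structured events."""
    by_rule = Counter(e["rule_id"] for e in events)
    blocked_by_client = Counter(e["client"] for e in events if e["action"] == "denied")
    sql_verbs = Counter()                  # "DELETE or DROP?" read off the matched data
    for e in events:
        for verb in {m.upper() for m in VERB_RE.findall(e["data"])}:
            sql_verbs[verb] += 1
    by_transaction = defaultdict(list)     # warnings and the final block share unique_id
    for e in events:
        by_transaction[e["unique_id"]].append(e["rule_id"])
    return {
        "by_rule": by_rule,
        "blocked_by_client": blocked_by_client,
        "sql_verbs": sql_verbs,
        "by_transaction": dict(by_transaction),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The point of keying on `unique_id` is that with CRS 3 in anomaly-scoring mode the 403 is always attributed to 949110; the rule that actually recognised the payload (here 942100 with the INSERT and DROP in its `data`) is on a separate Warning line, so a dashboard that only counts the denial lines never shows what was attempted.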