Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hands-On ModSecurity and Logging

Philipp Krenn
April 06, 2019
Programming
2
120

Hands-On ModSecurity and Logging

This talk combines two of the OWASP top ten security risks:
* Injections (A1:2017): We are using a simple application that is exploitable by an injection and will then secure it with ModSecurity.
* Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring the application both with and without ModSecurity with the open source Elastic Stack.

To make it more interactive the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.

Philipp Krenn

April 06, 2019
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.9k
360° Monitoring of Your Microservices
xeraa
7
3.2k
Scale Your Metrics with Elasticsearch
xeraa
4
120
YAML Considered Harmful
xeraa
0
1.9k
Scale Your Elasticsearch Cluster
xeraa
1
260
Centralized Logging Patterns
xeraa
1
920
Dashboards for Your Management with Kibana Canvas
xeraa
1
440
Make Your Data FABulous
xeraa
3
750
Real Integration Tests with TestContainers
xeraa
2
390

Other Decks in Programming

See All in Programming
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
3
240
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
370
CDKコントリビュートの最初の壁を越えよう! -簡単issueの見つけ方-
badmintoncryer
2
120
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
280
Hanami and htmx
bkuhlmann
0
210
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
AmperとFleetを使ったAndroidアプリ
yoppie
0
200
VS Code をプロダクトにどう取り込むか
onomax
1
470
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
680
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
200
Code Reviews
bkuhlmann
4
890
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
540

Featured

See All Featured
Optimizing for Happiness
mojombo
370
69k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Building Applications with DynamoDB
mza
88
5.6k
Raft: Consensus for Rubyists
vanstee
132
6.3k
Bash Introduction
62gerente
604
210k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Rebuilding a faster, lazier Slack
samanthasiow
73
8.2k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k

Transcript

  1. Hands-On ModSecurity and Logging Philipp Krenn̴ ̴̴̴@xeraa

  2. Let's talk about security... ̴̴@xeraa

  3. ̴̴@xeraa

  4. A1:2017-Injection https://www.owasp.org/index.php/ Top_10-2017_Top_10 ̴̴@xeraa

  5. ̴̴@xeraa

  6. A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/ Top_10-2017_Top_10 ̴̴@xeraa

  7. ̴̴@xeraa

  8. Developer ̴̴@xeraa

  9. Disclaimer I build highly monitored Hello World apps ̴̴@xeraa

  10. Hello World of SQL Injection: https://xeraa.wtf ̴̴@xeraa

  11. https://xeraa.wtf/read.php?id=1 ̴̴@xeraa

  12. ̴̴@xeraa

  13. python sqlmap.py --url "https://xeraa.wtf/read.php?id=1" -- purge ̴̴@xeraa

  14. Injection ;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000) ̴̴@xeraa

  15. No Escaping Either ;INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert("hello")</script>','evil',0) ̴̴@xeraa

  16. None
  17. None

  18. ̴̴@xeraa

  19. None

  20. ̴̴@xeraa

  21. ̴̴@xeraa

  22. ̴̴@xeraa

  23. None

  24. What's going on in our app? ̴̴@xeraa

  25. None

  26. DELETE or DROP ? ̴̴@xeraa

  27. ̴̴@xeraa

  28. ModSecurity is an open source, cross-platform web application firewall (WAF)

    module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. ̴̴@xeraa

  29. OWASP ModSecurity Core Rule Set (CRS) Version 3 • HTTP

    Protocol Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protections • Generic Web Attack Protection • Error Detection and Hiding ̴̴@xeraa

  30. Commercial Rules from Trustwave SpiderLabs • Virtual Patching • IP

    Reputation • Web-based Malware Detection • Webshell / Backdoor Detection • Botnet Attack Detection • HTTP Denial of Service (DoS) Attack Detection ̴̴@xeraa

  31. Run sqlmap again python sqlmap.py --url "https://xeraa.wtf/read.php:8080? id=1" --purge ̴̴@xeraa

  32. Custom Rule SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'" SecRule REQUEST_METHOD "POST"

    chain SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))" ̴̴@xeraa

  33. ̴̴@xeraa

  34. Conclusion̴̴ ̴̴@xeraa

  35. Examples https://github.com/xeraa/mod_security-log ̴̴@xeraa

  36. Code Logging ModSecurity ̴̴@xeraa

  37. Questions?̴̴ Philipp Krenn̴̴̴̴̴@xeraa ̴̴@xeraa