Hands-On ModSecurity and Logging

A presentation at DevOpsFest in April 2019 in Kyiv, Ukraine, 02000 by Philipp Krenn

Hands-On ModSecurity and Logging Philipp Krenn @xeraa

Let’s talk about security… @xeraa

@xeraa

A1:2017-Injection https://www.owasp.org/index.php/ Top_10-2017_Top_10 @xeraa

@xeraa

A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/ Top_10-2017_Top_10 @xeraa

@xeraa

Developer @xeraa

Disclaimer I build highly monitored Hello World apps @xeraa

Hello World of SQL Injection: https://xeraa.wtf @xeraa

https://xeraa.wtf/read.php?id=1 @xeraa

@xeraa

python sqlmap.py —url “https://xeraa.wtf/read.php?id=1” -purge @xeraa

Injection ;INSERT INTO employees (id,name,city,salary) VALUES (4,’new’,’employee’,10000) @xeraa

No Escaping Either ;INSERT INTO employees (id,name,city,salary) VALUES (5,’<script>alert(“hello”)</script>’,’evil’,0) @xeraa

@xeraa

@xeraa

@xeraa

@xeraa

What’s going on in our app? @xeraa

DELETE or DROP? @xeraa

@xeraa

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. @xeraa

OWASP ModSecurity Core Rule Set (CRS) Version 3 • HTTP Protocol Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protections • Generic Web Attack Protection • Error Detection and Hiding @xeraa

Commercial Rules from Trustwave SpiderLabs • Virtual Patching • IP Reputation • Web-based Malware Detection • Webshell / Backdoor Detection • Botnet Attack Detection • HTTP Denial of Service (DoS) Attack Detection @xeraa

Run sqlmap again python sqlmap.py —url “https://xeraa.wtf/read.php:8080? id=1” —purge @xeraa

Custom Rule SecRule REQUEST_FILENAME “form.php” “id:’400001’,chain,deny,log,msg:’Spam detected’” SecRule REQUEST_METHOD “POST” chain SecRule REQUEST_BODY “@rx (?i:(pills|insurance|rolex))” @xeraa

@xeraa

Conclusion @xeraa

Examples https://github.com/xeraa/mod_security-log @xeraa

Code Logging ModSecurity @xeraa

Questions? Philipp Krenn @xeraa @xeraa

Philipp Krenn
@xeraa

1 / 37

This talk combines two of the OWASP top ten security risks:

Injections (A1:2017): We are using a simple application that is exploitable by an injection and will then secure it with ModSecurity.
Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring the application both with and without ModSecurity with the open source Elastic Stack.

To make it more interactive the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.

Video

Resources

The following resources were mentioned during the presentation or are useful additional information.

GitHub Demo Code

Fighting SQL injections and insufficient logging.

Buzz and feedback

Here’s what was said about this presentation on social media.

When walking to the #JSFestua conference today, I saw that a DevOps conference was happening on the floor below. I snug in and discovered that my awesome @elastic colleague @xeraa was there AND was giving a talk about security! Small world 😄 pic.twitter.com/TsdH9XfTX6
— Thomas Watson (@wa7son) April 6, 2019