Injection

;INSERT INTO employees (id,name,city,salary) VALUES (4,'new','employee',10000)
@xeraa
No Escaping Either

;INSERT INTO employees (id,name,city,salary) VALUES (5,'<script>alert("hello")</script>','evil',0)
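The two slides above show the same bug twice: the id parameter is pasted into the SQL text, so a `;` ends the SELECT and whatever follows runs as a second statement, and the value stored by the second payload is later written into the page unescaped. The following script is an added example, not code from the talk or from the read.php app it demonstrates against; it replays both payloads against an in-memory SQLite stand-in for the employees table (schema and seed rows are constructed here, the slides only show the column names), first through a deliberately vulnerable lookup that emulates a multi-statement query API, then through the parameterised fix, and finishes with the output encoding that keeps the stored `<script>` from executing.

```python
"""Added example (not from the talk): stacked-query injection and its fix.

Assumptions, none of which are taken from the slides: the table layout and
three seed rows below, and that the original read.php concatenated ?id= into
its SQL and ran it through an API that executes several ';'-separated
statements. sqlite3 stands in for the real database; run_multi() emulates the
multi-statement behaviour.
"""
import html
import sqlite3

# Constructed schema and seed data.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, city TEXT, salary INTEGER);
INSERT INTO employees (id, name, city, salary) VALUES
    (1, 'Alice', 'Vienna', 50000),
    (2, 'Bob', 'Berlin', 45000),
    (3, 'Carol', 'Paris', 47000);
"""

# The two payloads from the slides, as they arrive in ?id=1;INSERT ...
PAYLOAD_INSERT = ("1;INSERT INTO employees (id,name,city,salary) "
                  "VALUES (4,'new','employee',10000)")
PAYLOAD_XSS = ("1;INSERT INTO employees (id,name,city,salary) "
               "VALUES (5,'<script>alert(\"hello\")</script>','evil',0)")


def new_db():
    """Fresh in-memory database containing only the seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_multi(conn, sql):
    """Emulates a multi-statement query API: every ';'-separated statement runs.
    The split is naive; the demo payloads have no ';' inside string literals."""
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows.extend(conn.execute(stmt).fetchall())
    return rows


def read_vulnerable(conn, user_id):
    """VULNERABLE: string concatenation. A ';' in the input terminates the
    SELECT and the attacker's INSERT runs as a second statement."""
    sql = "SELECT id, name, city, salary FROM employees WHERE id = " + user_id
    return run_multi(conn, sql)


def read_safe(conn, user_id):
    """FIXED: parameterised query. The driver sends the value separately from
    the SQL text, so the input is only compared against id, never parsed."""
    return conn.execute(
        "SELECT id, name, city, salary FROM employees WHERE id = ?", (user_id,)
    ).fetchall()


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]


def render_name(name):
    """Output encoding for the 'No Escaping Either' case: whatever reached the
    database is HTML-escaped before it is written into a page, so a stored
    <script> is shown as text instead of executed by every visitor's browser."""
    return html.escape(name)


if __name__ == "__main__":
    db = new_db()
    print(read_vulnerable(db, PAYLOAD_INSERT), count_rows(db))  # Alice's row, 4
    read_vulnerable(db, PAYLOAD_XSS)
    stored = db.execute("SELECT name FROM employees WHERE id = 5").fetchone()[0]
    print(stored, "->", render_name(stored))
    clean = new_db()
    print(read_safe(clean, PAYLOAD_INSERT), count_rows(clean))  # [], still 3
```

Against the safe lookup the whole payload is bound as one value and matches no id, so no row is returned and nothing is inserted; the escaping step is still needed for data that entered the table before the fix or through any other path.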
What’s going on in our app?
DELETE or DROP?
ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
OWASP ModSecurity Core Rule Set (CRS) Version 3

• HTTP Protocol Protection
• Real-time Blacklist Lookups
• HTTP Denial of Service Protections
• Generic Web Attack Protection
• Error Detection and Hiding
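What "rules language" means in practice, as an added configuration example that is not from the talk and not the ModSecurity or CRS project's own shipped config: a minimal ModSecurity (v2 directive syntax) fragment that turns the engine on, keeps an audit log of matched requests, adds two local rules using the libinjection operators that would catch both slide payloads in the id argument, and then pulls in the Core Rule Set listed above. File paths and rule ids are assumptions; adjust them to your install.

```apache
# Added example (not from the talk). Run with "SecRuleEngine DetectionOnly"
# first and read the audit log, otherwise legitimate requests that happen to
# match a rule are blocked as soon as this is loaded.
SecRuleEngine On
SecRequestBodyAccess On

# Audit only requests that ended in a 5xx or a 4xx other than 404.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log

# Local rules (ids are assumed). ARGS covers query string and body parameters,
# t:urlDecodeUni normalises the value before libinjection inspects it.
SecRule ARGS "@detectSQLi" \
    "id:100001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection in request argument'"
SecRule ARGS "@detectXSS" \
    "id:100002,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'XSS payload in request argument'"

# OWASP Core Rule Set (paths assumed): crs-setup.conf sets the paranoia level
# and anomaly thresholds, the rules directory holds the protections above.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

With this loaded in front of read.php, the `;INSERT ...` and `<script>` requests from the earlier slides are rejected with a 403 before the application ever builds its query; the parameterised query in the application is still the actual fix, the WAF is the layer that buys time and visibility.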
Commercial Rules from Trustwave SpiderLabs

• Virtual Patching
• IP Reputation
• Web-based Malware Detection
• Webshell / Backdoor Detection
• Botnet Attack Detection
• HTTP Denial of Service (DoS) Attack Detection
Run sqlmap again

python sqlmap.py --url "https://xeraa.wtf/read.php:8080?id=1" --purge

--purge clears sqlmap's output directory of the data saved from the earlier run, so the scan starts from scratch against the now WAF-protected app instead of reusing the previously detected injection point.