Hands-On ModSecurity and Logging

A presentation at WeAreDevelopers in June 2019 in Berlin, Germany by Philipp Krenn

Hands-On ModSecurity & Logging Philipp Krenn @xeraa @xeraa

Let’s talk about security… @xeraa

@xeraa

A1:2017-Injection https://www.owasp.org/index.php/ Top_10-2017_Top_10 @xeraa

@xeraa

A10:2017-Insufficient Logging & Monitoring https://www.owasp.org/index.php/ Top_10-2017_Top_10 @xeraa

@xeraa

Developer @xeraa

Disclaimer I build highly monitored Hello World apps @xeraa

Hello World of SQL Injection: https://xeraa.wtf @xeraa

https://xeraa.wtf/login.php @xeraa

Hello World of SQL Injection $sql = “SELECT * FROM employees WHERE name=’$name’ AND password=SHA1(‘$password’)”; @xeraa

Hello World of SQL Injection ’ or true — @xeraa

@xeraa

https://xeraa.wtf/read.php?id=1 @xeraa

sqlmap —url “https://xeraa.wtf/read.php?id=1” —purge @xeraa

Hello World of SQL Injection $sql = “SELECT * FROM employees WHERE id = ” . trim($_GET[“id”]); error_log(“SQL query [read.php]: ” . $sql . “\n”, 3, “/var/log/app.log”); mysqli_multi_query($link, $sql); if($result = mysqli_use_result($link)){ $row = mysqli_fetch_array($result, MYSQLI_ASSOC); @xeraa

Injection ;INSERT INTO employees (name) VALUES (‘Bad Actor’) @xeraa

No Escaping Either ;INSERT INTO employees (name) VALUES (‘<script>alert(“Hello Friend”)</script>’) @xeraa

What’s going on in our app? @xeraa

@xeraa

@xeraa

@xeraa

@xeraa

DELETE or DROP? @xeraa

@xeraa

Open source Cross-platform web application firewall (WAF) Visibility into HTTP(S) traffic Rules to implement protections @xeraa

OWASP ModSecurity Core Rule Set (CRS) Version 3 • HTTP Protocol Protection • Real-time Blacklist Lookups • HTTP Denial of Service Protections • Generic Web Attack Protection • Error Detection and Hiding @xeraa

Commercial Rules from Trustwave SpiderLabs • Virtual Patching • IP Reputation • Web-based Malware Detection • Webshell / Backdoor Detection • Botnet Attack Detection • HTTP Denial of Service (DoS) Attack Detection @xeraa

Rerun sqlmap sqlmap —url “https://xeraa.wtf/read.php:8080?id=1” —purge @xeraa

Log to JSON SecAuditLogFormat JSON https://www.cryptobells.com/mod_security-json-audit-logs-revisited/ @xeraa

Custom Rule SecRule REQUEST_FILENAME “form.php” “id:’400001’,chain,deny,log,msg:’Spam detected’” SecRule REQUEST_METHOD “POST” chain SecRule REQUEST_BODY “@rx (?i:(pills|insurance|rolex))” @xeraa

@xeraa

Conclusion @xeraa

Examples https://github.com/xeraa/mod_security-log @xeraa

ModSecurity Logging @xeraa

Hands-On ModSecurity & Logging Philipp Krenn @xeraa @xeraa

Philipp Krenn
@xeraa

1 / 44

This talk combines two of the OWASP top ten security risks:

Injections (A1:2017): We are using a simple application that is exploitable by injection and will then secure it with ModSecurity.
Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring the application both with and without ModSecurity with the open source Elastic Stack.

To make it more interactive the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.

Resources

The following resources were mentioned during the presentation or are useful additional information.

GitHub Demo Code

Fighting SQL injections and insufficient logging.