Hands-On ModSecurity and Logging

A presentation at WeAreDevelopers in June 2019 in Berlin, Germany by Philipp Krenn

Slide 1

Hands-On ModSecurity & Logging
Philipp Krenn, @xeraa

Slide 2

Let's talk about security…

Slide 3

Slide 4

A1:2017-Injection
https://www.owasp.org/index.php/Top_10-2017_Top_10

Slide 5

Slide 6

A10:2017-Insufficient Logging & Monitoring
https://www.owasp.org/index.php/Top_10-2017_Top_10

Slide 7

Slide 8

Developer

Slide 9

Disclaimer: I build highly monitored Hello World apps

Slide 10

Hello World of SQL Injection: https://xeraa.wtf

Slide 11

https://xeraa.wtf/login.php

Slide 12

Hello World of SQL Injection

// login.php: both user-supplied values are concatenated straight into the query
$sql = "SELECT * FROM employees WHERE name='$name' AND password=SHA1('$password')";

Slide 13

Hello World of SQL Injection

' or true --

Slide 14

Slide 15

https://xeraa.wtf/read.php?id=1

Slide 16

sqlmap --url "https://xeraa.wtf/read.php?id=1" --purge

Slide 17

Hello World of SQL Injection

// read.php: the id parameter is concatenated into the query and then run with
// mysqli_multi_query(), which accepts several statements separated by ';'
$sql = "SELECT * FROM employees WHERE id = " . trim($_GET["id"]);
error_log("SQL query [read.php]: " . $sql . "\n", 3, "/var/log/app.log");
mysqli_multi_query($link, $sql);
if ($result = mysqli_use_result($link)) {
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
}

Slide 18

Injection

;INSERT INTO employees (name) VALUES ('Bad Actor')

Slide 19

No Escaping Either

;INSERT INTO employees (name) VALUES ('<script>alert("Hello Friend")</script>')
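The login and read pages from slides 12 to 19 can be reproduced without the PHP app. The script below is an added example, not code from the talk or from xeraa.wtf: it uses SQLite in place of MySQL, registers a SHA1() function so the slides' query text stays the same, and puts the concatenated query next to a parameterised one for both pages, plus output escaping for the stored script tag of slide 19. The table layout, the employee row and the function names are constructed for this demo.

```python
import hashlib
import html
import sqlite3

# Added example (not the talk's PHP): SQLite stands in for the MySQL backend of
# xeraa.wtf; the table layout and the sample row are constructed for this demo.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # MySQL's SHA1() has no SQLite counterpart, so register one to keep the
    # slides' query text unchanged. SHA1 is not a password hash; it is only
    # kept here to mirror the slides.
    conn.create_function("SHA1", 1,
                         lambda s: hashlib.sha1(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO employees (name, password) VALUES ('alice', SHA1('s3cret'))")
    conn.commit()
    return conn

# login.php, slides 12/13: the query is assembled by string concatenation, so
# a quote in the name parameter changes the SQL grammar.
def vulnerable_login(conn, name, password):
    sql = f"SELECT * FROM employees WHERE name='{name}' AND password=SHA1('{password}')"
    return conn.execute(sql).fetchone()

# Hardened form: bound parameters never become part of the SQL text.
def safe_login(conn, name, password):
    sql = "SELECT * FROM employees WHERE name=? AND password=SHA1(?)"
    return conn.execute(sql, (name, password)).fetchone()

# read.php, slides 17/18: concatenation plus multi-statement execution
# (mysqli_multi_query); executescript() is the sqlite3 equivalent, so a second
# statement stacked after ';' is executed as well.
def vulnerable_read(conn, id_param):
    sql = "SELECT * FROM employees WHERE id = " + id_param.strip()
    conn.executescript(sql)
    conn.commit()

# Hardened form: the id is validated as an integer and bound as a parameter.
# sqlite3's execute() additionally refuses more than one statement per call.
def safe_read(conn, id_param):
    try:
        employee_id = int(id_param.strip())
    except ValueError:
        return None
    return conn.execute("SELECT * FROM employees WHERE id = ?", (employee_id,)).fetchone()

def employee_count(conn):
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]

# Slide 19: escape on output, so a stored name cannot be rendered as markup.
def render_name(name):
    return "<td>" + html.escape(name) + "</td>"

if __name__ == "__main__":
    conn = make_db()
    payload = "' or true --"                                   # slide 13
    print(vulnerable_login(conn, payload, "x"))                # alice's row, no password
    print(safe_login(conn, payload, "x"))                      # None
    stacked = "1;INSERT INTO employees (name) VALUES ('Bad Actor')"  # slide 18
    vulnerable_read(conn, stacked)
    print(employee_count(conn))                                # 2: the INSERT ran
    print(safe_read(conn, stacked))                            # None: rejected
    print(render_name('<script>alert("Hello Friend")</script>'))
```

The two hardened functions fix the two separate defects the slides show: binding parameters removes the grammar change from slide 13, and running exactly one validated statement removes the stacked INSERT from slide 18. Escaping at render time is a third, independent control; it does not stop the row from being written, only from executing in a browser.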

Slide 20

What's going on in our app?

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

DELETE or DROP?

Slide 32

Slide 33

Open source
Cross-platform web application firewall (WAF)
Visibility into HTTP(S) traffic
Rules to implement protections

Slide 34

OWASP ModSecurity Core Rule Set (CRS) Version 3
• HTTP Protocol Protection
• Real-time Blacklist Lookups
• HTTP Denial of Service Protections
• Generic Web Attack Protection
• Error Detection and Hiding

Slide 35

Commercial Rules from Trustwave SpiderLabs
• Virtual Patching
• IP Reputation
• Web-based Malware Detection
• Webshell / Backdoor Detection
• Botnet Attack Detection
• HTTP Denial of Service (DoS) Attack Detection

Slide 36

Rerun sqlmap

sqlmap --url "https://xeraa.wtf/read.php:8080?id=1" --purge

Slide 37

Slide 38

Log to JSON

SecAuditLogFormat JSON

https://www.cryptobells.com/mod_security-json-audit-logs-revisited/

Slide 39

Custom Rule

# All three chained rules must match before the deny fires; REQUEST_BODY is
# only populated when SecRequestBodyAccess is On
SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
    SecRule REQUEST_METHOD "POST" chain
        SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
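With SecAuditLogFormat JSON (slide 38) every audited transaction becomes one JSON document, and a hit of the custom rule above ends up in it together with any Core Rule Set matches. The script below is an added example, not from the talk or the linked repository: it reads such a log, pulls rule id, message and severity out of the audit_data messages, and counts hits per rule and per client. The three records are constructed; their layout follows the ModSecurity 2.9 JSON format (request, response and audit_data nested under transaction), while the timestamps, addresses, rule file paths and line numbers in them are made up.

```python
import json
import re
from collections import Counter

# Added example (not from the talk). One constructed audit record in the
# layout ModSecurity 2.9 writes for SecAuditLogFormat JSON; all values are made up.
def _record(client, request_line, status, messages):
    return json.dumps({"transaction": {
        "time": "25/Jun/2019:10:01:02 +0200", "transaction_id": "XRExampleTx",
        "remote_address": client, "remote_port": 51000,
        "request": {"request_line": request_line,
                    "headers": {"Host": "xeraa.wtf"}},
        "response": {"protocol": "HTTP/1.1", "status": status},
        "audit_data": {"messages": messages, "engine_mode": "ENABLED"}}})

# Constructed sample log: the custom rule from slide 39 firing, two CRS
# messages on the read page, and one clean transaction with no messages.
SAMPLE_AUDIT_LOG = "\n".join([
    _record("203.0.113.5", "POST /form.php HTTP/1.1", 403, [
        'Access denied with code 403 (phase 2). Pattern match "(?i:(pills|insurance|rolex))" '
        'at REQUEST_BODY. [file "/etc/modsecurity/custom.conf"] [line "3"] '
        '[id "400001"] [msg "Spam detected"]']),
    _record("198.51.100.7", "GET /read.php?id=1 HTTP/1.1", 403, [
        'Warning. detected SQLi using libinjection. '
        '[file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
        '[line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
        '[severity "CRITICAL"]',
        'Access denied with code 403 (phase 2). '
        '[file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
        '[line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
        '[severity "CRITICAL"]']),
    _record("192.0.2.9", "GET /index.php HTTP/1.1", 200, []),
])

# The messages keep the bracketed key/value style of the native audit log's
# H section, so the fields of interest can be picked out with one pattern.
FIELD_RE = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')

def parse_messages(messages):
    """Turn message strings into dicts; entries without a rule id are skipped."""
    parsed = []
    for message in messages:
        fields = dict(FIELD_RE.findall(message))
        if "id" in fields:
            parsed.append(fields)
    return parsed

def parse_audit_log(text):
    """Yield one flat event per matched rule, one line of JSON per transaction."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Fall back to top-level keys in case a build nests the sections differently.
        tx = rec.get("transaction", rec)
        req = tx.get("request") or rec.get("request", {})
        resp = tx.get("response") or rec.get("response", {})
        audit = tx.get("audit_data") or rec.get("audit_data", {})
        for rule in parse_messages(audit.get("messages", [])):
            events.append({
                "time": tx.get("time"),
                "client": tx.get("remote_address"),
                "request": req.get("request_line"),
                "status": resp.get("status"),
                "rule_id": rule["id"],
                "msg": rule.get("msg", ""),
                "severity": rule.get("severity", ""),
            })
    return events

def hits_per_rule(events):
    return Counter(event["rule_id"] for event in events)

def clients_for_rule(events, rule_id):
    return sorted({event["client"] for event in events if event["rule_id"] == rule_id})

if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule_id, count in hits_per_rule(events).most_common():
        print(rule_id, count, clients_for_rule(events, rule_id))
```

Keeping one event per matched rule rather than one per transaction is what makes the per-rule counts straightforward, and it is also the shape a log pipeline wants before indexing: the status code tells you whether the rule blocked or only warned, and the client address lets you spot one source tripping many rules.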

Slide 40

Slide 41

Conclusion

Slide 42

Examples
https://github.com/xeraa/mod_security-log

Slide 43

ModSecurity Logging

Slide 44

Hands-On ModSecurity & Logging
Philipp Krenn, @xeraa