ModSecurity as Universal Cross- pla6orm Web Protec;on Tool. Ryan Barne? Greg Wroblewski

Transcription

1 ModSecurity as Universal Cross- pla6orm Web Protec;on Tool Ryan Barne? Greg Wroblewski

2

3

4

5 WEB APPLICATIONS ARE HIGHLY TARGETED

6 Source Code Fix Challenges 10% Lack of Resources 11% 27% 3rd Party Code 13% Outsourced Code Insufficient Technical Skill 16% 23% Insufficient Contract Scope Cost is Too High Source: OWASP Web Applica2on Virtual Patching Survey

7

8 Account Takeover 6% Spam 5% Profit Fraud 2% Hacktivism Planting of Malware 13% Monetary Loss 15% Leakage of Information 59% Defacement 27% Leakage of Information 27% Downtime 46% Source: WASC Web Hacking Incident Database Q1 2012

9 WHY MODSECURITY?

10 Virtual Patching Defini;on: A security policy enforcement layer which prevents the exploita2on of a known vulnerability.

11 ModSecurity as Virtual Patching Tool Mature, well tested WAF module Project is 10 years old Protec;ng millions of websites >275k source code downloads Rich feature set, spanning both mi;ga;on and audit Significant community support Non- viral open source license OWASP Core Rule Set providing general protec;on

12 MODSECURITY: BEYOND APACHE

13 Web Server Pla6orm Marketshare nginx 11% Other 13% IIS 15% Apache 61% Source: NetcraL: July 2012 Web Server Survey

14 One Config to Rule Them All

15 MODSECURITY IIS EXPERIENCE

16

17

18

19

20

21

22

23 MODSECURITY NGINX EXPERIENCE

24 Build It ~/mod_security#./configure ~/mod_security# cd standalone ~/mod_security/standalone# make ~/nginx #./configure - add- module=../mod_security/nginx/ modsecurity ~/nginx # make ~/nginx # make install

25

26

27 VIRTUAL PATCHING: EXAMPLES

28 CVE Collisions in HashTable May Cause DoS Vulnerability A denial of service vulnerability exists in the way that ASP.NET Framework handles specially crafted requests, causing a hash collision. An attacker who successfully exploited this vulnerability could send a small number of specially crafted requests to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition.

29

30

31

32 Mi;ga;ons Restrict the request body size Restrict the number of ARGS Iden;fy repe;;ve payloads Check ARGS names against PoC data ü There are ModSecurity rules for all four mi;ga;ons

33

34

35 CVE A classic case of cross- site scrip;ng vulnerability h?p://sharepoint/_layouts/scriptresx.ashx?culture=en- us&name=sp.jsgrid.res&rev=laygpe0lqaosnkb4iqx6m A%3D %3D&sec;ons=All z

36

37

38 CVE Blacklist approach: SecRule REQUEST_FILENAME /_layouts/ scriptresx.ashx" "chain,phase:1,block,msg:'xss Attempt Against SharePoint" SecRule ARGS:sections < > ( ) ; : Whitelist approach: SecRule REQUEST_FILENAME "@contains /_layouts/ scriptresx.ashx" "chain,phase:1,block,msg:'sharepoint Sections Param Violation - Illegal Chars" SecRule ARGS:sections "!@rx ^\w+$"

39

40 MODSECURITY 2.7.0: FIRST MULTI- PLATFORM RELEASE

41 Download RC2 Now h?p://sourceforge.net/projects/mod- security/files/modsecurity- apache/ rc2/ h?p://sourceforge.net/projects/mod- security/files/modsecurity- iis/ rc2/ ModSecurityIIS_ rc2.msi

42 New Protec;ons Coming Microsoh Security Response Center will start publishing ModSecurity rules for vulnerabili;es in Microsoh products IIS/ASP/ASP.NET specific ModSecurity rule sets will be created by community effort

43 SUMMARY

44 Resources ModSecurity home page h?p:// OWASP Core Rule Set for ModSecurity h?ps:// Category:OWASP_ModSecurity_Core_Rule_Set_Project MSRC blog h?p://blogs.technet.com/b/srd/ Trustwave SpiderLabs blog h?p://blog.spiderlabs.com/ Trustwave Commercial Rule Set for ModSecurity h?ps:// rules- support.php

45 Contributors Microsoh ModSecurity Port for IIS Greg Wroblewski Senior Security Developer Suha Can Security Researcher / Developer Trustwave - ModSecurity Ziv Mador Director of Security Research Ryan Barne? Security Researcher Lead Breno Pinto ModSecurity Researcher & Developer Open community - Security Port for Nginx Alan Silva - Sohware Engineer at Alcatel- Lucent

46 BLACK HAT ARSENAL SESSIONS WEDNESDAY, 3:30PM, POD 2 THURSDAY, 10:15AM, POD 2

47 THANK YOU FEEDBACK: