Open Source Apache <WAF> Web Application Firewall Ivan Bütler - E1 Compass Security AG ivan.buetler@csnc.ch Switzerland - Germany Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41 61 team@csnc.ch www.csnc.ch
Who am I
- Ivan Bütler, Uznach
- Speaker at Blackhat 2008 Las Vegas
- Born 31.12.1970
- Founder of Compass Security AG
- Founder of Swiss Cyber Storm II
- Passionate Security Researcher
- Husband of Cornelia and father of Tim and Nick (6 & 8)
- Proud Swiss Citizen
Compass Security AG - Team
Compass Security - Overview
Goals of this Talk
- Understanding the demand for a Web App Firewall
- How to build an Open Source Apache Entry Server
- Understanding the components
- Understanding pros & cons
- Understanding pitfalls
Attacking for Fun and Profit
Direct Attacks: Where do you expect the attackers?
(diagram: two attack paths marked BLOCKED, one marked PASSED)
Indirect Attacks (I)
- Man in the Middle
- Phishing
Indirect Attacks (II)
- Malware
- Mobile Devices
- W-LAN
- Bypassing Perimeter Protection
Level 1: Reverse Proxy / Level 2: Web Application Firewall / Level 3: Entry Server
Situations without a Reverse Proxy
- Direct access to the public web applications
- More firewall ports opened
- Applications directly accessible
Reverse Proxy Setup
- Reverse proxy access to public web applications
- Applications protected
Reverse Proxy Setup
- Allows hiding different applications behind a single server
- Single point of entry
(diagram: Browser --https--> Reverse Proxy (server cert) --http--> WebSphere / IIS / WebLogic)
OWASP Top 10 (Q4 2007)
- A1 Cross Site Scripting
- A2 Injection Flaws (SQLi)
- A3 Malicious File Execution (RFI)
- A4 Insecure Direct Object Reference
- A5 Cross Site Request Forgery
- A6 Information Leakage
- A7 Broken Auth & Session Management
- A8 Insecure Cryptographic Storage
- A9 Insecure Communications
- A10 Failure to Restrict URL Access
Commercial Products?
- United Security Providers (USP) SES
- Phion/Visonys AirLock
- AdNovum Nevis Web
- IBM Tivoli Access Manager (a.k.a. WebSEAL)
- NetContinuum Application Security Gateway
- Cisco ACE Web Application Firewall
- Microsoft ISA Server
- ... (this is not a complete list!)
Open Source Entry Server
Cooking Recipe
- Apache core web server: http://httpd.apache.org
- Apache firewall module mod_security: http://www.modsecurity.org
- Apache content rewriting module mod_replace: visit Swiss Cyber Storm (www.hacking-lab.com)
- Apache entry server module mod_but: visit Swiss Cyber Storm (www.hacking-lab.com)
- Apache forensic modules, shipped with Apache httpd: mod_log_forensic & mod_unique_id
Demo Setup: Reverse Proxy
Reverse Proxy Small Feature List
- SSL Termination
- Content Rewriting
- Intrusion Detection & Prevention
- Forensic Logging
- Secure Session Management
- Pre-Authentication & Single Sign-On
- Service Authorization
Reverse Proxy: SSL Termination
Apache mod_ssl & mod_proxy
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile conf/server.crt
    SSLCertificateKeyFile conf/server.key
    SSLProtocol +TLSv1 +SSLv3 -SSLv2
    SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!SSLv2:!EXP
    SSLOptions +StdEnvVars +ExportCertData
    SSLSessionCache shm:ssl/ssl_scache(512000)
    SSLSessionCacheTimeout 18000
Reverse Proxy: SSL Termination
Apache mod_ssl & mod_proxy
    ProxyPass /app1 http://10.1.200.34:8899/
    ProxyPassReverse /app1 http://10.1.200.34:8899/
    ProxyPass /app2 http://10.1.200.77:8080/
    ProxyPassReverse /app2 http://10.1.200.77:8080/
Reverse Proxy: SSL Termination
How do you deny weak browsers from your application?
- Option 1: hardened cipher suite within the application
- Option 2: hardened CipherSuite in httpd.conf
    SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!SSLv2:!EXP
I do not recommend hardened Cipher Suites! Error messages on SSL are not user friendly!
Therefore, I recommend application level checks using mod_headers: a human friendly error message is generated by the backend application when the browser does not fulfil the cipher strength.
    RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e"
Evaluate the SSL_CIPHER within the application behind the proxy. (The SSL_* variables are only available to mod_headers because SSLOptions +StdEnvVars is set on the previous slide.)
Note on the suite above: it reflects 2009 practice. SSLv3 and RC4 have since been deprecated (RFC 7568 and RFC 7465), so a current deployment leaves both out of SSLProtocol and SSLCipherSuite regardless of where the strength check happens.
Reverse Proxy: SSL Termination
Forwarding the negotiated TLS parameters to the backend as request headers:
    RequestHeader append SSL_PROTOCOL "%{SSL_PROTOCOL}e"
    RequestHeader append SSL_SESSION_ID "%{SSL_SESSION_ID}e"
    RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e"
    RequestHeader append SSL_CIPHER_ALGKEYSIZE "%{SSL_CIPHER_ALGKEYSIZE}e"
    RequestHeader append SSL_CIPHER_EXPORT "%{SSL_CIPHER_EXPORT}e"
    RequestHeader append SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}e"
    RequestHeader append SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
Caveat: RequestHeader append merges the value into an existing header of the same name, so a client that sends its own SSL_CIPHER header gets it forwarded alongside the real value. Use RequestHeader set (which replaces any client-supplied header) or unset the header first, and make sure the backend accepts these headers only from the proxy; otherwise the backend check can be spoofed.
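What the backend check described above looks like, as an added example (not from the slides and not any product's code). The 128-bit threshold, the banned protocol set and the message texts are assumptions; SSLv3 is rejected here per current practice even though the 2009 config on the earlier slide still enabled it. The check deliberately fails closed when the SSL_* headers are absent, which is what a request that bypassed the entry server looks like.

```python
"""Backend-side evaluation of the TLS parameters the reverse proxy forwards
as SSL_* request headers. Added example, not from the slides. The 128-bit
threshold, the banned protocol set and the messages are assumptions."""
from typing import Dict, Tuple

MIN_KEY_BITS = 128                      # assumed policy
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}   # assumed policy (current practice)


def check_tls_headers(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, human friendly message).

    Only trustworthy if the proxy overwrites these headers (RequestHeader set)
    and the backend is reachable solely through the proxy; otherwise a client
    can supply SSL_* headers itself."""
    proto = headers.get("SSL_PROTOCOL")
    cipher = headers.get("SSL_CIPHER")
    bits = headers.get("SSL_CIPHER_USEKEYSIZE")
    if proto is None or cipher is None or bits is None:
        # No TLS metadata at all: the request did not come via the entry server.
        return False, "This service is only available through the secure entry server."
    try:
        used = int(bits)
    except ValueError:
        return False, "The entry server reported an unreadable key size; please retry."
    if proto in BANNED_PROTOCOLS or headers.get("SSL_CIPHER_EXPORT") == "true":
        return False, (f"Your browser connected with {proto} using {cipher}, which is "
                       "no longer considered secure. Please update your browser.")
    if used < MIN_KEY_BITS:
        return False, (f"Your browser offered only a {used}-bit cipher ({cipher}); "
                       f"at least {MIN_KEY_BITS} bits are required.")
    return True, f"Connected with {proto}, {cipher} ({used}-bit key)."


if __name__ == "__main__":
    # Constructed header sets, as mod_headers would forward them.
    for sample in ({"SSL_PROTOCOL": "TLSv1", "SSL_CIPHER": "AES256-SHA",
                    "SSL_CIPHER_USEKEYSIZE": "256", "SSL_CIPHER_EXPORT": "false"},
                   {"SSL_PROTOCOL": "SSLv3", "SSL_CIPHER": "RC4-SHA",
                    "SSL_CIPHER_USEKEYSIZE": "128"},
                   {}):
        print(check_tls_headers(sample))
```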
Reverse Proxy: Content Rewriting
Problem:
- The backend application includes absolute href links, e.g. http://backend/index.html
- The backend application secures its cookies with domain, path and expiration restrictions that match the backend, not the proxy
- The backend application speaks a different protocol than the reverse proxy: http links must be fixed up to https
- Absolute URLs, redirections, Location headers (302 Found / Moved Temporarily)
Why not use mod_rewrite? Because mod_rewrite cannot parse and search/replace the body of an HTTP request or response.
Reverse Proxy: Content Rewriting
Why not use mod_substitute?
- In the Apache core since 2.2.7
- Performs search and replace operations on response bodies, but has no support for response headers, request headers or request bodies
Therefore, I recommend mod_replace:
- Request header replacement
- Request body replacement
- Response header replacement
- Response body replacement
Demo configuration. In this demo the backend (glocken.hacking-lab.com, https) is published on the plain-http proxy 192.168.200.130, so links, Location headers and the Secure cookie flag are rewritten downwards; for a TLS-terminating proxy in front of an http backend the patterns run the other way and the Secure flag is kept.
    ReplaceFilterDefine myproxy1 CaseIgnore
    ReplacePattern myproxy1 "glocken.hacking-lab.com" "192.168.200.130"
    ReplacePattern myproxy1 "https" "http"
    HeaderReplacePattern myproxy1 Location "glocken.hacking-lab.com" "192.168.200.130"
    HeaderReplacePattern myproxy1 Location "https" "http"
    HeaderReplacePattern myproxy1 Set-Cookie "Secure" ""
    SetOutputFilter myproxy1
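The same fix-ups spelled out in Python, added here as an illustration of what the filter has to do; it is not mod_replace's code. It assumes a backend at http://backend:8080 published under https://www.example.com/app1 (both names invented), i.e. the production direction with an http backend behind a TLS-terminating proxy. It rewrites the Location header, re-scopes the Set-Cookie Path and adds Secure, and fixes absolute links and root-relative links in the body; header-only rewriting such as ProxyPassReverse never touches the body cases.

```python
"""Content rewriting for a TLS-terminating reverse proxy (added example, not
mod_replace's code). BACKEND and PUBLIC are assumed names: the backend answers
on plain http and is published under an https URL prefix."""
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

BACKEND = "http://backend:8080"           # assumed internal origin
PUBLIC = "https://www.example.com/app1"   # assumed public prefix (ProxyPass /app1)
PUBLIC_PATH = "/app1"


def rewrite_url(value: str) -> str:
    """Absolute backend URL -> public URL (covers Location headers)."""
    return value.replace(BACKEND, PUBLIC)


def rewrite_set_cookie(value: str) -> str:
    """Re-scope a backend cookie: drop the backend's Domain/Path, pin the path
    to the published prefix, add Secure because the client leg is HTTPS, and
    leave it host-only (no Domain attribute) as the tightest scope."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    kept = [p for p in parts[1:]
            if p.split("=", 1)[0].lower() not in ("domain", "path", "secure")]
    return "; ".join([parts[0]] + kept + [f"Path={PUBLIC_PATH}", "Secure"])


def rewrite_body(body: str) -> str:
    """Fix absolute links to the backend and root-relative links in HTML."""
    body = re.sub(r'(href|src|action)=(["\'])' + re.escape(BACKEND),
                  lambda m: f"{m.group(1)}={m.group(2)}{PUBLIC}", body)
    # root-relative ("/logo.png") but not protocol-relative ("//cdn/..."):
    body = re.sub(r'(href|src|action)=(["\'])/(?!/)',
                  lambda m: f"{m.group(1)}={m.group(2)}{PUBLIC_PATH}/", body)
    return body


def rewrite_response(headers: Headers, body: str) -> Tuple[Headers, str]:
    out: Headers = []
    for name, value in headers:
        if name.lower() == "location":
            value = rewrite_url(value)
        elif name.lower() == "set-cookie":
            value = rewrite_set_cookie(value)
        out.append((name, value))
    return out, rewrite_body(body)


# Constructed backend response, as a backend that knows nothing about the
# proxy would emit it.
SAMPLE_HEADERS: Headers = [
    ("Location", "http://backend:8080/login"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
]
SAMPLE_BODY = '<a href="http://backend:8080/index.html">home</a><img src="/logo.png">'

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY))
```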
Demo: Web Firewall mod_security
Reverse Proxy: Intrusion Detection
Apache mod_security2
    LoadModule security2_module modules/mod_security2.so
Basic configuration options:
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    ...
    Include conf/modsecurity2/*.conf
Configure SecDefaultAction:
    SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"
SecRequestBodyAccess On is what lets phase 2 rules see POST bodies; with SecResponseBodyAccess Off, response-phase rules cannot inspect response bodies (e.g. for information leakage), which is the cheaper default shown here.
Reverse Proxy: Forensic Logging
Correlation across tiers (simplified illustration)
Reverse Proxy: Forensic Logging
Who generates the Request ID (alias UNIQUE_ID)? Apache mod_unique_id.
Default log option in httpd.conf (without mod_unique_id):
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
Web Application Firewall log option (with mod_unique_id):
    LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b" common
    ForensicLog logs/forensic.log
%{forensic-id}n is the request note set by mod_log_forensic; when mod_unique_id is loaded, mod_log_forensic uses its UNIQUE_ID as the forensic ID, so the same ID appears in access.log and forensic.log.
Sending the UNIQUE_ID as HTTP request header to the backend:
    RequestHeader append UNIQUE_ID "%{UNIQUE_ID}e"
(Prefer RequestHeader set here too, so a client-supplied UNIQUE_ID header cannot be merged into the value the backend logs.)
Reverse Proxy: Forensic Logging
Unique ID in access.log:
    SYq7yX8AAQEAAGOqIicAAAAA 192.168.200.10 - - [05/Feb/2009:11:13:29 +0100] "GET /webapp/but/echorequest HTTP/1.1" 404 329
Unique ID in forensic.log (request line and headers separated by "|", one line per request start and one per request end):
    grep SYq7yX8AAQEAAGOqIicAAAAA forensic.log
    +SYq7yX8AAQEAAGOqIicAAAAA|GET /webapp/but/echorequest HTTP/1.1|Host:192.168.200.130|User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv%3a1.8.0.4) Gecko/20060508 Firefox/1.5.0.4|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5|Accept-Language:en-us,en;q=0.5|Accept-Encoding:gzip,deflate|Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7|Keep-Alive:300|Connection:keep-alive|Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb|Cache-Control:max-age=0
    -SYq7yX8AAQEAAGOqIicAAAAA
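The correlation the two logs allow, as an added example in Python (not part of the slides, not Apache's check_forensic script). The sample log lines are constructed: the first access.log line is the one shown above, the other IDs are invented variants. forensic.log is laid out as mod_log_forensic documents it ("+ID|request line|Header:value|..." at request start, "-ID" at request end, with ":" and "|" inside values %xx-escaped). Besides joining the two files by ID, the example flags requests that started but never finished, which is the main thing the forensic log adds over access.log.

```python
"""Correlate access.log and forensic.log by the mod_unique_id request ID.
Added example, not from the slides; sample lines are constructed."""
import re
from typing import Dict, List
from urllib.parse import unquote

ACCESS_LOG = """\
SYq7yX8AAQEAAGOqIicAAAAA 192.168.200.10 - - [05/Feb/2009:11:13:29 +0100] "GET /webapp/but/echorequest HTTP/1.1" 404 329
SYq7yX8AAQEAAGOqIigAAAAB 192.168.200.11 - - [05/Feb/2009:11:13:31 +0100] "GET /webapp/?q=<script> HTTP/1.1" 403 0
"""

FORENSIC_LOG = """\
+SYq7yX8AAQEAAGOqIicAAAAA|GET /webapp/but/echorequest HTTP/1.1|Host:192.168.200.130|User-Agent:Mozilla/5.0|Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb
-SYq7yX8AAQEAAGOqIicAAAAA
+SYq7yX8AAQEAAGOqIigAAAAB|GET /webapp/?q=<script> HTTP/1.1|Host:192.168.200.130|User-Agent:Mozilla/5.0 (X11; rv%3a1.9)
-SYq7yX8AAQEAAGOqIigAAAAB
+SYq7yX8AAQEAAGOqIikAAAAC|POST /webapp/upload HTTP/1.1|Host:192.168.200.130|Content-Length:1048576
"""

# "%{forensic-id}n %h %l %u %t \"%r\" %>s %b"
ACCESS_RE = re.compile(
    r'^(?P<id>\S+) (?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')


def parse_access(text: str) -> Dict[str, dict]:
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            entries[m.group("id")] = m.groupdict()
    return entries


def parse_forensic(text: str) -> Dict[str, dict]:
    """'+' lines open a request (request line plus headers), '-' lines close it."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        if line.startswith("+"):
            fields = line[1:].split("|")
            headers = {}
            for field in fields[2:]:
                name, _, value = field.partition(":")
                headers[name] = unquote(value)  # undo the %xx escaping of ':' and '|'
            entries[fields[0]] = {"request": fields[1], "headers": headers,
                                  "completed": False}
        elif line.startswith("-") and line[1:] in entries:
            entries[line[1:]]["completed"] = True
    return entries


def correlate(access: Dict[str, dict], forensic: Dict[str, dict]) -> List[dict]:
    """One row per access.log entry, enriched with the full request headers."""
    rows = []
    for rid, a in access.items():
        f = forensic.get(rid, {})
        rows.append({"id": rid, "client": a["host"], "status": a["status"],
                     "request": a["request"], "headers": f.get("headers", {})})
    return rows


def unfinished(forensic: Dict[str, dict]) -> List[str]:
    """IDs logged at request start that never got a '-' line: the request hung
    or the server died while handling it (it has no access.log line at all)."""
    return sorted(rid for rid, f in forensic.items() if not f["completed"])


if __name__ == "__main__":
    fo = parse_forensic(FORENSIC_LOG)
    for row in correlate(parse_access(ACCESS_LOG), fo):
        print(row["id"], row["status"], row["headers"].get("Cookie"))
    print("unfinished:", unfinished(fo))
```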
Demo: Session Management mod_but
Reverse Proxy: Session Management
Without a session store (cookie store): reverse proxy, applications protected
Reverse Proxy: Session Management
With session store (session hiding): reverse proxy, applications protected
Reverse Proxy: Pre-Authentication
Zones:
- Public Zone: Login Server (anonymous access)
- Private Zone: E-Business Applications (authentication is required)
(diagram: Internet -> FW -> Entry Tier -> FW -> Application; the entry tier forwards authenticated requests only to the application and sends not-yet-authenticated requests to the Login Service)
Reverse Proxy: Pre-Authentication
(sequence diagram: Client, MOD_BUT, DLS (Delegated Login Service), LDAP, Backend Application)
1. Client -> MOD_BUT: GET /application
2. MOD_BUT -> Client: redirect to login page
3. Client -> DLS: POST login data
4. DLS -> LDAP: authenticate()
5. DLS fetches the login data for the backend app (username/password for the backend app)
6. DLS -> Backend Application: login into backend app; backend answers "login ok"
7. DLS -> MOD_BUT: LOGON=ok
8. MOD_BUT -> Client: OK
MOD_BUT Logon Cookie
Messages from the Login Server to MOD_BUT:
- LOGON=ok
- MOD_BUT_USERNAME=<$user>
- MOD_BUT_AUTH_STRENGTH=0,1,2
- MOD_BUT_SERVICE_LIST=regexp
- MOD_BUT_BACKEND_SESSION bname=a; bvalue=b; bclearance=c;
Reverse Proxy: Service Authorization
Service Authorization: the user is granted permission for certain, but not all, URLs behind the reverse proxy.
Example:
- User is authorized for /upload
- User is authorized for /admin
- User is not authorized for /enterpriseadmin
The Login Server sends control cookies to the Reverse Proxy:
    Set-Cookie: LOGON=ok
    Set-Cookie: MOD_BUT_USERNAME=$username
    Set-Cookie: MOD_BUT_SERVICE_LIST=(^/12001(.*))
    Set-Cookie: MOD_BUT_AUTH_STRENGTH=0,1,2
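A model of the flow on the last three slides, added as an example; it is not mod_but's code. The proxy holds a server-side session keyed by the MOD_BUT cookie, consumes the login server's control cookies (LOGON, MOD_BUT_USERNAME, MOD_BUT_AUTH_STRENGTH, MOD_BUT_SERVICE_LIST) into that session and passes only ordinary application cookies on to the browser, then decides each request from the stored state: logged on at all, strong enough for the URL (step-up), and URL matched by the service-list regexp. The in-memory store, the step-up policy for /admin and the return codes are assumptions. Because only the session ID is ever read from the client, a browser that sends its own LOGON=ok gains nothing.

```python
"""Server-side session store with pre-authentication, step-up and service
authorization driven by the login server's control cookies. Added example
modelling the slides; not mod_but's code. Store layout, step-up policy and
return codes are assumptions."""
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Cookies the login server sends to the proxy; they must never reach the browser.
CONTROL_COOKIES = {"LOGON", "MOD_BUT_USERNAME", "MOD_BUT_AUTH_STRENGTH", "MOD_BUT_SERVICE_LIST"}

# Assumed step-up policy: URL patterns that need at least this auth strength.
REQUIRED_STRENGTH = {r"^/admin": 2}


class SessionStore:
    """In-memory stand-in for the proxy's shared-memory session store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(24)  # unguessable MOD_BUT cookie value
        self._sessions[sid] = {"logon": False, "user": None, "strength": 0, "services": None}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return self._sessions.get(sid) if sid else None


def absorb_login_response(store: SessionStore, sid: str, set_cookies: List[str]) -> List[str]:
    """Consume the login server's Set-Cookie lines into the server-side session.
    Returns the Set-Cookie lines that may still be passed through to the browser."""
    sess = store.get(sid)
    if sess is None:
        raise KeyError("unknown session")
    passthrough: List[str] = []
    for line in set_cookies:
        name, _, rest = line.partition("=")
        name, value = name.strip(), rest.split(";", 1)[0]
        if name not in CONTROL_COOKIES:
            passthrough.append(line)          # ordinary application cookie
            continue
        if name == "LOGON":
            sess["logon"] = (value == "ok")
        elif name == "MOD_BUT_USERNAME":
            sess["user"] = value
        elif name == "MOD_BUT_AUTH_STRENGTH":
            sess["strength"] = int(value)
        elif name == "MOD_BUT_SERVICE_LIST":
            sess["services"] = re.compile(value)  # regexp of authorised URLs
    return passthrough


def authorize(store: SessionStore, cookies: Dict[str, str], path: str) -> Tuple[bool, str]:
    """Decision for one request. Only MOD_BUT is read from the client, so
    LOGON or MOD_BUT_SERVICE_LIST sent by the browser are ignored."""
    sess = store.get(cookies.get("MOD_BUT"))
    if sess is None or not sess["logon"]:
        return False, "redirect-to-login"
    for pattern, level in REQUIRED_STRENGTH.items():
        if re.match(pattern, path) and sess["strength"] < level:
            return False, "step-up-required"
    if sess["services"] is None or not sess["services"].search(path):
        return False, "service-not-authorized"   # deny by default
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    # Constructed login-server response for the example user on the slide.
    absorb_login_response(store, sid, ["LOGON=ok", "MOD_BUT_USERNAME=alice",
                                       "MOD_BUT_AUTH_STRENGTH=1",
                                       "MOD_BUT_SERVICE_LIST=(^/upload(.*))|(^/admin(.*))"])
    for url in ("/upload/x", "/admin", "/enterpriseadmin"):
        print(url, authorize(store, {"MOD_BUT": sid}, url))
```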
Reverse Proxy: DLS
DLS = Delegated Login Service
- Some applications have their own login component (Outlook Web Access, Wiki)
- The DLS authenticates on behalf of the user
MOD_BUT Features
- Session Store
- Pre-Authentication
- Step-Up Authentication (Authorization Level)
- Service Authorization
- Delegated Login Server Support
- Cookie Pass Through
The Secure Document Exchange Solution: who uses mod_but?
MOD_BUT TODO
[ ] Rewrite SHM handling and data structures, eliminate SHM stuff from callers (mod_but_cookiestore.c, mod_but_session.c, mod_but_shm.c)
Goals: increased performance, lower shared memory usage, more robust interfaces, thread-safety
Some differences to Airlock?
Airlock URL Encryption
- URL-Encryption
- Effective against forceful browsing
- URLs and parameters are protected
- Hides technology and topology
- Works dynamically, no specific configuration necessary
Example (one encrypted URL, wrapped on the slide):
    GET https://web.server.com/home/mdncigbpceddnkbmmocngdlhbeojjeMCHJOIAODKJPNOPOEPOBJONBPFCFCNBOEIPICACIPNAKIIKLFMEIMEGBFGFGMIBDLEipe4PixkUbKsXFBnb6YodmYPJyK66k1Ochxjrr6+Zaziy20FxB+Sz1hUm8OchL/IREKvKVzlNKSRuiig7sh7jwI4y2xFNltX98GQFYkGq7fbHtzBKtOCQtQ0AviT1pJlP1I+xG5baW/3zx/IuHD9dpJ4I0J92oN9wa5gcs8JXQ7lkcG2HsV8EiPKbt7wFR2h HTTP/1.1
Airlock Smart Form Protection
- Cryptographic protection of HTML forms
- Only allowed input is accepted (Airlock remembers form fields)
- Automatic protection of hidden and selection fields
Load Balancing / High Availability
Failover (London / New York) with a central session store (high availability)
(diagram: Entry Server London and Entry Server New York share a Central Session Store; each site has its own Login Service and Backend Application)
Entry Server & AJAX: Security Implications
AJAX Request/Response
- New engine built into newer browsers!
- Interactive GUI
- Asynchronous processing: not every action needs to be started by pressing the submit button
- Asynchronous processing: AJAX updates the browser window (content)
Source: Wikipedia
XMLHttpRequest (XHR)
- XMLHttpRequest is a browser API to perform background HTTP requests from JavaScript
- Introduced by Microsoft with IE 5.0 (1999)
- IE 5.0 / 6.0: COM/ActiveX object Microsoft.XMLHTTP; ActiveX must be enabled
- IE 7.0, Firefox, Opera, Safari and other browsers: native JavaScript object XMLHttpRequest; ActiveX not required; portable
Data Exchange Formats
- Upstream data format
- Downstream data format
Upstream Data Formats
Possible data formats:
- GET parameters
- POST parameters
- XML
- SOAP
Some server-side API is provided; it often maps to server-side objects and their functions, so AJAX calls in this case are like remote method invocations.
Upstream: HTTP GET Parameters
    GET /dyn/req?call=foo&arg=bar HTTP/1.1
    ...
Upstream: HTTP POST Parameters
    POST /dyn/req HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    ...
    call=foo&arg=bar
Upstream: XML (HTTP POST)
    POST /dyn/req HTTP/1.1
    Content-Type: text/xml
    ...
    <?xml version="1.0" encoding="utf-8"?>
    <request connectionid="cxooiqm">
      <call type="foo">
        <argument name="bar">true</argument>
      </call>
    </request>
Upstream: SOAP (HTTP POST)
    POST /dyn/req HTTP/1.1
    Content-Type: application/soap+xml
    ...
    <?xml version="1.0" encoding="utf-8"?>
    <Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
      <Body>
        ...
      </Body>
    </Envelope>
Downstream: XML
    HTTP/1.1 200 OK
    Content-Type: text/xml
    ...
    <?xml version="1.0" encoding="utf-8"?>
    <response>
      <result type="login">
        <status>false</status>
        <msg>username or password invalid.</msg>
      </result>
    </response>
Downstream: JavaScript
    HTTP/1.1 200 OK
    Content-Type: text/javascript
    ...
    LibJs.user='nobody';
    LibJs.groups=['member','nobody','wnc5Xh'];
    $L('kYP64i').render([$e('h1',{classname:'Compiled',attributes:{},children:[$T(LibJs.compiler.fromascii('hello world!'))]...
    LibJs.Server.oncomplete(1664);
Downstream: JSON
    HTTP/1.1 200 OK
    Content-Type: text/x-json
    ...
    {"menu": {
      "id": "file",
      "popup": {
        "menuitem": [
          {"value": "New", "onclick": "NewDoc()"},
          {"value": "Open", "onclick": "OpenDoc()"},
          {"value": "Close", "onclick": "CloseDoc()"}
        ]}}}
Downstream: Custom
    HTTP/1.1 200 OK
    Content-Type: text/x-gwt
    ...
    {OK}["53723","84268","78357","27843"]
New: The Entry Server Problem
What is a valid request?
- Look at the JavaScript code and guess what it might call and what the parameters might be: infeasible! JavaScript is way too dynamic!
Filter patterns and AJAX:
- How to detect HTML injection in XML?
- How to detect XSS in JavaScript/JSON?
- How to sign an AJAX response?
Every AJAX application is very different; there is no "standard" like the HTML <form>. Impossible without support from the application!
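One piece of the problem that an entry server can solve on its own, shown as an added example (not from the slides): the same payload arrives urlencoded, entity-escaped inside XML, or \u-escaped inside JSON, and a byte-level pattern on the raw body sees it only in the first case. Parsing the body by Content-Type and checking every decoded string value catches all three; a format the proxy does not know (the text/x-gwt custom format above) is handed back as one opaque value, which is where application support becomes necessary. The request bodies are constructed after the slides' examples and the XSS pattern is a deliberately small stand-in for real rule sets.

```python
"""Format-aware extraction of user-controlled values from AJAX request bodies.
Added example, not from the slides; sample bodies are constructed after the
slides' examples and XSS_RE is a stand-in for real WAF rules."""
import json
import re
from typing import List, Tuple
from urllib.parse import parse_qsl
from xml.etree import ElementTree as ET

XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)


def extract_values(content_type: str, body: str) -> List[Tuple[str, str]]:
    """Return (location, decoded value) pairs. Formats the entry server does
    not understand come back as one opaque value, which is all a generic
    filter could inspect anyway."""
    ctype = content_type.split(";")[0].strip().lower()
    values: List[Tuple[str, str]] = []
    if ctype == "application/x-www-form-urlencoded":
        values = list(parse_qsl(body, keep_blank_values=True))   # %xx decoded
    elif ctype in ("text/xml", "application/xml", "application/soap+xml"):
        root = ET.fromstring(body.encode("utf-8"))              # entities decoded
        for el in root.iter():
            if el.text and el.text.strip():
                values.append((el.tag, el.text.strip()))
            values.extend((f"{el.tag}@{k}", v) for k, v in el.attrib.items())
    elif ctype in ("application/json", "text/x-json"):
        def walk(node, path: str) -> None:
            if isinstance(node, dict):
                for k, v in node.items():
                    walk(v, f"{path}.{k}")
            elif isinstance(node, list):
                for i, v in enumerate(node):
                    walk(v, f"{path}[{i}]")
            elif isinstance(node, str):
                values.append((path, node))                      # \uXXXX decoded
        walk(json.loads(body), "$")
    else:
        values = [("<opaque>", body)]
    return values


def find_injections(content_type: str, body: str) -> List[Tuple[str, str]]:
    return [(loc, v) for loc, v in extract_values(content_type, body) if XSS_RE.search(v)]


# Constructed request bodies: the same payload in three encodings, plus the
# custom GWT format from the slides.
FORM_BODY = "call=foo&arg=%3Cscript%3Ealert(1)%3C/script%3E"
XML_BODY = ('<?xml version="1.0" encoding="utf-8"?>'
            '<request connectionid="cxooiqm"><call type="foo">'
            '<argument name="bar">&lt;script&gt;alert(1)&lt;/script&gt;</argument>'
            '</call></request>')
JSON_BODY = ('{"menu": {"id": "file", "popup": {"menuitem": ['
             '{"value": "New", "onclick": "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e"}]}}}')
GWT_BODY = '{OK}["53723","84268"]'

if __name__ == "__main__":
    for ctype, body in (("application/x-www-form-urlencoded", FORM_BODY),
                        ("text/xml", XML_BODY), ("text/x-json", JSON_BODY),
                        ("text/x-gwt", GWT_BODY)):
        print(ctype, "raw match:", bool(XSS_RE.search(body)),
              "decoded hits:", find_injections(ctype, body))
```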
Appendix
Apache Compilation with mod_replace
Copy the module into the filters directory:
    cp mod_replace.c ./httpd-2.2.10/modules/filters
Add the following line to ./httpd-2.2.10/modules/filters/config.m4:
    APACHE_MODULE(replace, replace filter module,,, most)
Change to $APACHE_SRC and run autoconf:
    cd ./httpd-2.2.10/
    autoconf
Check that --enable-replace is available:
    cd ./httpd-2.2.10/
    ./configure --help | grep replace
Apache Compilation
Compile Apache with mod_replace:
    cd ./httpd-2.2.10/
    ./configure \
      --prefix=/opt/applic/http-2.2.10 \
      --enable-so \
      --enable-ssl \
      --enable-proxy \
      --enable-rewrite \
      --enable-substitute \
      --enable-replace \
      --enable-headers \
      --enable-unique-id \
      --enable-log-forensic \
      --enable-expires