Let me secure that for you!

Similar documents
Application security : going quicker

Protect your apps and your customers against application layer attacks

Solutions Business Manager Web Application Security Assessment

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

OWASP Top 10 The Ten Most Critical Web Application Security Risks

TIBCO Cloud Integration Security Overview

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

haltdos - Web Application Firewall

Web Application Penetration Testing

Web Application Firewall

Certified Secure Web Application Engineer

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CSWAE Certified Secure Web Application Engineer

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Web Application Security. Philippe Bogaerts

Positive Security Model for Web Applications, Challenges. Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

SECURE CODING ESSENTIALS

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

epldt Web Builder Security March 2017

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web Application Firewall (WAF) Evasion Techniques

N different strategies to automate OWASP ZAP

RiskSense Attack Surface Validation for Web Applications

WALLARM AI ENGINE: HOW IT WORKS

Secure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

ShiftLeft. Real-World Runtime Protection Benchmarking

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

EasyCrypt passes an independent security audit

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Surrogate Dependencies (in

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

OWASP TOP 10. By: Ilia

Robust Defenses for Cross-Site Request Forgery Review

Copyright

OWASP Switzerland,

DreamFactory Security Guide

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Security. CSC309 TA: Sukwon Oh

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

ModSecurity 2.0 Webcast: Answers To Common Questions

Web Vulnerabilities. And The People Who Love Them

Web Application Firewall Getting Started Guide. September 7, 2018

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

1. APPLICATION SECURITY: KEY CHALLENGES

WEB SECURITY: XSS & CSRF

F5 Application Security. Radovan Gibala Field Systems Engineer

Advanced Web Technology 10) XSS, CSRF and SQL Injection

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

F5 comprehensive protection against application attacks. Jakub Sumpich Territory Manager Eastern Europe

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

SECURITY TESTING. Towards a safer web world

Application Security at Scale

Secure DevOps: A Puma s Tail

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Managed Application Security trends and best practices in application security

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Fighting bad guys with an IPS from scratch

GOING WHERE NO WAFS HAVE GONE BEFORE

How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity

Combating Common Web App Authentication Threats

Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security


Welcome to the OWASP TOP 10

THE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security

NET 311 INFORMATION SECURITY

Notes From The field

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Application Security Buyer s Guide

Human vs Artificial intelligence Battle of Trust

Q Web Attack Analysis Report

eb Security Software Studio

Evaluation Criteria for Web Application Firewalls

Web basics: HTTP cookies

Suman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017

C1: Define Security Requirements

Code review guide. Notice: Read about the language that you will test its code, if you don t have an idea about the language this will be difficult.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Web basics: HTTP cookies

Web Applications & APIs

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Transcription:

Let me secure that for you! Appsec AU, 9 Sept 2017 Kirk Jackson @kirkj lmstfu.com @LetMeSecureThat

This talk is not about RedShield! We are the world's first web application shielding-with-a-service cybersecurity company. RedShield don t use ModSecurity or node.js We wrap a service around virtual patching How does virtual patching work? Can it be done DIY? No ver t an tise me n ad t!

Building a secure web app

Vulnerability Scan Proxy Penetration Testing IDS DLP File integrity monitoring Web Server AV SIEM App RASP Config Agent IAM Threat modelling Security Reviews Security Training Web app firewall Firewall Attacks Production Configuration Review Monitoring Deployment SDLC Security Testing IAST Cloud workflow protection OS Hardening SAST App Release Patch Automation Management DAST Identity Governance Configuration Management Policies Standard Operating Procedures

Vulnerability Scan Penetration Testing Proxy Production re u c e s t s i g n i y f Veri Security Reviews Security B Testing IAST IDS Web Server AV File integrity monitoring Ho stin g it App RASP DLP Config Agent SIEM sec u IAM Threat modelling se t i SDLC g n i d uil Security Training Web app firewall Firewall Attacks Configuration Review elydeployment r u c rel y Monitoring Cloud workflow protection OS Hardening SAST App Release Patch Automation Management DAST Identity Governance Configuration Management Policies Standard Operating Procedures

Approximate cost: $4.2m

Building a secure web app

But what if there are bugs?

Proxy Penetration Testing Web app firewall Firewall Attacks Production Web Server App RASP The WAF might stop signature-based attacks

c i g o l iness bus But what if there are bugs? ^

Proxy Penetration Testing Web Server App RASP Threat modelling Security Reviews Security Training Web app firewall Firewall Attacks Production Deployment SDLC Security Testing IAST SAST App Release Automation DAST Business logic weaknesses will need a new app release

The cost of releasing updated software Divert team from current projects Branch, merge, build, test Release management, change review board Release Timeframe from discovery to release? Do you even have the source code? What process do you need to shortcut?

Patch the issues without touching underlying website

Proxy Penetration Testing Virtual Patching Firewall Attacks Production Web Server App Replace the WAF with a more capable layer Let me secure that for you!

Virtual Patching prevent the exploitation of a known vulnerability

Virtual Patching An agile security approach Available to security teams in lieu of software development React quickly while waiting for the cleanup https://www.owasp.org/index.php/virtual_patching_cheat_sheet

Our Virtual Patching Approach Understand how to exploit the security issue Only patch known vulnerabilities or weaknesses Avoid over-patching or doing things that will cause issues: Learning mode, tuning, false positives Large blocklists Focus only on the script, page or parameter affected

Our Virtual Patching Approach Choose an approach: Block - if you re not worried about the user s experience Redirect - send the user to an error page Transform - change request or response to make safe Validation - if you want to give helpful messages to guide users to enter correct values Alert - so you know if there s an attack

Let me secure that for you! lmstfu.com

WAF ALERT!!!!! Our users hate our WAF because they re blocked by false positives Our developers hate our WAF because it slows them down Our sysadmins hate our WAF because it requires constant tuning Our security team hate our WAF because it doesn t block real vulnerabilities

Our Virtual Patching Approach Understand how to exploit the security issue Only patch known vulnerabilities or weaknesses Re cap Avoid over-patching or doing things that will cause issues: Learning mode, tuning, false positives Large blocklists Focus only on the script, page or parameter affected

[Pause to demo a vulnerable website] www.dev.0-days.net lmstfu.dev.0-days.net

Our site has multiple vulnerabilities and weaknesses OWASP Top 10: Business-logic vulnerabilities: Access to admin urls Purchase negative quantities SQL injection in product search Cross-site scripting in product comments Cross-site request forgery in product comments Viewing other people s orders Jumping past the payment screen Disclosure of credit card numbers Password weaknesses

Let me secure that for you! ModSecurity Open-source web app firewall OWASP Core Rule Set Node.js Signatures for common OWASP attacks Fast, flexible, event-driven State storage in redis

Docker

Demo of lmstfu setup

ModSecurity Originally an Apache httpd module v2.9.2 also supports IIS and nginx (instabilities) v3.0.0rc rewritten into libmodsecurity + connector Not all features supported yet Doesn t do much out of the box Safe to enable in DetectionOnly mode modsecurity.org www.feistyduck.com/books/modsecurity-handbook/

OWASP ModSecurity Core Rule Set Ruleset for common attacks: SQL Injection (SQLi) Cross Site Scripting (XSS) Local File Inclusion (LFI) Remote File Inclusion (RFI) Remote Code Execution (RCE) PHP Code Injection HTTPoxy Shellshock Session Fixation Scanner Detection Metadata/Error Leakages GeoIP Country Blocking coreruleset.org Tuned to avoid false positives

OWASP ModSecurity Core Rule Set crs-setup.conf.example - configure mode, paranoia level Look at requests Look at responses REQUEST-901-INITIALIZATION.conf REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf REQUEST-905-COMMON-EXCEPTIONS.conf REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf Is this an attack? REQUEST-949-BLOCKING-EVALUATION.conf RESPONSE-959-BLOCKING-EVALUATION.conf RESPONSE-980-CORRELATION.conf

Anatomy of a SecRule SecRule VARIABLES OPERATOR [ACTIONS] SecRule REQUEST_FILENAME ARGS, ENV, FILES, IP, PATH_INFO, REMOTE_ADDR, REQUEST_COOKIES, REQUEST_URI, REQUEST_HEADERS,... http://lmstfu.com/secrulelayout

Anatomy of a SecRule SecRule VARIABLES OPERATOR [ACTIONS] SecRule REQUEST_FILENAME "@rx /order/details/" \ @rx, @streq, @beginswith, @contains, @gt, @lt,... http://lmstfu.com/secrulelayout

Anatomy of a SecRule SecRule VARIABLES OPERATOR [ACTIONS] SecRule REQUEST_FILENAME "@rx /order/details/" \ "id:11101,phase:1,deny,log,\ Phases: 1) Request headers, 2) Request body, 3) Response headers, 4) Response body, 5)Logging http://lmstfu.com/secrulelayout

Anatomy of a SecRule SecRule VARIABLES OPERATOR [ACTIONS] SecRule REQUEST_FILENAME "@rx /order/details/" \ "id:11101,phase:1,deny,log,\ t:none,t:lowercase,t:normalisepath,\ msg:'blocking access to %{MATCHED_VAR}'" http://lmstfu.com/secrulelayout

SecRule chaining Logical AND between rules: SecRule ARGS:p "@rx test1" \ id:2000,chain,... SecRule ARGS:q "@rx test2"

More complex flow control SecMarker IF SecRule &ARGS:admin "@gt 0" \ "id:2000,pass,nolog,skipafter:else" SecMarker THEN SecRule ARGS:p "@rx K1" "id:2001,block,log" SecAction "id:2003,pass,nolog,skipafter:end" SecMarker ELSE SecRule ARGS:p "@rx K3" "id:2003,block,log" SecMarker END www.feistyduck.com/books/modsecurity-handbook/

Demo of modsecurity

Block a URL Modify Request + Response: GET /admin/orders Inspect Request Headers Is it the right url? Take action: SecRule Reject REQUEST_FILENAME "/admin/orders" \ "id:11101,phase:1,deny,log,\ t:none,t:lowercase,t:normalisepath,\ msg:'blocking access to %{MATCHED_VAR}'"

Validating a parameter Modify Request + Response: Quantity=-1 Inspect Request Headers + Body Is parameter a positive number? Take action: Reject SecRule ARGS:/^ProductChoices\[.*\].Quantity$/ "!@rx ^\d+$" \ "id:10050, phase:2, pass, log, \ t:none, t:removewhitespace, \ msg:'invalid quantity entered: %{MATCHED_VAR}'" (V15)

XSS in the input? Modify Request + Response: <script>alert(1)</script> Inspect Request Headers + Body Does parameter look like XSS? Take action: Reject # Configure-Time: Only test XSS for the Comment parameter SecRuleUpdateTargetByID 941100-941999 "ARGS:Comment" # See V15

Blocking XSS 26 regexes from coreruleset.org

Blocking XSS ModSecurity also uses libinjection for XSS and SQLi detection Guns and Butter: Towards Formal Axioms of Validation Hanson and Patterson formally proved that for any regex validator, we could construct either a safe query which would be flagged as dangerous, or a dangerous query which would be flagged as correct https://github.com/client9/libinjection http://slidesha.re/obch5k

SQL injection in the input? Modify Request + Response: ' OR 1==1 - Inspect Request Headers + Body Does parameter look like SQLi? Take action: Reject # Configure-Time: Only test SQLi for the SearchTerm parameter SecRuleUpdateTargetByID 942100-942999 "ARGS:SearchTerm" # See V17

Cross-Site Request Forgery Modify Request + Response: POST /AddComment # # # # Inspect Request Headers + Body Is the referrer wrong? Is the origin wrong? Is there a valid CSRF token? If no token exists: Take action: - Create a CSRF token using ModSecurity - Send the token as a cookie - Add the token to the form post using inserted Reject javascript # - On POST, check if the cookie value matches the posted value See V16

Missing headers and cookie flags Modify Request + Response: Alter Response Headers Set cookie flags Add new headers Set-Cookie: a=b Header edit Set-Cookie "(?i)^(.aspnetcore.antiforgery.(?:(?!httponly).)+)$" "$1; HttpOnly" See V13

Why do we use ModSecurity + CRS? Good, low false positive set of XSS and SQLi rules Efficient processing and blocking Allows simple things to be done relatively easily Can be extended to do complex things, but it gets complicated fast!

Limitations of ModSecurity Hard to capture program state Limited manipulation of the response body Hard to remove sensitive data, add validation text etc Daunting syntax Extensible via Lua, but not many examples

How do we keep state in web apps? Client-side: URL Cookies Hidden Fields Server Side: In memory On disk Databases Web farm state servers State storage needs to survive reboots and protect against tampering

Let me secure that for you! node.js proxy Business logic Storing state in redis Transforming HTML

Redbird, http-proxy, harmon, trumpet Redbird Wraps http-proxy with extra features Harmon Uses trumpet for streaming HTML manipulation 160+ node modules! Search www.npmjs.com for Redbird, http-proxy, harmon, trumpet

Demo - More complex vulnerabilities

View other people s orders GET /Order Modify Request + Response: Orders 1,2,3,5 Inspect the response to the My Orders request Store all the user s orders persistently Check requests for order details to make sure the user can access GET /Order/Details?id=14 Take action: ordercontrol.js Block

Skip the payment step and get free orders Modify Request + Response: GET /ShoppingCart/Step1,2,4 Keep track of which steps have submitted successfully Check no step is missed Take action: stepcontrol.js Redirect to Step1

HTML Manipulation simpleselect.query = 'input[type=password]'; simpleselect.func = function (node) { node.setattribute('autocomplete','off'); } <html> stepcontrol.js

Other examples Password strength checking HTML manipulation Tamper-protection on hidden fields Changing validation rules and messages XML / json inspection API protection

Why use node.js proxy? Javascript is the language of the internet Fast, scalable, mature Often used for node.js load balancing Performant HTML manipulation

Limitations of node.js proxy Asynchronous programming is hard Still need modsecurity + CRS for signatures Lot of overlaps with modsecurity - which tool is the right one?

Virtual Patching is a thing

Another tool to add to your toolbelt

Prepare the infrastructure in advance

Vulnerability Scan Penetration Testing Proxy Production re u c e s t s i g n i y f Veri Security Reviews Security B Testing IAST IDS AV Web Server File integrity monitoring Ho stin g it ReApp act q ui RASP DLP cklconfig y Agent SIEM sec u IAM Threat modelling se t i SDLC g n i d uil Security Training Virtual Patching Firewall Attacks Configuration Review elydeployment r u c rel y Monitoring Cloud workflow protection OS Hardening SAST App Release Patch Automation Management DAST Identity Governance Configuration Management Policies Standard Operating Procedures

Our Virtual Patching Approach Understand how to exploit the security issue Only patch known vulnerabilities or weaknesses Re cap Avoid over-patching or doing things that will cause issues: Learning mode, tuning, false positives Large blocklists Focus only on the script, page or parameter affected

Our Virtual Patching Approach Only patch known vulnerabilities or weaknesses Re cap

This talk is not about RedShield! We are the world's first web application shielding-with-a-service cybersecurity company. RedShield don t use ModSecurity or node.js We wrap a service around virtual patching How does virtual patching work? Can it be done DIY? No ver t an tise me n ad t!

Let me secure that for you! Appsec AU, 9 Sept 2017 Kirk Jackson @kirkj lmstfu.com @LetMeSecureThat

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback