Upload File

hands-on modsecurity & logging · a1:2017-injection top_10-2017_top_10 4 4@xeraa

  • Home
  • Documents
  • Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
44
Hands-On ModSecurity & Logging Philipp Krenn@xeraa @xeraa

Upload: others

Post on 29-Jul-2020

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Hands-On

ModSecurity & LoggingPhilipp Krenn@xeraa

@xeraa

Page 2: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Let's talk about security...

@xeraa

Page 3: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 4: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

A1:2017-Injectionhttps://www.owasp.org/index.php/

Top_10-2017_Top_10

@xeraa

https://www.owasp.org/index.php/Top_10-2017_Top_10
https://www.owasp.org/index.php/Top_10-2017_Top_10
Page 5: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 6: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

A10:2017-Insufficient Logging & Monitoring

https://www.owasp.org/index.php/Top_10-2017_Top_10

@xeraa

https://www.owasp.org/index.php/Top_10-2017_Top_10
https://www.owasp.org/index.php/Top_10-2017_Top_10
Page 7: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 8: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Developer !

@xeraa

Page 9: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Disclaimer

I build highly monitored Hello World apps

@xeraa

Page 10: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Hello World of SQL Injection:https://xeraa.wtf

@xeraa

https://xeraa.wtf
Page 11: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

https://xeraa.wtf/login.php !

@xeraa

https://xeraa.wtf/login.php
Page 12: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Hello World of SQL Injection

$sql = "SELECT * FROM `employees` WHERE name='$name' AND password=SHA1('$password')";

@xeraa

Page 13: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Hello World of SQL Injection' or true --

@xeraa

Page 14: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 15: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

https://xeraa.wtf/read.php?id=1 !

@xeraa

https://xeraa.wtf/read.php?id=1
Page 16: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

sqlmap --url "https://xeraa.wtf/read.php?id=1" --purge

@xeraa

Page 17: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Hello World of SQL Injection$sql = "SELECT * FROM employees WHERE id = " . trim($_GET["id"]);error_log("SQL query [read.php]: " . $sql . "\n", 3, "/var/log/app.log");

mysqli_multi_query($link, $sql);if($result = mysqli_use_result($link)){ $row = mysqli_fetch_array($result, MYSQLI_ASSOC);

@xeraa

Page 18: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Injection

;INSERT INTO employees (name) VALUES ('Bad Actor')

@xeraa

Page 19: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

No Escaping Either;INSERT INTO employees (name) VALUES ('<script>alert("Hello Friend")</script>')

@xeraa

Page 20: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

What's going on in our app?

@xeraa

Page 21: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 22: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 23: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 24: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 25: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 26: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 27: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 28: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 29: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 30: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 31: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

DELETE or DROP?

@xeraa

Page 32: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 33: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Open source

Cross-platform web application firewall (WAF)

Visibility into HTTP(S) traffic

Rules to implement protections

@xeraa

Page 34: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

OWASP ModSecurity Core Rule Set (CRS) Version 3

• HTTP Protocol Protection

• Real-time Blacklist Lookups

• HTTP Denial of Service Protections

• Generic Web Attack Protection

• Error Detection and Hiding

@xeraa

Page 35: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Commercial Rules from Trustwave SpiderLabs

• Virtual Patching

• IP Reputation

• Web-based Malware Detection

• Webshell / Backdoor Detection

• Botnet Attack Detection

• HTTP Denial of Service (DoS) Attack Detection

@xeraa

Page 36: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Rerun sqlmapsqlmap --url "https://xeraa.wtf/read.php:8080?id=1" --purge

@xeraa

Page 37: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa
Page 38: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Log to JSONSecAuditLogFormat JSON

https://www.cryptobells.com/mod_security-json-audit-logs-revisited/

@xeraa

https://www.cryptobells.com/mod_security-json-audit-logs-revisited/
Page 39: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Custom RuleSecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"SecRule REQUEST_METHOD "POST" chainSecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"

@xeraa

Page 40: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

@xeraa

Page 41: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Conclusion

@xeraa

Page 42: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Exampleshttps://github.com/xeraa/mod_security-log

@xeraa

https://github.com/xeraa/mod_security-log
Page 43: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

ModSecurity ❤

Logging

@xeraa

Page 44: Hands-On ModSecurity & Logging · A1:2017-Injection Top_10-2017_Top_10 4 4@xeraa

Hands-On

ModSecurity & LoggingPhilipp Krenn@xeraa

@xeraa


Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm

toolsmith ModSecurity for IIS - HolisticInfoSecInformation Services (IIS) and nginx web server platforms. With support for these platforms, ModSecurity now runs on approximately 85%

Logging SQL Injection Attempts

Thru-Pipe Logging System (ThruLog) Wireline Logging System20191108… · Slam Logging System (SlamLog) Slim Hostile Logging System (HostileLog) Thru-Pipe Logging System (ThruLog)

ModSecurity Handbook

Disposal and Injection Well Requirements - Saskatchewan and... · Disposal and Injection Well Requirements ... wellbore integrity logging, operational monitoring, ... Cement bond

Securing Web Applications with ModSecurity€¦ · OWASP 4 Problem: web applications are not secure (2)

Analyzers for Well Logging - Baselineproducts.baseline-mocon.com/Asset/Well Logging Brochure D042.0.pdf · History of Well Logging Well logging is also known as mud logging, gas logging

Modsecurity Manual

Field Day Logging Software & Paper Logging

MODSECURITY Firewall de Aplicação WEB Open Source · 2019. 10. 11. · Proxy Reverso ou Embarcado. 23 Logs, Lots of Logs. 24 Apache Logs: Logs, Lots of Logs. 25 Modsecurity Audit

KINERJA MODSECURITY TECHNICAL REPORT (STUDI KASUS

ModSecurity: Firewall OpenSource para A plicações W eb (WAF)

CloudFlare vs Incapsula vs ModSecurity · CloudFlare vs Incapsula vs ModSecurity (February 13, 2013) Comparative penetration testing analysis report v2.0 Stefan Petrushevski Gjoko

Logging - Cisco · Step4 ChooseConfiguration > Device Management > Logging > Logging Setup toenableloggingforthe currentsessiononly. Step5 ChecktheEnable logging checkbox,thenclickApply

Logging Configuration - Cisco€¦ · Logging Configuration Thefollowingdescribeshowtoenableauditandeventloggingonthecontroller. • LoggingConfigurationOverview,page1 Logging Configuration

Adaptive Logging: Optimizing logging and recovery …ooibc/alogging-sigmod16.pdf · Adaptive Logging: Optimizing Logging and Recovery ... of data logging versus command logging becomes

Dynamic Vulnerability Remediation with ModSecurity

Christian Folini / @ChrFolini Introducing the OWASP ModSecurity … · 2017. 3. 30. · Introducing the OWASP ModSecurity Core Rule Set 3.0. ... The Plan for Today • Sampling Mode

Pilot Re-Lining of the injector well Žu-111 /water injection · Pilot Re-Lining of the injector well Žu-111 for EOR Project of CO 2 /water injection Authors: ... CMT Quality Logging

Otway injection Experiment: Measuring downhole pressure ... · wellbore storage effects Thermal response 0.5 m Assume no convection Pulsed neutron logging < 0.5 m Wellbore fluids

Web Intrusion Detection With ModSecurity

ModSecurity Handbook 1ed

Cybersecurity Web ApplicationsWebApplication).pdf · A9: Using known vulnerable components A10: Insufficient logging and monitoring (new) 15 A1: Injection ... 21 Unvalidated Input

Ivan Ristic Chief Evangelist Breach Security ivanr@modsecurity Version 1.3 (28 June 2007)

Introduction Storage Failure Recovery Logging Undo Logging Redo Logging ARIES

Protecting TYPO3 With Suhosin And Modsecurity

ModSecurity 3.0 and NGINX: Getting Started

Analyzers for Well Logging - Baselineproducts.baseline-mocon.com/Asset/Well Logging Brochure D042.0... · Well logging is also known as mud logging, gas logging or hydrocarbon well

Logging Camps Logging Contractors SIC2411 M

OWASP ModSecurity Core Rules Paranoia Mode

Semantic Logging: Avoiding the Logging Chaos

Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity

BH US 12 Wroblewski ModSecurity Universal WP

ANALISIS KINERJA MODSECURITY (STUDI KASUS: … · Gambar 6 SQL injection pada mutillidae berhasil dilakukan III. PERANCANGAN 1. Spesifikasi Hardware (host+client) Untuk implementasi