Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design

Presentation transcript:

ModSecurity
Speaker: Shane Jahnke, CS 6910 – Advanced System Security & Design

Outline
- Motivation
- Introduction to ModSecurity
- ModSecurity Rules
- Potential Problems
- ReDoS
- CS5260 Midterm Exam
- Conclusions
11/15/2018 CS6910 Spring 2012 - Shane Jahnke

Motivation
- Familiar with the Apache Web Server and its reverse proxy support
- Interest in securing web and application servers
- Over 70% of attacks are carried out at the web application level
These attacks include cross-site scripting, SQL injection and other web application attacks.

What is ModSecurity?
- Open source web application firewall (WAF)
- ModSecurity provides:
  - Protection from a range of attacks against web applications
  - HTTP traffic monitoring
  - Real-time analysis
- Maintained by Breach Security
- Apache Software License v2
- Commercial licenses available with support contracts

Deployment Options
- Embedded into an existing web server
  - Apache module and directives
  - Ports to other web servers are in the works
- Network-based deployment
  - Apache-based reverse proxy
  - Protects any number of web, application and database servers
Apache is what ModSecurity was developed for: it is built as a standard Apache module and has an entire library of directives. Ports in progress include ModSecurity for Java, Nginx, Oracle and Microsoft platforms. Otherwise, network-based deployment is an option, using an Apache-based reverse proxy in front of the servers to be protected.
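What the network-based option looks like in practice, as an added example (not configuration from the talk or from the ModSecurity project): ModSecurity 2.x loaded into an Apache reverse proxy that fronts a back-end application server. The back-end address 10.0.0.5:8080, the log file names and the conf/crs/ rule directory are placeholders; the directives themselves are standard ModSecurity 2.x and mod_proxy directives.

```apache
# Added example: ModSecurity 2.x embedded in an Apache reverse proxy.
# Assumed: Apache 2.2-style syntax, back end at 10.0.0.5:8080,
# Core Rule Set files under conf/crs/ (all placeholders).

# mod_unique_id supplies the transaction IDs used in the audit log.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<IfModule security2_module>
    # Start in DetectionOnly: rules are evaluated and logged, nothing is blocked.
    # Switch to "On" only after reviewing the audit log for false positives.
    SecRuleEngine DetectionOnly

    # Inspect POST bodies, not just the request line and headers.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Log only transactions that matched a rule or produced an error status;
    # 404s are excluded so scanner noise does not fill the log.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLog logs/modsec_audit.log

    # Level 3 records rule matches and errors (including PCRE limit errors);
    # raise to 9 only while debugging, it is very verbose.
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 3

    # The OWASP Core Rule Set (assumed location).
    Include conf/crs/*.conf
</IfModule>

# Reverse proxy: ModSecurity inspects each request here, before it is
# forwarded to the application server behind it.
# ProxyRequests Off is essential; "On" would turn this into an open forward proxy.
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass        / http://10.0.0.5:8080/
ProxyPassReverse / http://10.0.0.5:8080/
```

Validate the file with `apachectl -t` before reloading; Apache rejects comments placed after a directive on the same line, so keep comments on their own lines as above.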

ModSecurity Rules
- Bundled with the Open Web Application Security Project (OWASP) Core Rules
- Provide generic protection from unknown vulnerabilities found in web applications
- Well documented for step-by-step deployment
- Updated from the project website
- Several rules are written as regular expressions
- Commercial rules available from Trustwave SpiderLabs

Core Rules Content
The Core Rules provide generic web application protection:
- HTTP Protection – detects violations of the HTTP protocol
- Real-time Blacklist Lookups – utilizes third-party IP reputation data
- Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API
- HTTP Denial of Service Protections – defends against HTTP flooding and slow HTTP DoS attacks
- Common Web Attacks Protection – detects common web application security attacks
- Automation Detection – detects bots, crawlers, scanners and other surface malicious activity
- Integration with AV Scanning for File Uploads – detects malicious file uploads
- Tracking Sensitive Data – tracks credit card usage and blocks leakage
- Trojan Protection – detects access to Trojan horses
- Identification of Application Defects – alerts on application misconfigurations
- Error Detection and Hiding – disguises error messages sent by the server

Potential Problems
- May introduce false positives (example: the CS5260 Midterm Exam)
- Vulnerable to Regular expression Denial of Service (ReDoS) attacks
A ReDoS attack supplies crafted input that drives a regular expression implementation into an extreme case in which it runs very slowly; the work can grow exponentially with the input size.

Regular Expression DoS
- Problematic regex, naïve algorithm:
  - Build a Nondeterministic Finite Automaton (NFA)
  - Transition until the end of the input
  - Each state may have several "next" states
  - A deterministic algorithm tries every path through those states until one matches or all of them fail
- Regex: ^(a+)+$
  - Payload: aaaaX, 2^4 = 16 paths
  - Payload: aaaaaaaaaaaaaaaaX, 2^16 = 65,536 paths
From the Checkmarx Source Code Analysis Technologies slides in the PDF. An NFA is a finite state machine in which, for each pair of state and input symbol, there may be several possible next states.

Evil Regular Expressions
- A regex is "evil" if it gets stuck on crafted input
- The pattern contains:
  - Grouping with repetition
  - Inside the repeating group:
    - Repetition
    - Alternation with overlapping

Evil Regex Examples
- (a+)+
- ([a-zA-Z]+)*
- (a|aa)+
- (a|a?)+
- (.*a){x} for x > 10
Payload*: "aaaaaaaaaaaaaaaaaaaaaaaa!"
*Payload length depends on the pattern and the system used. All of the above are susceptible to this input payload.
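The path counts on the two slides above can be reproduced rather than taken on faith. The following is an added example, not code from the talk, from ModSecurity or from PCRE: a minimal backtracking matcher over a hand-built pattern AST (the node names, the patterns EVIL, SAFE and OVERLAP, and the functions `anchor_checks` and `matches` are this example's own) that counts how many complete candidate paths the engine tries before it can report "no match". For ^(a+)+$ on n a's followed by X that count is 2^n − 1, the exponential growth the slides describe; for the equivalent ^a+$ it is n.

```python
"""Step-counting backtracking matcher for a tiny regex subset (added example).

Counts how many complete candidate paths a naive backtracking engine explores
before it can conclude 'no match'; a ReDoS payload is one that makes this
number grow exponentially with the input length.
"""
from collections import Counter

# Pattern AST of this example (an assumed mini-language, not PCRE syntax):
#   ('lit', 'a')        one literal character
#   ('seq', [n1, n2])   concatenation
#   ('alt', [n1, n2])   alternation, tried left to right
#   ('plus', n)         one or more repetitions, greedy
#   ('end',)            the '$' anchor
# Matching is always anchored at the start of the text (implicit '^').


def _match(node, s, i, stats):
    """Yield every position at which `node` can finish matching s[i:]."""
    kind = node[0]
    if kind == "lit":
        if i < len(s) and s[i] == node[1]:
            yield i + 1
    elif kind == "end":
        stats["anchor_checks"] += 1          # one complete candidate path reached '$'
        if i == len(s):
            yield i
    elif kind == "seq":
        yield from _match_seq(node[1], s, i, stats)
    elif kind == "alt":
        for branch in node[1]:
            yield from _match(branch, s, i, stats)
    elif kind == "plus":
        for j in _match(node[1], s, i, stats):
            if j > i:                        # never loop on an empty sub-match
                yield from _match(node, s, j, stats)   # greedy: try more repetitions first
            yield j                          # ...then settle for this many
    else:
        raise ValueError(f"unknown node {node!r}")


def _match_seq(parts, s, i, stats):
    """Match `parts` one after another, backtracking into earlier parts on failure."""
    if not parts:
        yield i
        return
    for j in _match(parts[0], s, i, stats):
        yield from _match_seq(parts[1:], s, j, stats)


def matches(pattern, text):
    """True if some path through `pattern` matches `text` from its start."""
    return next(_match(pattern, text, 0, Counter()), None) is not None


def anchor_checks(pattern, text):
    """Number of complete candidate paths tried while exhausting every alternative."""
    stats = Counter()
    for _ in _match(pattern, text, 0, stats):
        pass                                 # drain the generator: count every path
    return stats["anchor_checks"]


A = ("lit", "a")
EVIL = ("seq", [("plus", ("plus", A)), ("end",)])                         # ^(a+)+$
SAFE = ("seq", [("plus", A), ("end",)])                                    # ^a+$ (same language)
OVERLAP = ("seq", [("plus", ("alt", [A, ("seq", [A, A])])), ("end",)])    # ^(a|aa)+$

if __name__ == "__main__":
    import re
    import time

    for n in (4, 8, 12, 16):
        payload = "a" * n + "X"              # constructed ReDoS payload
        print(f"n={n:2d}  (a+)+$: {anchor_checks(EVIL, payload):6d} paths   "
              f"a+$: {anchor_checks(SAFE, payload):3d}   "
              f"(a|aa)+$: {anchor_checks(OVERLAP, payload):5d}")

    # Python's re engine backtracks the same way; each extra 'a' roughly doubles the time.
    for n in (14, 18):
        t0 = time.perf_counter()
        re.match(r"^(a+)+$", "a" * n + "X")
        print(f"re.match ^(a+)+$ with n={n}: {time.perf_counter() - t0:.3f}s")
```

The count is one short of the slide's 2^n because the slide rounds the number of partitions of the a's (2^n − 1 non-empty ways) up to a power of two; the growth rate is what matters. Note that SAFE and EVIL accept exactly the same strings, which is why rewriting a pattern to remove the nested quantifier is the usual fix.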

CS5260 Midterm Exam
- Critical messages:
  - "/etc/" causing WEB_ATTACK/FILE_INJECTION
  - "content" causing WEB_ATTACK/XSS
  - " having t" causing WEB_ATTACK/SQLI
- 403 Access Denied returned when "Anomaly Score Exceeded"
- Mystery error: Rule execution error - PCRE limits exceeded (-8): (null)
  - Possible ReDoS protection? (-8 is PCRE_ERROR_MATCHLIMIT: the match limit was hit and the match was abandoned)
PCRE stands for Perl Compatible Regular Expressions. PCRE is a library written in C that supports Perl-style regular expressions without needing Perl. Known applications that use PCRE include PHP, Postfix and Nmap.

PCRE Limits
- Many forum posts suggested increasing the default value from 1000 to 150,000
- The 2.5.12 release notes state that PCRE limits (the SecPcreMatchLimit and SecPcreMatchLimitRecursion directives) were added to reduce the impact of ReDoS on poorly written regex rules
- A 2.5.13 bug fix changed the error message to indicate which rule exceeded the PCRE limit
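How the rule syntax from the ModSecurity Rules slide, the anomaly-score 403 from the midterm exam slide and the PCRE limits above fit together in one configuration, as an added example (not rules from the talk or from the OWASP Core Rule Set): two hand-written signatures that only raise a score, one rule that blocks when the score crosses a threshold, and a targeted exception for the exam path. Rule IDs 900100 to 900103, the /cs5260/exam path and the score values are placeholders; the directives and actions are standard ModSecurity 2.5+ syntax.

```apache
# Added example: a small anomaly-scoring rule set (not the CRS).
# Rule IDs 900100-900103 and the /cs5260/exam path are placeholders.

# PCRE limits (ModSecurity 2.5.12 and later). When a single match exceeds
# them the rule aborts with "PCRE limits exceeded (-8)" instead of burning
# CPU on catastrophic backtracking. Raise them only for rules that
# legitimately need it, after checking their patterns are not "evil".
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Default action: a matching rule logs and passes. Blocking is decided by
# the scoring rule at the end, not by each signature on its own.
SecDefaultAction "phase:2,log,auditlog,pass"

# Signature: an argument referencing /etc/passwd or /etc/shadow.
# t:none clears inherited transformations; urlDecodeUni and lowercase
# normalise the value so %2Fetc%2FPASSWD is caught as well.
# The regex starts with a literal and has no nested quantifier, so it
# cannot backtrack exponentially.
SecRule ARGS "@rx /etc/(?:passwd|shadow)" \
    "phase:2,t:none,t:urlDecodeUni,t:lowercase,log,pass,id:900100,\
    msg:'File injection attempt',tag:'WEB_ATTACK/FILE_INJECTION',\
    setvar:tx.anomaly_score=+5"

# Signature: SQL keyword followed by text. Deliberately coarse: on a
# free-text field (an exam answer containing 'having the') it fires,
# which is the kind of false positive the talk ran into.
SecRule ARGS "@rx \bhaving\b\s+\w" \
    "phase:2,t:none,t:urlDecodeUni,t:lowercase,log,pass,id:900101,\
    msg:'SQL injection attempt',tag:'WEB_ATTACK/SQLI',\
    setvar:tx.anomaly_score=+3"

# Scoring: deny with 403 once the accumulated score passes the threshold.
SecRule TX:ANOMALY_SCORE "@gt 5" \
    "phase:2,t:none,log,deny,status:403,id:900102,\
    msg:'Anomaly Score Exceeded'"

# Targeted exception: the exam form is known free text, so disable the
# coarse SQLi signature for that path only. This runs in phase 1, before
# the phase 2 rules above, and is narrower than raising the global threshold.
SecRule REQUEST_URI "@beginsWith /cs5260/exam" \
    "phase:1,t:none,nolog,pass,id:900103,ctl:ruleRemoveById=900101"
```

After reloading, a request whose arguments trip both signatures scores 8 and receives the 403, while one that trips only the file-injection rule scores 5 and is logged but passed. If the debug log shows "PCRE limits exceeded" for one of your own rules, treat it as a signal to inspect that rule's pattern for nested quantifiers or overlapping alternation before raising SecPcreMatchLimit.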

Conclusions
- ModSecurity is a viable solution for securing web servers and/or acting as a reverse proxy
- ReDoS attacks appear to be mitigated by the PCRE limits applied when evaluating regular expressions

Questions?

References
- ModSecurity Apache Documentation, http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0/html-multipage/introduction.html#N10024
- ApacheCon Europe '08, ModSecurity, http://www.modsecurity.org/documentation/ApacheCon_Europe_2008-Web_Intrusion_Detection_with_ModSecurity.pdf
- OWASP Core Rule Set, https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
- Regular Expression DoS, by Alex Roichman and Adar Weidman, 2009, https://www.owasp.org/images/3/38/20091210_VAC-REGEX_DOS-Adar_Weidman.pdf
- ModSecurity 2.5.12 Release Notes, http://www.apachelounge.com/viewtopic.php?t=3389
- PCRE Issue, https://www.modsecurity.org/tracker/browse/MODSEC-135
