Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Web Application Firewalls: Patch first, ask questions later
Jonathan Werrett, Trustwave SpiderLabs, November 2011

OWASP 2 Overview
• Web Application Firewalls
• Virtual Patching
• An Example Web App
• Building Virtual Patches
• SQL Injection Challenge Results

OWASP 3 Web Application Firewalls
• Security device dedicated to the web application layer
• Provides context-specific protection
• Can be hardware or software
Positives
• High level of web 'knowledge'
• Centralised control
• Mature anti-evasion
Negatives
• Root cause not addressed
• Very specific
• Won't address business logic and other similar flaws

OWASP 4 Web Application Firewalls
Reasons NOT to use a WAF
• A standard told you to (e.g. PCI DSS Req. 6.6)
• To avoid active testing
• To avoid dealing with developers
• Your auditor / vendor tells you to
Reasons to use a WAF
• Segregate security and development functions
• Minimise exposure windows
• Provide 'base security' across many apps

OWASP 5 Virtual Patching
• Addressing specific flaws at the WAF layer
• 'Just in time' patching
Benefits
• Time to patch
• Flexibility
• Scalability
• Dealing with legacy code
• Dealing with outsourced code
• Reduced exposure
• 'Out of band' patching
• Patch availability
• Reduced dependency on developers
• Avoiding 're-inventing' the wheel

OWASP 6 ModSecurity
• Open Source Web Application Firewall
• Free to use
• Largest install base
• Numerous mature features

OWASP 7 Building Virtual Patches – Key Steps
Preparation
• Make sure you're running ModSecurity!
• Clearly establish roles
• Create a suitable test environment
Identification & Analysis
• Multiple sources (active assessments, vulnerability notifications)
• Identify key features. Whitelist or blacklist approach?
Deploy & Test
• Make sure it doesn't stop legitimate traffic

OWASP 8 Example Web Application

OWASP 9 Building Virtual Patches – Worked Example Cross-site Scripting

OWASP 10 Building Virtual Patches – Worked Example: Cross-site Scripting
• 'White list' the values accepted for the user[bio] parameter
• Accepts: text, with spaces, dashes and full stops
• Blocks: anything else, including the punctuation characters < > $ ( ) ' " ;

SecRule ARGS_POST:user[bio] "!^[\w\.\- ]*$" "phase:2,id:00001,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Virtual patch: user[bio] outside whitelist'"

The pattern is anchored (^ ... $) and negated (!), so the rule fires on any value containing a character outside the set; the dash in the character class matches the accepted set listed above. The deny action is stated explicitly because a rule without a disruptive action only inherits whatever SecDefaultAction specifies, which in many installations is pass. Note that \w in ModSecurity's PCRE matches only ASCII letters, digits and underscore, so this patch will also block bios containing accented or non-Latin characters; test it against real traffic before enforcing.

OWASP 11 Demonstration

OWASP 12 Building Virtual Patches – Worked Example SQL Injection

OWASP 13 Building Virtual Patches – Worked Example: SQL Injection
• Best method is to 'white list', as we did for XSS. Here the rule constrains the request path (REQUEST_FILENAME) rather than a POST parameter.

SecRule REQUEST_FILENAME "!^[\/\w]*$" "phase:2,id:00002,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'Virtual patch: request path outside whitelist'"

(The transcript printed the character class as [\\\w] and lost the pattern's closing quote; a path whitelist has to allow the forward slash, so [\/\w] is assumed here.) Rule IDs must be unique within a ModSecurity configuration, so this rule cannot reuse id:00001 from the XSS patch. Because the pattern excludes dots and dashes, a request for a path such as /assets/app.js would be denied as well; in practice the patch should be scoped to the vulnerable route, for example by placing it inside an Apache <Location> block or by chaining it behind a rule that matches REQUEST_URI.
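The following Python harness is an added example, not code from the slides or from ModSecurity. It emulates how the XSS and SQL injection whitelist patches above evaluate a request (the single URL decode ModSecurity applies to ARGS_POST, then t:urlDecodeUni and t:lowercase, then the anchored pattern) so that a patch can be tried against sample traffic before it is enforced. The sample requests, the /users/1 route and the expected verdicts are constructed for the example, and url_decode_uni is an approximation of ModSecurity's transformation rather than its implementation. The last two cases show legitimate requests the patches would deny.

```python
import re
from urllib.parse import parse_qsl

# The two anchored whitelists from the slides. re.ASCII mirrors PCRE's default,
# where \w is only [A-Za-z0-9_]; without it Python would also accept "José".
BIO_WHITELIST = re.compile(r"^[\w\.\- ]*$", re.ASCII)    # ARGS_POST:user[bio]
PATH_WHITELIST = re.compile(r"^[\/\w]*$", re.ASCII)      # REQUEST_FILENAME

HEX = "0123456789abcdefABCDEF"


def url_decode_uni(value: str) -> str:
    """Approximation of ModSecurity's t:urlDecodeUni: one pass that decodes
    %XX, IIS-style %uXXXX and '+', leaving malformed sequences untouched."""
    out, i, n = [], 0, len(value)
    while i < n:
        ch = value[i]
        if ch == "+":
            out.append(" ")
            i += 1
        elif (ch == "%" and i + 6 <= n and value[i + 1] in "uU"
              and all(c in HEX for c in value[i + 2:i + 6])):
            out.append(chr(int(value[i + 2:i + 6], 16)))
            i += 6
        elif ch == "%" and i + 3 <= n and all(c in HEX for c in value[i + 1:i + 3]):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def transform(value: str) -> str:
    """The slides' transformation chain: t:none,t:urlDecodeUni,t:lowercase."""
    return url_decode_uni(value).lower()


def virtual_patch(method: str, path: str, body: str = "") -> tuple:
    """Emulates the two phase-2 whitelist rules; returns (allowed, reason).

    path is REQUEST_FILENAME (no query string). ModSecurity URL-decodes ARGS_POST
    once before any transformation runs; parse_qsl performs that single decode.
    """
    if not PATH_WHITELIST.match(transform(path)):
        return False, "request path outside whitelist"
    if method.upper() == "POST":
        args = dict(parse_qsl(body, keep_blank_values=True))
        bio = args.get("user[bio]")
        if bio is not None and not BIO_WHITELIST.match(transform(bio)):
            return False, "user[bio] outside whitelist"
    return True, "ok"


# Constructed sample requests (not from the slides): (method, path, body, expected)
CASES = [
    ("POST", "/users/1", "user[bio]=Security+engineer.+Likes+coffee-fuelled+code", True),
    ("POST", "/users/1", "user[bio]=%3Cscript%3Ealert(1)%3C%2Fscript%3E", False),  # plain XSS
    ("POST", "/users/1", "user[bio]=%253Cscript%253E", False),       # double-encoded; urlDecodeUni exposes <script>
    ("POST", "/users/1", "user[bio]=%25u003Cscript%25u003E", False),  # %u encoding after the first decode
    ("GET", "/users/1' or 1=1--", "", False),                         # injection in the path
    ("GET", "/users/1.json", "", False),   # legitimate, but the path whitelist has no dot: scope the rule
    ("POST", "/users/1", "user[bio]=Jos%C3%A9", False),               # legitimate, but PCRE \w is ASCII-only
]


def run_cases() -> list:
    """Returns [(path_or_body, allowed, reason, matches_expectation), ...]."""
    results = []
    for method, path, body, expected in CASES:
        allowed, reason = virtual_patch(method, path, body)
        results.append((body or path, allowed, reason, allowed == expected))
    return results


if __name__ == "__main__":
    for what, allowed, reason, ok in run_cases():
        print("%-5s %-50s %s" % ("ALLOW" if allowed else "DENY", what, reason))
```

Running the harness prints one verdict per case; the point of the last two rows is the "make sure it doesn't stop legitimate traffic" step from the key-steps slide: an anchored whitelist is easy to get right against attack payloads and easy to get wrong against real users.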

OWASP 14 Demonstration

OWASP 15 Building Virtual Patches – Worked Example: SQL Injection
• However, we can also leverage the OWASP ModSecurity Core Rule Set (CRS)
• Numerous generic rules for various issues
• Well tested and comprehensive
• SQL Injection alone has 179 tests
• Anomaly scoring rather than straightforward matching: each matching rule adds to a per-request score and the request is blocked only when the total crosses a configured threshold

OWASP 16 Demonstration

OWASP 17 Building Virtual Patches – Worked Example: Cross-site Request Forgery
• Setting a unique token per user
• At response time (phase 4) a token is stored in the user's ModSecurity session collection and injected into the page; a small script then appends it to every link

SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/<input type=\"hidden\" id=\"mstk\" value=\"%{UNIQUE_ID}\"><script>$(function(){ $('a').each(function(){ $(this).attr('href',this.href+'?tk='+$('#mstk').val()); }); });<\/script><\/body>/" "phase:4,id:00003,t:none,nolog,pass,setsid:%{REQUEST_COOKIES._QUIPR_SESSION},setvar:session.csrf_token=%{UNIQUE_ID}"

The transcript dropped the HTML inside this rule; the @rsub operator, the </body> anchor and the hidden #mstk input that the script reads are reconstructed here and should be checked against the original deck. The injected value uses %{UNIQUE_ID} directly, the same value the setvar stores, because the operator runs before the rule's actions and %{session.csrf_token} would still expand to the previous request's token at that point. The rule requires SecContentInjection On and SecStreamOutBodyInspection On, and STREAM_OUTPUT_BODY with @rsub is a ModSecurity 2.x feature that libmodsecurity (v3) does not implement. Two further caveats: Apache's UNIQUE_ID is unique but not unpredictable, so it is a weak stand-in for a random token; and the script assumes jQuery is loaded and blindly appends '?tk=' to every href, so links that already carry a query string end up with two question marks.

OWASP 18 Building Virtual Patches – Worked Example: Cross-site Request Forgery
• Block requests without the token (phase 2, before the application sees the request)

SecAction "phase:1,id:00004,nolog,pass,setsid:%{REQUEST_COOKIES._QUIPR_SESSION}"
SecRule &ARGS:tk "!@eq 1" "phase:2,id:00005,t:none,log,deny,status:403,msg:'No CSRF Token Detected.'"
SecRule ARGS:tk "!@streq %{session.csrf_token}" "phase:2,id:00006,t:none,log,deny,status:403,msg:'CSRF token mismatch'"

The operators (@eq and @streq) were stripped by the transcript and are restored here. The unconditional SecAction loads the session collection before the second rule evaluates %{session.csrf_token}: a setsid placed in the action list of the first SecRule, as on the slide, only runs when that rule matches, that is, when the token is already missing, so a request that does carry a token would be compared against an empty variable. The slide's second rule logged the expected token in its msg; writing the secret to the audit log is not advisable, so the message here is a fixed string. As written these rules apply to every request, including the first page load that cannot have a token yet; a real deployment would exempt entry points such as the login page (a rule matching REQUEST_URI with ctl:ruleRemoveById) and would also need the token added to form submissions, since the injected script only rewrites <a> links.
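The following Python model is an added example, not the slides' ModSecurity rules nor code from the demo application. It shows both halves of the virtual CSRF patch above (link rewriting on the response, token checks on the request) so the edge cases can be exercised offline: a missing token, a guessed token and a duplicated tk parameter, which is why the first rule counts occurrences rather than testing for presence. The session store, session id, page HTML and link set are constructed; the example also goes beyond the slide's jQuery one-liner by preserving an existing query string and leaving cross-site links untagged.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "tk"


class SessionStore:
    """Stand-in for the ModSecurity session collection (setsid + session.csrf_token)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id: str) -> str:
        # The slide stores %{UNIQUE_ID}; a CSPRNG value is the safer stand-in here.
        token = secrets.token_urlsafe(16)
        self._tokens[session_id] = token
        return token

    def current(self, session_id: str):
        return self._tokens.get(session_id)


_HREF = re.compile(r'href="([^"]*)"')   # double-quoted hrefs only, enough for the demo


def inject_tokens(html: str, token: str) -> str:
    """Response-side step (the slide's phase-4 @rsub + jQuery): add tk=<token> to links.

    Unlike this.href+'?tk=', an existing query string is kept intact, and links to
    other hosts are left alone so the token does not leak through their URLs.
    """
    def rewrite(match):
        href = match.group(1)
        parts = urlsplit(href)
        if parts.scheme or parts.netloc:          # external link: do not tag
            return match.group(0)
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if k != TOKEN_PARAM]
        query.append((TOKEN_PARAM, token))
        new_href = urlunsplit((parts.scheme, parts.netloc, parts.path,
                               urlencode(query), parts.fragment))
        return 'href="%s"' % new_href
    return _HREF.sub(rewrite, html)


def check_request(store: SessionStore, session_id: str, query_string: str) -> tuple:
    """Request-side step (the slide's two phase-2 rules). Returns (allowed, message).

    Rule 1: &ARGS:tk must be exactly 1 (absent or duplicated -> deny).
    Rule 2: ARGS:tk must equal session.csrf_token, compared in constant time.
    """
    args = parse_qsl(query_string, keep_blank_values=True)
    presented = [v for k, v in args if k == TOKEN_PARAM]
    if len(presented) != 1:
        return False, "No CSRF Token Detected."
    expected = store.current(session_id)
    if expected is None or not hmac.compare_digest(presented[0].encode(), expected.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def demo() -> dict:
    """Constructed walk-through: one session, one page, then four kinds of request."""
    store = SessionStore()
    sid = "constructed-session-cookie"
    token = store.issue(sid)
    page = ('<a href="/posts/1/delete">delete</a> '
            '<a href="/search?q=waf#top">search</a> '
            '<a href="https://example.org/">elsewhere</a>')
    return {
        "rewritten": inject_tokens(page, token),
        "legit": check_request(store, sid, "tk=" + token),
        "forged": check_request(store, sid, "confirm=yes"),                     # cross-site form, no token
        "guessed": check_request(store, sid, "tk=" + "A" * 22),                 # wrong value
        "polluted": check_request(store, sid, "tk=%s&tk=%s" % (token, token)),  # duplicated parameter
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The constant-time comparison is the one place where the model deliberately differs from a literal @streq: a WAF rule compares with whatever the engine's string comparison does, and a virtual patch written in application code should not reintroduce a timing side channel on the very secret it protects.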

OWASP 19 Demonstration

OWASP 20 ModSecurity SQL Injection Challenge
• 650 participants
• Tested the OWASP ModSecurity Core Rule Set
• 4 demo sites for vendors (Acunetix, Cenzic, HP, IBM)
• 9 "winners"
• Improvements fed back into the Core Rule Set
Results
• Black listing is hard
• WAFs increase 'hack resistance' but will never make an application 'hack proof'

OWASP 21 Summary
• Virtual patching helps make security fast
• Reduces your exposure
• Leaves developers the space and time to find the best fix
• Centralises security and provides a global 'base'
Further Reading
• ModSecurity
• OWASP ModSecurity Core Rule Set (e_Set_Project)
• ModSecurity SQL Injection Challenge: lessons learned (lessons-learned.html)