Presentation is loading. Please wait.

Presentation is loading. Please wait.

Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design

Published byLee Gibson Modified over 6 years ago

Similar presentations

Presentation on theme: "Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design"— Presentation transcript:

1 Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design
ModSecurity Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design

2 Outline Motivation Introduction to ModSecurity ModSecurity Rules
Potential Problems ReDoS CS5260 Midterm Exam Conclusions 11/15/2018 CS6910 Spring Shane Jahnke

3 Motivation Familiar with the Apache Web Server
Reverse proxy support Interest in securing web and application servers Over 70% of attacks carried over web application level These attacks could include web attacks, cross-site scripting attacks, SQL injections attacks, and so on. 11/15/2018 CS6910 Spring Shane Jahnke

4 What is ModSecurity? Open source web application firewall (WAF)
ModSecurity Provides: Protection from a range of attacks against web applications HTTP traffic monitoring Real-time analysis Maintained by Breach Security Apache Software License v2 Commercial licenses available with support contracts 11/15/2018 CS6910 Spring Shane Jahnke

5 Deployment Options Embedded into existing web server
Apache module and directives Other web server ports in the works Network-based deployment Apache-based reverse proxy Protects any number of web, application, and database servers Apache is the what ModSecurity was developed for. It is built as a standard Apache module and has a entire library of directives. Some of the ports include ModSecurity for Java, Nginx, Oracle and Microsoft platforms. Otherwise network-based deployment is an option. This can be done using an Apache-based proxy. 11/15/2018 CS6910 Spring Shane Jahnke

6 ModSecurity Rules Bundled with Open Web Application Security Project (OWASP) Core Rules Provide generic protection from unknown vulnerabilities found in web applications Well documented for step-by-step deployment Updated from project website Several rules are regular expressions Commercial Rules available from Trustware SpiderLabs 11/15/2018 CS6910 Spring Shane Jahnke

7 Core Rules Content Provide generic web application protection:
HTTP Protection Real-time Blacklist Lookups Web-based Malware Detection HTTP Denial of Service Protections Common Web Attacks Protection Automation Detection Integration with AV Scanning for File Uploads Tracking Sensitive Data Trojan Protection Identification of Application Defects Error Detection and Hiding HTTP Protection – detects violations of the HTTP protocol Real-time Blacklist Lookups – utilizes 3rd party IP Reputation Web-based Malware Detection – identifies malicious web content by checking against Google Safe Browsing API HTTP Denial of Service Protections – defends against HTTP Flooding and Slow HTTP DoS Attacks Common Web Attacks Protection – detects common web application security attack Automation Detection – Detects bots, crawlers, scanners and other surface malicious activity Integration with AV Scanning for File Uploads – detects malicious file uploads Tracking Sensitive Data – tracks credit card usage and blocks leakage Trojan Protection – detects access to Trojan horses Identification of Application Defects – alerts on application misconfigurations Error Detection and Hiding – disguises error messages sent by the server 11/15/2018 CS6910 Spring Shane Jahnke

8 Potential Problems May introduce false positives
Example: CS5260 Midterm Exam Vulnerable to Regular expression Denial of Service (ReDoS) attack A ReDoS attack is when a regular expression implementation reaches extreme situations that cause them to work very slowly. This can grow exponentially related to input size. 11/15/2018 CS6910 Spring Shane Jahnke

9 Regular Expression DoS
Problematic Regex naïve algorithm Build Nondeterministic Finite Automata (NFA) Transition until end of input Several “next” states Deterministic algorithms to get to all states Regex: ^(a+)+$ Payload: aaaaX 24=16 paths Payload: aaaaaaaaaaaaaaaaX 216=655536 From Checkmarx Source Code Analysis Technologies slides in the PDF. A NFA is a finite state machine where each pair of state and input symbol there may be several possible next states. 11/15/2018 CS6910 Spring Shane Jahnke

10 Evil Regular Expressions
Regex is “evil” if it gets stuck on crafted input Pattern Contains: Grouping with repetition Inside the repeating group Repetition Alternation with overlapping 11/15/2018 CS6910 Spring Shane Jahnke

11 Evil Regex Examples Examples (a+)+ ([a-zA-Z]+)* (a|aa)+ (a|a?)+
(.*a){x} | for x > 10 Payload*: “aaaaaaaaaaaaaaaaaaaaaaaa!” *payload length depends on pattern and system used All the above are susceptible to the input payload. 11/15/2018 CS6910 Spring Shane Jahnke

12 CS5260 Midterm Exam Critical Messages
“/etc/” causing WEB_ATTACK/FILE_INJECTION “content” causing WEB_ATTACK/XSS “ having t” causing WEB_ATTACK/SQLI 403 Access Denied returned when “Anomaly Score Exceeded” Mystery Error Rule execution error - PCRE limits exceeded (-8): (null) Possible ReDoS Protection? PCRE stands for Perl Compatible Regular Expressions. PCRE is a library written in C to support Perl-based regular expressions without the need for Perl. Known application that use PCRE are PHP, Postfix, and Nmap. 11/15/2018 CS6910 Spring Shane Jahnke

13 PCRE Limits Many forums suggested increasing the default value from 1000 to 150,000 Release Notes indicate that PCRE was reduced impact of ReDoS on poorly written regex rules “bug” addressed to indicate which rule PCRE limit was exceeded 11/15/2018 CS6910 Spring Shane Jahnke

14 Conclusions ModSecurity is a viable solution for securing web servers and/or acting a reverse proxy ReDoS attacks appear to be mitigated using PCRE limits when evaluating regular expressions 11/15/2018 CS6910 Spring Shane Jahnke

15 Questions? 11/15/2018 CS6910 Spring Shane Jahnke

16 References ModSecurity Apache Documentation, ApacheCon Europe ‘08 ModSecurity, OWASP Core Rule Set, Regular Expression DoS, by Alex Roichman and Adar Weidamn, ModSecurity Release Notes, PCRE Issue, 11/15/2018 CS6910 Spring Shane Jahnke

17 Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design
ModSecurity Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design

Download ppt "Speaker: Shane Jahnke CS 6910 – Advanced System Security & Design"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Web Application Firewall (WAF) RSA ® Conference 2013.

Web Application Firewall (WAF) RSA ® Conference 2013.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
--Harish Reddy Vemula Distributed Denial of Service.

--Harish Reddy Vemula Distributed Denial of Service.

Similar presentations

Ads by Google