Introduction to ModSecurity, CRS & Demo

1. Rahul Choudhary
@r3dinf0

2. What is Web Application Firewall (WAF)???
• Protects a web application by adding a security layer
• present between a user and a web server
• Understands HTTP traffic better than traditional firewalls
• Checks for malicious traffic and blocks it
User requests web application
Ex: proxyserver.com WAF identifies and block malicious
requests
Ex: using ModSecurity
Web
Application
Servers

3. ModSecurity is a toolkit for real-time web
application monitoring, logging, and access control

4. What ModSecurity Can do ???
• Real-time application security monitoring and access control
• Virtual patching
• Full HTTP traffic logging
• Continuous passive security assessment
• Web application hardening

5. What ModSecurity Can do ???
• HTTP Protection - detecting violations of the HTTP protocol and a
locally defined usage policy.
• Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
• HTTP Denial of Service Protections - defense against HTTP Flooding
and Slow HTTP DoS Attacks.
• Common Web Attacks Protection - detecting common web
application security attack.
• Automation Detection - Detecting bots, crawlers, scanners and
other surface malicious activity.

6. What ModSecurity Can do ???
• Integration with AV Scanning for File Uploads - detects malicious
files uploaded through the web application.
• Trojan Protection - Detecting access to Trojans horses.
• Identification of Application Defects - alerts on application
misconfigurations.
• Error Detection and Hiding - Disguising error messages sent by the
server.

7. ModSecurity Processing Phases ..
• Request Headers
• Request Body
• Response Headers
• Response Body
• Logging / Action

8. ModSecurity’ s Rules Language Syntax
SecRule TARGETS OPERATOR [ACTIONS]
Tells ModSecurity where to look
(such as ARGS, ARGS_NAMES or
COOKIES).
Tells ModSecurity how to
process data
Tells ModSecurity what to do if
a rule matches (such as deny,
exec or setvar).
SecRule ARGS
"(?i)(<script[^>]*>[sS]*?</script[^>]*>|<script[^>]*>[sS]*?</script[[sS]]*[sS]|<script[^
>]*>[sS]*?</script[s]*[s]|<script[^>]*>[sS]*?</script|<script[^>]*>[sS]*?)"
"id:'973336',phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'8',t:none,t:urlDecodeU
ni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,log,capture,msg:'XSS Filter - Category 1: Script Tag
Vector',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-
22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'Matched Data:
%{TX.0} found within %{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_an
omaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-
OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

9. ModSecurity Transformations ..
• SQLi
• URL Encode / Decode
• Hex Encode / Decode
• JavaScript Decode
• HTML Entity Decode
• Uppercase / Lowercase
• MD5 / SHA1
• Normalize Paths

10. Ok I understand .. But how can I deploy it ???
ModSecurity supports two deployment options:
• Embedded
ModSecurity is an Apache module, you can add it to any compatible version of Apache. The embedded
option is a great choice for those who already have their architecture laid out and don't want to change it.
• Reverse proxy deployment
When you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a
network web application firewall, which you can use to protect any number of web servers on
the same network. Many security practitioners prefer having a separate security layer. With it
you get complete isolation from the systems you are protection

11. Core Rule Set (CRS) ..???
OWASP community has developed and maintain a
set of rules called OWASP CRS
CRS provides generic protection from unknown
vulnerabilities often found in web applications

12. Core Rules …
HTTP protocol protection
• RFCs
• Defined policy
Common Web Attack Protections
• XSS, SQLi, CSRF, HTTP Response Splitting
Automation Detection
• Bots, web crawlers, web scanners.
Trojan Protection
Server Error Hiding / DLP
• Mask errors sent by the server
• Data Loss Prevention

13. Core Rule Set (CRS) run modes ..???
The CRS can run in two modes:
traditional and anomaly scoring.
Traditional mode:- the first rule that matches will block
the request
Anomaly scoring mode:- the rules increment counters
that "enumerate badness", and if the rule exceeds a
threshold then the request is blocked.

14. Enough …. Give me a scenario !!
x.y.z.a
ModSecurity configured
with Apache serving as
reverse proxy
1.2.3.4
DVWA deployed on web
server
--- AWS Environment for Testing purpose ---

15. Apache configured as Reverse Proxy …

16. Access Vulnerable DVWA host on cloud

17. DVWA SQL Test
MODSECURITY : OFF
MODSECURITY : OFF

18. DVWA SQL Test
MODSECURITY : ON
MODSECURITY : ON

19. DVWA XSS Test MODSECURITY : ON

21. DVWA File Inclusion Test MODSECURITY : OFF

22. ModSecurity Audit Log during Attack MODSECURITY : ON

23. MODSECURITY ATTACK LOGS !!

24. Sample commands to Track & Block...
Track ip addresses :
curl ipinfo.io/49.44.51.20 |cut -d " " -f3,4
Rotate ModSecurity logs :
while true;do cat modsec_audit.log| grep -e HTTP/1.1 -
e 000;sleep 10;clear;done or tail –f modsec_audit.log
Block ip :
iptables -A INPUT -s xx.xx.xx.xx -j DROP

25. How to install ???
Refer :
https://modsecurity.org/
download.html

26. Play online with MODSECURITY !!!

27. Relevant Talks …
https://www.youtube.com/watch?v=HkA_YRSb3jU [Defcon ]
https://www.youtube.com/watch?v=208bFToRJqo&nohtml5=False [BlackHat]
https://www.youtube.com/watch?v=pKGdIxArlKU&nohtml5=False

28. Must to attend !! …