The WAF book intro protection elements v1.0 lior rotkovitch
Lior Rotkovitch
The waf book intro protection elements Web Application Firewall
1.
Web App Firewall
Practical Defensive Security for Security Engineers
By: Lior Rotkovitch
https://SIRT.club
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @Rotkovitch @sirt_club
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
70295 ©
2.
https://SIRT.club
3.
Web Application Security
Diagram: traffic reaches the web application from the Web through the cloud, the ISP and the NF, then the web servers, application servers and database.
Software bugs:
▪ Code
▪ 3rd party libraries
Security design bugs:
▪ Design bugs – insecure implementations
▪ Misconfiguration bugs – wrong defaults
Expected traffic footprint:
▪ Lack of enforcement on traffic usage
4.
Attack Elements
"Attack occurs when: attack agent is sending exploit to execute the vulnerability that resides in the attack surface."
Diagram: HTTP traffic from the attack agent into the web application stack (web servers, app servers, database).
5.
The need: a tool that will help us differentiate between Expected Traffic Footprint and Attack Traffic Footprint.
The solution: WAF
Diagram: the web application (request handler/s, application/s, database/s) receives an Expected Traffic Footprint ("Welcome"), an Attack Traffic Footprint ("No Services for you") and Suspicious Traffic (FoF?).
6.
WAF – the traffic manager
❑ Allow
❑ Monitor
❑ Block
7.
WAF Structure
Diagram: web clients send requests through the WAF data plane to the web application and receive the responses back through it.
1. Data Plane – WAF engines
2. Control Plane – settings
3. Reporting – visualization
8.
WAF Structure – inline device
Diagram: a request arrives from the web clients and passes through the data plane engines in order: Parser engine, Traps engine, Enforcer engine, then on to the web application. The WAF security engineer works through the Control Plane (settings) and Reporting (visualization).
9.
Request phases in WAF: Parser -> Traps -> Enforcer
Request from the web client:
GET / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Parser (entities) and values:
Verb (Method): GET
Protocol: HTTP 1.1
URL: /index.php
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Source IP: 192.168.1.1
Time: 01:32:44
Traps – Detection: Signatures – User Agent:
Python-urllib/2.6
Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Mozilla/4.0 (Hydra)
Enforcer – Prevention action: Alert / Block page / Reset conn
10.
Protection Elements (PE)
Diagram: web clients -> Parser engine (entity) -> Traps engine (detections) -> Enforcer engine (prevention) -> web application, all driven by the policy.
11.
Parser engine
Parser: software that processes HTTP traffic and breaks it into small chunks called entities for additional actions.
Entity types:
▪ Protocol (req/res)
▪ Payload
▪ User input
12.
Request parsing
REQUEST: https://sirt.club/home/search.php?q=waf&cat=all
Parser:
Protocol: https
Host: sirt.club
Path: /home/
Object: search.php
Query String:
Parameter name: q
Parameter value: cve
2nd Parameter name: cat
2nd Parameter value: all
13.
REQUEST: https://sirt.club/home/search.php?q=waf&cat=all
Parser:
Protocol: https
Host: sirt.club
Path: /home/
Object: search.php
Query String:
Parameter name: q
Parameter value: cve
2nd Parameter name: cat
2nd Parameter value: all
Entities:
- URL
  Protocol: https
  Host: sirt.club
  Path: /home/
  Object: search.php
  Query String: ?
  Parameter name: q
  Parameter value: waf
  2nd Parameter name: cat
  2nd Parameter value: all
14.
GET request parsing
Browser URL: http://sirt.club/home/search.php?q=lala
Raw request:
GET /search.php?q=lala HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed
Entities:
VERB: GET
URL: /search.php
HTTP version: HTTP/1.1
Parameter name: q
Parameter value: lala
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0aa13ed
Part of: Protocol, Payload (headers), User input
15.
POST request parsing
Raw request from the web client to the web app:
POST login.php HTTP/1.1
Host: www.sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=2a59508d7509c6d2c21bbf5b

uname=meme&pass=god123
Entities (POST data, headers):
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: login.php
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Param 1: uname
Param 1 value: meme
Param 2: pass
Param 2 value: god123
16.
Parser buffers
POST /search.php?id=12&query=Golden%20god HTTP/1.1
Host: 172.29.46.23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed

username=omg&password=123456&action=Send
17.
HTTP response parser
Raw response from the web app to the web clients:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams Club</title>
<script type="text/javascript"> </script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>
Entities:
Response Status Code: HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 8326
Response body:
<HTML> <HEAD> <TITLE></TITLE> </HEAD> <Body> <p>SIRT protectors of the realm</p> </Body> </HTML>
Part of: Protocol, Payload (headers), Server output
18.
Traps -> Detections
▪ Signatures – pattern matching
▪ Anomaly – aggregation and thresholds
▪ Client Interrogation – HTTP client inspection
▪ Restrictions – allow / block lists
Applied to the parser entities: Protocol, Payload, User input
19.
Protection Elements (PE)
Diagram: web clients -> Parser (entities: Protocol, Payload, User input) -> Traps (detections) -> Enforcer (prevention action) -> web app.
Detections:
1. Signatures
2. Anomaly
3. Restrictions
4. Client Interrogation
20.
Signatures
Definition: pattern matching engine matching known words / keywords on entities.
Pros:
• Powerful pattern matching engine (IPS)
• Block known exploits
• Virtual patching & leak prevention
• Security visibility
Cons:
• False positives
• Management time
• Consuming resources
Attacks: Web Exploit, Bot UA, SQLi, XSS, LFI, RFI, Command Execution, Predictable Resource etc.
Signature example:
GET /search.php?q=EXPLOIT HTTP/1.1
Connection: keep-alive
Host: sirt.club
User-Agent: Mozilla/5.00
▪ Informational signature – user agent, defaults, general words
▪ Generic exploits signature – common web exploits
▪ Specific exploit signature – CVE / real known exploits
21.
Signature: Informational
Request from the web client:
GET /query.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Parser (entities) and values:
Verb (Method): GET
Protocol: HTTP 1.1
URL: /query.php
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Source IP: 192.168.1.1
WAF User-Agent signatures (detection):
Python-urllib/2.6
Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Mozilla/4.0 (Hydra)
22.
Signature – generic exploits
Request from the web client:
GET /search.php?q=../../../../../../etc/passwd HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
Parser entities and values:
Verb (Method): GET
Protocol: HTTP 1.1
Parameter name: q
Parameter value: ../../../../../../etc/passwd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
Source IP: 192.168.1.1
WAF signatures (detection):
../../../../../../etc/passwd
<script>alert('XSS')</script>
[]=PATH DISCLOSURE
…
23.
Signature – POST data (generic exploits)
Request from the web client:
POST /submit.php HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0
Accept: text/html,application/,*/*;
Content-Length: 142
Cookie: SESSION=aafa5676ce60d1b33b58c0dd6de6fa87;

{"my_book": 1.1, "tlv_book": [<scripts>alert('lala')<script>]}
Parser (entities):
Host: sirt.club
Method: POST
HTTP version: 1.1
URL: submit.php
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html, image/webp, */*
POST Data: {"my_book": 1.1, "tlv_book": [<scripts>alert('lala')<script>]}
WAF signatures (detection) on the POST data:
<scripts>alert('lala')<script>
<scripts> alert('') <script>
24.
Signature – Exploit
Request from the web client to the Application Firewall in front of the web app (web server/s, application server/s, database server/s):
GET /GUI.php..;/etc/passwd HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00
Parser (entities) and values:
Verb (Method): GET
Protocol: HTTP 1.1
URL: GUI.php..;/etc/passwd
User-Agent: Mozilla/5.00
Source IP: 192.168.1.1
Time: 01:32:44
CVE signatures (detection):
..;/etc/passwd
/............winntwin.ini
..../..../boot.ini
Prevention action: Alert / Block page / Reset conn
25.
Parsing buffers
POST /index.html?id=12&query=green%20age HTTP/1.1
Host: 172.29.46.23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed

{"book": 1.1, "tlv_book": [100$US]}
26.
Signature and entity level
Request:
GET /search.php?q=EXPLOIT HTTP/1.1
Connection: keep-alive
Host: sirt.club
User-Agent: Mozilla/5.00
Parser – Request level (*):
Entity: Request
Value: GET /search.php?q=EXPLOIT HTTP/1.1 Connection: keep-alive Host: sirt.club User-Agent: Mozilla/5.00
Parser – Global parameter level (* q):
Parameter Name: q
Value: EXPLOIT
Parser – URL parameter level (q search.php):
Parameter Name: q
URL: search.php
Value: EXPLOIT
Signature: EXPLOIT
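As an added example that is not part of the deck, here is a toy version of the data plane slides 8 through 26 describe (Parser -> Traps -> Enforcer): the parser breaks a raw request into entities, the traps engine matches signatures on those entities at the three levels of slide 26 (whole request, global parameter, URL parameter), and the enforcer picks the prevention action. The signature strings, sample requests and signature names are constructed for illustration and are not any product's rule set.

```python
# Added example, not part of the deck: a toy WAF data plane in the shape the
# slides describe (Parser -> Traps -> Enforcer). Signature strings and the
# requests they are tested against are constructed for illustration.
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Entities:
    """Parser output: the 'small chunks' the traps engine inspects."""
    method: str
    url: str                  # path only, e.g. /search.php
    version: str
    headers: dict             # payload: lower-cased header name -> value
    params: dict = field(default_factory=dict)   # user input: name -> value
    raw: str = ""             # whole request, for request-level signatures


def parse_request(raw: str) -> Entities:
    """Parser engine: request line, headers, query string and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # parse_qsl percent-decodes once, so q=%2e%2e/ and q=../ yield one entity value.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    # A form body is user input too (slide 15: uname / pass become parameters).
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return Entities(method, parts.path, version, headers, params, raw)


@dataclass(frozen=True)
class Signature:
    """A pattern plus the entity level it is enforced on (slide 26):
    'request' = the raw request ('*'), 'global' = parameter `param` on
    any URL ('* q'), 'url' = `param` only under `url` ('q search.php')."""
    name: str
    pattern: str
    level: str = "request"
    param: str = ""
    url: str = ""
    action: str = "block"     # enforcer action when the signature fires


SIGNATURES = [
    # Informational: scanner / tool user agents (slides 9 and 21).
    Signature("bot-ua-nikto", "(Nikto/", action="alert"),
    Signature("bot-ua-hydra", "Mozilla/4.0 (Hydra)", action="alert"),
    # Generic exploits on parameter q wherever it appears (slide 22).
    Signature("path-traversal", "../../", level="global", param="q"),
    Signature("xss-script-tag", "<script>", level="global", param="q"),
    # A signature scoped to one URL parameter (slide 26).
    Signature("search-exploit", "EXPLOIT", level="url", param="q", url="/search.php"),
]


def traps(ent: Entities, sigs=SIGNATURES):
    """Traps engine: every signature whose entity contains its pattern."""
    hits = []
    for s in sigs:
        if s.level == "request":
            subject = ent.raw
        elif s.level == "global":
            subject = ent.params.get(s.param, "")
        else:  # "url": only when the request targets that URL
            subject = ent.params.get(s.param, "") if ent.url == s.url else ""
        if s.pattern.lower() in subject.lower():
            hits.append(s)
    return hits


def enforcer(hits):
    """Enforcer engine: the strongest prevention action among the hits wins."""
    order = {"allow": 0, "alert": 1, "block": 2}
    return max((h.action for h in hits), key=order.get, default="allow")


def inspect(raw: str):
    """Run one request through the data plane: (action, [signature names])."""
    hits = traps(parse_request(raw))
    return enforcer(hits), [h.name for h in hits]
```

Running `inspect()` on the slide-26 request returns a block on search.php, while the same `q=EXPLOIT` on another URL is allowed, which is the scoping difference the slide draws.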
27.
Signature phases in WAF: Parser, Traps, Enforcer
Signature - Request
Signature - Response
28.
Signature - Response

Response from WEB APP to WEB CLIENTS:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams Club</title>
<script type="text/javascript"> </script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>

Parser - Response:
Response Status Code: HTTP/1.1 200 OK
Response headers:
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 8326
Response body:
<HTML> <HEAD> <TITLE></TITLE> </HEAD> <Body> <p>Page Test </p> </Body> </HTML>

Signature - HTTP Response headers
Signature - Response Headers: Apache/2.1 (Unix) PHP/7.1.2
29.
Signature - HTTP Response Body

RAW HTML Response:
HTTP/1.1 200 OK
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html

<br> <b>Warning</b>: Supplied argument is not a valid MySQL result resource in <b> /var/htdocs/myapp/ </b> on line <b>9</b><br>
<br> <b>Warning</b>: Cannot add header information - headers already sent by (output started at /var/htdocs/myapp/login.php:9) in <b> /var/htdocs/myapp/ </b> on line <b>18</b><br>
……

Parser - Response:
Response Status Code: HTTP/1.1 200 OK
Response headers:
Date: Sun, 29 May 2022 13:13:13 GMT
Server: Apache/2.1 (Unix) PHP/7.1.2
Cache-Control: no-cache, must-revalidate, max-age=0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Response body:
<br> <b>Warning</b>: Supplied argument is not a valid MySQL result resource in <b> /var/htdocs/myapp/ </b> on line <b>9</b><br>
<br> <b>Warning</b>: Cannot add header information - headers already sent by (output started at /var/htdocs/myapp/login.php:9) in <b> /var/htdocs/myapp/ </b> on line <b>18</b><br>

Signature - Response Body: "Supplied argument is not a valid MySQL result resource in"
30.
PROTECTION ELEMENTS (PE): 1. SIGNATURES, 2. ANOMALY, 3. RESTRICTIONS, 4. CLIENT INTERROGATION
ENTITIES (Protocol, Payload, User input) -> DETECTIONS -> PREVENTION ACTION
Traps, Parser, Enforcer (between WEB CLIENTS and WEB APP)
31.
Anomaly

Definition: Data aggregation engine; a measure exceeding a defined threshold
Attacks: Brute force, credential stuffing, application DDoS, etc.

Anomaly examples:
▪ Requests per second (RPS)
▪ Failed logins (FLI)
▪ Session opening

• Pros:
• Easy to use
• Effective automation detection
• Very effective in noisy attacks, e.g. DDoS, BF
• Cons:
• Needs fine tuning for each site
• Advanced usage needs knowledge and experience
32.
Anomaly - increase in RPS from IP's
Detection: Anomaly

Aggregated data - Policy limit per IP (Internet -> IP (Parser))
IP              5 min   20 min  1 hour AVG
10.0.0.138      50      60      180
192.168.1.1     180     0       0
172.29.44.6     400     350     3000
172.29.46.9     250     100     1000
10.1.1.1        1800    1200    800
192.168.24.24   0       100     150

Policy: Source IP: ANY @ 5 Min; RPS limit Min 220, Max 280
33.
Anomaly - increase in FLI from IP's
Detection: Anomaly (Fail Login -> Try Again)

Aggregated data - Policy limit: FLI per IP (Internet -> IP (Parser))
IP              Current FLI /5min   60min FLI
10.0.0.138      60                  180
192.168.1.1     0                   0
172.29.44.6     35                  40
172.29.46.9     100                 1000
10.1.1.1        1800                3000
192.168.24.24   10                  150

Policy: Source IP: ANY @ 5 Min; FLI/IP over 5 min limit: Min 300, Max 1000
34.
Anomaly - increase Sig from IP
Detection: Anomaly

Aggregated data - Policy limit: Signatures per IP (Internet -> IP (Parser))
IP              Sig count 5 min   Sig count 20min   Sig count 1H
10.0.0.138      500               600               1800
192.168.1.1     20                50                100
172.29.44.6     0                 1                 0
172.29.46.9     0                 0                 4
10.1.1.1        4                 4                 4
192.168.24.24   1                 1                 1

Policy: Source IP: ANY @ 5 Min; Max signatures from IP / 5min: Min 20, Max 80, Post max 150 -> shun for 12 hours
35.
Anomaly - increase in Sessions from IP's (Internet -> Application Firewall)

Session           RPS 5 min   20 min   1 hour AVG
Session 1234567   50          60       180
Session 842153    180         0        0
Session 764531    300         350      3000
Session 1514345   250         100      1000
Session 5694615   1800        1800     1800
Session 1428648   0           100      150

Aggregated data - Policy limit per IP: Session: ANY @ 5 Min; RPS limit Min 220, Max 280
36.
Anomaly - increase in FLI from Geo (Internet -> Application Firewall)

IP              IP to GEO   Current RPS   10m RPS
10.0.0.138      Country U   60            180
192.168.1.1     Country X   0             0
172.29.44.6     Country Y   350           3000
172.29.46.9     Country W   100           1000
10.1.1.1        Country V   1800          1800
192.168.24.24   Country Z   100           150

Aggregated data - Policy limit per IP: Source IP: country @ 5 Min; RPS limit Min 300, Max 1000
37.
Anomaly - increase in Sig to URL's (Internet -> Application Firewall)

URL              RPS 5 min   20min   1 hour AVG
Sell.php         500         600     1800
Help.php         120         100     100
Login.php        3000        6500    8000
Contact.us.php   1500        1000    800
                 1800        1800    1800
Promo.page.php   10          100     150

Aggregated data - Policy limit per IP: Source IP: ANY @ 5 Min; RPS limit Min 220, Max 280 (sell.php, login.php, Contact.php)
38.
Anomaly - increase in Sessions from IP's (Internet -> Application Firewall)

Session           RPS 5 min   20 min   1 hour AVG
IP 10.0.0.1 - total sessions 4, total RPS 780
Session 1234567   50          60       180
Session 9821363   180         0        0
Session 2972342   300         350      3000
Session 4798435   250         100      1000
IP 192.168.1.14 - total sessions 2, total RPS 1800
Session 2837464   1800        1800     1800
Session 2962349   0           100      150

Aggregated data - Policy limit per IP: Session: ANY @ 5 Min; Session limit per 5 minutes Min 220, Max 280
Fixed: any IP with sessions above 100 in every 1 minute
39.
Anomaly - increase in NEW Sessions from IP's (Internet -> Application Firewall)

IP              New Session 5 min   New Session 20 min   New Session 1 hour
10.0.0.138      2                   10                   50
192.168.1.1     180                 0                    0
172.29.44.6     300                 350                  3000
172.29.46.9     250                 100                  1000
10.1.1.1        2                   3                    3
192.168.24.24   0                   0                    2

Aggregated data - Policy limit per IP: Session: ANY @ 5 Min; Session limit per 5 minutes Min 220, Max 280
Fixed: any IP with sessions above 100 in every 1 minute
41.
Anomaly - increase Sig from IP (Internet -> Application Firewall)

IP              Sig count 5 min   Sig count 20min   Sig count 1H
10.0.0.138      500               600               1800
192.168.1.1     20                50                100
172.29.44.6     0                 1                 0
172.29.46.9     0                 0                 4
10.1.1.1        4                 4                 4
192.168.24.24   1                 1                 1

WAF policy settings: block IP's that send too many signatures (scanners, vulnerability hunters, etc.)
Source IP: ANY @ 5 Min; Block IP on: Min 20, Max 80, Post max 150 -> shun for 12 hours
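As an added example (not from the deck), the aggregation-and-threshold logic behind the per-IP anomaly slides above in Python: a sliding 5-minute counter per source IP, the min / max / post-max levels of the signatures-per-IP policy, and the 12-hour shun. The policy values are the deck's; the sample hits, IPs and timestamps are constructed.

```python
from collections import defaultdict, deque

# Constructed policies mirroring the deck's "Policy limit per IP" slides:
# 5-minute window, min/max thresholds, "post max" -> shun for 12 hours.
WINDOW_SECONDS = 300
RPS_LIMIT = {"min": 220, "max": 280}
SIG_LIMIT = {"min": 20, "max": 80, "post_max": 150, "shun_seconds": 12 * 3600}

class IpAggregator:
    """Sliding-window event counter per source IP (the data aggregation engine)."""
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)  # ip -> event timestamps in the window
        self.shun_until = {}              # ip -> time at which the shun expires
    def _prune(self, ip, now):
        q = self.events[ip]
        while q and q[0] <= now - self.window:  # drop events older than the window
            q.popleft()
    def record(self, ip, ts):
        self._prune(ip, ts)
        self.events[ip].append(ts)
    def count(self, ip, now):
        self._prune(ip, now)
        return len(self.events[ip])
    def is_shunned(self, ip, now):
        return self.shun_until.get(ip, 0) > now

def evaluate(count, limit):
    """Map an aggregated count onto the deck's alert / block / shun levels."""
    if count > limit.get("post_max", float("inf")):
        return "shun"
    if count > limit["max"]:
        return "block"
    if count > limit["min"]:
        return "alert"
    return "ok"

def classify_signature_hits(hits, now, agg=None):
    """hits: (ip, timestamp) signature matches. Returns ({ip: action}, aggregator)
    and shuns, for shun_seconds from now, every IP past the post-max threshold."""
    agg = IpAggregator() if agg is None else agg
    for ip, ts in hits:
        agg.record(ip, ts)
    actions = {ip: evaluate(agg.count(ip, now), SIG_LIMIT) for ip in list(agg.events)}
    for ip, action in actions.items():
        if action == "shun":
            agg.shun_until[ip] = now + SIG_LIMIT["shun_seconds"]
    return actions, agg

# Constructed sample: a scanner (500 hits in 5 min), a borderline source (20 hits)
# and a source whose 100 hits all fall outside the window, so they count for 0.
SAMPLE_NOW = 1290.0
SAMPLE_HITS = [("10.0.0.138", 1000 + i * 0.5) for i in range(500)]
SAMPLE_HITS += [("192.168.1.1", 1100 + i) for i in range(20)]
SAMPLE_HITS += [("172.29.44.6", 500 + i) for i in range(100)]
```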
42.
Chart: Anomaly - Fixed vs Ratio (x axis: IP's/URL's 1-36, Series 1; second panel x axis: IP/URL 1-22, App 1)
43.
PROTECTION ELEMENTS (PE): 1. SIGNATURES, 2. ANOMALY, 3. RESTRICTIONS, 4. CLIENT INTERROGATION
ENTITIES (Protocol, Payload, User input) -> DETECTIONS -> PREVENTION ACTION
Traps, Parser, Enforcer (between WEB CLIENTS and WEB APP)
44.
Restrictions

Definition: Restrictions engine; matching allow / block lists
Attacks: SQLi, XSS, directory traversal, evasions, etc.

Restriction examples:
▪ Character sets
▪ RFC & evasion
▪ Flow
▪ Structure

• Pros:
• A powerful and granular allow / deny alerting and enforcement list
• Provides a schema for ETF
• Provides a schema for user input validation
• Holistic security
• Cons:
• Needs fine tuning (false positives)
• Needs management
• Hit count then block is the best approach
45.
Restrictions - length

Length policy: GET Param value Min 3 chars, Max 130 chars

http://sirt.club/search.php?q=longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong
Host: sirt.club
User-Agent: Mozilla/5.0
Accept: text/html,application/,*/*;

Parser (entities) / Value / Length found:
Verb (Method): GET
Protocol: HTTP 1.1
Parameter name: q
Parameter value: longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong (136 chars)
Source IP: 192.168.1.1
Time: 01:32:44
46.
Restrictions - HTTP RFC

RFC @ any request - Policy (allow / deny):
Header with no value: Block
Double host header: Block
HTTP verbs POST, Get, HEAD: Block
Null in request: Block
Parameter value with ': Block
Protocol version 1.1: Allow
Protocol version 1.0: Block

Options /search.php?q=mc'mer HTTP/1.0
Host: SIRT.CLUB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/,*/* %00;
Host: 172.29.44.44
Header123:

Parser (entities) / Value:
Verb (Method): Head
Protocol: HTTP 1.0
Parameter name: q
Parameter value: mc'mer
Host header: 172.29.46.23 SIRT.CLUB
Time: 11:11:11
Header123: _____
Accept: text/html,application/,*/* %00;
47.
Restrictions - Meta characters

Metachar for any parameter value - Policy (allow / deny):
Metachar   Encoding   Policy
#                     allow
$
%
&
'          %92        Block
(
)

http://sirt.club/search.php?q=Mc'dogal

Parser (entities) / Value:
Verb (Method): GET
Protocol: HTTP 1.1
Session: d58ec55996a207ed
Parameter name: q
Parameter value: Mc'dogal
Source IP: 192.168.1.1
Time: 01:32:44
48.
Restrictions - HTTP Verbs

VERB      Policy
GET       Allow
POST      Allow
HEAD      Allow
TRACK     Block
TRACE     Block
OPTIONS   Block
PUT       Block

GET /about.php HTTP/1.0
Host: sirt.club
User-Agent: Mozilla/5.0

Options /help.php HTTP/1.0
Host: sirt.club
User-Agent: Mozilla/5.0

HEAD /login.php HTTP/1.0
Host: sirt.club
User-Agent: Mozilla/5.0

Parser (entities) / Value: Verb (Method) Options, Protocol HTTP 1.1
Parser (entities) / Value: Verb (Method) GET, Protocol HTTP 1.1
Parser (entities) / Value: Verb (Method) GET, Protocol HTTP 1.1
49.
Restrictions - RFC
• Multiple host headers found in request

POST http://192.0.0.192/latest/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: sirt.club
accept: */*
host: sirt.club

Payload size:
GET http://192.0.0.192/latest/May/yeaer HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Connection: Keep-Alive
Host: sirt.club
accept: */*
host: sirt.club
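An added Python example (not the deck's code) that applies the restriction policies from the length, RFC, meta-character and verb slides to one raw request: the verb and protocol allow / block lists, double Host header, header with no value, null in request, the blocked ' meta-character and the 3 to 130 character parameter length. The sample requests are constructed after the slides.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed allow/block lists mirroring the deck's restriction slides.
VERB_POLICY = {"GET": "allow", "POST": "allow", "HEAD": "allow", "TRACK": "block",
               "TRACE": "block", "OPTIONS": "block", "PUT": "block"}
PROTOCOL_POLICY = {"HTTP/1.1": "allow", "HTTP/1.0": "block"}
BLOCKED_METACHARS = {"'"}              # the deck's "Parameter value with '" rule
PARAM_LENGTH = {"min": 3, "max": 130}  # GET parameter value length policy

def parse_request(raw):
    """Minimal parser: request line, headers (duplicates kept), query parameters."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip() if sep else None))
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)  # %xx decoded
    return {"method": method.upper(), "version": version.strip(),
            "headers": headers, "params": params}

def check_request(raw):
    """Return the list of restriction violations found in one raw HTTP request."""
    req = parse_request(raw)
    found = []
    if VERB_POLICY.get(req["method"], "block") == "block":   # unknown verbs: block
        found.append("verb-blocked:" + req["method"])
    if PROTOCOL_POLICY.get(req["version"], "block") == "block":
        found.append("protocol-blocked:" + req["version"])
    if sum(1 for name, _ in req["headers"] if name.lower() == "host") > 1:
        found.append("double-host-header")
    for name, value in req["headers"]:
        if not value:                                          # "Header123:" case
            found.append("header-no-value:" + name)
    if "\x00" in raw or "%00" in raw:                          # null in request
        found.append("null-in-request")
    for name, value in req["params"]:
        for ch in BLOCKED_METACHARS:
            if ch in value:
                found.append(f"metachar:{name}:{ch}")
        if not PARAM_LENGTH["min"] <= len(value) <= PARAM_LENGTH["max"]:
            found.append(f"length:{name}:{len(value)}")
    return found

# Constructed samples modelled on the deck's RFC, verb and length slides.
SAMPLE_BAD = ("Options /search.php?q=mc'mer HTTP/1.0\r\nHost: SIRT.CLUB\r\n"
              "User-Agent: Mozilla/5.0\r\nAccept: text/html,application/,*/* %00;\r\n"
              "Host: 172.29.44.44\r\nHeader123:\r\n\r\n")
SAMPLE_LONG = "GET /search.php?q=" + "long" * 34 + " HTTP/1.1\r\nHost: sirt.club\r\n\r\n"
SAMPLE_OK = "GET /about.php HTTP/1.1\r\nHost: sirt.club\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
```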
50.
Restrictions - Flow

LOGIN -> PAYMENT. Enforce a flow:
o From: login.php
o To: payment.php
o Referer: index.php (always)

LOGIN -> USER DETAILS. Enforce a flow:
o From: login.php to user_details.php
o Method: POST
o Additional condition: must have a session
51.
Search Engine name   Fqdn             Count /1 day
Google search        .googlebot.com   150
Bing Search          .msn.com         160
Ask                  .ask.com         10

GET /coffee HTTP/1.1
Host: sirt.club
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Connection: close

DNS Server - rDNS: does the IP in the lookup result match the arriving IP?
Source IP - x.y.z.z
Source IP - Y.Y.Y.Y
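An added example, not from the deck, of the rDNS check sketched above in Python: a request claiming to be a search-engine crawler is verified by looking up the source IP's PTR record, checking that it falls under the engine's FQDN suffix, and confirming that the name resolves back to the arriving IP. The DNS data and IPs are constructed and injected as lookup functions.

```python
# Constructed DNS data standing in for the deck's "DNS Server" box; lookups are
# injected as functions so the check runs offline (pass resolver-backed ones in
# production). Suffixes for Google and Bing are taken from the slide's table.
CRAWLER_RDNS_SUFFIX = {   # claimed crawler token in User-Agent -> allowed rDNS suffix
    "Googlebot": ".googlebot.com",
    "bingbot": ".msn.com",
}
PTR_RECORDS = {"203.0.113.5": "crawl-203-0-113-5.googlebot.com",
               "198.51.100.7": "host7.example.net",
               "192.0.2.66": "fake.googlebot.com"}   # a PTR alone can be faked
A_RECORDS = {"crawl-203-0-113-5.googlebot.com": "203.0.113.5",
             "host7.example.net": "198.51.100.7",
             "fake.googlebot.com": "203.0.113.5"}     # the forward lookup exposes it

def claimed_crawler(user_agent):
    """Which search engine, if any, the User-Agent claims to be."""
    for token in CRAWLER_RDNS_SUFFIX:
        if token in user_agent:
            return token
    return None

def verify_crawler(source_ip, user_agent, ptr_lookup=PTR_RECORDS.get,
                   a_lookup=A_RECORDS.get):
    """Forward-confirmed reverse DNS. Returns (verdict, reason) with verdict
    one of 'verified', 'spoofed' or 'n/a' (no crawler claimed)."""
    bot = claimed_crawler(user_agent)
    if bot is None:
        return "n/a", "no crawler claimed in User-Agent"
    suffix = CRAWLER_RDNS_SUFFIX[bot]
    host = ptr_lookup(source_ip)
    if not host:
        return "spoofed", f"no PTR record for {source_ip}"
    if not host.endswith(suffix):
        return "spoofed", f"rDNS {host} is not under {suffix}"
    if a_lookup(host) != source_ip:   # the name must resolve back to the arriving IP
        return "spoofed", f"{host} does not resolve back to {source_ip}"
    return "verified", f"{host} resolves back to {source_ip}"

# The deck's sample Googlebot User-Agent.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
```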
52.
PROTECTION ELEMENTS (PE): 1. SIGNATURES, 2. ANOMALY, 3. RESTRICTIONS, 4. CLIENT INTERROGATION
ENTITIES (Protocol, Payload, User input) -> DETECTIONS -> PREVENTION ACTION
Traps, Parser, Enforcer (between WEB CLIENTS and WEB APP)
53.
Client Interrogation

Definition: HTTP client inspection; understanding the HTTP client
When to use: when a source generates many RPS and we want to know if this is a:
1. Simple bot
2. Full browser bot
3. Full human bot

• Pros:
• Helps with identifying bots / automation
• Non-valuable users
• Works beyond IP level
• Cons:
• Adds a round trip, delays the load time
• Can be tricked

Types:
I. CAPTCHA
II. Client capabilities L1-4
III. Source ID (SID)
54.
Type the words: FF5N
AUTO: Type the words: FF5NA ??!?!?!!
FF5N
55.
Client interrogation I: CAPTCHA ("Prove that you are human, answer this")

Sequence: User Browser <-> WAF - CI <-> App
First request: GET /sell.php (not verified)
WAF -> browser: Client - interrogation
Browser -> WAF: Return interrogation results
Interrogation results: if failed - drop / block request; if pass - forward
WAF -> App: Forward request; App -> browser: HTTP Response (verified); HTML rendering
Next request: GET /img.png (verified) -> forwarded (verified) -> HTTP Response (verified)

Interrogation tests:
• CLI?
• Support JS?
• Support cookie?
• Mouse movements
• UA fit resolution?
• Framework?
56.
Client interrogation II: Capabilities - L1
Only browsers are allowed here
Who are you? (IP:X, IP:Y, IP:A)

CI results:
Allowed Browser: Yes
CLI: No
JS capable: Yes
Cookie set: Yes
57.
Client interrogation II: Capabilities
Source interrogation II - Discrepancies L4

Fingerprint dimensions: Device, OS, HTTP, Network, Browser, Screen
Devices:
• PC
• Laptop
• Tablet
• Mobile
• IOT
• Cloud nodes
OS:
• Windows
• Linux
• MAC
• Android
Networking:
• ISP
• Proxies
• VPN / Tor
• WiFi
HTTP:
• CLI tool
• Browser
• Frameworks

Discrepancies (JS injection results):
• Browser = firefox
• Screen = Wide
• OS = windows
• Device = PC
Actual UA in request: Opera/9.80 (Android 4.1.2; Linux; Opera Mobi/ADR-1305251841) Presto/2.11.355 Version/12.10
58.
Client interrogation III
Source interrogation III - Source ID

Fingerprint dimensions: Device (PC, Laptop, Tablet, Mobile, IOT, Cloud nodes), OS (Windows, Linux, MAC, Android), Networking (ISP, Proxies, VPN / Tor, WiFi), HTTP (CLI tool, Browser, Frameworks), Browser, Screen

Source ID:
• Browser type, version
• Plugins
• Fonts
• OS
• Device
UR SID: 9883
59.
Detections: Client interrogation - SID
Binding IP/SID - measuring

IP:X   SID: 9883
IP:X   SID: 1253
IP:Y   SID: 2873
IP:Z   SID: 1151
IP:Z   SID: 4948
IP:Z   SID: 2222
60.
TRAPS -> DETECTIONS:
Signatures - Pattern matching
Anomaly - Aggregation and thresholds
Client Interrogation - HTTP client inspection
Restrictions - Allow / Block lists
61.
PROTECTION ELEMENTS (PE): SIGNATURES, ANOMALY, RESTRICTIONS, CLIENT INTERROGATION
PREVENTION ACTION: ALERT, BLOCK, LIMIT, FOLLOW UP
ENTITIES (Protocol, Payload, User input) -> DETECTIONS -> PREVENTION ACTION
Traps, Parser, Enforcer (between WEB CLIENTS and WEB APP)
62.
ALERT (To: WAF admin)
• Alert - GUI
• Alert - Log
• SMS
• Instant messaging
• Email

▪ DASHBOARD - ALERT / CRITICAL
▪ GRAPHS - VISUAL
▪ STATISTICS - TABLES
▪ LOGS - REQUEST LOGS
(Browser, User, IP)
63.
ALERT (To: WAF admin)
• Alert - GUI
• Alert - Log
• SMS
• Messaging - slack
• Email

BLOCK (To: End Users)
Block page: "Your traffic is violating the site policy. If this continues, please contact our support 111-111. Block ID: 10ABC"
This request has been blocked
Drop connection: TCP FIN / RESET
Semi blocking: Stripping / Cloaking
64.
BLOCK (To: End Users)
Block page: "Your traffic is violating the site policy. If this continues, please contact our support 111-111. Block ID: 10ABC"
This request has been blocked
Drop connection: TCP FIN / RESET
Semi blocking: Stripping / Cloaking
▪ Effective
65.
LIMIT
• Limiting rate of RPS on a specific IP
• Limiting RPS on the site
• Limiting RPS on a specific URL
• Limiting time
• Limiting access - 4 hours ban
(IP -> q, search.php, index.php)

Advantages:
▪ Delays the attack
▪ Mixed traffic (good and bad)
▪ Less aggressive than blocking
▪ Typically works on anomalies
66.
FOLLOW UP
• Send users to a honeypot for inspection
• Re-send the browser to the main page

Advantages:
▪ Delays the attack
▪ Mixed traffic (good and bad)
▪ Less aggressive than blocking
▪ Typically works on anomalies
67.
LIMIT
• Limiting rate of RPS on a specific IP
• Limiting RPS on the site
• Limiting RPS on a specific URL
• Limiting time
• Limiting access - 4 hours ban

FOLLOW UP
• Send users to a honeypot for inspection
• Re-send the browser to the main page
68.
WAF STRUCTURE
1. DATA PLANE: ENTITIES (Protocol, Payload, User Input) -> DETECTIONS (SIGNATURES, RESTRICTIONS, ANOMALY, CLIENT INTERROGATION) -> PREVENTION (Alert, Block, Limit, Follow Up); Traps, Parser, Enforcer
2. CONTROL PLANE: GUI, API, CONFIG File
3. REPORTING: Graphs, Stats, Request LOG, Dashboard, ISO
69.
https://SIRT.club
By: Lior Rotkovitch
"Man's biggest obstacle is he himself" - LR
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
Practical Defensive Security for Security Engineers