2. WAF (A quick fix)
Instead of rewriting code, a potentially quicker fix is to put an application in front of the HTTP server that intercepts the HTTP traffic before it reaches the server: a Web Application Firewall (WAF).
Like a normal firewall, a WAF is configured with rules for which traffic to pass and which to reject. The difference is that it works at the HTTP layer, inspecting the requests and responses of a specific HTTP server such as Apache or IIS, rather than just IP addresses and ports.
For Apache, the most popular approach is its Open Source module mod_security (ModSecurity), http://www.modsecurity.org/
For IIS, WebKnight from AQTronix, http://aqtronix.com/?PageID=99, is the most popular Open Source solution.
Not everything can be covered by a WAF; session hijacking and other logic flaws in particular are out of its reach, but XSS and SQL Injection can be mitigated.
http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
3. WAF (Not just a server fix)
WAFs are filters that sit in front of the Web Application.
Depending on their configuration, they deny, or only log, the requests coming from the Internet into the application after checking them against their rules.
They are also a good source for auditing the traffic that is hitting the Web site, including the scans that are constantly taking place.
4. Pros and Cons
Pros:
Installing a WAF is quicker, in most cases, than changing code and re-deploying a Web Application.
A WAF may catch attacks, through its rule sets, that the code was never written to handle, because WAF rule sets contain thousands of rules written by industry experts.
Cons:
WAFs are limited by the rules installed in them: if there is no rule for an attack, they cannot protect against it.
Input validation in the application is the better protection, because form-level validation white-lists the input that is allowed, whereas a WAF black-lists the input that is denied.
7. Tomcat will need Apache
Starting Apache:
If there is an error, run "StartApache.bat" in the lab and observe the error. Most likely Apache is already started.
Check Apache in IE at http://localhost/ ; it returns:
8. Tomcat will need Apache
To link Tomcat and Apache, the mod_jk module, also known as the Tomcat Connector, needs to be installed; see http://tomcat.apache.org/connectors-doc/ .
Note: Tomcat can also sit behind Microsoft's IIS instead of Apache, using the ISAPI redirector plugin from the same connectors package.
The easiest way to install the mod_jk connector is to have Tomcat generate "conf/auto/mod_jk.conf" from its Container and have Apache reference it from its "conf/httpd.conf" file:
LoadModule jk_module modules/mod_jk.so
Include C:/Apache2/apache-tomcat-6.0.28/conf/auto/mod_jk.conf
See http://www.johnturner.com/howto/apache2-tomcat4129-jk-winxp-howto.html
10. Tomcat will need Apache
Start in "C:\Labs\Lab_Mod_JK". Run "TestApacheConfig.bat".
The Apache directory is pre-installed in "C:\Apache2".
Tomcat is pre-installed in "C:\Apache2\apache-tomcat-6.0.28".
11. Tomcat will need Apache
You might receive the following screen from the generated mod_jk.conf:
The mod_jk.conf generated by Tomcat was written for an older version of Tomcat. The file can be edited, copied to a new location such as "C:\Apache2\apache-tomcat-6.0.28\conf", and referenced from there.
12. Installing mod_jk
mod_jk is the module that Tomcat and Apache use to communicate. The C:\Apache2\apache-tomcat-6.0.28\conf\auto\mod_jk.conf file is generated by Tomcat at startup to tell Apache which contexts and files Tomcat serves.
The Apache httpd.conf is configured to find the mod_jk.so module and its configuration files by adding the following lines:
This is in the Lab1 directory and has already been modified.
13. Installing mod_jk
Notice that mod_jk.log will log the communication from Apache to Tomcat.
A workers.properties also has to be created in $tomcat/conf to describe the ajp13 worker (ajp13 is the mod_jk protocol) that Apache will talk to on port 8009.
Tomcat's server.xml also has to be modified with an AJP/1.3 Connector listening on that port so that mod_jk.so can reach it:
14. Starting Tomcat/Apache
After a successful start of Apache, run C:\Apache2\apache-tomcat-6.0.28\bin\startup.bat . You can see that it succeeded by looking in the logs for exceptions (search for the keyword "exception" in the files) and for a successful start:
15. Port 8009
Port 8009 was used in workers.properties and server.xml for Apache and Tomcat to communicate. Using a tool like fport.exe from Foundstone, the port should show as open and listening from the java process that Tomcat started; notice port 8009:
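A way to check the connector itself rather than just the listening socket: the following is an added example, not part of the lab material, that sends the AJP13 CPing message mod_jk uses to test a worker and expects the CPong reply. It assumes Tomcat's AJP connector is on 127.0.0.1:8009 as configured above; the packet layout is taken from the Tomcat AJP protocol reference.

```python
import socket
import struct

# AJP13 framing (Tomcat AJP protocol reference):
#   web server -> container packets start with 0x12 0x34, then a 2-byte
#   big-endian payload length, then the payload; CPing is the single byte 0x0A.
#   container -> web server packets start with b"AB", then the length,
#   then the payload; the CPong reply is the single byte 0x09.
AJP_CLIENT_MAGIC = b"\x12\x34"
AJP_SERVER_MAGIC = b"AB"
AJP_CPING = 0x0A
AJP_CPONG = 0x09


def build_cping() -> bytes:
    """Return the 5-byte AJP13 CPing packet mod_jk sends to test a worker."""
    payload = bytes([AJP_CPING])
    return AJP_CLIENT_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_cpong(data: bytes) -> bool:
    """True if `data` is a well-formed AJP13 CPong reply, False otherwise."""
    if len(data) < 5 or data[:2] != AJP_SERVER_MAGIC:
        return False
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:4 + length]
    return length == 1 and payload == bytes([AJP_CPONG])


def check_ajp(host: str = "127.0.0.1", port: int = 8009, timeout: float = 3.0) -> bool:
    """Connect to the AJP connector, send CPing and report whether CPong came back.
    Any socket error (refused, timeout) is reported as "not answering"."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cping())
            return parse_cpong(s.recv(64))
    except OSError:
        return False


if __name__ == "__main__":
    # Assumes the lab's Tomcat is up on the local machine (startup.bat already run).
    print("AJP13 connector on 127.0.0.1:8009 answers CPing:", check_ajp())
```

Anything that can reach port 8009 directly talks to Tomcat without passing through Apache, and therefore without passing through any WAF installed in Apache. The AJP Connector in server.xml should bind only to the loopback address (the Connector's address="127.0.0.1" attribute) or the port must be firewalled from everything except the Apache host; otherwise the WAF can be bypassed entirely.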
16. Now Try a Struts XSS Sample
Call http://localhost/mandiant-struts-form-vulnerable/index.jsp
17. Now Try a Struts XSS Sample
Typing in the XSS payload "<script>alert(123)</script>", the XSS fires:
19. Apache mod_security
Information on the mod_security module can be found at http://www.modsecurity.org/
Load the mod_security and unique_id modules (this example is on XP) in conf/httpd.conf:
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Add the base configuration and some of the base rules (the modsecurity_crs_* files are from the OWASP ModSecurity Core Rule Set):
Include conf/mod_security.conf
Include conf/base_rules/modsecurity_crs_41_xss_attacks.conf
Include conf/base_rules/modsecurity_crs_23_request_limits.conf
Include conf/base_rules/modsecurity_crs_35_bad_robots.conf
Include conf/base_rules/modsecurity_crs_40_generic_attacks.conf
Include conf/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
20. Apache mod_unique_id
The modules/mod_unique_id.so module has to be loaded for mod_security to work.
To check which modules are currently loaded by Apache, run httpd -t -D DUMP_MODULES from the Apache2/bin directory:
21. Apache mod_unique_id
Ensure that the LoadModule line for unique_id_module is present and uncommented in Apache2/conf/httpd.conf:
Now run httpd -t -D DUMP_MODULES from the Apache2/bin directory:
22. Apache mod_security2
Copy libxml2.dll, mod_security2.so, and pcre.dll to Apache2/modules, and add the following to httpd.conf:
Now run httpd -t -D DUMP_MODULES from the Apache2/bin directory to see security2_module:
23. mod_security2 minimal configuration
Rename modsecurity.conf-minimal to modsecurity.conf; httpd.conf then needs to include it:
With the default action for matching rules set to deny with "500 Internal Server Error", the XSS request now returns an error code of 500:
24. Testing which rules may apply
http://www.modsecurity.org/demo/phpids hosts a smoke test that shows which rules a given payload triggers.
27. Apache mod_security logs
The mod_security logs show what mod_security blocked.
If the minimal configuration is used, mod_security writes the rule that it blocked on to "Apache2/logs/mod_audit.log".
The log entry names the rule that matched, which usually defines the blocking sequence through a regular expression.
To log, the location of the log (SecAuditLog) and the level of logging (SecAuditEngine) need to be defined:
SecAuditEngine On: enables audit logging for all transactions.
SecAuditEngine RelevantOnly: enables audit logging only for transactions that match a rule, or that have a status code matching the regular expression configured via SecAuditLogRelevantStatus.
SecAuditEngine Off: disables audit logging.
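To get from a large audit log to a list of which rules fired on which requests, the serial audit-log format can be parsed with a short script. The following is an added example, not part of the lab; the log text embedded in it is constructed to mirror the two situations seen later in this lab (a request blocked by a deny rule, and one that only matched pass-and-audit rules), and its rule ids, messages, unique ids and timestamps are made up. It assumes SecAuditLogType Serial, that is, all transactions in one file, which is how a single mod_audit.log comes about.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x serial audit-log format; it is
# not a log captured from the lab.  Rule ids, messages, unique ids and
# timestamps are made up.  Transaction 1 was denied; transaction 2 only
# matched rules whose action is "pass,auditlog".
SAMPLE_AUDIT_LOG = """\
--4f2a1c10-A--
[22/Sep/2010:14:03:11 --0600] TJqM9QoAAQEAAHsAAAAAA 127.0.0.1 52410 127.0.0.1 80
--4f2a1c10-B--
GET /mandiant-struts-form-vulnerable/index.jsp?name=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1
Host: localhost

--4f2a1c10-F--
HTTP/1.1 500 Internal Server Error

--4f2a1c10-H--
Message: Access denied with code 500 (phase 2). Pattern match "(?i:<scri)" at ARGS:name. [id "900101"] [msg "Cross-site Scripting (XSS) Attack"]
Action: Intercepted (phase 2)

--4f2a1c10-Z--
--4f2a1c11-A--
[22/Sep/2010:14:05:40 --0600] TJqNhAoAAQEAAHtAAAAAB 127.0.0.1 52411 127.0.0.1 80
--4f2a1c11-B--
GET /mandiant-struts-form-vulnerable/index.jsp?name=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1
Host: localhost

--4f2a1c11-F--
HTTP/1.1 200 OK

--4f2a1c11-H--
Message: Warning. Pattern match "(?i)<script" at ARGS:name. [id "900201"] [msg "Cross-site Scripting (XSS) Attack"]
Message: Warning. Pattern match "alert" at ARGS:name. [id "900202"] [msg "XSS Attack Detected"]

--4f2a1c11-Z--
"""

# Part separator: "--<boundary>-<letter>--" on a line of its own.
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$", re.M)


def _split_transactions(text):
    """Group the serial log into {boundary: {part_letter: body}}."""
    parts = BOUNDARY.split(text)  # [preamble, boundary, letter, body, boundary, letter, body, ...]
    transactions = {}
    for i in range(1, len(parts) - 2, 3):
        boundary, letter, body = parts[i], parts[i + 1], parts[i + 2]
        transactions.setdefault(boundary, {})[letter] = body.strip("\n")
    return transactions


def _parse_messages(h_section):
    """Turn the 'Message:' lines of part H into {action, id, msg} records."""
    hits = []
    for line in h_section.splitlines():
        if not line.startswith("Message: "):
            continue
        denied = line.startswith("Message: Access denied")
        id_m = re.search(r'\[id "(\d+)"\]', line)
        msg_m = re.search(r'\[msg "([^"]*)"\]', line)
        hits.append({"action": "deny" if denied else "warn",
                     "id": id_m.group(1) if id_m else None,
                     "msg": msg_m.group(1) if msg_m else ""})
    return hits


def parse_audit_log(text):
    """One record per transaction: client, request line, status, rule hits, blocked?"""
    entries = []
    for boundary, parts in _split_transactions(text).items():
        # Part A: "[timestamp tz] unique_id client_ip client_port server_ip server_port"
        a_fields = parts.get("A", "").split()
        request_line = parts["B"].splitlines()[0] if parts.get("B") else ""
        response_line = parts["F"].splitlines()[0] if parts.get("F") else ""
        hits = _parse_messages(parts.get("H", ""))
        entries.append({"boundary": boundary,
                        "client_ip": a_fields[3] if len(a_fields) > 3 else None,
                        "request": request_line,
                        "status": response_line.split()[1] if response_line else None,
                        "blocked": any(h["action"] == "deny" for h in hits),
                        "hits": hits})
    return entries


def rule_hit_counts(entries):
    """How often each rule id fired: the first thing to look at before moving a rule between pass and deny."""
    return Counter(h["id"] for e in entries for h in e["hits"] if h["id"])


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in entries:
        print("BLOCKED" if e["blocked"] else "logged ", e["client_ip"], e["status"], e["request"].split()[1])
        for h in e["hits"]:
            print("   ", h["action"], h["id"], h["msg"])
    print(rule_hit_counts(entries))
```

Point parse_audit_log at the real file (for example the text of C:/Apache2/logs/mod_audit.log) instead of the sample; the rule_hit_counts tally shows which rule ids are responsible for most of the blocks, which is what decides whether a rule should be moved from deny to pass, or the other way round, when it interferes with normal business traffic.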
29. What do the mod_audit logs say?
It blocked the mandiant page for the following reasons:
30. What do the mod_audit logs say?
Looking closer, it appears that the phpids filter identified "<scri" as XSS.
32. A simple test
Let's see what happens when we remove 41_phpids_filters.conf.
I am going to leave Tomcat running; it is not processing the rules, only Apache is.
I am going to stop Apache, delete the 41_phpids_filters.conf file, test the configuration, and start Apache.
The Apache configuration tested good. Always test after changes (httpd -t), since a broken rule file keeps Apache from starting.
33. This time it didn't block, but triggered an audit rule
In modsecurity_crs_41_xss_attacks.conf the rule's action is pass with audit logging:
34. Conclusion
Adding the file 41_phpids_filters.conf back in will make it block again.
Another alternative is to make the rule in xss_attacks.conf block by changing its action from "pass" to "deny".
There are many, many rules, and more than likely they overlap in some manner.
This exercise was to show how to manipulate the rules in case some of them block normal business activities.
36. Startup
Ensure that Apache is set to block XSS with the phpids rules as before.
In this exercise, we will simply log and not block.
By default, modsecurity only logs, so we simply comment out the deny statement in httpd.conf after stopping Apache, check the config, and restart Apache. (The engine-wide way to do the same is SecRuleEngine DetectionOnly, which logs matches without blocking anything.)
38. The XSS alerts are logged
In the audit log we see the phpids alerts for XSS, along with the other rules as well. Because the request was not blocked at the phpids rule, processing continued and the later rules matched too:
41. ModSecurity audit logs
When Netsparker scanned the site, the audit log grew from 32 KB to 732 KB, because it captured the Netsparker attacks.
43. Conclusions
The most interesting part of this exercise is that we have the ability to capture an audit log, without blocking anything, and understand what attacks are hitting the web site.
45. Startup
Ensure that Apache is set to block XSS with the phpids rules as before.
Knowing the Web Server type and patch level gives hackers a roadmap of which attacks to perform.
ModSecurity can fake the server signature with the SecServerSignature directive (Apache's ServerTokens must be set to Full for the replacement to take effect).
Changing the httpd.conf:
51. WebKnight
WebKnight is an Open Source Web Application Firewall from AQTronix, http://aqtronix.com/?PageID=99
IIS 5.1 and SQL Server 2008 can be installed from the Web Platform Installer, http://www.microsoft.com/web/downloads/platform.aspx (the XP install ISO/disk is needed while installing IIS).
Visual Web Developer 2010 Express, from the same page, will also prove useful.
The version of HacmeBank used here was updated to work on the modern .NET frameworks; it should work with versions 2.0 – 4.0. It was updated from the older version found at http://www.owasp.org/index.php/OWASP_O2_Platform/WIKI/Using_O2_on:_HacmeBank
52. Ensure IIS is started and HacmeBank installed (Control Panel -> Administrative Tools -> Internet Information Services)
53. WebKnight
HacmeBank has 3 main pieces:
Hacme_Bank_V2_WS – the Hacme Bank Web Service (.asmx files) that provides the login web service in front of the database.
Hacme_Bank_V2_Website – the ASP.NET (.aspx) pages and forms.
The FoundStone_Bank database, which has to be installed.
64. Intro to SQL Injection…
Many web pages communicate directly with a backend database for processing.
For example, a username and password are asked for on the Web page, and the page passes them to the database to validate them.
Some applications do not validate the field adequately before passing it to the database, and the database processes whatever it receives.
Hackers pass SQL commands directly to the database, and in some cases entire tables like "passwords" are returned because the SQL is not being filtered adequately.
SQL errors echoed back in the web page may even list the correct table names to query, so that the hacker can make more accurate attempts to get data.
65. SQL Injection
SQL Injection is the ability to inject malicious SQL into the query that the backend code builds.
For example:
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
Passing ' OR 1=1-- in the USRTEXT field generates:
SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'PASSTEXT'
OR 1=1 is always true and the rest of the statement is commented out, so the password check never runs.
66. Common attack strings
' or 27 (hex) – delimits SQL string values.
" or 22 (hex) – also delimits SQL string values.
; or 3B (hex) – terminates statements.
# or 23 (hex) – also terminates a statement (Access); a line comment in MySQL.
/* or 2F2A (hex) – comment delimiter.
-- or 2D2D (hex) – also a comment delimiter.
( or 28 (hex) and ) or 29 (hex) – logical sub-clauses.
{ or 7B (hex) and } or 7D (hex) – ODBC/JDBC escape-sequence delimiters.
exec – used to call MS-SQL stored procedures.
union – combines the results of two SELECTs; the basis of UNION-based injection.
69. Common Code fixes to SQL Injection…
Validate each form field to accept only the specific input allowed for that field. For example, for the login name use ^[0-9a-zA-Z]*$, the regular expression for an alphanumeric field.
For Apache Struts, use org.apache.struts.validator.ValidatorPlugin, http://www.owasp.org/index.php/Data_Validation_(Code_Review) .
For JSPs/Servlets, validate in the Servlet with the java.util.regex framework in a similar manner.
Don't build SQL statements by concatenating user input into them.
Use Prepared Statements, or Hibernate, to call the database (an HQL or native query built by concatenation is just as injectable; bind parameters there too).
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java
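As an added example (not from the lab or from HacmeBank), the following Python script runs the login query from the SQL Injection slide both ways against a small in-memory SQLite table: built by string concatenation, where ' OR 1=1-- logs in without a password, and as a prepared statement, where the same text is compared literally against the username column. It also applies the ^[0-9a-zA-Z]*$ whitelist from the code-fixes slide before the query (the added length limit is an assumption of this example). The table and its two accounts are constructed for the demonstration; the Java equivalent of the safe version is PreparedStatement with setString().

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a bank's user table.  Passwords are stored in
    clear text only so the injection stays visible; a real application stores
    salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """The pattern from the slide: SQL assembled by string concatenation.
    With username = "' OR 1=1--" the statement becomes
    SELECT * FROM users WHERE username = '' OR 1=1--' AND password = '...'
    and everything after -- is a comment, so a row always comes back."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    """Prepared statement: the values travel separately from the SQL text, so
    ' OR 1=1-- is compared literally against the username column and matches nothing."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


USERNAME_RE = re.compile(r"^[0-9a-zA-Z]*$")   # the whitelist from the slide


def is_valid_username(username: str) -> bool:
    """Form-level white-listing: only the allowed alphabet, and a length cap
    (1..32, an assumption of this example) so the empty string is rejected too."""
    return bool(USERNAME_RE.fullmatch(username)) and 1 <= len(username) <= 32


def validated_login(conn, username: str, password: str) -> bool:
    """Defence in depth: reject bad input first, then use the prepared statement."""
    if not is_valid_username(username):
        return False
    return safe_login(conn, username, password)


if __name__ == "__main__":
    conn = make_db()
    attack = "' OR 1=1--"
    print("concatenation with ' OR 1=1-- :", vulnerable_login(conn, attack, "wrong"))
    print("prepared statement            :", safe_login(conn, attack, "wrong"))
    print("whitelist accepts the payload :", is_valid_username(attack))
    print("legitimate login still works  :", validated_login(conn, "alice", "s3cret"))
```

The whitelist alone is not the fix: a field that legitimately needs apostrophes (a surname, a free-text comment) cannot be white-listed this tightly, and the prepared statement is what keeps such a field safe. Validation narrows the attack surface; parameter binding removes the injection.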
75. WebKnight
The WebKnight page is http://aqtronix.com/?PageID=99
Installation instructions can be found at http://aqtronix.com/?PageID=99#Install
The WebKnight FAQ can be found at http://aqtronix.com/?PageID=114 and troubleshooting at http://aqtronix.com/?PageID=114#trouble
82. WebKnight
The WebKnight product keeps a Loaded.xml that shows what is currently loaded in memory, a WebKnight.xml holding the configuration to be loaded next, and a Robots.xml dedicated to bots.
If you ever get into trouble, you can delete WebKnight.xml and the default will be recreated.
WebKnight has preview settings to look at online: http://www.aqtronix.com/WebKnight/Manual/WebKnight.xml
Make sure you edit the file WebKnight.xml and NOT Loaded.xml (the latter is for debugging and shows what is loaded in memory).
About once a minute WebKnight re-reads WebKnight.xml, and Loaded.xml is rewritten to reflect the configuration that is now active.
83. WebKnight
The WebKnight product has editors for looking at the logs and XML, which are read from the AQTRONIX directory in Program Files:
94. Configuring WebKnight
Configuring WebKnight is mostly a cycle of testing the site for the desired results, looking at WebKnight's Log Analysis to check whether the observed results match the expected ones, and using the WebKnight Configuration tool to change the settings until they meet the desired outcome.
Always stop/start IIS after the changes.
95. WebKnight
Looking back at WebKnight, the request for shadow.txtbox.gif matched as a "shadow" file and was blocked: a false positive on a legitimate image.
96. WebKnight
We set WebKnight to temporarily allow all files and SOAP calls as a test. Wait a minute for the change to be picked up into Loaded.xml.
103. Configuring WebKnight
Ensure that WebKnight is in Logging Only mode from the last exercise.
Ensure that Netsparker is installed; if not, install it from the "My Documents" directory. It requires the .NET 3.5 framework.
105. If you are in Logging Only mode
In Logging Only mode, Netsparker will report many issues with the Hacme site.
The WebKnight logs will have many alerts in them from Netsparker attacking IIS.
106. Turn off the Logging Only mode
Double check by both checking Loaded.xml and testing the site for SQL Injection.
108. The scan is cleaner
If there is time, we can go through WebKnight.xml, change some settings, test, and continue to reconfigure WebKnight to get the optimal results.
110. Final Thoughts
Are there any Questions?
Feel free to contact me at rich.helton@state.co.us
Also, only ever try these tools against your own test site or with the permission of the system owner.