OWASP Plan - Strawman

Web Application Firewalls: Patch first, ask questions later

Jonathan Werrett
Trustwave, SpiderLabs
[email protected]
+852 6081 1508
8 November 2011

Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2: Overview
  - Web Application Firewalls
  - Virtual Patching
  - An Example Web App
  - Building Virtual Patches
  - SQL Injection Challenge Results

Slide 3: Web Application Firewalls
  - Security device dedicated to the web application layer
  - Provides context-specific protection
  - Can be hardware or software
  Positives:
    - High level of web knowledge
    - Centralised control
    - Mature anti-evasion
  Negatives:
    - Root cause not addressed
    - Won't address business logic and other similar flaws
    - Very specific

Slide 4: Web Application Firewalls (diagram)

Slide 5: Virtual Patching
  - Addressing specific flaws at the WAF layer
  - Just-in-time patching
  Benefits:
    - Time to patch
    - Reduced exposure
    - Flexibility
    - Out-of-band patching
    - Scalability
    - Patch availability
    - Dealing with legacy code
    - Reduced dependency on developers
    - Dealing with outsourced code
    - Avoiding re-inventing the wheel

Slide 6: ModSecurity
  - Open source web application firewall
  - Free to use
  - Largest install base
  - Numerous mature features
  - http://modsecurity.org/

Slide 7: Building Virtual Patches, Key Steps
  Preparation:
    - Make sure you're running ModSecurity!
    - Clearly establish roles
    - Create a suitable test environment
  Identification & Analysis:
    - Number of sources (active assessments, vulnerability notifications)
    - Identify key features
    - Whitelist or blacklist approach?
  Deploy & Test:
    - Make sure it doesn't stop legitimate traffic

Slide 8: Example Web Application
  http://quipr/

Slide 9: Building Virtual Patches, Worked Example: Cross-site Scripting

Slide 10: Building Virtual Patches, Worked Example: Cross-site Scripting
  Whitelist the values accepted for the user[bio] parameter:

    SecRule ARGS_POST:user[bio] "!^[\w\.\- ]*$" "phase:2,id:00001,t:none,t:urlDecodeUni,t:lowercase"

  Accepts: text, with spaces, dashes and full stops (the character class includes the dash so that it matches this accepted set).
  Blocks: anything else, including the punctuation characters < > $ ( ) ;
  t:none first discards any inherited transformations; urlDecodeUni and lowercase are then applied before the regex runs, so URL-encoded forms of the blocked characters are caught as well. The rule names no disruptive action, so it inherits one from SecDefaultAction; ModSecurity's built-in default is pass (log only), so a deny must be configured there, or in the rule itself, for the patch to actually block.

Slide 11: Demonstration

Slide 12: Building Virtual Patches, Worked Example: SQL Injection

Slide 13: Building Virtual Patches, Worked Example: SQL Injection
  The best method is to whitelist, as we did for XSS:

    SecRule REQUEST_FILENAME "!^[\/\w]*$" "phase:2,id:00002,t:none,t:urlDecodeUni,t:lowercase"

  The character class is read from a garbled slide as "slash or word character", and the rule id is 00002 rather than the 00001 already used by the XSS rule, since ModSecurity will not load two rules with the same id.

Slide 14: Demonstration
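The two whitelist rules above written out as complete virtual patches, an added example that is not from the slides: it assumes Apache with ModSecurity 2.x, and the rule ids 900001/900002 and the route /PLACEHOLDER-vulnerable-path are placeholders rather than values from the deck.

```apache
# Added example, not from the slides: the XSS and SQL injection whitelist
# rules as complete ModSecurity 2.x virtual patches for the quipr demo app.
# Assumptions: Apache + ModSecurity 2.x; ids 900001-900002 and the route
# /PLACEHOLDER-vulnerable-path are placeholders.

# Deploy & Test step: start in log-only mode, review the audit log against
# legitimate traffic, then change this to On to enforce the patches.
SecRuleEngine DetectionOnly

# Patch 1 (XSS): whitelist for the user[bio] parameter. t:none clears any
# inherited transformations; urlDecodeUni then lowercase normalise the value
# before the regex, so %3Cscript%3E and %u003Cscript%u003E are both caught.
# The explicit deny means the rule blocks regardless of SecDefaultAction.
SecRule ARGS_POST:user[bio] "!@rx ^[\w\.\- ]*$" \
    "phase:2,id:900001,t:none,t:urlDecodeUni,t:lowercase,\
    deny,status:403,log,\
    msg:'Virtual patch: unexpected characters in user[bio]',\
    logdata:'%{MATCHED_VAR}',\
    tag:'virtual-patch/xss'"

# Patch 2 (SQL injection via the path): whitelist slash and word characters
# in the request filename, but only on the affected route (chain), so the
# patch cannot produce false positives elsewhere in the application.
SecRule REQUEST_FILENAME "@beginsWith /PLACEHOLDER-vulnerable-path" \
    "phase:1,id:900002,t:none,chain,\
    deny,status:403,log,\
    msg:'Virtual patch: unexpected characters in request path',\
    logdata:'%{MATCHED_VAR}',\
    tag:'virtual-patch/sqli'"
    SecRule REQUEST_FILENAME "!@rx ^[\/\w]*$" "t:none,t:urlDecodeUni,t:lowercase"
```

With SecRuleEngine DetectionOnly, matches are written to the audit log with the msg and logdata above but nothing is blocked, which is what the Deploy & Test step needs before the patches are switched to enforcing.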

Slide 15: Building Virtual Patches, Worked Example: SQL Injection
  However, we can also leverage the OWASP Core Rule Set:
    - Numerous generic rules for various issues
    - Well tested and comprehensive
    - SQL injection alone has 179 tests
    - Sophisticated scoring process, rather than straightforward matching

Slide 16: Demonstration

Slide 17: Building Virtual Patches, Worked Example: Cross-site Request Forgery
  Setting a unique token per user (the rule is cut off in the source):

    SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/
