OWASP Plan - Strawman

Slide 1 - Web Application Firewalls: Patch first, ask questions later
Jonathan Werrett, Trustwave SpiderLabs
[email protected]
+852 6081 1508
8 November 2011
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org

Slide 2 - Overview
- Web Application Firewalls
- Virtual Patching
- An Example Web App
- Building Virtual Patches
- SQL Injection Challenge Results

Slide 3 - Web Application Firewalls
- Security device dedicated to the web application layer
- Provides context-specific protection
- Can be hardware or software
Positives:
- High level of web knowledge
- Centralised control
- Mature anti-evasion
Negatives:
- Root cause not addressed
- Won't address business logic and other similar flaws
- Very specific

Slide 4 - Web Application Firewalls (diagram)

Slide 5 - Virtual Patching
- Addressing specific flaws at the WAF layer
- Just-in-time patching
Benefits:
- Time to patch
- Reduced exposure
- Flexibility
- Out-of-band patching
- Scalability
- Patch availability
- Dealing with legacy code
- Reduced dependency on developers
- Dealing with outsourced code
- Avoiding re-inventing the wheel

Slide 6 - ModSecurity
- Open source web application firewall
- Free to use
- Largest install base
- Numerous mature features
- http://modsecurity.org/

Slide 7 - Building Virtual Patches: Key Steps
Preparation:
- Make sure you're running ModSecurity!
- Clearly establish roles
- Create a suitable test environment
Identification & Analysis:
- Number of sources (active assessments, vulnerability notifications)
- Identify key features
- Whitelist or blacklist approach?
Deploy & Test:
- Make sure it doesn't stop legitimate traffic

Slide 8 - Example Web Application
http://quipr/

Slide 9 - Building Virtual Patches: Worked Example, Cross-site Scripting

Slide 10 - Building Virtual Patches: Worked Example, Cross-site Scripting
Whitelist the values accepted for the user[bio] parameter:

    SecRule ARGS_POST:user[bio] "!^[\w\.\- ]*$" "phase:2,id:00001,t:none,t:urlDecodeUni,t:lowercase"

Accepts: text, with spaces, dashes and full stops.
Blocks: anything else, including the punctuation characters < > $ ( ) ;
The rule names no disruptive action of its own, so what happens on a match (deny, drop or pass) comes from the SecDefaultAction in force for phase 2.

Slide 11 - Demonstration

Slide 12 - Building Virtual Patches: Worked Example, SQL Injection

Slide 13 - Building Virtual Patches: Worked Example, SQL Injection
Best method is to whitelist, as we did for XSS:

    SecRule REQUEST_FILENAME "!^[\/\w]*$" "phase:2,id:00002,t:none,t:urlDecodeUni,t:lowercase"

This restricts the request path to slashes and word characters. Every rule needs its own id: reusing id:00001 from the XSS rule would make ModSecurity reject the configuration.

Slide 14 - Demonstration

Slide 15 - Building Virtual Patches: Worked Example, SQL Injection
However, we can also leverage the OWASP Core Rule Set:
- Numerous generic rules for various issues
- Well tested and comprehensive
- SQL injection alone has 179 tests
- Sophisticated scoring process, rather than straightforward matching

Slide 16 - Demonstration

Slide 17 - Building Virtual Patches: Worked Example, Cross-site Request Forgery
Setting a unique token per user:

    SecRule STREAM_OUTPUT_BODY "@rsub s/<\/body>/
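The two whitelist patches from slides 10 and 13, written out as they would be deployed for the Deploy & Test step on slide 7. This is an added example, not configuration from the slides or from the quipr application: the path /users/update, the rule ids 9000001 and 9000002 and the audit log location are assumptions, since the slides only give http://quipr/.

```apache
# Added example (not from the original slides): the user[bio] and request-path
# whitelists as complete ModSecurity 2.x virtual patches.
# Assumptions: the bio form posts to /users/update, ids 9000001-9000002 are
# unused on this installation, and /var/log/modsec_audit.log is writable.

# Start in detection-only mode: a whitelist that is too narrow then shows up
# in the audit log instead of blocking legitimate users. Switch to On once the
# test-environment traffic produces no false positives.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# XSS patch: evaluate user[bio] only on the resource that is vulnerable. The
# chain reaches its disruptive action only when every link matches, and each
# link carries its own transformation list.
SecRule REQUEST_FILENAME "@streq /users/update" \
    "id:9000001,phase:2,t:none,t:lowercase,chain,deny,status:403,log,\
    msg:'Virtual patch: unexpected characters in user[bio]',\
    tag:'VIRTUAL_PATCH/XSS'"
    SecRule ARGS_POST:user[bio] "!@rx ^[\w\.\- ]*$" "t:none,t:urlDecodeUni,t:lowercase"

# Path whitelist: the request path is known in phase 1, so a bad path can be
# rejected before the request body is read. Slashes and word characters only.
SecRule REQUEST_FILENAME "!@rx ^[\/\w]*$" \
    "id:9000002,phase:1,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,\
    msg:'Virtual patch: unexpected characters in request path',\
    tag:'VIRTUAL_PATCH/SQLI'"
```

Put the rules in a file that the main ModSecurity configuration includes, reload Apache, and replay the test-environment traffic from slide 7; the audit log then lists every request the patch would have denied. Each rule states deny and status:403 explicitly so the outcome does not depend on whatever SecDefaultAction the installation already has, and the rules for the two issues carry distinct ids so the configuration loads.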
