Tuesday, November 6, 2012

Securing OWASP Broken Web Apps with ModSecurity

Overview

In this blog entry I am going to secure the Apache server deployed in the OWASP Broken Web Apps VM with Trustwave's ModSecurity. The OWASP Broken Web Apps VM ships with ModSecurity already integrated; the only thing we have to do is enable it.
The main goal of this post is to help IT professionals enable ModSecurity, an open source WAF, and then get acquainted with it.

Enabling ModSecurity Module

The ModSecurity module is not enabled by default in the OWASP Broken Web Apps VM, so a few actions are needed on our side to make the module functional.
First of all, we need to shut down the Apache server:
/etc/init.d/apache2 stop
Then we edit httpd.conf, located at /etc/apache2, and add the following lines:
<IfModule security2_module>
        Include /etc/apache2/modsecurity-crs/activated_rules/*.conf
</IfModule>

Create soft links for the rules we want to activate in the activated_rules folder. In our example we are going to link the whole base rule set, plus the log settings file, by issuing the commands:
ln -s /etc/apache2/modsecurity-crs/base_rules/* /etc/apache2/modsecurity-crs/activated_rules/
ln -s /etc/apache2/modsecurity_crs_10_config_log.conf /etc/apache2/modsecurity-crs/activated_rules/

Next, we have to edit modsecurity_crs_10_config_log.conf in order to parameterize the logging engine.
  • If we need the ModSecurity WAF to block the requests that violate any of the activated rules, we have to change the "SecRuleEngine" directive from "DetectionOnly" to "On".
  • Change the "SecDefaultAction" directive to "phase:2,deny,nolog,auditlog" in order to log to a different file (the audit log rather than the Apache error log).
  • At the end of the file, un-comment the "SecAuditEngine" directive and, if you wish, alter the log file location and name by changing the value of the "SecAuditLog" directive.
Finally, we start the Apache server:
/etc/init.d/apache2 start
Now ModSecurity is fully operational and logs every rule violation.
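The steps above scripted end to end, as an added example that is not part of the OWASP BWA VM or of ModSecurity. Run with no arguments it rehearses the procedure on a constructed throwaway copy of the directory tree (two tiny stand-in rule files and a detect-only logging config, all constructed for the demo); run with --apply it edits $APACHE_ROOT (default /etc/apache2) and restarts Apache. It assumes the CRS 2.x layout and file names the post uses; the hypothetical make_fixture, enable_modsecurity and setting helpers are mine.

```shell
#!/bin/sh
# Added example, not part of OWASP BWA or ModSecurity: scripts the activation
# steps from this post. With no arguments it rehearses the steps on a
# constructed throwaway copy of the tree; with --apply it edits $APACHE_ROOT
# (default /etc/apache2) and restarts Apache. It assumes the CRS 2.x layout and
# file names used in the post.
APACHE_ROOT="${APACHE_ROOT:-/etc/apache2}"

# Build a constructed stand-in tree (two tiny rule files, a detect-only logging
# config, an httpd.conf) so the steps can be practised without the VM.
make_fixture() {
  root="$1"
  mkdir -p "$root/modsecurity-crs/base_rules" "$root/modsecurity-crs/activated_rules"
  printf 'SecRule ARGS "@rx union" "id:900001,phase:2,deny"\n' \
    > "$root/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
  printf 'SecRule ARGS "@rx <script" "id:900002,phase:2,deny"\n' \
    > "$root/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"
  printf 'SecRuleEngine DetectionOnly\nSecDefaultAction "phase:2,pass,log"\n# SecAuditEngine RelevantOnly\n# SecAuditLog /var/log/apache2/modsec_audit.log\n' \
    > "$root/modsecurity_crs_10_config_log.conf"
  printf 'ServerName localhost\n' > "$root/httpd.conf"
}

# Step 1: add the Include block to httpd.conf, but only once (safe to rerun).
add_crs_include() {
  root="$1"
  if ! grep -q 'activated_rules/\*\.conf' "$root/httpd.conf"; then
    printf '<IfModule security2_module>\n        Include %s/modsecurity-crs/activated_rules/*.conf\n</IfModule>\n' \
      "$root" >> "$root/httpd.conf"
  fi
}

# Step 2: symlink the whole base rule set plus the logging config into
# activated_rules; -f replaces existing links so reruns do not fail.
link_base_rules() {
  root="$1"
  for f in "$root"/modsecurity-crs/base_rules/*; do
    [ -e "$f" ] || continue
    ln -sf "$f" "$root/modsecurity-crs/activated_rules/"
  done
  ln -sf "$root/modsecurity_crs_10_config_log.conf" "$root/modsecurity-crs/activated_rules/"
}

# Step 3: switch the logging config from detect-only to blocking with audit
# logging, the three edits the post describes.
configure_logging() {
  conf="$1/modsecurity_crs_10_config_log.conf"
  sed -e 's/^SecRuleEngine .*/SecRuleEngine On/' \
      -e 's/^SecDefaultAction .*/SecDefaultAction "phase:2,deny,nolog,auditlog"/' \
      -e 's/^#[[:space:]]*\(SecAuditEngine .*\)/\1/' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

enable_modsecurity() {
  add_crs_include "$1"
  link_base_rules "$1"
  configure_logging "$1"
}

# Read back one directive's value so the result can be checked before Apache
# is started again.
setting() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1/modsecurity_crs_10_config_log.conf"
}

case "${1:-}" in
  --apply)
    /etc/init.d/apache2 stop
    enable_modsecurity "$APACHE_ROOT"
    # refuse to start Apache on a config that does not parse
    apache2ctl configtest && /etc/init.d/apache2 start
    ;;
  "")
    demo=$(mktemp -d)
    make_fixture "$demo"
    enable_modsecurity "$demo"
    echo "SecRuleEngine is now: $(setting "$demo" SecRuleEngine)"
    ls -l "$demo/modsecurity-crs/activated_rules"
    rm -rf "$demo"
    ;;
esac
```

Every step is written to be idempotent (the Include block is only appended once, ln -sf replaces stale links, the sed edits leave an already-converted file unchanged), so the script can be rerun after a rule-set update. The configtest call before the start is the check to keep: a typo in an activated rule otherwise leaves Apache down.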


Attack Example

At this point, we send a simple SQL injection payload in the id parameter in order to test the ModSecurity rules:

The module now populates the ModSecurity audit log. Here we can see the entries generated by our request:
Message: Rule b853e718 [id "950901"][file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule b853e718 [id "950901"][file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Pattern match "(?i:([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?([\\d\\w]+)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\(\\)]*)?\\2|([\\s'\"`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\ ..." at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data " 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Pattern match "(?i:\\bor\\b ?(?:\\d{1,10}|[\\'\"][^=]{1,10}[\\'\"]) ?[=<>]+|(?i:'\\s+x?or\\s+.{1,20}[+\\-!<>=])|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')|\\b(?i:x?or)\\b\\s+(\\d{1,10}|'[^=]{1,10}')\\s*[=<>])" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "134"] [id "959071"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "' or 1=1--"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
Message: Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*){4,}" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-"]
Message: Pattern match "(?i:(?i:\\d[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s+\\d)|(?:^admin\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]|(\\/\\*)+[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]+\\s?(?:--|#|\\/\\*|{)?)|(?:[\"'`\xc2\xb4\xe2\x80\x9 ..." at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "217"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "' or 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Pattern match "(?i:(?:[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]\\s*?(x?or|div|like|between|and)\\s*?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]?\\d)|(?:\\\\x(?:23|27|3d))|(?:^.?[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98]$)|(?:(?:^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98\\\\]*?(?:[\\ ..." at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "' or 1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 23, SQLi=13, XSS=): 981242-Detects classic SQL injection probings 1/2"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1352206441253338 16368 (- - -)
Stopwatch2: 1352206441253338 16368; combined=11385, p1=165, p2=10807, p3=3, p4=91, p5=318, sr=20, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.0trunk (http://www.modsecurity.org/); core ruleset/2.1.2.
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5
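An audit log entry like the one above is easier to triage once the rule id, severity, matched data and message are pulled out of each "Message:" line. The following is an added example written for this post, not code from ModSecurity or the CRS: a pair of awk-based shell functions that extract those fields and the total inbound anomaly score. The sample it runs on is constructed, shaped like the entry above with the long CRS regexes replaced by a marker; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post or the ModSecurity project: pulls the rule
# id, severity, matched data and message out of the "Message:" lines of a
# ModSecurity 2.x audit log entry, plus the total inbound anomaly score, so a
# day's audit log can be triaged with plain awk.

# Constructed sample shaped like the entry in the post; the long CRS regexes
# are replaced by a marker so the lines stay readable.
sample_audit_messages() {
  cat <<'EOF'
Message: Rule b853e718 [id "950901"][file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Pattern match "(regex omitted)" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data " 1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"]
Message: Pattern match "(regex omitted)" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "134"] [id "959071"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "' or 1=1--"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"]
Message: Pattern match "(regex omitted)" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-"]
Message: Pattern match "(regex omitted)" at ARGS:id. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "249"] [id "981242"] [msg "Detects classic SQL injection probings 1/2"] [data "' or 1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 23, SQLi=13, XSS=): 981242-Detects classic SQL injection probings 1/2"]
Apache-Handler: application/x-httpd-php
EOF
}

# Print id|severity|data|msg for every Message line that names a rule and a
# message; execution-error lines (id but no msg) are skipped. A field that is
# absent on a line (981173 has no severity) comes out empty.
modsec_rule_hits() {
  awk '
    # value of a bracketed key, e.g. field($0, "id") -> 950901; "" if absent
    function field(line, key,    re) {
      re = "\\[" key " \"[^\"]*\"\\]"
      if (match(line, re))
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 5)
      return ""
    }
    /^Message: / && field($0, "id") != "" && field($0, "msg") != "" {
      printf "%s|%s|%s|%s\n", field($0, "id"), field($0, "severity"), field($0, "data"), field($0, "msg")
    }'
}

# The total inbound anomaly score reported by the correlation rule (981204).
modsec_inbound_score() {
  awk 'match($0, /Total Inbound Score: [0-9]+/) { print substr($0, RSTART + 21, RLENGTH - 21); exit }'
}

# Run stand-alone: summarise the constructed sample.
sample_audit_messages | modsec_rule_hits
echo "inbound anomaly score: $(sample_audit_messages | modsec_inbound_score)"
```

Because only "Message:" lines are inspected, the same functions work on a whole audit log: `modsec_rule_hits < /var/log/apache2/modsec_audit.log | cut -d'|' -f1 | sort | uniq -c | sort -rn` gives a count per rule id, which is the quickest way to spot a rule that fires on legitimate traffic and needs tuning before SecRuleEngine is switched to On in production.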

Conclusion

Enabling ModSecurity in the OWASP Broken Web Apps VM is a good hands-on opportunity for WAF administrators to get used to configuring and parametrizing the ModSecurity open source web application firewall.
