Misconfiguration — Exploitability 3, Prevalence 3, Detectability 3, Technical 2
Example: Capital One — https://krebsonsecurity.com/tag/capital-one-breach
Capital One VPC: ModSecurity, AWS S3 Bucket, AWS EC2 VM
$ > aws iam list-roles
$ > …
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
ModSecurity Configuration
• Mistake in ModSecurity allowed attacker into VM
• IAM misconfiguration allowed access to S3
(Note: the configuration below runs with SecRuleEngine DetectionOnly, so rule matches are logged but the deny actions are not enforced.)
# ModSecurity (default) configuration
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.', logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:400, \
    msg:'Multipart request body failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH 
%{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"