This presentation demonstrates a dynamic, real-time integration between the ModSecurity open source WAF and the Arachni web application security scanner framework to achieve on-demand assessments and virtual patching of resources.
– Member of SpiderLabs Research – Surveillance Team Lead • IDS/IPS • MailMax • WAF – Web Application Defense – ModSecurity Project Leader • Author – “Preventing Web Attacks with Apache” • Pearson Publishing - 2006 – “The Web Application Defenders’ Cookbook” • Wiley Publishing – (Due end of 2012)
security policy enforcement layer which prevents the exploitation of a known vulnerability. • Method – A reactive, remediation-oriented, tactical response that relies upon other processes to identify vulnerabilities. • Process – The virtual patch logic analyzes HTTP transactions and intercepts attacks in transit so that malicious traffic never reaches the web application. • Result – While application flaws still exist, attackers are unable to exploit them.
has to be a known vulnerability that you are protecting. • With a known vulnerability, a WAF can then become more aggressive with blocking options when attacks are identified in the vulnerable location.
utilize both Strategic and Tactical remediation efforts to address vulnerabilities • Strategic Initiatives – Ownership is application developers – Focus on root-causes of vulnerabilities for web applications that must be fixed within the application code itself – Ideal for applications that are in the Design phase of the SDLC – Examples include adding in OWASP Enterprise Security API (ESAPI) components – Keep in mind that this takes TIME • Tactical Responses (Virtual Patching) – Ownership is operations security staff – Focus on web applications that are already in production and exposed to attacks – Attack Surface Reduction – Minimize the Time-to-Fix exposures
DAST - Identify vulnerabilities on live web applications – WAF – Prevent the exploitation of vulnerabilities within live web applications • Different Perspectives – DAST – Acts as an HTTP client, sends simulated malicious requests and inspects responses – WAF – Acts as a middle-man and inspects requests and responses looking for signs of malicious behavior • Different Teams – DAST – Information Security – WAF – Operational Security
scanning can be “harmful” to some applications • Rules of Engagement – Restrictive controls around who, what, where, when and how web applications may be actively scanned – Normally exclude mission-critical, sensitive systems – Often exclude testing subcategories such as Denial of Service or Brute Force attacks • Result is a decreased scope of testing http://www.isecom.org/projects/rules.shtml
time restricted – Test for N days • Scanners perform a breadth-first traversal of a web site for links to map a site and identify areas of user input – These crawls are usually only a few levels deep and miss large portions of the application – Credentialed vs. Anonymous access – Unless properly configured, scanners can miss possible navigation options (pull- down, user fields) or multi-step business flows – Handling client-side code such as AJAX Application Functionality Tested Functionality Untested Functionality (Security Testing)
scan? – Have I scanned the entire site? – When are there new code pushes? • What should I scan? – What are the URLs? – What are the Parameters? – What are the Cookies?
WAFs are run as “Attack Detection Systems” – Lack knowledge of vulnerability information. • Many vulnerabilities can not be identified passively – You must act as a client and send stimulus and review responses to confirm vulnerabilities
analysts have a difficult time with security event prioritization. – App without any SQL Injection Vulnerabilities • SQL Injection Alert for Site A -> URL1 -> Param:foo = Notice – App with confirmed SQL Injection Vulnerabilities • SQL Injection Alert for Site B -> URL2 -> Param:bar = Critical • Users are hesitant to utilize disruptive actions without confirmation of a vulnerability – Fear of false positive blocking causing business disruption
Injection Points • URL • Parameter/Cookie Name • Vulnerability Type (SQLi, XSS, etc…) • WAF – Site Tree Data (URLs and Parameters) – Application Credentials (Cookies) – Gathered from Live Application Users • Wouldn’t it be great if we could share data?
<pluginid>40005</pluginid> <alert>SQL Injection</alert> <riskcode>3</riskcode> <reliability>1</reliability> <riskdesc>High (Suspicious)</riskdesc> <desc>SQL injection is possible. User parameters submitted will be formulated into a SQL query for database processing. If the query is built by simple 'string concatenation', it is possible to modify the meaning of the query by carefully crafting the parameters. Depending on the access right and type of database used, tampered query can be used to retrieve sensitive information from the database or execute arbitrary code. MS SQL and PostGreSQL, which supports multiple statements, may be exploited if the database access right is more powerful. This can occur in URL query strings, POST paramters or even cookies. Currently check on cookie is not supported by Paros. You should check SQL injection manually as well as some blind SQL injection areas cannot be discovered by this check. </desc> <uri>http://192.168.168.128/vicnum/vicnum5.php</uri> <param>player</param> <attack>test%27INJECTED_PARAM'INJECTED_PARAM</attack> --CUT-- </alertitem>
- Type: SQL Injection Found a SQL Injection vulnerability. Validating URL: http://192.168.168.128/vicnum/vicnum5.php URL is well-formed Continuing Rule Generation Current vulnerable Param(s): player SQL Injection (uricontent and param) rule successfully generated and saved in ./modsecurity_crs_48_virtual_patches.conf. =========================================================== --CUT-- ************ END OF SCRIPT RESULTS ***************** Number of Vulnerabilities Processed: 5 Number of ModSecurity rules generated: 2 Number of Unsupported vulns skipped: 2 Number of bad URLs (rules not gen): 0 ****************************************************
Time-to-Fix metrics for web application vulnerabilities. – We must beat the Time-to-Hack metric for attackers • Use Automation for Integration – Attackers use automation – so should we! – Use WAF to initiate DAST scans of individual resources – DAST Scans Resource and generates report – WAF pulls report and extracts vulnerability data – WAF correlates vulnerability data for protection
to integrate DAST/ WAF, the scanner needs to be run as a service – Not as a client desktop app – Need an API Service • Using Arachni Scanner – Written by Tasos Laskos (@Zap0tek) – Developed in Ruby – RPC service http://arachni-scanner.com/
Arachni - Web Application Security Scanner Framework Author: Tasos "Zapotek" Laskos <[email protected]> <[email protected]> (With the support of the community and the Arachni Team.) Website: http://github.com/Zapotek/arachni Documentation: http://github.com/Zapotek/arachni/wiki Arachni - Web Application Security Scanner Framework v0.4.1 [0.2.5] Author: Tasos "Zapotek" Laskos <[email protected]> <[email protected]> (With the support of the community and the Arachni Team.) Website: http://github.com/Zapotek/arachni Documentation: http://github.com/Zapotek/arachni/wiki I, [2012-04-05T11:11:35.605542 #2985] INFO -- System: RPC Server started. I, [2012-04-05T11:11:35.605931 #2985] INFO -- System: Listening on 192.168.168.128:39127
Arachni: Host: 192.168.168.128 Arachni: Filename: /vicnum/vicnum5.php Arachni: URL to scan is: http://192.168.168.128/vicnum/vicnum5.php Arachni: Request Method is: POST Arachni: Arg Name: player and Value: test. Arachni: Updated ARGS table is: --- player: test Arachni: Updated Cookies table is: --- {} Arachni: Yaml output of vectors is: --- - inputs: player: test type: form method: POST action: http://192.168.168.128/vicnum/vicnum5.php
System: RPC Server started. I, [2012-04-05T11:33:32.007164 #3771] INFO -- System: Listening on 192.168.168.128:44604 I, [2012-04-05T11:35:47.390623 #3746] INFO -- Call: dispatcher.dispatch [192.168.168.128] I, [2012-04-05T11:35:47.419363 #3748] INFO -- Call: modules.load [192.168.168.128] Arachni - Web Application Security Scanner Framework v0.4.1 [0.2.5] Author: Tasos "Zapotek" Laskos <[email protected]> <[email protected]> (With the support of the community and the Arachni Team.) Website: http://github.com/Zapotek/arachni Documentation: http://github.com/Zapotek/arachni/wiki I, [2012-04-05T11:35:47.451187 #3748] INFO -- Call: plugins.load [192.168.168.128] I, [2012-04-05T11:35:47.447358 #3837] INFO -- System: RPC Server started. I, [2012-04-05T11:35:47.453383 #3837] INFO -- System: Listening on 192.168.168.128:61420 I, [2012-04-05T11:35:47.459832 #3748] INFO -- Call: opts.set [192.168.168.128] I, [2012-04-05T11:35:47.487119 #3748] INFO -- Call: framework.run [192.168.168.128]
resource Wrote variable: name "__expire_KEY", value "1333644233". Wrote variable: name "KEY", value "192.168.168.128_/vicnum/vicnum5.php". Wrote variable: name "TIMEOUT", value "3600". Wrote variable: name "__key", value "192.168.168.128_/vicnum/vicnum5.php". Wrote variable: name "__name", value "resource". Wrote variable: name "CREATE_TIME", value "1333640632". Wrote variable: name "UPDATE_COUNTER", value "1". Wrote variable: name "min_pattern_threshold", value "50". Wrote variable: name "min_traffic_threshold", value "100". Wrote variable: name "arachni_scan_initiated", value "1". Wrote variable: name "arachni_instance_info_port", value "30118". Wrote variable: name "arachni_instance_info_token", value "c5ab2feb9072ed8e7737f7d526e7b254". Wrote variable: name "traffic_counter", value "1". Wrote variable: name "request_method_counter_POST", value "1". Wrote variable: name "NumOfArgs_counter_1", value "1". Wrote variable: name "args_names_counter_player", value "1". Wrote variable: name "ARGS:player_length_4_counter", value "1". Wrote variable: name "ARGS:player_alpha_counter", value "1". Wrote variable: name "LAST_UPDATE_TIME", value "1333640633". Persisted collection (name "resource", key "192.168.168.128_/vicnum/vicnum5.php").
checking scan status. Arachni: Port info: 30118 and Token info: c5ab2feb9072ed8e7737f7d526e7b254 Arachni: Scan completed - calling for report. Arachni: Yaml Results: --- - cwe: '79' description: "Client-side code (like JavaScript) can\n be injected into the web application which is then returned to the user's browser.\n This can lead to a compromise of the client's system or serve as a pivoting point for other attacks." references: ha.ckers: http://ha.ckers.org/xss.html Secunia: http://secunia.com/advisories/9716/ variations: [] _hash: d241855ec9dd4694f6eaf28e28a0913f mod_name: XSS var: player elem: form url: http://192.168.168.128/vicnum/vicnum5.php cvssv2: '9.0' method: POST
"50". Wrote variable: name "min_traffic_threshold", value "100". Wrote variable: name "arachni_scan_initiated", value "1". Wrote variable: name "arachni_instance_info_port", value "30118". Wrote variable: name "arachni_instance_info_token", value "c5ab2feb9072ed8e7737f7d526e7b254". Wrote variable: name "traffic_counter", value "2". Wrote variable: name "request_method_counter_POST", value "2". Wrote variable: name "NumOfArgs_counter_1", value "2". Wrote variable: name "args_names_counter_player", value "2". Wrote variable: name "ARGS:player_length_4_counter", value "2". Wrote variable: name "ARGS:player_alpha_counter", value "2". Wrote variable: name "LAST_UPDATE_TIME", value "1333640642". Wrote variable: name "xss_vulnerable_params", value "player". Wrote variable: name "sqli_vulnerable_params", value "player". Wrote variable: name "arachni_scan_completed", value "1". Persisted collection (name "resource", key "192.168.168.128_/vicnum/ vicnum5.php").
concept will eventually be put into the OWASP ModSecurity CRS • Need to account for Changed Resources • Need to incorporate more vulnerability classes – Currently handle • SQL Injection • Cross-site Scripting • Directory Traversals • Integration with other DAST tools – Zed Attack Proxy API