Web application firewall with Modsecurity – All things in moderation

Web application firewall with Modsecurity

Some definitions

We will first go through some definitions of Web application firewalls and the related modules. If you already know them, you can skip this part.

A Web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

Rule-set recommendation

Comodo
OWASP
Atomic Corp

Set up a demo

You can set it up manually by following the steps here.

Or, if you only want to test the rules first, using a prebuilt Docker image is another option.

Run the nginx-modsecurity container:

docker pull nodeintegration/nginx-modsecurity
docker run -d nodeintegration/nginx-modsecurity   # runs in the background; on the default bridge network the container is reachable at 172.17.0.2

We can verify that ModSecurity is working by attempting an SQL injection attack on our virtual host with the following request:

http://172.17.0.2/index.php?username=1%27%20or%20%271%27%20=%20%271&password=1%27%20or%20%271%27%20=%20%271

The decoded version looks like this:

http://172.17.0.2/index.php?username=1' or '1' = '1&password=1' or '1' = '1

This is a simple attempt to bypass a naive user authentication system.

The file index.php does not exist on our server, so without ModSecurity the server would respond with a 404. With ModSecurity in detection mode, the server instead responds with a 403 and writes a number of entries to the nginx error log similar to the following:

2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/etc/nginx/modsecurity.conf"] [line "7440"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"] 

2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/etc/nginx/modsecurity.conf"] [line "7440"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:password: 1' or '1' = '1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"]  

2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/nginx/modsecurity.conf"] [line "8909"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"]  

172.17.0.1 - - [18/Jun/2017:18:26:51 +0000] "GET /index.php?username=1%27%20or%20%271%27%20=%20%271&password=1%27%20or%20%271%27%20=%20%271 HTTP/1.1" 403 169 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0" "-"  
2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/nginx/modsecurity.conf"] [line "10184"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"]

As you can see, a number of the OWASP rules are triggered by this request (two hits of rule 942100, one per parameter, and then the anomaly-score rule 949110 that denies the request). That means ModSecurity is working with the OWASP CRS rules.
You can try other attempts to test the rules, or create new rules for your website.
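To make this check repeatable rather than reading the log by eye, the following added Python script (not part of the original post or of the nodeintegration image) parses nginx error-log entries in the ModSecurity format shown above, groups them by unique_id, and reports the rule IDs hit, the inbound anomaly score and whether the request was blocked. The sample entries are constructed from the ones above with the tag lists shortened.

```python
import re
from collections import defaultdict

# Constructed sample: three ModSecurity entries in the nginx error-log format
# shown in the post (tag lists shortened, other values as in the post).
SAMPLE_LOG = """\
2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/etc/nginx/modsecurity.conf"] [line "7440"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '1"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"]
2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/etc/nginx/modsecurity.conf"] [line "7440"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:password: 1' or '1' = '1"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"]
2017/06/18 18:26:51 [error] 6#6: [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/nginx/modsecurity.conf"] [line "8909"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname ""] [uri "/index.php"] [unique_id "AcAcAcA5E6AcAcAcAcAcAcAc"]
"""
# [key "value"] pairs; values never contain a double quote in this format.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Client address and the action text right after "ModSecurity:".
PREFIX_RE = re.compile(r'\[client ([^\]]+)\] ModSecurity: ([^.]+)\.')
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
CODE_RE = re.compile(r'Access denied with code (\d+)')


def parse_entry(line):
    """Return one log line as a dict of its fields, or None if not ModSecurity."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    entry = {"client": m.group(1), "action": m.group(2), "tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)  # tag repeats, so collect it as a list
        else:
            entry[key] = value
    return entry


def summarize(log_text):
    """Group entries per transaction (unique_id): rules hit, score, verdict."""
    txs = defaultdict(lambda: {"client": None, "uri": None, "rules": [],
                               "score": None, "blocked": False, "status": None})
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        tx = txs[e.get("unique_id", "?")]
        tx["client"], tx["uri"] = e["client"], e.get("uri")
        if "id" in e:
            tx["rules"].append(e["id"])
        s = SCORE_RE.search(e.get("msg", ""))
        if s:
            tx["score"] = int(s.group(1))
        c = CODE_RE.search(e["action"])
        if c:  # the blocking rule (949110 above) fired
            tx["blocked"], tx["status"] = True, int(c.group(1))
    return dict(txs)
```

Feed it the real file with summarize(open("/var/log/nginx/error.log").read()) to see, per transaction, which rules contributed to the score and whether the request was denied.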

This post is just a quick start for you if you want to test ModSecurity and don’t need a complex setup. Hope it’s helpful.

REFERENCES

https://www.owasp.org/index.php/Web_Application_Firewall
https://modsecurity.org/about.html
https://modsecurity.org/crs/
