
(1)

Tel.+41 55-214 41 60 Fax+41 55-214 41 61 [email protected] Compass Security AG Glärnischstrasse 7 Postfach 1628

Open Source Apache <WAF>

Web Application Firewall

Ivan Bütler - E1

Compass Security AG | [email protected]

Switzerland - Germany

(2)

© Compass Security AG www.csnc.ch Seite 2

E1 - Who am I

Ivan Bütler, Uznach

Speaker at Blackhat 2008 Las Vegas

Born 31.12.1970

Founder of Compass Security AG

Founder of Swiss Cyber Storm II

Passionate Security Researcher

Husband of Cornelia and father of Tim and Nick (6 & 8)

Proud Swiss Citizen

(3)
(4)


Compass Security - Overview


(5)

Goals of this Talk

Understanding the demand for a Web App Firewall

How to build an Open Source Apache Entry Server

Understanding the Components

Understanding Pros & Cons

(6)


(7)

Where do you expect the attackers?

Direct Attacks

BLOCKED

PASSED

(8)


Man in the Middle – Phishing

(9)

Malware – Mobile Devices – W-LAN

Indirect Attacks (II)

Bypassing Perimeter Protection

(10)


Level 1: Reverse Proxy

Level 2: Web Application Firewall

Level 3: Entry Server

(11)

Situations without a Reverse Proxy

Direct Access to the Public Web Applications

More firewall ports opened

(12)


Reverse Proxy Setup

Reverse Proxy Access to Public Web Applications

Reverse Proxy

(13)

Reverse Proxy Setup

Reverse Proxy

Allows hiding different applications behind a single server

Single point of entry

[Diagram: Browser --https--> Reverse Proxy (server cert) --http--> IIS, WebLogic, WebSphere]

(14)


OWASP Top 10 (Q4 2007)

A1 Cross Site Scripting

A2 Injection Flaws (SQLi)

A3 Malicious File Execution (RFI)

A4 Insecure Direct Object Reference

A5 Cross Site Request Forgery

A6 Information Leakage

A7 Broken Auth & Session Management

A8 Insecure Cryptographic Storage

A9 Insecure Communications

A10 Failure to restrict URL Access

(15)


United Security Providers (USP) SES

Phion/Visonys AirLock

AdNovum Nevis Web

IBM Tivoli Access Manager (a.k.a. WebSEAL)

NetContinuum Application Security Gateway

Cisco ACE Web Application Firewall

Microsoft ISA Server

... (this is not a complete list!)

(16)


(17)

Cooking Recipe

Apache Core Web Server

http://httpd.apache.org

Apache Firewall Module

mod_security

http://www.modsecurity.org

Apache Content Rewriting Module

mod_replace

Visit Swiss Cyber Storm (www.hacking-lab.com)

Apache Entry Server Module

mod_but

Visit Swiss Cyber Storm (www.hacking-lab.com)

Apache Forensic Module

(18)


(19)

Reverse Proxy Small Feature List

SSL Termination

Content Rewriting

Intrusion Detection & Prevention

Forensic Logging

Secure Session Management

Pre-Authentication & Single-Sign On

(20)


Reverse Proxy: SSL Termination

Apache mod_ssl & mod_proxy

SSLEngine On
SSLProxyEngine On
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLProtocol +TLSv1 +SSLv3 -SSLv2
SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!SSLv2:!EXP
SSLOptions +StdEnvVars +ExportCertData
SSLSessionCache shm:ssl/ssl_scache(512000)
SSLSessionCacheTimeout 18000

(21)

Reverse Proxy: SSL Termination

Apache mod_ssl & mod_proxy

ProxyPass /app1 http://10.1.200.34:8899/
ProxyPassReverse /app1 http://10.1.200.34:8899/
ProxyPass /app2 http://10.1.200.77:8080/

(22)


Reverse Proxy: SSL Termination

How do you deny weak browsers from your application?

Hardened Cipher Suite

Within Application

Hardening CipherSuite in httpd.conf

SSLCipherSuite

RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!SSLv2:!EXP

I do not recommend hardened Cipher Suites!

Error messages on SSL are not user friendly!

Therefore...

I recommend application level checks using mod_headers

Human friendly error message generated by the backend application when the browser does not fulfil the cipher strength

RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e"

(23)

Reverse Proxy: SSL Termination

RequestHeader append SSL_PROTOCOL "%{SSL_PROTOCOL}e"

RequestHeader append SSL_SESSION_ID "%{SSL_SESSION_ID}e"

RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e"

RequestHeader append SSL_CIPHER_ALGKEYSIZE "%{SSL_CIPHER_ALGKEYSIZE}e"

RequestHeader append SSL_CIPHER_EXPORT "%{SSL_CIPHER_EXPORT}e"

RequestHeader append SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}e"

RequestHeader append SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
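The application-level check the slides recommend, as an added example that is not part of the deck: a backend-side Python function reads the SSL_* headers that the RequestHeader directives above append and returns the human-friendly message to render. The minimum key size, the set of rejected protocols and the plain header dict are assumptions of this example; because `append` merges onto a same-named header a client may already have sent, the function takes the last comma-separated element, which is the proxy's own value.

```python
"""Backend-side check of the SSL_* request headers appended by the reverse proxy.

Added example (not from the slides); it assumes the backend sees the headers
under exactly the names used in the RequestHeader directives.
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}  # policy chosen for this example
MIN_KEY_BITS = 128                   # minimum SSL_CIPHER_USEKEYSIZE accepted


def proxy_value(headers, name):
    """Return the value the proxy appended for header `name`, or None if absent.

    `RequestHeader append` merges onto a same-named header already present in the
    request, comma-separated, so the proxy's own value is always the last element.
    """
    raw = headers.get(name)
    if raw is None:
        return None
    return raw.split(",")[-1].strip()


def check_tls_strength(headers):
    """Return (ok, message); `message` is the text the application should show."""
    protocol = proxy_value(headers, "SSL_PROTOCOL")
    cipher = proxy_value(headers, "SSL_CIPHER")
    export = proxy_value(headers, "SSL_CIPHER_EXPORT")
    usebits = proxy_value(headers, "SSL_CIPHER_USEKEYSIZE")
    if protocol is None or cipher is None or usebits is None:
        # No TLS information at all: the request did not come through the entry server.
        return False, "This application must be accessed through the entry server."
    if protocol in WEAK_PROTOCOLS:
        return False, f"Your browser connected with {protocol}; please enable TLS 1.0 or newer."
    if export == "true":  # mod_ssl sets SSL_CIPHER_EXPORT to the string "true" or "false"
        return False, f"Your browser chose an export-grade cipher ({cipher}); please update it."
    try:
        bits = int(usebits)
    except ValueError:
        return False, "The cipher strength reported for your connection is unreadable."
    if bits < MIN_KEY_BITS:
        return False, (f"Your browser negotiated only a {bits}-bit cipher ({cipher}); "
                       f"at least {MIN_KEY_BITS} bits are required.")
    return True, f"Connection secured with {protocol}, {cipher} ({bits}-bit)."


if __name__ == "__main__":
    # Constructed header set, as a browser that negotiated 3DES would produce.
    sample = {"SSL_PROTOCOL": "TLSv1", "SSL_CIPHER": "DES-CBC3-SHA",
              "SSL_CIPHER_USEKEYSIZE": "168", "SSL_CIPHER_EXPORT": "false"}
    print(check_tls_strength(sample))
```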

(24)


Reverse Proxy: Content Rewriting

Problem

Backend Application includes absolute href links

Example: http://backend/index.html

Backend Application secures the cookies

Domain restrictions

Path restrictions

Expiration restrictions

Backend application uses a different protocol than the reverse proxy

Fix up http to https links

Absolute URLs

Redirections, Location headers (302 Moved Temporarily)

Why not use mod_rewrite?

Because mod_rewrite cannot parse and search/replace the body of an HTTP request or response

(25)

Reverse Proxy: Content Rewriting

Why not use mod_substitute?

Within the Apache core since 2.2.7

Performs search and replace operations on response bodies, but has no support for response headers, request headers or request bodies

Therefore, I recommend mod_replace

Request Header Replacement

Request Body Replacement

Response Header Replacement

Response Body Replacement

ReplaceFilterDefine myproxy1 CaseIgnore
ReplacePattern myproxy1 "glocken.hacking-lab.com" "192.168.200.130"
ReplacePattern myproxy1 "https" "http"
HeaderReplacePattern myproxy1 Location "glocken.hacking-lab.com" "192.168.200.130"
HeaderReplacePattern myproxy1 Location "https" "http"
HeaderReplacePattern myproxy1 Set-Cookie "Secure" ""
SetOutputFilter myproxy1

(26)


Demo „Web Firewall“

mod_security

(27)

Reverse Proxy Small Feature List

SSL Termination

Content Rewriting

Intrusion Detection & Prevention

Forensic Logging

Secure Session Management

Pre-Authentication & Single-Sign On

(28)


Reverse Proxy: Intrusion Detection

Apache mod_security2

LoadModule security2_module modules/mod_security2.so

Basic configuration options

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
...
Include conf/modsecurity2/*.conf

Configure SecDefaultAction

SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

(29)

Reverse Proxy: Forensic Logging

(30)


Reverse Proxy: Forensic Logging

Who generates the Request ID (alias Unique_ID)?

Apache mod_unique_id

Default Log Option in httpd.conf (without mod_unique_id)

LogFormat "%h %l %u %t \"%r\" %>s %b" common

Web Application Firewall Log Option (with mod_unique_id)

LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b" common
ForensicLog logs/forensic.log

Sending the Unique_ID as HTTP Request Header to Backend!

(31)

Reverse Proxy: Forensic Logging

Unique ID in access.log

SYq7yX8AAQEAAGOqIicAAAAA 192.168.200.10 - [05/Feb/2009:11:13:29 +0100] "GET /webapp/but/EchoRequest HTTP/1.1" 404 329

Unique ID in forensic.log

grep SYq7yX8AAQEAAGOqIicAAAAA forensic.log

+SYq7yX8AAQEAAGOqIicAAAAA|GET /webapp/but/EchoRequest HTTP/1.1|Host:192.168.200.130|User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv%3a1.8.0.4) Gecko/20060508 Firefox/1.5.0.4|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5|Accept-Language:en-us,en;q=0.5|Accept-Encoding:gzip,deflate|Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.7|Keep-Alive:300|Connection:keep-alive|Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb|Cache-Control:max-age=0
-SYq7yX8AAQEAAGOqIicAAAAA
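An added example (not from the slides) of what the shared unique id buys an investigator: it parses mod_log_forensic records, joins them to access.log lines written with the `%{forensic-id}n` LogFormat above, and lists requests that have a `+id` record but no closing `-id`. The log lines are constructed in the layout shown on the slides, not real captures.

```python
"""Correlate access.log (prefixed with %{forensic-id}n) with mod_log_forensic records."""
import re
# Constructed sample lines in the layout shown on the slides (not real captures).
ACCESS_LOG = """\
SYq7yX8AAQEAAGOqIicAAAAA 192.168.200.10 - - [05/Feb/2009:11:13:29 +0100] "GET /webapp/but/EchoRequest HTTP/1.1" 404 329
SYq7yX8AAQEAAGOqIicAAAAB 192.168.200.11 - - [05/Feb/2009:11:13:30 +0100] "GET /app1/index.html HTTP/1.1" 200 1024
"""
FORENSIC_LOG = """\
+SYq7yX8AAQEAAGOqIicAAAAA|GET /webapp/but/EchoRequest HTTP/1.1|Host:192.168.200.130|User-Agent:Mozilla/5.0 (rv%3a1.8.0.4)|Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb
-SYq7yX8AAQEAAGOqIicAAAAA
+SYq7yX8AAQEAAGOqIicAAAAB|GET /app1/index.html HTTP/1.1|Host:192.168.200.130|User-Agent:curl/7.19
-SYq7yX8AAQEAAGOqIicAAAAB
+SYq7yX8AAQEAAGOqIicAAAAC|POST /app1/upload HTTP/1.1|Host:192.168.200.130|Content-Length:99999999
"""
# LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b"
ACCESS_RE = re.compile(r'^(?P<fid>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                       r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+$')

def _unescape(value):
    """mod_log_forensic writes ':', '|', '%' and non-printables as %xx."""
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_forensic(text):
    """Map forensic id -> request line, headers, and whether its closing '-id' record exists."""
    entries = {}
    for line in text.splitlines():
        if line.startswith("+"):
            fields = line[1:].split("|")
            headers = {}
            for field in fields[2:]:
                name, _, value = field.partition(":")
                headers[name] = _unescape(value)
            entries[fields[0]] = {"request": _unescape(fields[1]),
                                  "headers": headers, "completed": False}
        elif line.startswith("-") and line[1:] in entries:
            entries[line[1:]]["completed"] = True
    return entries

def correlate(access_text=ACCESS_LOG, forensic_text=FORENSIC_LOG):
    """Join both logs on the forensic id: client IP and status from access.log, headers from
    forensic.log. An id with no '-' record and no access.log line never finished processing."""
    access = {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            access[m["fid"]] = m.groupdict()
    report = {}
    for fid, entry in parse_forensic(forensic_text).items():
        acc = access.get(fid)
        report[fid] = {"request": entry["request"], "completed": entry["completed"],
                       "client": acc["client"] if acc else None,
                       "status": int(acc["status"]) if acc else None,
                       "user_agent": entry["headers"].get("User-Agent"),
                       "session_cookie": entry["headers"].get("Cookie")}
    return report

def incomplete_requests(report):
    """Forensic ids opened with '+' but never closed with '-'."""
    return sorted(fid for fid, r in report.items() if not r["completed"])
```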

(32)


Demo „Session Management“

mod_but

(33)

Reverse Proxy Small Feature List

SSL Termination

Content Rewriting

Intrusion Detection & Prevention

Forensic Logging

Secure Session Management

Pre-Authentication & Single-Sign On

(34)


Reverse Proxy: Session Management

Without a Session Store (Cookie Store)

Reverse Proxy

(35)

Reverse Proxy: Session Management

With Session Store (Session Hiding)

Reverse Proxy

(36)


Reverse Proxy: Pre-Authentication

Zones

Public Zone: Login Server (anonymous access)

Private Zone: E-Business Applications (authentication is required)

[Diagram: Internet -> FW -> Entry Tier with Login Service (not authenticated requests) -> FW -> Application (authenticated requests only)]

(37)

Reverse Proxy: Pre-Authentication

[Sequence diagram between Client, MOD_BUT, DLS (Delegated Login Service), LDAP and Backend Application. Messages in the order shown: /application; Redirect Login Page; POST LOGIN DATA; authenticate(); get LOGIN DATA for Backend App; Username/Password for Backend App; LOGIN into Backend App; Login ok; LOGON=ok]

(38)


MOD_BUT Logon

Cookie Messages from Login Server to MOD_BUT

LOGON=ok

MOD_BUT_USERNAME=<$user>

MOD_BUT_AUTH_STRENGTH=0,1,2

MOD_BUT_SERVICE_LIST=regexp

(39)

Reverse Proxy: Service Authorization

Service Authorization

The user is granted permission for certain, but not all, URLs behind the Reverse Proxy

Example

User is authorized for /upload

User is authorized for /admin

User is not authorized for /enterpriseadmin

Login Server sends a control cookie to the Reverse Proxy

Set-Cookie: LOGON=ok

Set-Cookie: MOD_BUT_USERNAME=$username

Set-Cookie: MOD_BUT_SERVICE_LIST=(^/12001(.*))

Set-Cookie: MOD_BUT_AUTH_STRENGTH=0,1,2
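An added Python model (not mod_but's own code) of how the control cookies above can be enforced per request: parse the Set-Cookie headers from the login server, match the request path against MOD_BUT_SERVICE_LIST, and compare MOD_BUT_AUTH_STRENGTH against a per-location minimum. The per-location minimum strengths, the regexp-against-path matching, the user name and the deny-by-default handling are assumptions of this example.

```python
"""Model of the MOD_BUT control cookies and the per-request authorization they drive."""
import re

CONTROL_COOKIES = {"LOGON", "MOD_BUT_USERNAME", "MOD_BUT_SERVICE_LIST", "MOD_BUT_AUTH_STRENGTH"}
# Hypothetical step-up policy: minimum MOD_BUT_AUTH_STRENGTH per location prefix
# (the slides only say the strength is 0, 1 or 2).
REQUIRED_STRENGTH = {"/admin": 2, "/upload": 1}

def parse_control_cookies(set_cookie_headers):
    """Pick the control cookies out of the Set-Cookie headers sent by the login server;
    attributes after the first ';' and cookies with other names are ignored."""
    ctl = {}
    for header in set_cookie_headers:
        raw = header.partition(":")[2] if header.startswith("Set-Cookie:") else header
        name, sep, value = raw.split(";", 1)[0].strip().partition("=")
        if sep and name in CONTROL_COOKIES:
            ctl[name] = value
    return ctl

def authorize(ctl, path, required=REQUIRED_STRENGTH):
    """Return (allowed, reason); anything missing or malformed denies the request."""
    if ctl.get("LOGON") != "ok":
        return False, "no successful logon"
    try:
        strength = int(ctl["MOD_BUT_AUTH_STRENGTH"])
    except (KeyError, ValueError):
        return False, "missing or malformed MOD_BUT_AUTH_STRENGTH"
    pattern = ctl.get("MOD_BUT_SERVICE_LIST")
    if not pattern:
        return False, "empty MOD_BUT_SERVICE_LIST"
    try:
        if not re.search(pattern, path):
            return False, f"{path} is not in the user's service list"
    except re.error:
        return False, "malformed MOD_BUT_SERVICE_LIST regexp"
    needed = max((lvl for prefix, lvl in required.items() if path.startswith(prefix)), default=0)
    if strength < needed:
        return False, f"step-up required: {path} needs strength {needed}, user has {strength}"
    return True, f"{ctl.get('MOD_BUT_USERNAME', '?')} authorized for {path}"

# Constructed login-server response for the slide's example user ("alice" is made up).
LOGIN_RESPONSE = [
    "Set-Cookie: LOGON=ok",
    "Set-Cookie: MOD_BUT_USERNAME=alice",
    "Set-Cookie: MOD_BUT_SERVICE_LIST=(^/upload(.*))|(^/admin(.*))",
    "Set-Cookie: MOD_BUT_AUTH_STRENGTH=2",
    "Set-Cookie: JSESSIONID=abc123; Path=/",  # unrelated backend cookie, ignored
]

if __name__ == "__main__":
    ctl = parse_control_cookies(LOGIN_RESPONSE)
    for path in ("/upload", "/admin", "/enterpriseadmin"):
        print(path, authorize(ctl, path))
```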

(40)


Reverse Proxy: DLS

DLS = Delegated Login Service

Some applications have their own login component

Outlook Web Access

Wiki

(41)

MOD_BUT Features

Session Store

Pre-Authentication

Step-Up Authentication (Authorization Level)

Service Authorization

Delegated Login Server Support

(42)


The Secure Document Exchange Solution

(43)

MOD_BUT TODO

[ ] Rewrite SHM handling and data structures, eliminate SHM stuff from callers (mod_but_cookiestore.c, mod_but_session.c, mod_but_shm.c). Goals: increased performance, lower shared memory usage, more robust interfaces, thread-safety

(44)


(45)

Airlock URL Encryption

URL-Encryption…

Effective against Forceful Browsing

URLs and parameters are protected

Hides Technology and Topology

Works dynamically, no specific configuration necessary

GET https://web.server.com/home/MDNCIGBPCEDDNKBMMOCNGDLHBEOJJEMCHJOIAODKJPNOPOEPOBJONBPFCFCNBOEIPICACIPNAKIIKLFMEIMEGBFGFGMIBDLEipe4PixkUbKsXFBnb6YodmYPJyK66k1Ochxjrr6+Zaziy20FxB+Sz1hUm8OchL/IREKvKVzlNKSRuiig7sh7jwI4y2xFNltX98GQFYkGq7fbHtzBKtOCQtQ0AviT1pJlP1I+xG5baW/3zx/IuHD9dpJ4I0J92oN9wa5gcs8JXQ7lkcG2HsV8EiPKbt7wFR2h HTTP/1.1

(46)


Airlock Smart Form Protection

Smart Form Protection …

Cryptographic protection of HTML forms

Only allowed input is accepted (Airlock "remembers" form fields)

(47)


Load Balancing

High Availability

(48)


Failover (London – New York)

Central Session Store (High Availability)

[Diagram: Entry Server London and Entry Server New York, Backend Application London and New York, Login Service London and New York, all sharing the central session store]

(49)


Entry Server & AJAX

Security Implications

(50)


AJAX Request/Response

Source: Wikipedia

[Figure: AJAX request/response cycle. Annotations: new engine built in to newer browsers; interactive GUI; asynchronous processing, so not every action needs to be started by pressing the submit button; asynchronous processing, AJAX updates the browser window (content)]

(51)

XMLHttpRequest (XHR)

XMLHttpRequest is a browser API to perform background HTTP requests from JavaScript

Invented by Microsoft in 2000

IE 5.0 / 6.0: COM/ActiveX object „Microsoft.XmlHttp“

ActiveX must be enabled

IE 7.0, Firefox, Opera, Safari and other browsers:

Native JavaScript object „XMLHttpRequest“

ActiveX not required

Portable

(52)


(53)

Data Exchange Formats

Upstream

Data Format

(54)


Upstream Data Formats

Possible data formats:

GET parameters

POST parameters

XML

SOAP

Some server-side API is provided

Often maps to server-side objects and their functions

(55)

Upstream: HTTP GET Parameters

HTTP GET

GET /dyn/req?call=foo&arg=bar HTTP/1.1

(56)


Upstream: HTTP POST Parameters

HTTP POST

POST /dyn/req HTTP/1.1
Content-Type: application/x-www-form-urlencoded

...

(57)

Upstream: XML

HTTP POST

POST /dyn/req HTTP/1.1
Content-Type: text/xml
...

<?xml version="1.0" encoding="utf-8"?>
<request connectionId="cxooiqM">
  <call type="foo">
    <argument name="bar">true</argument>
  </call>
</request>

(58)


Upstream: SOAP

HTTP POST

POST /dyn/req HTTP/1.1
Content-Type: application/soap-xml
...

<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope">
  <Body>
    ...
  </Body>
</Envelope>

(59)

Downstream: XML

HTTP/1.1 200 OK
Content-Type: text/xml
...

<?xml version="1.0" encoding="utf-8"?>
<response>
  <result type="login">
    <status>false</status>
    <msg>Username or password invalid.</msg>
  </result>
</response>

(60)


Downstream: JavaScript

HTTP/1.1 200 OK
Content-Type: text/javascript
...

LibJs.user='nobody';
LibJs.groups=['member','nobody','wnc5Xh'];
$L('kYP64i').__render([$E('h1',{className:'Compiled',attributes:{},children:[$T(LibJs.Compiler.fromAscii('Hello world!'))] ...
LibJs.Server.__onComplete(1664);

(61)

Downstream: JSON

HTTP/1.1 200 OK
Content-Type: text/x-json
...

{"menu": {
  "id": "file",
  "popup": {
    "menuitem": [
      {"value": "New", "onclick": "NewDoc()"},
      {"value": "Open", "onclick": "OpenDoc()"},
      {"value": "Close", "onclick": "CloseDoc()"}
    ]}}}

(62)


Downstream: Custom

HTTP/1.1 200 OK
Content-Type: text/x-gwt
...

{OK}["53723","84268","78357","27843"]

(63)

New: The Entry Server Problem

What is a valid request?

Look at the JavaScript code and guess what it might call and what the parameters might be

Infeasible! JavaScript is way too dynamic!

Filter patterns and AJAX

How to detect HTML injection in XML?

How to detect XSS in JavaScript/JSON?

How to sign an AJAX response?

Every AJAX application is very different

No "standard" like HTML <form>

(64)


Appendix

(65)

Apache Compilation with mod_replace

Copy the module into the filters directory

cp mod_replace.c ./httpd-2.2.10/modules/filters

Add the following line to ./httpd-2.2.11/modules/filters/config.m4

APACHE_MODULE(replace, replace filter module, , , most)

Change to $APACHE_SRC and run autoconf

cd ./httpd-2.2.10/
autoconf

Check that the --enable-replace option is available

cd ./httpd-2.2.10/

(66)


Apache Compilation

Compile Apache with mod_replace (the duplicate --enable-replace is dropped and --enable-expire corrected to the module's actual flag, --enable-expires)

cd ./httpd-2.2.10/
./configure \
  --prefix=/opt/applic/http-2.2.10 \
  --enable-so \
  --enable-ssl \
  --enable-proxy \
  --enable-rewrite \
  --enable-substitute \
  --enable-replace \
  --enable-headers \
  --enable-unique-id \
  --enable-log-forensic \
  --enable-expires
