Date posted: 23-Dec-2015 | Category: Documents | Uploaded by: herbert-patrick
Open Source Web Entry Server
Ivan Bütler: "This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities, built with open-source software."
Ivan Bütler, [email protected]
About me
• Founder & Security Researcher for Compass Security since 1999, Switzerland – www.csnc.ch
• Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis
• Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking
• Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground
• Lead Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland – www.swisscyberstorm.com
• Board member of Information Security Society Switzerland (ISSS)
• Lecturing Activities: HSR & HSLU & FHSG
Ivan Bütler ¦ E1
• Win a Car! – Wargame! USD 30'000 main prize
• www.swisscyberstorm.com
• May 12-15, 2011
• Switzerland, near Zürich
• OWASP Trainings planned!
Hacking-Lab LiveCD
Goal of this Talk
• Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization
• We will play with Facebook as our backend application
• The LiveCD includes all demos: www.hacking-lab.com
PCI DSS Requirement
Without a Web Application Firewall
Multiple connections into the DMZ; applications directly accessible
Tool tip: mod_proxy
Web App Firewall (WAF)
Web Application Firewall
Reverse Proxy to FB | Security Checks | Content Rewriting
Demo with FB
Demo 1 + 2: demo movies shown here, available in Hacking-Lab – OWASP Event
www.hacking-lab.com
Content Rewriting
• Relative URLs are not a problem!
• Content rewriting is not required
<link href="/css/mystyle.css" rel="stylesheet" type="text/css">
www.fb.com
www.myproxy.com
Content Rewriting
• Absolute URLs must be rewritten
• Cookie domain must be rewritten
• Cookie values must be rewritten (in some cases)
<a href="http://www.fb.com/css/01.css" type="text/css">
www.fb.com
www.myproxy.com
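The three rewrites from this slide in one place, as an added example that is not part of the talk or of mod_replace: relative URLs pass through untouched, absolute backend URLs (in the body and in Location headers) are pointed at the proxy, and the cookie Domain attribute (optionally the cookie value too) is rewritten. The hostnames are the slide's www.fb.com and www.myproxy.com.

```python
import re
from typing import List, Tuple

# Hostnames from the slides: the backend application and the proxy placed in front of it.
BACKEND_HOST = "www.fb.com"
PROXY_HOST = "www.myproxy.com"

# Absolute URL authority of the backend; the lookahead stops "www.fb.com.evil.example" from matching.
_ABS_URL = re.compile(r"(https?://)" + re.escape(BACKEND_HOST) + r"(?![\w.-])", re.IGNORECASE)
# Domain attribute of a Set-Cookie header, with or without a leading dot.
_COOKIE_DOMAIN = re.compile(r"(;\s*Domain=)\.?" + re.escape(BACKEND_HOST), re.IGNORECASE)


def rewrite_body(text: str) -> str:
    """Rewrite absolute backend URLs so the browser keeps talking to the proxy.
    Relative URLs such as /css/mystyle.css already resolve against the proxy and are untouched."""
    return _ABS_URL.sub(lambda m: m.group(1) + PROXY_HOST, text)


def rewrite_set_cookie(header_value: str, rewrite_value: bool = False) -> str:
    """Rewrite the cookie Domain attribute; optionally also the cookie value, for the
    cases where the application stores its own hostname inside the cookie."""
    out = _COOKIE_DOMAIN.sub(lambda m: m.group(1) + PROXY_HOST, header_value)
    if rewrite_value:
        name, _, rest = out.partition("=")
        value, sep, attrs = rest.partition(";")
        out = f"{name}={value.replace(BACKEND_HOST, PROXY_HOST)}{sep}{attrs}"
    return out


def rewrite_response(headers: List[Tuple[str, str]], body: str) -> Tuple[List[Tuple[str, str]], str]:
    """Apply the rewrites to a backend response: Set-Cookie and Location headers plus the HTML body."""
    rewritten = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = rewrite_set_cookie(value, rewrite_value=True)
        elif name.lower() == "location":
            value = rewrite_body(value)
        rewritten.append((name, value))
    return rewritten, rewrite_body(body)
```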
Tool tip: mod_replace
Demo 4
Request Header Patching; Cookie Value Patching
Tool tip: mod_security
Web App Firewall
• The @inspectFile operator is an API hook that allows you to inspect uploaded file attachments
< request filtering | e.g. SQL injection >
< response filtering | e.g. stack traces >
< inspect files | e.g. PDF exploit analysis >
www.fb.com
www.myproxy.com
Demo 5 + 6
ModSecurity
Tool tip: mod_but
Web Entry Server
• Pre-Authentication
• Delegated Login Service (DLS)
• Session Hiding
• URL Access Control
• Principal Delegation to Backend App
Web Entry Server - Swiss Blueprint -
Web Entry Server
Central Login Service
Backend requests are always authenticated!
Strong forensic and logging capabilities
Pre-Authentication | Principal Delegation
www.fb.com
www.myproxy.com
login.myproxy.com
Login=OK: Set-Cookie: UserID=1234;
GET /app HTTP/1.0 (UserID=1234, RequestID=992x9833asr)
PRINCIPAL
Pre-Authentication: Single Sign On
IF SERVICE IS SSO ENABLED:
1. Server gets initial request with UserID=1234 from WES
2. Server extracts UserID
3. Server creates a new, authenticated session
4. Server authorizes only
ALTERNATIVE:
1. User must authenticate twice (SSO disabled)
2. Delegated Login Service (DLS)
IMPORTANT: The principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of a plain-text UserID=1234!
Pre-Authentication - DLS
Delegated Login Service
www.fb.com
www.myproxy.com
login.myproxy.com
IMPORTANT (DLS): The DLS authenticates on behalf of the user into www.fb.com (it knows the credentials from the user repository)
-> Non-origin cookies are then set to www.myproxy.com
Demo 7 - SSO
Tool tip: mod_unique_id, mod_headers
Web Forensics: NTP is not enough!
[Diagram: Internet | FW | Entry Tier | Presentation Tier | Data & Service Tier | Business Tier | FW]
access.log (Entry Tier): Time, IP Address, User Id, Request Id, URL
referer.log: Time, IP Address, User Id, Request Id, URL, Referer URL
business.log (Presentation / Business Tier): Time, IP Address, User Id, Request Id, Transaction, Parameters, Transaction state; Use Case Id, Parameters
Correlation key: Request Id
Demo 7 - UniqueID
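The correlation the forensics slide calls for, as an added example that is not part of the talk: join the Entry-Tier access.log and the Business-Tier business.log on the Request Id rather than on time, and surface any business record that has no Entry-Tier counterpart. The log formats and all lines are constructed for this example; the Business-Tier clock deliberately lags behind to show why timestamps alone ("NTP is not enough") are not a join key.

```python
import re

# Constructed sample logs (not from the talk). The Entry Tier appends the mod_unique_id value to each
# access.log line; the Business Tier logs the Request-Id forwarded to it. Its clock lags a few seconds.
ACCESS_LOG = """\
10.0.0.5 - 1234 [10/Apr/2011:10:00:01 +0200] "GET /app1/transfer HTTP/1.0" 200 512 "http://www.myproxy.com/app1" 992x9833asr
10.0.0.5 - 1234 [10/Apr/2011:10:00:03 +0200] "POST /app1/transfer HTTP/1.0" 302 0 "http://www.myproxy.com/app1/transfer" 992x9833asz
10.0.0.9 - 5678 [10/Apr/2011:10:00:04 +0200] "GET /app2/ HTTP/1.0" 200 2048 "-" 992x9833at0
"""
BUSINESS_LOG = """\
09:59:57 uid=1234 rid=992x9833asr tx=transfer params=- state=form_shown
09:59:58 uid=1234 rid=992x9833asz tx=transfer params=acct=42,amount=500 state=committed
10:00:10 uid=9999 rid=zz00bypass01 tx=transfer params=acct=7,amount=9000 state=committed
"""
# Combined-log line with the unique id as the last field (e.g. a LogFormat ending in %{UNIQUE_ID}e).
_ACCESS = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" (\S+)$')


def parse_access(log):
    """Index Entry-Tier records by Request-Id, the correlation key shared by all tiers."""
    records = {}
    for m in filter(None, map(_ACCESS.match, log.splitlines())):
        ip, uid, ts, method, url, status, referer, rid = m.groups()
        records[rid] = {"ip": ip, "uid": uid, "time": ts, "url": f"{method} {url}", "status": status}
    return records


def parse_business(log):
    """Business-Tier lines are 'time key=value ...'; only the first '=' splits key from value."""
    rows = []
    for line in log.splitlines():
        ts, *fields = line.split()
        rows.append({"time": ts, **dict(f.partition("=")[::2] for f in fields)})
    return rows


def correlate(access_log, business_log):
    """Join both tiers on Request-Id. A business record with no Entry-Tier counterpart means the
    request never passed the Web Entry Server, which is the first thing forensics should flag."""
    entry = parse_access(access_log)
    joined, orphans = [], []
    for row in parse_business(business_log):
        e = entry.get(row.get("rid"))
        if e is None:
            orphans.append(row)
            continue
        joined.append({**e, "rid": row["rid"], "tx": row.get("tx"), "state": row.get("state"),
                       "business_time": row["time"]})
    return joined, orphans
```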
URL Access Control
www.myproxy.com
login.myproxy.com
Login=OK: Set-Cookie: AUTHORIZATION=(^/app1|^/app2);
Authorization Regexp
Demo 8
Service Level ACL
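The two WES checks from the pre-authentication and URL access control slides, combined in one added example that is not part of the talk or of mod_but: the login service issues a timestamped, HMAC-signed principal ticket (the "IMPORTANT" note above) carrying the UserID and the AUTHORIZATION regexp, and the entry server verifies the ticket and matches the normalized request path against `(^/app1|^/app2)` before forwarding. The key, the TTL and the explicit `now` parameter (passed in so the example is deterministic) are assumptions of this example.

```python
import base64, hashlib, hmac, json, re, urllib.parse
from typing import Optional, Tuple

TICKET_KEY = b"constructed-demo-key"  # shared secret between login.myproxy.com and the backend
TICKET_TTL = 300                      # seconds; bounds the replay window of a captured ticket


def issue_ticket(user_id: int, authorization: str, now: int, key: bytes = TICKET_KEY) -> str:
    """Login=OK: instead of Set-Cookie: UserID=1234 issue a timestamped, HMAC-signed ticket
    carrying both the principal and its URL authorization regexp."""
    claims = json.dumps({"uid": user_id, "authz": authorization, "iat": now}, separators=(",", ":"))
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_ticket(ticket: str, now: int, key: bytes = TICKET_KEY, ttl: int = TICKET_TTL) -> Optional[dict]:
    """Receiving side: accept only an untampered ticket that is neither from the future nor stale."""
    body, _, sig = ticket.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if 0 <= now - claims["iat"] <= ttl else None


def normalize_path(path: str) -> str:
    """Decode and collapse dot-segments so ^/app1 cannot be reached as /app2/../app1 or via %2e%2e."""
    segments = []
    for seg in urllib.parse.unquote(path.split("?", 1)[0]).split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def authorize(ticket: str, path: str, now: int) -> Tuple[bool, str]:
    """Service-level ACL: forward only if the ticket is valid AND the normalized URL matches AUTHORIZATION."""
    claims = verify_ticket(ticket, now)
    if claims is None:
        return False, "invalid or expired principal ticket"
    norm = normalize_path(path)
    if re.search(claims["authz"], norm) is None:
        return False, f"{norm} is outside ACL {claims['authz']}"
    return True, f"uid={claims['uid']} -> {norm}"
```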
Session Management without session store: Reverse Proxy without Session Cache
Session Management with session hiding: Reverse Proxy with Session Cache (SHM)
Hacking-Lab LiveCD
Entry Server ToolKit
Feature              | Apache Module
Reverse Proxy        | mod_proxy
Web App Firewall     | mod_security2
Forensic Correlation | mod_unique_id, mod_headers
Content Rewriting    | mod_replace
Pre-Authentication   | mod_but
Session Hiding       | mod_but
URL Authorization    | mod_but
http://media.hacking-lab.com/largefiles/livecd/
Remember (I)
• Pre-Authentication reduces the attack surface of unauthenticated users
• Unique-ID enables proper forensics
• Cookie store hides insecure cookies
• Service ACL is a second line of defence for the application authorization scheme
Remember (II)
• Hacking-Lab LiveCD includes all tools you need to replay
• Win a car! Qualification wargames have started at www.swisscyberstorm.com
• All movies of this talk are available online at www.hacking-lab.com
Thank you! Ivan Bütler, E1