SlideShare ist ein Scribd-Unternehmen logo

Introduction to ModSecurity and the OWASP Core Rule Set

C
Christian Folini

An extended introduction to ModSecurity and the OWASP Core Rule Set

Technologie
1 von 27
Downloaden Sie, um offline zu lesen
Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 An Introduction to ModSecurity and the OWASP Core Rule Set (OWASP Munich) Christian Folini / @ChrFolini
Baseline / 1st Line of Defense Safety Belts
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives
Web Application Firewalls Complex • Overwhelming • Rarely Functional
ModSecurity Embedded • Rule oriented • Granular Control
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/coreruleset/coreruleset Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &
Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org
@ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini

Empfohlen

Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule SetExtensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Wardner Maia
 
Implementing Cisco Network Security Exam (210-260)
Implementing Cisco Network Security Exam (210-260)Implementing Cisco Network Security Exam (210-260)
Implementing Cisco Network Security Exam (210-260)
Jhoni Guerrero
 
Cn lab index
Cn lab indexCn lab index
Cn lab index
Garvit Chopra
 
Chapter 10 cryptography-public encryption
Chapter 10 cryptography-public encryptionChapter 10 cryptography-public encryption
Chapter 10 cryptography-public encryption
Syaiful Ahdan
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
Aaron Zauner
 
MQTT with .NET Core
MQTT with .NET CoreMQTT with .NET Core
MQTT with .NET Core
Mark Lechtermann
 
Microsoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group PaderbornMicrosoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group Paderborn
Mark Lechtermann
 

Empfohlen

Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule SetExtensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Wardner Maia
 
Implementing Cisco Network Security Exam (210-260)
Implementing Cisco Network Security Exam (210-260)Implementing Cisco Network Security Exam (210-260)
Implementing Cisco Network Security Exam (210-260)
Jhoni Guerrero
 
Cn lab index
Cn lab indexCn lab index
Cn lab index
Garvit Chopra
 
Chapter 10 cryptography-public encryption
Chapter 10 cryptography-public encryptionChapter 10 cryptography-public encryption
Chapter 10 cryptography-public encryption
Syaiful Ahdan
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
Aaron Zauner
 
MQTT with .NET Core
MQTT with .NET CoreMQTT with .NET Core
MQTT with .NET Core
Mark Lechtermann
 
Microsoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group PaderbornMicrosoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group Paderborn
Mark Lechtermann
 
Multi cloud security with cisco cloud services (Taras Kolodchyn)
Multi cloud security with cisco cloud services (Taras Kolodchyn)Multi cloud security with cisco cloud services (Taras Kolodchyn)
Multi cloud security with cisco cloud services (Taras Kolodchyn)
Cloud Security Alliance Lviv Chapter
 
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
Aaron Zauner
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
sharetech
 
State of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at LargeState of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at Large
Aaron Zauner
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
Marc Seeger
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Priyanka Aash
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
NetProtocol Xpert
 
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
Christian Folini
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS project
Christian Folini
 
Implementing Raft in RabbitMQ
Implementing Raft in RabbitMQImplementing Raft in RabbitMQ
Implementing Raft in RabbitMQ
VMware Tanzu
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020
Abhik Roychoudhury
 
The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!
testpurposes
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
team-WIBU
 
Web Application Firewall - Friend of your DevOps Pipeline?
Web Application Firewall - Friend of your DevOps Pipeline?Web Application Firewall - Friend of your DevOps Pipeline?
Web Application Firewall - Friend of your DevOps Pipeline?
Franziska Buehler
 
Proximity systems eric de zoeten
Proximity systems eric de zoetenProximity systems eric de zoeten
Proximity systems eric de zoeten
NSW Environment and Planning
 
TechEvent From Zero to DevOps Hero through the Agile Cloud
TechEvent From Zero to DevOps Hero through the Agile CloudTechEvent From Zero to DevOps Hero through the Agile Cloud
TechEvent From Zero to DevOps Hero through the Agile Cloud
Trivadis
 
CloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning - Multiclouds: Challenges and Current SolutionsCloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning
 
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
Amazon Web Services
 
Cwin16 tls-s2 cf safety critical systems
Cwin16 tls-s2 cf safety critical systemsCwin16 tls-s2 cf safety critical systems
Cwin16 tls-s2 cf safety critical systems
Capgemini
 
Telefonica: Automatización de la gestión de redes mediante grafos
Telefonica: Automatización de la gestión de redes mediante grafosTelefonica: Automatización de la gestión de redes mediante grafos
Telefonica: Automatización de la gestión de redes mediante grafos
Neo4j
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
Cisco Canada
 

Weitere ähnliche Inhalte

Was ist angesagt?

No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
Aaron Zauner
 
State of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at LargeState of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at Large
Aaron Zauner
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Priyanka Aash
 

Was ist angesagt? (7)

Multi cloud security with cisco cloud services (Taras Kolodchyn)
Multi cloud security with cisco cloud services (Taras Kolodchyn)Multi cloud security with cisco cloud services (Taras Kolodchyn)
Multi cloud security with cisco cloud services (Taras Kolodchyn)
 
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
No need for Black Chambers: Testing TLS in the E-Mail Ecosystem at Large (hac...
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
State of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at LargeState of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at Large
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 

Ähnlich wie Introduction to ModSecurity and the OWASP Core Rule Set

The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on Kubernetes
Jacopo Nardiello
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
team-WIBU
 
CloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning - Multiclouds: Challenges and Current SolutionsCloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning
 
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
Amazon Web Services
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
Cisco Canada
 
Web Application Firewall - Friend of your DevOps Chain?
Web Application Firewall - Friend of your DevOps Chain?Web Application Firewall - Friend of your DevOps Chain?
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 

Ähnlich wie Introduction to ModSecurity and the OWASP Core Rule Set (20)

Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS project
 
Implementing Raft in RabbitMQ
Implementing Raft in RabbitMQImplementing Raft in RabbitMQ
Implementing Raft in RabbitMQ
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020
 
The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on Kubernetes
 
RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!RootedCON 2014 - Kicking around SCADA!
RootedCON 2014 - Kicking around SCADA!
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Web Application Firewall - Friend of your DevOps Pipeline?
Web Application Firewall - Friend of your DevOps Pipeline?Web Application Firewall - Friend of your DevOps Pipeline?
Web Application Firewall - Friend of your DevOps Pipeline?
 
Proximity systems eric de zoeten
Proximity systems eric de zoetenProximity systems eric de zoeten
Proximity systems eric de zoeten
 
TechEvent From Zero to DevOps Hero through the Agile Cloud
TechEvent From Zero to DevOps Hero through the Agile CloudTechEvent From Zero to DevOps Hero through the Agile Cloud
TechEvent From Zero to DevOps Hero through the Agile Cloud
 
CloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning - Multiclouds: Challenges and Current SolutionsCloudLightning - Multiclouds: Challenges and Current Solutions
CloudLightning - Multiclouds: Challenges and Current Solutions
 
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
(DVO207) Defending Your Workloads Against the Next Zero-Day Attack
 
Cwin16 tls-s2 cf safety critical systems
Cwin16 tls-s2 cf safety critical systemsCwin16 tls-s2 cf safety critical systems
Cwin16 tls-s2 cf safety critical systems
 
Telefonica: Automatización de la gestión de redes mediante grafos
Telefonica: Automatización de la gestión de redes mediante grafosTelefonica: Automatización de la gestión de redes mediante grafos
Telefonica: Automatización de la gestión de redes mediante grafos
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
 
21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO
 
Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)
 
Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...
Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...
Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper ...
 
Web Application Firewall - Friend of your DevOps Chain?
Web Application Firewall - Friend of your DevOps Chain?Web Application Firewall - Friend of your DevOps Chain?
Web Application Firewall - Friend of your DevOps Chain?
 
June 2015 - OpenStack-fr meetup - Designing CloudWare applications
June 2015 - OpenStack-fr meetup - Designing CloudWare applicationsJune 2015 - OpenStack-fr meetup - Designing CloudWare applications
June 2015 - OpenStack-fr meetup - Designing CloudWare applications
 

Mehr von Christian Folini

Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's land
Christian Folini
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
Christian Folini
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern Servers
Christian Folini
 
Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule Set
Christian Folini
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
Christian Folini
 

Mehr von Christian Folini (15)

OWASP ModSecurity - A few plot twists and what feels like a happy end
OWASP ModSecurity - A few plot twists and what feels like a happy endOWASP ModSecurity - A few plot twists and what feels like a happy end
OWASP ModSecurity - A few plot twists and what feels like a happy end
 
Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's land
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectNever Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP Project
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in Switzerland
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein Fortsetzungsroman
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerGedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für Datenschützer
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern Servers
 
E-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenE-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der Experten
 
Black alps 2018-folini-d-dos
Black alps 2018-folini-d-dosBlack alps 2018-folini-d-dos
Black alps 2018-folini-d-dos
 
Optimizing ModSecurity on NGINX and NGINX Plus
Optimizing ModSecurity on NGINX and NGINX PlusOptimizing ModSecurity on NGINX and NGINX Plus
Optimizing ModSecurity on NGINX and NGINX Plus
 
A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017
 
Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule Set
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Kürzlich hochgeladen (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Introduction to ModSecurity and the OWASP Core Rule Set

  • 1. Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 An Introduction to ModSecurity and the OWASP Core Rule Set (OWASP Munich) Christian Folini / @ChrFolini
  • 2. Baseline / 1st Line of Defense Safety Belts
  • 3. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead
  • 4. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives
  • 5. Web Application Firewalls Complex • Overwhelming • Rarely Functional
  • 6. ModSecurity Embedded • Rule oriented • Granular Control
  • 7.
  • 8.
  • 9. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/coreruleset/coreruleset Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)
  • 10. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%
  • 11. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels
  • 12. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf
  • 13. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf
  • 14. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules
  • 15. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &
  • 16. Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
  • 17. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%
  • 18. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
  • 19. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
  • 20. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
  • 21. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
  • 22. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
  • 23. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21
  • 24. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)
  • 25. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/
  • 26. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org
  • 27. @ChrFolini Intro to ModSecurity and CRS – OWASP Munich 2020-07-21 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini