Practical Defensive Security for Security Engineers
Web App Firewall
By: Lior Rotkovitch
https://SIRT.club
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @Rotkovitch @sirt_club
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
70295
©
• The Web Application
• The Attack / attacking
• The Protect / protecting
• WAF Policy
• WAF SIR
• Summary
Web App Paradigm
[Diagram: clients and the web application exchange HTTP requests and HTTP responses over a TCP/IP connection across the web]
Web App ecosystem – Legacy
[Diagram: perimeter model. A PC with a browser on the Internet sends requests through a router, a firewall, the WAF and an ADC into the on-premises data center (appliances), where the 3-tier model of web servers, application servers and database servers returns the responses; OPS and DEV own the tiers]
Web App ecosystem – Modern
[Diagram: DEV.SEC.OPS. Clients on the Internet (mobile users, valuable users, partners, ads / 3rd-party services, unknown users and web bots, i.e. automated traffic) reach the edge and the perimeter/ingress, pass the WAF NG and the abstraction layers (AAA, request handlers, mobile app / API, web site) and reach the applications and databases, which run as microservices, containers and pods on an app mesh in a private/public cloud zone with CI/CD; SIEM and analytics feed DEV, OPS, DEVOPS and SIRT.OPS]
Software Security
[Diagram: the web (ISP, cloud) in front of web servers, application servers and database servers, with bugs inside the software]
➢ Bug = glitch – “unexpected condition in software” (LR)
➢ Security bug – a bug that can be utilized to take advantage of the software
Software Bug (term attributed to Thomas Edison)
Attacks:
▪ SQL injection
▪ Directory traversal
▪ Cross site attack
Application Security
[Chart: requests over time per source IP, with a table of the top source IPs (IP1 … IP5) and their aggregated request counts]
[Diagram: ISPs, coffee-shop and mobile users, partners, unknown users and web bots (automated traffic) reaching the web application]
Attacks:
▪ Floods
▪ Brute force
▪ Scraping
▪ ...
Load % Statistics
CPU 70% 0/1/2
Memory 72% 80GB
Throughput 35% 11.7Mbps
RPS 25% 10k
Attacking the Web App
Attack: offending traffic that violates the expected usage of the application
[Diagram: web servers, application servers and database servers under attack]
Load % Statistics (under attack)
CPU 100% 0/1/2
Memory 100% 80GB
Throughput 100% 11.7Mbps
RPS 100% 10k
Attack goals:
▪ Damage – affect services
▪ Data – leakage / manipulation
▪ Computing power – usage
Attack Elements
[Diagram: HTTP from the client to the web application – web servers, app servers, database]
“An attack occurs when an attack agent sends an exploit to execute the vulnerability that resides in the attack surface”
Attack Elements
Elements: Attack agent, Exploit, Attack Vector, Vulnerability, Attack Surface
Vulnerability – a software condition, i.e. a bug in the software, with a security implication that creates a risk to the application's assets: a security bug.
Attack surface – the location where the vulnerability exists. Also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
Attack agent – the client software used to send the exploit to the attack surface that contains the vulnerability.
Exploit – the code/payload that activates the vulnerability and allows it to be exploited.
We use the same attack elements for all attacks. The vector is the technique used to achieve the goal.
Threat Landscape – Traditional
[Diagram: users / HTTP clients on one side, the web application (web server, app server, database server) and the app owner on the other; the hacker playground in between]
Web Exploits:
▪ SQL injection
▪ Directory traversal
▪ Cross site attack
Threat Landscape – Modern
[Diagram: automation is the battlefield. Users, remote employees, mobile users, partners, ads / 3rd-party services and web bots (allowed automated traffic) reach the application over the Internet and cloud; requests and responses pass an abstraction layer (authorization, request handlers, mobile app / API) to the applications and databases, watched by SIEM and analytics; DEV, OPSSEC and DEVOPS roles appear next to the threat labels INSIDER, HACKED, PURPOSE, BUILD BOTNET]
Web Application – Protect
[Diagram: HTTP clients (“Dude”), CI/CD and the web application, with the WAF in front]
WAF – Web App Firewall
D&P Security (D&P = detect & prevent):
❑ Allow
❑ Monitor
❑ Block
WAF Structure
[Diagram: web clients send requests to and receive responses from the web application through the WAF data plane]
1. Data Plane – WAF Engines
2. Control Plane – Settings
3. Reporting – Visualization
Data Plane – Engines
[Diagram: web clients ↔ WAF ↔ web application; the WAF security engineer works the control plane (settings) and reads the reporting (visualization)]
Data plane engines:
• Parser engine
• Traps engine
• Enforcer engine
Request engines phases in WAF
Application Firewall Engines: Parser → Traps → Enforcer → Web Application
Request:
GET / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
URL /index.php
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Source IP 192.168.1.1
Time 01:32:44
Detections: Signatures – User Agent
Python-urllib/2.6
Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Mozilla/4.0 (Hydra)
Prevention action:
Alarm
Block page
Reset conn
[Diagram: Protection Elements (PE). The Parser extracts the entities (protocol, payload, user input) from web clients' requests, the Traps apply the detections, the Enforcer applies the prevention action]
Parser: URL entities
REQUEST: https://sirt.club/home/search.php?q=cve&cat=all
Entities – URL:
Protocol: https
Host: sirt.club
Path: /home/
Object: search.php
Query String: ?
Parameter name: q
Parameter value: cve
2nd Parameter name: cat
2nd Parameter value: all
Parser: HTTP request entities
http://sirt.club/home/search.php?q=lala
REQUEST:
GET /search.php?q=lala HTTP/1.1
Host: sirt.club
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed
Entities:
Protocol – VERB GET; URL /search.php; HTTP version HTTP/1.1
User input – Parameter name q; Parameter value lala
Payload (headers) – Host: sirt.club; Connection: keep-alive; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36; Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9; Accept-Encoding: gzip, deflate; Accept-Language: en-US,en;q=0.9,he;q=0.8; Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed
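The entity breakdown above, as an added example that is not part of the deck: a small Python parser that splits a raw request into the deck's entities (verb, URL split into path and object, HTTP version, ordered query and POST parameters, headers with duplicates kept, source IP). The Entities class, parse_request and the sample request are the author's own constructions, not the deck's code.

```python
# Added example (not from the slide deck): a minimal HTTP request parser that
# breaks a raw request into the WAF "entities" the Parser engine hands to the
# Traps: protocol (verb, URL, HTTP version), payload (headers) and user input
# (query-string and POST parameters). All names are the author's own choices.
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Entities:
    verb: str = ""
    url: str = ""
    path: str = ""           # directory part of the URL, e.g. "/home/"
    obj: str = ""            # object (file) part, e.g. "search.php"
    http_version: str = ""
    host: str = ""
    params: list = field(default_factory=list)    # [(name, value), ...] in order
    headers: list = field(default_factory=list)   # [(name, value), ...] duplicates kept
    body: str = ""
    source_ip: str = ""


def _split_params(query: str) -> list:
    """Split 'q=cve&cat=all' into ordered (name, value) pairs, URL-decoded."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_request(raw: str, source_ip: str) -> Entities:
    """Parse raw HTTP/1.x request text into Entities.

    Duplicate headers are preserved so a later restriction check can flag a
    double Host header; form bodies are split into parameters like the query.
    The last space of the request line separates the version, so a target
    that itself contains spaces (as in the deck's SQLi example) still parses.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    verb, _, rest = lines[0].partition(" ")
    target, _, version = rest.rpartition(" ")
    url, _, query = target.partition("?")
    path, _, obj = url.rpartition("/")
    ent = Entities(verb=verb, url=url, path=path + "/", obj=obj,
                   http_version=version, body=body, source_ip=source_ip)
    ent.params = _split_params(query)
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        ent.headers.append((name.strip(), value.strip()))
    # First Host header wins for the entity; duplicates stay in ent.headers.
    ent.host = next((v for n, v in ent.headers if n.lower() == "host"), "")
    ctype = next((v for n, v in ent.headers if n.lower() == "content-type"), "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        ent.params += _split_params(body.strip())
    return ent


# Constructed sample request, modelled on the deck's search.php request.
SAMPLE = (
    "GET /home/search.php?q=cve&cat=all HTTP/1.1\r\n"
    "Host: sirt.club\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: SESSION=deadbeef\r\n\r\n"
)

if __name__ == "__main__":
    e = parse_request(SAMPLE, "192.168.1.1")
    print(e.verb, e.path, e.obj, e.params, e.host)
```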
Parser – HTTP Response
RESPONSE:
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams Club</title>
<script type="text/javascript">
</script>
</head>
<body>
<div id="logo">
<p> Text </p>
</div>
</body>
</html>
Entities:
Protocol – Status Code: HTTP/1.1 200 OK
Payload (headers) – Date, Server, X-Powered-By, Cache-Control, Keep-Alive, Connection, Content-Type, Content-Length
Server output – Response body:
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
<p>SIRT protectors of the realm</p>
</Body>
</HTML>
[Diagram: Protection Elements (PE) – Traps. The detections applied to the parsed entities (protocol, payload, user input) between Parser and Enforcer: 1. Signatures, 2. Anomaly, 3. Restrictions, 4. Client Interrogation]
Detections: Signatures
Request:
GET /search.php?q= SELECT * FROM products where id =* HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
Parser (entities) Value
Verb (Method) GET
Protocol HTTP 1.1
Parameter name q
Parameter value SELECT * FROM products where id =*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
Source IP 192.168.1.1
WAF Signature (matched against the parameter value):
SELECT * FROM
where id =*
…………..
Detection: Signature
Detections: Signatures
Request:
POST /query.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
Content-Length: 59
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Content-Type: application/x-www-form-urlencoded

action=' or 1=1--
Parser (entities) Value
Verb (Method) POST
Protocol HTTP 1.1
URL /query.php
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Source IP 192.168.1.1
Time 01:32:44
Post Data – param action
Post Data – value ' or 1=1--
WAF User Agent signature:
Python-urllib/2.6
Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Mozilla/4.0 (Hydra)
WAF exploit signature:
../../../../../../etc/passwd
<script>alert('XSS')</script>
' or 1=1--
" or ""="
Detection: Signature
Detections: Anomaly – increase in RPS from IPs
[Diagram: requests arriving from the Internet, aggregated per source IP]
IP (Parser) | 5 min | 20 min | 1 hour AVG
10.0.0.138 50 60 180
192.168.1.1 180 0 0
172.29.44.6 400 350 3000
172.29.46.9 250 100 1000
10.1.1.1 1800 1200 800
192.168.24.24 0 100 150
Aggregated data – Policy limit per IP:
Source IP: ANY @ 5 min RPS limit
Min 220
Max 280
Detection: Anomaly
Detections: Anomaly – increase in FLI (failed logins) from IPs
[Diagram: login attempts from the Internet answered with “Fail Login – Try Again”, aggregated per source IP]
IP (Parser) | Current FLI / 5 min | 60 min FLI
10.0.0.138 60 180
192.168.1.1 0 0
172.29.44.6 35 40
172.29.46.9 100 1000
10.1.1.1 1800 3000
192.168.24.24 10 150
Aggregated data – Policy limit: FLI per IP
Source IP: ANY @ 5 min – FLI per IP over 5 min limit:
Min 300
Max 1000
Detection: Anomaly
Detections: Anomaly – increase in signature hits from IP
[Diagram: requests from the Internet, signature hits aggregated per source IP]
IP (Parser) | Sig count 5 min | Sig count 20 min | Sig count 1H
10.0.0.138 500 600 1800
192.168.1.1 20 50 100
172.29.44.6 0 1 0
172.29.46.9 0 0 4
10.1.1.1 4 4 4
192.168.24.24 1 1 1
Aggregated data – Policy limit: Signatures per IP
Source IP: ANY @ 1 min – max signatures from IP / 1 min
Min 20
Max 30
Post max 150 -> shun for 12 hours
Detection: Anomaly
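The three anomaly policies above (RPS, FLI and signature count per IP, each with a Min threshold that alarms, a Max threshold that blocks, and for signatures a post-max count that shuns the IP for 12 hours), as one added example that is not the deck's code: a sliding-window counter per source IP that returns the prevention action for each new event. AnomalyPolicy, AnomalyTrap, replay and the replayed event stream are the author's assumptions and constructed data.

```python
# Added example (not from the slide deck): the Anomaly trap as a sliding-window
# counter per source IP. A policy names a metric (rps, fli = failed logins,
# sig = signature hits), a window, a Min count (-> alarm), a Max count
# (-> block) and an optional post-max count that shuns the IP for a period.
# Names and the event stream below are the author's own constructions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AnomalyPolicy:
    metric: str          # which parser/trap counter this policy watches
    window_s: int        # aggregation window in seconds
    min_count: int       # at/above Min -> "alarm"
    max_count: int       # at/above Max -> "block"
    post_max: int = 0    # at/above this -> "shun" (0 disables)
    shun_s: int = 0      # how long a shunned IP stays blocked, in seconds


class AnomalyTrap:
    def __init__(self, policy: AnomalyPolicy):
        self.policy = policy
        self._events = defaultdict(deque)   # ip -> deque of event timestamps
        self._shunned = {}                  # ip -> timestamp when the shun expires

    def _count(self, ip: str, now: float) -> int:
        q = self._events[ip]
        while q and now - q[0] >= self.policy.window_s:
            q.popleft()                     # drop events that left the window
        return len(q)

    def observe(self, ip: str, now: float) -> str:
        """Record one event for ip at time now and return the prevention action."""
        p = self.policy
        if ip in self._shunned:
            if now < self._shunned[ip]:
                return "shun"
            del self._shunned[ip]           # shun expired: count afresh
        self._events[ip].append(now)
        n = self._count(ip, now)
        if p.post_max and n >= p.post_max:
            self._shunned[ip] = now + p.shun_s
            self._events[ip].clear()
            return "shun"
        if n >= p.max_count:
            return "block"
        if n >= p.min_count:
            return "alarm"
        return "allow"


# The deck's policies: RPS per IP over 5 min (Min 220, Max 280) and
# signatures per IP over 1 min (Min 20, Max 30, post max 150 -> shun 12 h).
RPS_POLICY = AnomalyPolicy("rps", window_s=300, min_count=220, max_count=280)
SIG_POLICY = AnomalyPolicy("sig", window_s=60, min_count=20, max_count=30,
                           post_max=150, shun_s=12 * 3600)


def replay(trap: AnomalyTrap, ip: str, hits: int, start: float, spacing: float) -> list:
    """Feed `hits` events from ip, `spacing` seconds apart; return the actions."""
    return [trap.observe(ip, start + i * spacing) for i in range(hits)]


if __name__ == "__main__":
    t = AnomalyTrap(SIG_POLICY)
    actions = replay(t, "10.0.0.138", 160, 0.0, 0.25)
    print(actions[0], actions[19], actions[29], actions[149], actions[159])
```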
Detections: Restrictions – length check policy
Length check: GET parameter value – Min 3 chars, Max 130 chars
Request:
http://sirt.club/search.php?q=longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong
Host: sirt.club
User-Agent: Mozilla/5.0
Accept: text/html,application/,*/*;
Parser (entities) Value / Length found
Verb (Method) GET
Protocol HTTP 1.1
Parameter name q
Parameter value longlong…long – 136 chars
Source IP 192.168.1.1
Time 01:32:44
Detection: Restriction (length)
Detections: Restrictions – HTTP RFC
Policy (RFC @ any request): Allow / Block
Header with no value – Block
Double Host header – Block
HTTP verbs: POST, GET, HEAD allowed; any other verb – Block
Null in request – Block
Parameter value with ' – Block
Protocol version 1.1 – Allow
Protocol version 1.0 – Block
Request:
OPTIONS /search.php?q=mc’mer HTTP/1.0
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/,*/* %00;
Host: sirt.club
Header123:
Parser (entities) Value
Verb (Method) OPTIONS
Protocol HTTP 1.0
Parameter name q
Parameter value mc’mer
Host header Sirt.club, www.sirt.club (double)
Time 11:11:11
Header123 (empty)
Accept text/html,application/,*/* %00;
Detection: Restriction (HTTP RFC)
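The length and HTTP RFC restriction policies above as an added example (not from the deck): the checks run over already-parsed entities and return one line per violation, which the enforcer turns into Block. The Entities layout, the check functions and the constructed OPTIONS request are the author's assumptions.

```python
# Added example (not from the slide deck): the Restrictions trap as a list of
# checks over parsed entities, implementing the deck's length policy (GET
# parameter value 3..130 chars) and its HTTP RFC policy (header with no
# value, double Host header, verb not in POST/GET/HEAD, null in request,
# quote in a parameter value, HTTP/1.0). Entity layout and names are the
# author's own; the entities below are constructed, not captured.
from dataclasses import dataclass, field

ALLOWED_VERBS = {"GET", "POST", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.1"}
PARAM_MIN, PARAM_MAX = 3, 130


@dataclass
class Entities:
    verb: str
    http_version: str
    headers: list = field(default_factory=list)   # (name, value) pairs, duplicates kept
    params: list = field(default_factory=list)    # (name, value) pairs


def check_length(ent: Entities) -> list:
    """Length restriction: every parameter value must be within Min..Max chars."""
    found = []
    for name, value in ent.params:
        n = len(value)
        if n < PARAM_MIN or n > PARAM_MAX:
            found.append(f"length: parameter {name} has {n} chars "
                         f"(policy {PARAM_MIN}..{PARAM_MAX})")
    return found


def check_rfc(ent: Entities) -> list:
    """HTTP RFC restrictions from the deck's policy table; each hit is one string."""
    found = []
    if ent.verb not in ALLOWED_VERBS:
        found.append(f"rfc: verb {ent.verb} not allowed")
    if ent.http_version not in ALLOWED_VERSIONS:
        found.append(f"rfc: protocol version {ent.http_version} blocked")
    hosts = [v for n, v in ent.headers if n.lower() == "host"]
    if len(hosts) > 1:
        found.append("rfc: double host header")
    for name, value in ent.headers:
        if value == "":
            found.append(f"rfc: header {name} with no value")
    # Null bytes, raw or percent-encoded, anywhere in headers or parameters.
    blob = " ".join(n + v for n, v in ent.headers + ent.params)
    if "\x00" in blob or "%00" in blob.lower():
        found.append("rfc: null in request")
    for name, value in ent.params:
        if "'" in value or "\u2019" in value:      # ASCII or typographic quote
            found.append(f"rfc: parameter {name} value contains '")
    return found


def evaluate(ent: Entities) -> str:
    """Enforcer decision for the Restrictions trap: Block on any violation."""
    return "block" if check_length(ent) or check_rfc(ent) else "allow"


# Constructed entities modelled on the deck's OPTIONS request, a clean
# request, and the 136-char parameter from the length slide.
BAD = Entities(
    verb="OPTIONS", http_version="HTTP/1.0",
    headers=[("Host", "sirt.club"), ("User-Agent", "Mozilla/5.0"),
             ("Accept", "text/html,application/,*/* %00;"),
             ("Host", "sirt.club"), ("Header123", "")],
    params=[("q", "mc\u2019mer")],
)
GOOD = Entities(verb="GET", http_version="HTTP/1.1",
                headers=[("Host", "sirt.club")], params=[("q", "cve")])
LONG = Entities(verb="GET", http_version="HTTP/1.1",
                headers=[("Host", "sirt.club")], params=[("q", "long" * 34)])

if __name__ == "__main__":
    for ent in (GOOD, LONG, BAD):
        print(evaluate(ent), check_length(ent) + check_rfc(ent))
```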
Detections: Client interrogation – are you a browser or what?
Flow (User Browser ↔ WAF – CI ↔ App):
1. First request GET /sell.php (not verified) arrives at the WAF
2. The WAF answers with the client interrogation
3. The browser returns the interrogation results
4. Interrogation results: if failed – drop / block the request; if passed – forward the request
5. The WAF forwards the request to the app; the HTTP response (verified) returns to the browser and the HTML is rendered
6. Later requests, e.g. GET /img.png (verified), are forwarded and answered as verified
Interrogation tests:
• CLI?
• Supports JS?
• Supports cookies?
• Mouse movements
• UA fits resolution?
• Framework?
Detections: Client interrogation – NATed clients
[Diagram: several clients (IP:X, IP:Y) behind one NAT address IP:A; the WAF asks each one “Who are you?”]
CI results | Allowed
Browser Yes
CLI No
JS capable Yes
Cookie set Yes
TRAPS -> DETECTIONS:
Signatures – pattern matching
Anomaly – aggregation and thresholds
Client Interrogation – HTTP client inspection
Restrictions – allow / block lists
[Diagram: Protection Elements (PE) – Enforcer. The detections (signatures, restrictions, anomaly, client interrogation) on the parsed entities (protocol, payload, user input) map to the prevention actions: Alert, Block, Limit, Follow up]
Prevention action: ALERT (to the WAF admin)
• Alert – GUI
• Alert – Log
• SMS
• Messaging – Slack
• Email
Prevention action: BLOCK (to end users)
Block page shown in the browser:
“This request has been blocked. Your traffic is violating the site policy. If this continues, please contact our support 111-111. Block ID: 10ABC”
Drop connection: TCP FIN / RESET
Semi blocking: stripping / cloaking
Prevention action: LIMIT
• Limiting the rate of RPS on a specific IP
• Limiting RPS on the site
• Limiting RPS on a specific URL
• Limiting time
• Limiting access – 4 hours ban
Prevention action: FOLLOW UP
• Send users to a honeypot for inspection
• Send the browser back to the main page
WAF Protection Elements
[Diagram: 1. Data plane – Parser → Traps → Enforcer, i.e. Entities (protocol, payload, user input) → Detections (signatures, restrictions, anomaly, client interrogation) → Prevention (alert, block, limit, follow up); 2. Control plane; 3. Reporting. P D E]
WAF – Traffic Manager
[Diagram: the WAF in front of the web application (request handlers, applications, databases) separates the expected traffic footprint (“Welcome”) from the attack traffic footprint (“No services for you”); P D E]
WEB APP OWNER:
✓ Allow valuable traffic
✓ Stop attack
WAF – PE and Rules
Protection Elements (PE): a Rule is E D P
Entity: 1. Protocol 2. Payload 3. User input
Detections: 1. Signatures 2. Anomaly 3. Restrictions 4. Client interrogation
Prevention: 1. Alert 2. Block 3. Limiting 4. Follow up
Rules Concept
Rule = Entity (Parser) + Detection (Traps) + Prevention action (Enforcer): E D P
Entities: protocol, payload – headers, user input
Detections: signatures, anomaly, restrictions, client interrogation
Prevention actions: alert, block, limit, follow up
Rule PR2 PE:S CAV: Auto
• Entity: user agent header
• Detection: Signature hydra
• PA: RST connection
Rule PR1 PE:S CAV: WE-SQLi
• Entity: user input parameter value
• Detection: Signature SQLi select * from
• PA: Blocking page
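The two rules above, together with the signature detections from the earlier signature slides, as one added example that is not the deck's code: a Rule is an E D P triple (entity to inspect, signature list to run, prevention action), and the enforcer applies the highest-priority rule that fires. Rule, run_traps, enforce and the constructed entity dicts are assumed names; the signature patterns are the author's encoding of the strings the deck lists.

```python
# Added example (not from the slide deck): the Rules Concept as code. A Rule is
# an E D P triple: which Entity to look at, which Detection (a signature list)
# to run on it and which Prevention Action the Enforcer applies, plus the
# deck's priority (PR) and CAV tag. The two rules are the ones on the slide;
# the patterns encode the User-Agent and exploit signatures the deck lists.
# Entities are a constructed dict; all names are the author's own.
import re
from dataclasses import dataclass

UA_SIGNATURES = [r"Python-urllib/\d", r"Nikto/", r"Apache-HttpClient/", r"Hydra"]
SQLI_SIGNATURES = [r"select\s+\*\s+from", r"'\s*or\s+1=1\s*--", r'"\s*or\s+""="']


@dataclass(frozen=True)
class Rule:
    name: str            # e.g. "PR1"
    priority: int        # lower number wins when several rules fire
    cav: str             # Common Attack Vector tag, e.g. "WE-SQLi"
    entity: str          # entity key to inspect
    signatures: tuple    # Detection: signature patterns (case-insensitive)
    action: str          # Prevention Action for the Enforcer


RULES = (
    Rule("PR1", 1, "WE-SQLi", "param_values", tuple(SQLI_SIGNATURES), "block_page"),
    Rule("PR2", 2, "Auto", "user_agent", tuple(UA_SIGNATURES), "rst_connection"),
)


def run_traps(entities: dict, rules=RULES) -> list:
    """Detection phase: return (rule, matched text) for every rule that fires."""
    hits = []
    for rule in rules:
        values = entities.get(rule.entity, [])
        if isinstance(values, str):
            values = [values]
        for text in values:
            for pat in rule.signatures:
                m = re.search(pat, text, re.IGNORECASE)
                if m:
                    hits.append((rule, m.group(0)))
                    break       # one hit per value is enough for the rule
    return hits


def enforce(entities: dict, rules=RULES) -> dict:
    """Enforcer phase: apply the highest-priority hit, or allow when none fired."""
    hits = run_traps(entities, rules)
    if not hits:
        return {"action": "allow", "rule": None, "cav": None, "match": None}
    rule, match = min(hits, key=lambda h: h[0].priority)
    return {"action": rule.action, "rule": rule.name, "cav": rule.cav, "match": match}


# Constructed entities for the two slide examples and for a clean request.
SQLI_REQ = {"verb": "GET", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
            "param_values": ["SELECT * FROM products where id =*"]}
HYDRA_REQ = {"verb": "POST", "user_agent": "Mozilla/4.0 (Hydra)", "param_values": ["bob"]}
CLEAN_REQ = {"verb": "GET", "user_agent": "Mozilla/5.0", "param_values": ["cve"]}

if __name__ == "__main__":
    for req in (SQLI_REQ, HYDRA_REQ, CLEAN_REQ):
        print(enforce(req))
```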
WAF Policy – CAV base policy
*Common Attack Vector – CAV
WA-CAV: Brute force, ADDoS, Vulnerability hunting, Automated attacks
[Diagram: the WAF policy for the app is a set of rule groups, each rule an E D P triple: Brute force rules, ADDoS rules, Vulnerability hunting rules, Bot/Botnet rules]
Reporting
3. Reporting – Visualization (over 2. Control plane – Settings and 1. Data plane – WAF engines)
WAF LOGS
Security reporting: Dashboard, Graphs, Statistics, Logs
Support reporting: Audit, Maintenance, System
o Audit – who did what – changes to policy
o Maintenance – update / upgrade failures
o System – memory, configuration
Dashboard
[Dashboard panels: App Health – a percentage gauge per app (App 1, App 2, App 3); Incidents by severity (Critical, High, Medium), each shown as an E:D:P summary (E:H D:S BLOCK; E:URL D:A ALARM; E:IP D:R RATE LIMIT) with the affected IPs and request counts (1 IP 10 req, 1 IP 100 req, 10 IP 1000 req); Traffic ETF]
Action items:
• Update signature for CVE XXXXX
• False positive on parameter q
• Update swagger schema
Statistics and Graphs
[Graph: RPS @ URL / over time, with a table of the top source IPs and their aggregated request counts]
Top URLs by RPS:
/ 21.21k
/search.php 2.75k
/login.php 2.26k
/sell.php 2.25k
/user_login.php 2.23k
/noneexisting 2.01k
[Graph: RPS @ login.php per source network (10.10.10.0, 10.10.20.0, 10.10.30.0, 10.10.40.0, 10.10.50.0) and in total]
Security Request log
[Log view: incidents listed with the requests R1, R2, R3, R4 … Rx that make them up – an outlook-style view of incidents and their request details]
R1
GET /314355195369564852’2.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Host: sirt.club
R1 details:
GET /3143551953695648522.php HTTP/1.1
User-Agent: Mozilla/5.0
Host: sirt.club
Entity: 3143551953695648522.php
Detection: meta char in URL ‘
Prevention: blocking page
Time: 11:12:13
Source IP: 10.0.0.138
R2
TRACK / HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Trace-Test: Nikto
R3
OPTIONS /API/V1/login HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/11.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Host: sirt.club
Security Incident Response
[Diagram: the SIR cycle – Invocation → 1. AM I → 2. Mitigation → 3. Response → BTR]
Invocation
Invocation – a possible security related issue needs attention, now.
Channels:
▪ Dashboard alert
▪ Email
▪ SMS
▪ Instant messaging
▪ Phone call
Sources:
► Security device
► App monitoring
► Humans
Next: P1. AM I
1. AM I – am I under attack?
Declare the incident type and determine the impact
Incident type:
RA – Real attack
FP – False positive
FA – False alarm → BTR
Impact:
• S1 – Service down
• S2 – Major impact
• S3 – General impact
Next: P2. Mitigation
2. Mitigation – how to mitigate (S&D)
Find Suspicious Indicators (SIN) & compose a Prevention Rule (PR)
❑ Suspicious indicators (3SIN)
❑ Compose prevention rule (PR)
Next: P3. Response
3. Response – apply & verify
Apply the prevention rule and verify the attack mitigation
❑ Apply mitigation strategy
❑ Monitor mitigation
Back To Routine (BTR)
✓ BTR – monitoring attack
✓ BTR – EoA – end of attack
Declare back to routine when the attack is being blocked or the attack has stopped. Win.
Summary – Web Exploits and attack elements
[Diagram: attack agent → exploit → vulnerability → attack surface of the web application; attack automation – orchestration nodes (AUTO)]
Web Exploits: SQLi, XSS, LFI/RFI, RCE, CSRF
ATO: BF, CS, PS
DDoS: Floods, Loads
BOT/S, BOTNET/S
Summary – WAF Structure
[Diagram: 1. Data plane – Parser → Traps → Enforcer (Entities: protocol, payload, user input; Detections: signatures, restrictions, anomaly, client interrogation; Prevention: alert, block, limit, follow up). 2. Control plane – GUI, API, config file. 3. Reporting – dashboard, graphs, stats, request log; ISO]
Summary – attacks mapped to WAF detections (E D P)
[Diagram: each attack family on the web app mapped to the detections that cover it, with the attack elements marked V (vulnerability), AS (attack surface), AA (attack agent) and e (exploit)]
Web Exploits (SQLi, XSS, LFI/RFI, CSRF, RCE) – Signatures, Restrictions
ATO (BF, CS, PS) – Anomaly, Client interrogation
DDoS (Floods, Loads) – Anomaly, Client interrogation
AUTO (automation) – Signatures, Anomaly, Restrictions, Client interrogation
Practical Defensive Security for Security Engineers
By: Lior Rotkovitch – https://SIRT.club
“Man’s biggest obstacle is he himself” LR
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch

From nothing to production in 1 hour
 
Building Rich Applications with Appcelerator
Building Rich Applications with AppceleratorBuilding Rich Applications with Appcelerator
Building Rich Applications with Appcelerator
 
REST to JavaScript for Better Client-side Development
REST to JavaScript for Better Client-side DevelopmentREST to JavaScript for Better Client-side Development
REST to JavaScript for Better Client-side Development
 

Mehr von Lior Rotkovitch

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfLior Rotkovitch
 
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...Lior Rotkovitch
 
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfBots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfLior Rotkovitch
 
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...Lior Rotkovitch
 
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfA Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfLior Rotkovitch
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
 
The waf book intro waf elements v1.0 lior rotkovitch
The waf book intro  waf elements v1.0 lior rotkovitchThe waf book intro  waf elements v1.0 lior rotkovitch
The waf book intro waf elements v1.0 lior rotkovitchLior Rotkovitch
 
Bots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineBots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineLior Rotkovitch
 
Html cors- lior rotkovitch
Html cors- lior rotkovitchHtml cors- lior rotkovitch
Html cors- lior rotkovitchLior Rotkovitch
 
Web Socket ASM support lior rotkovitch
Web Socket ASM support   lior rotkovitchWeb Socket ASM support   lior rotkovitch
Web Socket ASM support lior rotkovitchLior Rotkovitch
 
הדרכה מבוססת אינטרנט Wbt - Web based training
הדרכה מבוססת אינטרנט  Wbt - Web based training הדרכה מבוססת אינטרנט  Wbt - Web based training
הדרכה מבוססת אינטרנט Wbt - Web based training Lior Rotkovitch
 
פיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתפיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתLior Rotkovitch
 

Mehr von Lior Rotkovitch (12)

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdf
 
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
HTTP Brute Force Mitigation Playbook Bot Profile for Brute Force Mitigations ...
 
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdfBots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
Bots mitigations overview with Advance WAF - Anti ... - DevCentral.pdf
 
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
The 1B Data Leak, TrickBot Gang Shift and Cyber Espionage - F5 SIRT This Week...
 
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdfA Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
A Day in the Life of a Security Engineer from Tel Aviv- clean.pdf
 
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
 
The waf book intro waf elements v1.0 lior rotkovitch
The waf book intro  waf elements v1.0 lior rotkovitchThe waf book intro  waf elements v1.0 lior rotkovitch
The waf book intro waf elements v1.0 lior rotkovitch
 
Bots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engineBots mitigations overview with advance waf anti bot engine
Bots mitigations overview with advance waf anti bot engine
 
Html cors- lior rotkovitch
Html cors- lior rotkovitchHtml cors- lior rotkovitch
Html cors- lior rotkovitch
 
Web Socket ASM support lior rotkovitch
Web Socket ASM support   lior rotkovitchWeb Socket ASM support   lior rotkovitch
Web Socket ASM support lior rotkovitch
 
הדרכה מבוססת אינטרנט Wbt - Web based training
הדרכה מבוססת אינטרנט  Wbt - Web based training הדרכה מבוססת אינטרנט  Wbt - Web based training
הדרכה מבוססת אינטרנט Wbt - Web based training
 
פיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבתפיתוח הדרכה מתוקשבת
פיתוח הדרכה מתוקשבת
 

Kürzlich hochgeladen

Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 

Kürzlich hochgeladen (20)

Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 

The waf book intro v1.0 lior rotkovitch

  • 1. Practical Defensive Security for Security Engineers: Web App Firewall
    By: Lior Rotkovitch
    Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
    ▪ Email: lior.rotkovitch@gmail.com
    ▪ Twitter: @Rotkovitch @sirt_club
    ▪ LinkedIn: Lior Rotkovitch
    ▪ Instagram: l.rotkovitch
    https://SIRT.club 70295 ©
  • 2.
    • The Web Application
    • The Attack / attacking
    • The Protect / protecting
    • WAF Policy
    • WAF SIR
    • Summary
  • 3. Web App Paradigm (diagram): Clients <-> THE WEB (TCP/IP – Connection) <-> Web Application; the client sends an HTTP Request and receives an HTTP Response.
  • 4. Web App ecosystem – Legacy (diagram): PC / Browser -> Internet -> Router -> Router -> Firewall -> WAF / ADC -> Web Server/s -> Application Server/s -> Database Server/s (Request in, Response back). Labels: 3 tiers model, Perimeter model, Data Center - On premises / Appliance, OPS, DEV.
  • 5. Web App ecosystem - Modern (diagram). Internet Edge: Mobile Users, Valuable User, Unknown User, Web Bot (automated traffic), Ads / 3rd party services, Partners, Mobile app / {API}, NF. Perimeter / Ingress: WAF NG. ABSTRACTION LAYER/S: Application/s, Request handler/s, AAA, Database/s, Web Site; Cloud private / public, Zone X, App Mesh, CI/CD (• Microservice • Container • Pods). Teams: DEV, OPS, DEVOPS, DEV.SEC.OPS, SIRT.OPS. Telemetry: SIEM ≈, Analytics ∑. Requests flow in, Responses flow out.
  • 6. Software Security
    ➢ Bugs = glitch – “unexpected condition in software” (LR)
    ➢ Security bug - a bug that can be utilized to take advantage
    Software Bug (by Thomas Edison)
    Attacks: ▪ SQL injection ▪ Directory traversal ▪ Cross site attack
    (diagram: WEB / ISP / CLOUD’S -> NF -> Web Servers -> Application Servers -> Database, with bugs at each tier)
  • 7. Application Security (diagram): traffic from IP’S (IP1 IP2 IP3 IP4 IP5) reaches the WEB app via ISP, Partners, Unknown User, Web Bot (automated traffic), Coffee shop and Mobile users.
    Per-IP traffic table:
    Aggregated       21.21k   23.57   36.72k
    172.29.46.6       2.75k    3.05    4.08k
    10.0.0.138        2.26k    2.51    5.27k
    192.168.1.1       2.25k    2.50    3.10k
    172.29.44.44      2.23k    2.48    4.64k
    192.168.1.254     2.01k    2.23    2.82k
    Attacks: ▪ Floods ▪ Brute force ▪ Scraping ▪ ...
    Load % Statistics: CPU 70% (0/1/2), Memory 72% (80GB), Throughput 35% (11.7Mbps), RPS 25% (10k)
  • 9. Attacking the Web App
    Attack: Offending traffic that violates the expected usage
    (diagram: Web Server/s, Application Server/s, Database Server/s under attack)
    Load % Statistics: CPU 100% (0/1/2), Memory 100% (80GB), Throughput 100% (11.7Mbps), RPS 100% (10k)
    Attack goals:
    ▪ Damage - Affect services
    ▪ Data - leakage / manipulation
    ▪ Computing power – usage
  • 10. Attack Elements
    “An attack occurs when an attack agent sends an exploit to execute the vulnerability that resides in the attack surface.”
    (diagram: HTTP -> Web Application: Web Servers, App Servers, Database)
  • 11. Attack Elements: Attack agent -> Exploit -> Attack Vector -> Vulnerability -> Attack Surface
    Vulnerability – a software condition, aka a bug in the software, with a security implication that creates a risk to the application assets: a security bug.
    Attack surface – the location where the vulnerability exists. Also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
    Attack agent – the client software that is used to send the exploit to the attack surface that contains the vulnerability.
    Exploit – the code/payload that activates the vulnerability and allows exploitation of it.
    We use the same attack elements for all the attacks. The vector is the technique used to achieve the goal.
  • 12. Threat Landscape - Traditional (diagram): Users / HTTP clients -> Web Application (Web SRV, App SRV, Database SRV), owned by the App owner. Hacker playground ..;-() sends Web Exploits: ▪ SQL injection ▪ Directory traversal ▪ Cross site attack
  • 13. Threat Landscape - Modern (diagram). Sources of traffic: DEVOPS, partners, NF, Mobile Users, Ads/ 3rd party services, Remote employee, Web Bot, User (Requests / Responses), INSIDER, HACKED, PURPOSE BUILT BOTNET (Automation - battlefield), Cloud ${{:-}j, Internet, Cloud. Application side: ABSTRACTION LAYER, Allowed automated traffic, Application/s, Request handler/s, Authorization, Mobile app/ API, Database/s; DEV, OPS, SEC; SIEM ≈, Analytics ∑.
  • 15. Web Application Protect
    Dude: WAF – Web App Firewall (D&P Security WAF; D&P = detect & prevent)
    ❑ Allow ❑ Monitor ❑ Block
    (diagram: HTTP clients -> WAF -> Web Application; CI/CD)
  • 16. WAF STRUCTURE
    1. DATA PLANE - WAF Engines (sits between Web Clients and the Web Application on the REQUEST / RESPONSE path)
    2. CONTROL PLANE – Settings
    3. REPORTING - Visualization
  • 17. DATA PLANE – ENGINES: PARSER ENGINE -> TRAPS ENGINE -> ENFORCER ENGINE, between WEB CLIENTS and WEB APPLICATION. The WAF SECURITY ENGINEER works through 2. CONTROL PLANE – SETTINGS and 3. REPORTING - VISUALIZATION.
  • 18. Request engines phases in WAF (Application Firewall Engines: Parser -> Traps -> Enforcer -> Web Application)
    Request:
    GET / HTTP/1.1
    Host: sirt.club
    User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
    Parser (entities) -> Value:
    Verb (Method): GET
    Protocol: HTTP 1.1
    URL: /index.php
    User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
    Source IP: 192.168.1.1
    Time: 01:32:44
    Detections: Signatures - User Agent:
    Python-urllib/2.6
    Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
    Mozilla/4.0 (Hydra)
    Prevention action: Alarm / Block page / Reset conn
  • 19. PROTECTION ELEMENTS (PE): WEB CLIENTS -> Parser (ENTITIES: Protocol, Payload, User input) -> Traps (DETECTIONS) -> Enforcer (PREVENTION ACTION)
  • 20. Parser: URL entities
    REQUEST: https://sirt.club/home/search.php?q=cve&cat=all
    Protocol: https
    Host: sirt.club
    Path: /home/
    Object: search.php
    Query String: ?
    Parameter name: q
    Parameter value: cve
    2nd Parameter name: cat
    2nd Parameter value: all
  • 21. Parser: HTTP request entities (Protocol / Payload (headers) / User input)
    REQUEST: http://sirt.club/home/search.php?q=lala
    GET /search.php?q=lala HTTP/1.1
    Host: sirt.club
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,he;q=0.8
    Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed
    Entities:
    VERB: GET
    URL: /search.php
    HTTP version: HTTP/1.1
    Parameter name: q
    Parameter value: lala
    Headers (Payload): Host, Connection, User-Agent, Accept, Accept-Encoding, Accept-Language, Cookie (values as in the request above)
  • 22. Parser - HTTP Response (WEB APP -> WEB CLIENTS; Protocol / Payload (headers) / Server output)
    RESPONSE:
    HTTP/1.1 200 OK
    Date: Sat, 08 Jan 2022 13:53:00 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.26
    Cache-Control: no-cache, must-revalidate, max-age=0
    Connection: Keep-Alive
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 8326
    Keep-Alive: timeout=5
    Content-Type: text/html; charset=UTF-8

    <html lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=Edge"/> <meta charset="UTF-8" /> <title>SIRT Club: Security Incident Response Teams Club</title> <script type="text/javascript"> </script> </head> <body> <div id="logo"> <p> Text </p> </body> </html>
    Entities:
    Response Status Code: HTTP/1.1 200 OK
    Response headers (Payload): Date, Server, X-Powered-By, Cache-Control, Keep-Alive, Connection, Content-Type, Content-Length (values as in the response above)
    Response body (Server output): <HTML> <HEAD> <TITLE></TITLE> </HEAD> <Body> <p>SIRT protectors of the realm</p> </Body> </HTML>
  • 23. PROTECTION ELEMENTS (PE) – DETECTIONS (Traps): 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION. WEB CLIENTS -> Parser (ENTITIES: Protocol, Payload, User input) -> Traps (DETECTIONS) -> Enforcer (PREVENTION ACTION) -> WEB APP.
  • 24. DETECTIONS: SIGNATURES
    Request:
    GET /search.php?q= SELECT * FROM products where id =* HTTP/1.1
    Host: sirt.club
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
    Parser Entities -> Value:
    Verb (Method): GET
    Protocol: HTTP 1.1
    Parameter name: q
    Parameter value: SELECT * FROM products where id =*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
    Source IP: 192.168.1.1
    WAF Signature: SELECT * FROM where id =* …
    Detection: Signature
  • 25. DETECTIONS: SIGNATURES (User Agent and exploit signatures)
    Request:
    POST /query.php HTTP/1.1
    Connection: Keep-Alive
    Host: sirt.club
    Content-Length: 59
    User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
    Content-Type: application/x-www-form-urlencoded

    action=' or 1=1--
    Parser (entities) -> Value:
    Verb (Method): POST
    Protocol: HTTP 1.1
    URL: /query.php
    User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
    Source IP: 192.168.1.1
    Post Data – param: action
    Post Data – Value: ' or 1=1--
    WAF User Agent signature: Python-urllib/2.6; Apache-HttpClient/4.5.7 (Java/1.8.0_221); Mozilla/4.0 (Hydra)
    WAF exploit Signature: ../../../../../../etc/passwd; <script>alert('XSS')</script>; ' or 1=1--; " or ""="
    Detection: Signature
  • 26. PROTECTION ELEMENTS (PE) – DETECTIONS: 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION (WEB CLIENTS -> Parser: ENTITIES Protocol / Payload / User input -> Traps: DETECTIONS -> Enforcer: PREVENTION ACTION -> WEB APP)
  • 27. DETECTIONS: ANOMALY – increase in RPS from IPs
    Aggregated data – Policy limit per IP:
    IP (Parser)       5 min   20 min   1 hour AVG
    10.0.0.138        50      60       180
    192.168.1.1       180     0        0
    172.29.44.6       400     350      3000
    172.29.46.9       250     100      1000
    10.1.1.1          1800    1200     800
    192.168.24.24     0       100      150
    Policy: Source IP: ANY @ 5 Min – RPS limit Min 220, Max 280
    Detection: Anomaly
  • 28. DETECTIONS: ANOMALY – increase in FLI (failed logins) from IPs (Fail Login -> “Try Again”)
    Aggregated data – Policy limit: FLI per IP:
    IP (Parser)       Current FLI / 5 min   60 min FLI
    10.0.0.138        60                    180
    192.168.1.1       0                     0
    172.29.44.6       35                    40
    172.29.46.9       100                   1000
    10.1.1.1          1800                  3000
    192.168.24.24     10                    150
    Policy: Source IP: ANY @ 5 Min – FLI/IP over 5 min limit: Min 300, Max 1000
    Detection: Anomaly
  • 29. DETECTIONS: ANOMALY – increase in signature hits from an IP
    Aggregated data – Policy limit: Signatures per IP:
    IP (Parser)       Sig count 5 min   Sig count 20 min   Sig count 1H
    10.0.0.138        500               600                1800
    192.168.1.1       20                50                 100
    172.29.44.6       0                 1                  0
    172.29.46.9       0                 0                  4
    10.1.1.1          4                 4                  4
    192.168.24.24     1                 1                  1
    Policy: Source IP: ANY @ 1 Min – Max signatures from IP / 1 min: Min 20, Max 30; past max 150 -> shun for 12 hours
    Detection: Anomaly
  • 30. PROTECTION ELEMENTS (PE) – DETECTIONS: 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION (WEB CLIENTS -> Parser: ENTITIES Protocol / Payload / User input -> Traps: DETECTIONS -> Enforcer: PREVENTION ACTION -> WEB APP)
  • 31. DETECTIONS: RESTRICTIONS – Length check policy
    Policy: Length – Min chars / Max chars; GET Param value: Min 3 chars, Max 130 chars
    Request:
    http://sirt.club/search.php?q=longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong
    Host: sirt.club
    User-Agent: Mozilla/5.0
    Accept: text/html,application/,*/*;
    Parser (entities) -> Value -> Length found:
    Verb (Method): GET
    Protocol: HTTP 1.1
    Parameter name: q
    Parameter value: longlong…long (136 chars)
    Source IP: 192.168.1.1
    Time: 01:32:44
  • 32. DETECTIONS: RESTRICTIONS – HTTP RFC
    Policy (RFC @ any request: Allow / Block):
    Header with no value: Block
    Double host header: Block
    HTTP verbs: POST Get HEAD: Block
    Null in request: Block
    Parameter value with ': Block
    Protocol version 1.1: Allow
    Protocol version 1.0: Block
    Request:
    OPTIONS /search.php?q=mc’mer HTTP/1.0
    Host: sirt.club
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
    Accept: text/html,application/,*/* %00;
    Host: sirt.club
    Header123:
    Parser (entities) -> Value:
    Verb (Method): OPTIONS
    Protocol: HTTP 1.0
    Parameter name: q
    Parameter value: mc’mer
    Host header: Sirt.club, www.sirt.club
    Time: 11:11:11
    Header123: _____ (empty)
    Accept: text/html,application/,*/* %00;
  • 33. PROTECTION ELEMENTS (PE) – DETECTIONS: 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION (WEB CLIENTS -> Parser: ENTITIES Protocol / Payload / User input -> Traps: DETECTIONS -> Enforcer: PREVENTION ACTION -> WEB APP)
  • 34. DETECTIONS: Client interrogation – “Are you a browser or what?”
    Sequence (User Browser <-> WAF - CI <-> App):
    1. Browser: GET /sell.php (not verified)
    2. WAF: returns the client interrogation to the browser instead of forwarding the request
    3. Browser: HTML rendering runs the interrogation and returns the interrogation results
    4. WAF: if failed – drop / block request; if passed – forward request to the App
    5. App: HTTP Response (verified); the following GET /img.png (verified) is forwarded and answered directly
    Interrogation tests: • CLI? • Support JS? • Support cookie? • Mouse movements • UA fit resolution? • Framework?
  • 35. DETECTIONS: Client interrogation – NATed clients (“Who are you?”): clients IP:X and IP:Y reach the WAF behind the shared address IP:A, so the interrogation is answered by each client.
    Client interrogation query -> CI results: Allowed – Browser: Yes; CLI: No; JS capable: Yes; Cookie set: Yes
  • 36. TRAPS -> DETECTIONS:
      Signatures – pattern matching
      Anomaly – aggregation and thresholds
      Client interrogation – HTTP client inspection
      Restrictions – allow / block lists
  • 37. Protection elements (PE) with prevention actions
    Detections: SIGNATURES, RESTRICTIONS, ANOMALY, CLIENT INTERROGATION
    Prevention actions: ALERT, BLOCK, LIMIT, FOLLOW UP
    Pipeline: WEB CLIENTS -> Parser (ENTITIES: Protocol, Payload, User input) -> Traps (DETECTIONS) -> Enforcer (PREVENTION ACTION)
  • 38. ALERT (to: WAF admin):
      • Alert – GUI
      • Alert – log
      • SMS
      • Messaging – Slack
      • Email
    BLOCK (to: end users):
      • Blocking page in the browser: "This request has been blocked. Your traffic is violating the site policy. If this continues, please contact our support 111-111. Block ID: 10ABC"
      • Drop connection: TCP FIN / RESET
      • Semi-blocking: stripping / cloaking
  • 39. LIMIT:
      • Limiting the rate of RPS on a specific IP
      • Limiting RPS on the site
      • Limiting RPS on a specific URL
      • Limiting time
      • Limiting access – 4-hour ban
    FOLLOW UP:
      • Send users to a honeypot for inspection
      • Resend the browser to the main page
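The LIMIT actions listed on slide 39, together with the "aggregation and thresholds" definition of the anomaly trap on slide 36, come down to counting requests per IP, per URL and site-wide over a time window and escalating from rate limiting to a timed ban. The Python below is an added example written for this page, not code from the slides or from any WAF product; the class name, the limit values, the escalation rule (ban after three limit hits) and the sample event list are all assumptions.

```python
"""Illustrative anomaly trap: sliding-window thresholds per IP / URL / site
with an escalating 4-hour ban.

Added example, not the slides' or any product's code. ThresholdTrap, its
limits and the sample events are assumptions built around slide 39's LIMIT
actions (RPS per IP, per site, per URL; limit time; 4-hour access ban).
"""
from collections import defaultdict, deque


class ThresholdTrap:
    """Count requests in a sliding window and decide the prevention action."""

    def __init__(self, window=1.0, ip_limit=10, url_limit=1000, site_limit=5000,
                 ban_after=3, ban_seconds=4 * 3600):
        self.window = window                      # "limiting time": seconds per window
        self.limits = {"ip": ip_limit, "url": url_limit, "site": site_limit}
        self.ban_after = ban_after                # IP limit hits before the 4-hour ban
        self.ban_seconds = ban_seconds
        self.windows = defaultdict(deque)         # key -> timestamps inside the window
        self.limit_hits = defaultdict(int)        # ip -> times it was rate limited
        self.banned_until = {}                    # ip -> timestamp the ban expires

    def _count(self, key, ts):
        """Append ts for key, drop timestamps older than the window, return the count."""
        q = self.windows[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q)

    def observe(self, ts, ip, url):
        """Return the action for one request: allow, limit_ip, limit_url, limit_site or banned."""
        until = self.banned_until.get(ip)
        if until is not None:
            if ts < until:
                return "banned"               # banned requests are dropped, not counted
            del self.banned_until[ip]         # ban expired: start counting afresh
            self.limit_hits[ip] = 0
        counts = {
            "ip": self._count(("ip", ip), ts),
            "url": self._count(("url", url), ts),
            "site": self._count(("site",), ts),
        }
        for scope in ("ip", "url", "site"):   # most specific scope decides first
            if counts[scope] > self.limits[scope]:
                if scope == "ip":
                    self.limit_hits[ip] += 1
                    if self.limit_hits[ip] >= self.ban_after:
                        self.banned_until[ip] = ts + self.ban_seconds
                        return "banned"
                return f"limit_{scope}"
        return "allow"


def replay(events, trap=None):
    """Feed (timestamp, ip, url) events in order and return the action per event."""
    trap = trap or ThresholdTrap()
    return [trap.observe(ts, ip, url) for ts, ip, url in events]


# Constructed sample (not captured traffic): 14 hits on /login.php from one
# source inside one second, one request from another source, then two later
# requests from the first source, inside and after the 4-hour ban.
BURST_IP, OTHER_IP = "10.0.0.138", "192.168.1.1"
SAMPLE_EVENTS = (
    [(100.0 + i * 0.01, BURST_IP, "/login.php") for i in range(14)]
    + [(100.2, OTHER_IP, "/search.php")]
    + [(200.0, BURST_IP, "/")]                     # still inside the ban
    + [(100.0 + 4 * 3600 + 60.0, BURST_IP, "/")]   # ban expired, counted afresh
)

if __name__ == "__main__":
    for (ts, ip, url), action in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{ts:10.2f} {ip:15} {url:12} -> {action}")
```

With the default limits the first ten login requests in the window are allowed, the next two are rate limited, the third limit hit converts into a ban, and the same source is accepted again only once the ban has expired; the other source is unaffected because counting is keyed per IP before falling back to the URL and site-wide thresholds.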
  • 40. WAF protection elements – structure
    1. DATA PLANE: ENTITIES (Protocol, Payload, User input) -> Parser; DETECTIONS (Signatures, Restrictions, Anomaly, Client interrogation) -> Traps; PREVENTION (Alert, Block, Limit, Follow up) -> Enforcer
    2. CONTROL PLANE
    3. REPORTING
  • 42. WAF – Traffic manager
    WEB APPLICATION: Application/s, Request handler/s, Database/s
    Expected traffic footprint -> "Welcome"; Attack traffic footprint -> "No services for you" (P D E)
    WEB APP OWNER: ✓ Allow valuable traffic  ✓ Stop attack
  • 44. Rules concept
    Rule = Entity (E) + Detection (D) + Prevention action (P)
    Entities: PROTOCOL, PAYLOAD – HEADERS, USER INPUT
    Detections: SIGNATURES, ANOMALY, RESTRICTIONS, CLIENT INTERROGATION
    Prevention actions: ALERT, BLOCK, LIMIT, FOLLOW UP
    Pipeline: PARSER -> TRAPS -> ENFORCER
    PR1 (PE: S, CAV: WE-SQLi)
      • Entity: user input parameter value
      • Detection: signature SQLi "select * from"
      • PA: blocking page
    PR2 (PE: S, CAV: Auto)
      • Entity: User-Agent header
      • Detection: signature "hydra"
      • PA: RST connection
  • 45. WAF Policy – CAV base policy (WA-CAV)
    *Common Attack Vector – CAV. Each group is a set of E D P rules:
      • BRUTE FORCE – brute force rules
      • ADDoS – ADDoS rules
      • VULNERABILITY HUNTING – vulnerability hunting rules
      • AUTOMATED ATTACKS – bot/botnet rules
    WAF POLICY for the APP = these rule groups
  • 46. Reporting
    WAF layers: 1. DATA PLANE – WAF engines; 2. CONTROL PLANE – settings; 3. REPORTING – visualization
    WAF LOGS:
      SECURITY REPORTING – GRAPHS, STATISTICS, LOGS, DASHBOARD
      SUPPORT REPORTING:
        o Audit – who did what – changes to policy
        o Maintenance – update / upgrade failures
        o System – memory, configuration
  • 47. Dashboard: App health / Incidents / Traffic
    Incidents (E = entity, D = detection):
      Entity    Detection    Action        Severity    Traffic
      E:H       D:S          BLOCK         Critical    1 IP, 100 req
      E:URL     D:A          ALARM         Medium      1 IP, 10 req
      E:IP      D:R          RATE LIMIT    High        10 IP, 1000 req
    App health: bar chart (56%–72% range) for App 1, App2, App3
    Traffic: ETF
    Action items:
      • Update signature for CVE XXXXX
      • False positive on parameter q
      • Update swagger schema
  • 48. Statistics and graphs
    Statistics – top source IPs (columns as on the slide):
      Aggregated        21.21k    23.57    36.72k
      10.10.1.12        2.75k     3.05     4.08k
      72.1.38.240       2.26k     2.51     5.27k
      192.168.1.1       2.25k     2.50     3.10k
      172.16.184.126    2.23k     2.48     4.64k
      192.168.1.12      2.01k     2.23     2.82k
    Top URLs by RPS:
      /                 21.21k
      /search.php       2.75k
      /login.php        2.26k
      /sell.php         2.25k
      /user_login.php   2.23k
      /noneexisting     2.01k
    Graphs: RPS @ URL over time (21 samples); RPS @ Login.php per source range (10.10.10.0, 10.10.20.0, 10.10.30.0, 10.10.40.0, 10.10.50., total)
  • 49. Security request log – "Outlook view" of incidents and their request details
    Incident list: R1, R2, R3, R4 … Rx
    R1 incident detail:
      Entity: 3143551953695648522.php
      Detections: meta char in URL '
      Prevention: blocking page
      Time: 11:12:13
      Source IP: 10.0.0.138
    R1 request:
      GET /314355195369564852'2.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Length: 0
      Host: sirt.club
    R2 request:
      TRACK / HTTP/1.1
      Connection: Keep-Alive
      Host: sirt.club
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      Trace-Test: Nikto
    R3 request:
      OPTIONS /API/V1/login HTTP/1.1
      User-Agent: Mozilla/5.0 Firefox/11.0
      Accept: image/webp,*/*
      Accept-Language: en-US,en;q=0.5
      Host: sirt.club
  • 52. INVOCATION (P1: AM I)
    Invocation – a possible security-related issue needs attention, now.
    Channels: ▪ Dashboard alert ▪ Email ▪ SMS ▪ Instant messaging ▪ Phone call
    Sources: ► Security device ► App monitoring ► Humans
  • 53. 1. AM I – Am I under attack? (next: P2 MITIGATION)
    Declare the incident type: RA – real attack; FP – false positive; FA – false alarm (-> BTR)
    Determine the impact: S1 – service down; S2 – major impact; S3 – general impact
  • 54. 2. MITIGATION – how to mitigate (S&D) (next: P3 RESPONSE)
    Find suspicious indicators (SIN) and compose a prevention rule (PR):
      ❑ Suspicious indicators (3SIN)
      ❑ Compose prevention rule (PR)
  • 55. 3. RESPONSE – apply & verify
    Apply the prevention rule and verify attack mitigation
      ❑ Apply mitigation strategy
      ❑ Monitor mitigation
  • 56. BTR – Back To Routine
    Declaring back to routine when the attack is being blocked or has stopped (Win)
      ✓ BTR – monitoring attack
      ✓ BTR – EoA – end of attack
  • 58. Web application attack surface
    Chain: Vulnerability -> Exploit -> Attack -> Agent
      • Web exploits: SQLi, XSS, LFI/RFI, RCE, CSRF
      • ATO: BF, CS, PS
      • DDoS: floods, loads
      • BOT/S, BOTNET/S – attack automation, orchestration (nodes), AUTO
  • 59. WAF structure
    1. DATA PLANE: ENTITIES (Protocol, Payload, User input) -> Parser; DETECTIONS (Signatures, Restrictions, Anomaly, Client interrogation) -> Traps; PREVENTION (Alert, Block, Limit, Follow up) -> Enforcer
    2. CONTROL PLANE: GUI, API, config file, ISO
    3. REPORTING: graphs, stats, request log, dashboard
  • 60. Summary – attack categories and WAF protection elements (E D P) in front of the WEB APP
    Attack categories: Web exploits (SQLi, XSS, LFI/RFI, CSRF, RCE); ATO (BF, CS, PS); DDoS (floods, loads); AUTO
    Protection elements: SIGNATURES, RESTRICTIONS, ANOMALY, CLIENT INTERROGATION (slide legend: V AS AA e)
  • 61. Practical Defensive Security for Security Engineers – https://SIRT.club – By: Lior Rotkovitch ©
    "Man's biggest obstacle is he himself" LR
    ▪ Email: lior.rotkovitch@gmail.com
    ▪ Twitter: @rotkovitch
    ▪ LinkedIn: Lior Rotkovitch
    ▪ Instagram: l.rotkovitch