The waf book intro v1.0 lior rotkovitch
Lior Rotkovitch
1.
Web App Firewall – Practical Defensive Security for Security Engineers
By: Lior Rotkovitch
Ref: 052921DSMM-TWB-HB-V1.P, SOT:S,B.
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @Rotkovitch @sirt_club
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
70295 https://SIRT.club ©
2.
• The Web Application
• The Attack / attacking
• The Protect / protecting
• WAF Policy
• WAF SIR
• Summary
3.
Web App Paradigm – THE WEB
(diagram) Clients ⇄ Web Application over a TCP/IP connection: HTTP Request from the client, HTTP Response from the web application.
4.
Web App ecosystem – Legacy
(diagram) PC / Browser – Internet – Router – Firewall – Router – ADC – WAF – Web Server/s – Application Server/s – Database Server/s (Request inbound, Response outbound)
Labels: 3 tiers model; Perimeter model; Data Center – On premises / Appliance; OPS; DEV
5.
Web App ecosystem – Modern (WAF NG)
(diagram labels) DEV.SEC.OPS; NF; Web Application; Unknown User; Web Bot – automated traffic; Requests; Responses; ABSTRACTION LAYER/S; Application/s; Request handler/s; AAA; Mobile app / {API}; Database/s; DEV; Perimeter/Ingress; OPS; SIRT.OPS; Web Site; DEVOPS; App Mesh; Cloud private / public; Zone X; CI/CD (Microservice, Container, Pods); Mobile Users; Ads / 3rd party services; Partners; Valuable User; SIEM ≈; Analytics ∑; Internet; Edge
6.
➢ Bug = glitch – “unexpected condition in software” (LR)
➢ Security bug – a bug that can be utilized to take advantage
(image: Software Bug by Thomas Edison)
Software Security Attacks:
▪ SQL injection
▪ Directory traversal
▪ Cross site attack
(diagram labels) ISP; WEB; Web Servers; Application Servers; Database; NF; CLOUD’S
7.
Application Security
Top source IPs (column headings are not recoverable from the slide):
Source IP        Col 1    Col 2   Col 3
Aggregated       21.21k   23.57   36.72k
172.29.46.6      2.75k    3.05    4.08k
10.0.0.138       2.26k    2.51    5.27k
192.168.1.1      2.25k    2.50    3.10k
172.29.44.44     2.23k    2.48    4.64k
192.168.1.254    2.01k    2.23    2.82k
(chart: IP1–IP5 over time; axis values omitted)
(diagram labels) ISP; Partners; Unknown User; Web Bot – automated traffic; Coffee shop; Mobile users; WEB
WEB Attacks:
▪ Floods
▪ Brute force
▪ Scraping
▪ ...
Load % Statistics:
CPU 70% (0/1/2)
Memory 72% (80GB)
Throughput 35% (11.7Mbps)
RPS 25% (10k)
8.
(image only)
9.
Attacking the Web App
Attack: offending traffic that violates the expected usage.
(diagram) Web Server/s – Application Server/s – Database Server/s
Load % Statistics: CPU 100% (0/1/2); Memory 100% (80GB); Throughput 100% (11.7Mbps); RPS 100% (10k)
Attack goals:
▪ Damage – affect services
▪ Data – leakage / manipulation
▪ Computing power – usage
10.
Attack Elements
“An attack occurs when an attack agent sends an exploit to execute the vulnerability that resides in the attack surface.”
(diagram) HTTP – Web Servers – App Servers – Database – Web Application
11.
Attack Elements: Attack agent – Exploit – Attack Vector – Vulnerability – Attack Surface
Vulnerability – a software condition (a bug in the software) with security implications that creates a risk to the application assets; a security bug.
Attack surface – the location where the vulnerability exists. Also refers to the entry point for the exploit, or the meeting place between the exploit and the vulnerability.
Attack agent – the client software that is used to send the exploit to the attack surface that contains the vulnerability.
Exploit – the code/payload that activates the vulnerability and allows it to be exploited.
We use the same attack elements for all the attacks. The vector is the technique used to achieve the goal.
12.
Threat Landscape – Traditional
(diagram) Users / HTTP clients – Web SRV – App SRV – Database SRV – Server/s – App owner; Web Exploits; Hacker playground ..;-()
Web Application attacks:
▪ SQL injection
▪ Directory traversal
▪ Cross site attack
13.
Threat Landscape – Modern
(diagram labels) DEVOPS; partners; NF; Mobile Users; Ads / 3rd party services; Remote employee; Web Bot; User; Requests; Responses; ABSTRACTION LAYER; Allowed automated traffic; Application/s; Request handler/s; Authorization; SIEM ≈; Analytics ∑; Mobile app / API; Database/s; DEV; OPS; SEC; INSIDER; HACKED; PURPOSE-BUILT BOTNET; Automation – battlefield; Cloud; ${{:-}j; Internet; Cloud
14.
(image only)
15.
Web Application Protect
WAF – Web App Firewall (D&P Security WAF; D&P = detect & prevent)
❑ Allow
❑ Monitor
❑ Block
(diagram) Dude – HTTP – WAF – Web Application; CI/CD
16.
WAF STRUCTURE
1. Data Plane – WAF Engines (REQUEST / RESPONSE between Web Clients and the Web Application)
2. Control Plane – Settings
3. Reporting – Visualization
17.
DATA PLANE – ENGINES
(diagram) WEB CLIENTS – WAF – WEB APPLICATION; WAF SECURITY ENGINEER
▪ PARSER ENGINE
▪ TRAPS ENGINE
▪ ENFORCER ENGINE
(2. CONTROL PLANE – SETTINGS; 3. REPORTING – VISUALIZATION)
18.
Request engine phases in WAF (Application Firewall Engines: Parser – Traps – Enforcer – Web Application)
Request:
GET / HTTP/1.1
Host: sirt.club
User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)

Parser (entities)    Value
Verb (Method)        GET
Protocol             HTTP 1.1
URL                  /index.php
User-Agent           Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
Source IP            192.168.1.1
Time                 01:32:44

Detections: Signatures – User Agent
▪ Python-urllib/2.6
▪ Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:007240)
▪ Mozilla/4.0 (Hydra)

Prevention action:
▪ Alarm
▪ Block page
▪ Reset conn
19.
PROTECTION ELEMENTS (PE)
WEB CLIENTS → WAF → WEB APP
ENTITIES (Protocol, Payload, User input) → Parser
DETECTIONS → Traps
PREVENTION ACTION → Enforcer
20.
Parser: URL
REQUEST: https://sirt.club/home/search.php?q=cve&cat=all
Entity               Value
Protocol             https
Host                 sirt.club
Path                 /home/
Object               search.php
Query String         ?
Parameter name       q
Parameter value      cve
2nd Parameter name   cat
2nd Parameter value  all
21.
Parser: request entities – Protocol, Payload (headers), User input
REQUEST: http://sirt.club/home/search.php?q=lala

GET /search.php?q=lala HTTP/1.1
Host: sirt.club
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Cookie: SESSION=a6f77f584b48467c32d18a20aa0a13ed

Entities             Value
VERB                 GET
URL                  /search.php
HTTP version         HTTP/1.1
Parameter name       q
Parameter value      lala
Host                 sirt.club
Connection           keep-alive
User-Agent           Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Accept               text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding      gzip, deflate
Accept-Language      en-US,en;q=0.9,he;q=0.8
Cookie               SESSION=a6f77f584b48467c32d18a20aa0aa13ed
22.
Parser – HTTP Response (WEB APP → WEB CLIENTS; RESPONSE entities: Protocol, Payload (headers), Server output)

HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 13:53:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.26
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8326
Keep-Alive: timeout=5
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="UTF-8" />
<title>SIRT Club: Security Incident Response Teams Club</title>
<script type="text/javascript"> </script>
</head>
<body>
<div id="logo">
<p> Text </p>
</body>
</html>

Entities
Response Status Code: HTTP/1.1 200 OK
Response headers: Date: Sat, 08 Jan 2022 13:53:00 GMT; Server: Apache; X-Powered-By: PHP/7.4.26; Cache-Control: no-cache, must-revalidate, max-age=0; Keep-Alive: timeout=5; Connection: Keep-Alive; Content-Type: text/html; charset=UTF-8; Content-Length: 8326
Response body:
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<Body>
<p>SIRT protectors of the realm</p>
</Body>
</HTML>
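The parser slides (20 to 22) show the entities a WAF extracts but not the extraction itself. The following Python is an added example, not code from the deck or from any WAF product: a minimal parser that turns a raw request or response into those entities. The sample traffic, the function names and the decision to keep headers as an ordered list (so a duplicate Host header stays visible to later checks) are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic modelled on slides 20, 21, 24 and 25 (not captured requests).
SAMPLE_GET = (
    "GET /home/search.php?q=cve&cat=all HTTP/1.1\r\n"
    "Host: sirt.club\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Cookie: SESSION=0123456789abcdef\r\n"
    "\r\n"
)
SAMPLE_POST = (
    "POST /query.php HTTP/1.1\r\n"
    "Host: sirt.club\r\n"
    "User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "action=%27+or+1%3D1--"
)
# Unencoded spaces inside the query, as on slide 24: the parser must not choke on them.
SAMPLE_SQLI = "GET /search.php?q= SELECT * FROM products where id =* HTTP/1.1\r\nHost: sirt.club\r\n\r\n"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
    "<html><body><p>SIRT protectors of the realm</p></body></html>"
)

# Verb, target and version; the target is matched lazily so spaces in it do not break parsing.
REQUEST_LINE = re.compile(r"^(\S+)\s+(.+?)\s+(HTTP/\d\.\d)$")


def parse_url(url):
    """Slide-20 entities: protocol, host, path, object, query string and parameters."""
    parts = urlsplit(url)
    directory, _, obj = (parts.path or "/").rpartition("/")
    return {
        "protocol": parts.scheme or None,
        "host": parts.hostname,
        "path": directory + "/",
        "object": obj,
        "query_string": parts.query,
        # parse_qsl percent-decodes once and turns '+' into a space
        "parameters": parse_qsl(parts.query, keep_blank_values=True),
    }


def _parse_headers(lines):
    # Ordered list, not a dict: duplicate headers (two Host lines) must stay visible.
    # A line without ':' gets value None; 'Name:' with nothing after it gets ''.
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip() if sep else None))
    return headers


def _header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def parse_request(raw):
    """Split a raw request into the protocol, payload (headers) and user-input entities."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    verb, target, version = match.groups()
    headers = _parse_headers(lines[1:])
    url = parse_url(target)
    body_params = []
    if (_header(headers, "Content-Type") or "").startswith("application/x-www-form-urlencoded"):
        body_params = parse_qsl(body, keep_blank_values=True)
    return {
        "verb": verb,
        "version": version,
        "target": target,
        "url": url,
        "headers": headers,
        "user_agent": _header(headers, "User-Agent"),
        "query_params": url["parameters"],
        "body_params": body_params,
        "body": body,
    }


def parse_response(raw):
    """Slide-22 entities: status code, response headers and server output (body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": _parse_headers(lines[1:]), "body": body}
```

Everything the traps engine later inspects (verb, version, each header, each query and body parameter, the user agent) comes out of this dictionary, so the detection slides that follow can be written against entities rather than against raw bytes.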
23.
PROTECTION ELEMENTS (PE) – Traps
WEB CLIENTS → WAF → WEB APP
ENTITIES (Protocol, Payload, User input) → Parser
DETECTIONS → Traps: 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION
PREVENTION ACTION → Enforcer
24.
DETECTIONS: SIGNATURES
Request:
GET /search.php?q= SELECT * FROM products where id =* HTTP/1.1
Host: sirt.club
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54

Parser entities      Value
Verb (Method)        GET
Protocol             HTTP 1.1
Parameter name       q
Parameter value      SELECT * FROM products where id =*
User-Agent           Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54
Source IP            192.168.1.1

WAF Signature: SELECT * FROM where id =* …………..
Detection: Signature
25.
DETECTIONS: SIGNATURES (POST)
Request:
POST /query.php HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
Content-Length: 59
User-Agent: Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Content-Type: application/x-www-form-urlencoded

action=' or 1=1--

Parser (entities)    Value
Verb (Method)        POST
Protocol             HTTP 1.1
URL                  /query.php
User-Agent           Apache-HttpClient/4.5.7 (Java/1.8.0_221)
Source IP            192.168.1.1
Time                 01:32:44
Post Data – param    action
Post Data – value    ' or 1=1--

WAF User Agent signatures:
▪ Python-urllib/2.6
▪ Apache-HttpClient/4.5.7 (Java/1.8.0_221)
▪ Mozilla/4.0 (Hydra)
WAF exploit signatures:
▪ ../../../../../../etc/passwd
▪ <script>alert('XSS')</script>
▪ ' or 1=1--
▪ " or ""="
Detection: Signature
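Slides 18, 24 and 25 list signatures and show them matching against parsed entities. The Python below is an added example (not the deck's code and not any vendor's signature set) of that "pattern matching" trap. The signature ids, the regex form of the deck's literal patterns, the bounded percent-decoding step and the entity dictionaries are this example's own choices; the entities are constructed here by hand in the shape a parser would produce.

```python
import re
from urllib.parse import unquote

# Signature set derived from the literal examples on slides 18, 24 and 25 (added example).
USER_AGENT_SIGNATURES = {
    "scanner/nikto": re.compile(r"Nikto/", re.I),
    "tool/python-urllib": re.compile(r"^Python-urllib/", re.I),
    "tool/apache-httpclient": re.compile(r"^Apache-HttpClient/", re.I),
    "bruteforce/hydra": re.compile(r"\(Hydra\)", re.I),
}
EXPLOIT_SIGNATURES = {
    "sqli/tautology": re.compile(r"'\s*or\s*1\s*=\s*1\s*--", re.I),
    "sqli/tautology-dq": re.compile(r'"\s*or\s*""\s*="', re.I),
    "sqli/select-from": re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    "traversal/etc-passwd": re.compile(r"(\.\./){2,}.*etc/passwd", re.I),
    "xss/script-tag": re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S),
}

# Constructed entities in the shape a parser would emit (sample data, not captured traffic).
_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54"
SAMPLE_GET = {"user_agent": _CHROME, "params": [("q", "SELECT * FROM products where id =*")]}  # slide 24
SAMPLE_POST = {"user_agent": "Apache-HttpClient/4.5.7 (Java/1.8.0_221)",
               "params": [("action", "' or 1=1--")]}  # slide 25
# Double percent-encoded traversal: only visible after the input is decoded more than once.
SAMPLE_DOUBLE_ENCODED = {"user_agent": _CHROME,
                         "params": [("file", "%252e%252e%252f%252e%252e%252fetc%252fpasswd")]}
SAMPLE_CLEAN = {"user_agent": _CHROME, "params": [("q", "lala")]}  # slide 21


def normalize(value, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads still hit the signatures."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_signatures(entities):
    """Traps engine, 'signatures' detection: pattern-match the entities and return the hits."""
    hits = []
    user_agent = entities.get("user_agent") or ""
    for sig_id, pattern in USER_AGENT_SIGNATURES.items():
        if pattern.search(user_agent):
            hits.append(("User-Agent", sig_id))
    for name, value in entities.get("params", []):
        candidate = normalize(value)
        for sig_id, pattern in EXPLOIT_SIGNATURES.items():
            if pattern.search(candidate):
                hits.append((f"param:{name}", sig_id))
    return hits


def decide(hits):
    """Enforcer input: any signature hit blocks (slides 18 and 25: alarm plus block page)."""
    return "block" if hits else "allow"


if __name__ == "__main__":
    for label, sample in [("GET", SAMPLE_GET), ("POST", SAMPLE_POST),
                          ("double-encoded", SAMPLE_DOUBLE_ENCODED), ("clean", SAMPLE_CLEAN)]:
        hits = match_signatures(sample)
        print(label, decide(hits), hits)
```

The decoding loop is the caveat a practitioner would add to slide 25: a signature compares against the decoded value the application will eventually see, so the engine must decode (a bounded number of times) before matching, or a double-encoded payload slips past literal patterns.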
26.
PROTECTION ELEMENTS (PE) – Traps
WEB CLIENTS → WAF → WEB APP
ENTITIES (Protocol, Payload, User input) → Parser
DETECTIONS → Traps: 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION
PREVENTION ACTION → Enforcer
27.
DETECTIONS: ANOMALY – RPS per IP
Aggregated data (Parser: Source IP), Internet-facing:
IP               5 min   20 min   1 hour AVG
10.0.0.138       50      60       180
192.168.1.1      180     0        0
172.29.44.6      400     350      3000
172.29.46.9      250     100      1000
10.1.1.1         1800    1200     800
192.168.24.24    0       100      150
Policy limit per IP: Source IP: ANY @ 5 Min – RPS limit Min 220, Max 280
Anomaly – increase in RPS from IPs
Detection: Anomaly
28.
DETECTIONS: ANOMALY – Failed logins (FLI) per IP
(login form: Fail Login – Try Again)
IP               Current FLI / 5 min   60 min FLI
10.0.0.138       60                    180
192.168.1.1      0                     0
172.29.44.6      35                    40
172.29.46.9      100                   1000
10.1.1.1         1800                  3000
192.168.24.24    10                    150
Policy limit: FLI per IP – Source IP: ANY @ 5 Min; FLI/IP over 5 min limit: Min 300, Max 1000
Anomaly – increase in FLI from IPs
Detection: Anomaly
29.
DETECTIONS: ANOMALY – Signatures per IP
IP               Sig count 5 min   Sig count 20 min   Sig count 1H
10.0.0.138       500               600                1800
192.168.1.1      20                50                 100
172.29.44.6      0                 1                  0
172.29.46.9      0                 0                  4
10.1.1.1         4                 4                  4
192.168.24.24    1                 1                  1
Policy limit: Signatures per IP – Source IP: ANY @ 1 Min; Max signatures from IP / 1 min: Min 20, Max 30; Post max 150 -> shun for 12 hours
Anomaly – increase in Sig from IP
Detection: Anomaly
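Slides 27 to 29 describe the same mechanism three times: count events per source IP over a time window and compare the count with a Min/Max limit; slide 29 adds a shun once the count passes a higher mark. The Python below is an added example (not the deck's code) of that "aggregation and thresholds" trap, covering all three slides with one counter. It assumes a reading of the Min/Max band in which exceeding Min raises a warning and exceeding Max is the anomaly; the class and function names are this example's own, and the slide-27 table values are reused as already-aggregated sample counts.

```python
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Per-IP event counter over a sliding time window (requests, failed logins or signature hits)."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = defaultdict(deque)  # ip -> timestamps of events still inside the window

    def add(self, ip, now):
        self.events[ip].append(now)
        return self.count(ip, now)

    def count(self, ip, now):
        q = self.events[ip]
        while q and q[0] <= now - self.window:  # drop events that fell out of the window
            q.popleft()
        return len(q)


def classify(count, minimum, maximum):
    """Map an aggregated count onto the slide's Min/Max band (assumed: Min = warning, Max = anomaly)."""
    if count > maximum:
        return "anomaly"
    if count > minimum:
        return "warning"
    return None


class AnomalyPolicy:
    """One 'aggregated data - policy limit per IP' rule, with the optional shun of slide 29."""

    def __init__(self, window_seconds, minimum, maximum, shun_after=None, shun_seconds=0):
        self.counter = SlidingWindowCounter(window_seconds)
        self.minimum, self.maximum = minimum, maximum
        self.shun_after, self.shun_seconds = shun_after, shun_seconds
        self.shunned = {}  # ip -> time at which the shun expires

    def observe(self, ip, now):
        """Record one event from ip; return None, 'warning', 'anomaly' or 'shunned'."""
        if ip in self.shunned:
            if now < self.shunned[ip]:
                return "shunned"
            del self.shunned[ip]  # shun expired, start counting again
        count = self.counter.add(ip, now)
        if self.shun_after is not None and count >= self.shun_after:
            self.shunned[ip] = now + self.shun_seconds
            return "shunned"
        return classify(count, self.minimum, self.maximum)


# Slide 27's 5-minute RPS column, used here as already-aggregated sample counts.
RPS_5MIN = {"10.0.0.138": 50, "192.168.1.1": 180, "172.29.44.6": 400,
            "172.29.46.9": 250, "10.1.1.1": 1800, "192.168.24.24": 0}


def classify_table(counts, minimum=220, maximum=280):
    """Apply slide 27's limit (Min 220, Max 280 RPS per IP over 5 min) to a table of counts."""
    return {ip: classify(n, minimum, maximum) for ip, n in counts.items()}


def run_signature_policy():
    """Slide 29: Min 20 / Max 30 signature hits per IP per minute; 150 hits -> shun for 12 hours."""
    policy = AnomalyPolicy(window_seconds=60, minimum=20, maximum=30,
                           shun_after=150, shun_seconds=12 * 3600)
    # Constructed burst: 160 signature hits from one IP inside 40 seconds.
    timeline = [policy.observe("10.0.0.138", now=i * 0.25) for i in range(160)]
    later = policy.observe("10.0.0.138", now=2 * 3600)   # two hours later: still shunned
    quiet = policy.observe("192.168.24.24", now=0.0)      # a single hit from another IP
    return timeline, later, quiet


if __name__ == "__main__":
    print(classify_table(RPS_5MIN))
    timeline, later, quiet = run_signature_policy()
    print(timeline[19], timeline[20], timeline[30], timeline[149], later, quiet)
```

The same `AnomalyPolicy` with `window_seconds=300, minimum=300, maximum=1000` and failed-login events as the input is slide 28's rule; only the event source changes, which is the point the three slides make together.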
30.
PROTECTION ELEMENTS (PE) – Traps
WEB CLIENTS → WAF → WEB APP
ENTITIES (Protocol, Payload, User input) → Parser
DETECTIONS → Traps: 1. SIGNATURES 2. ANOMALY 3. RESTRICTIONS 4. CLIENT INTERROGATION
PREVENTION ACTION → Enforcer
31.
DETECTIONS: RESTRICTIONS – Length check policy
Policy: GET Param value – Min 3 chars, Max 130 chars
Request:
http://sirt.club/search.php?q=longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong
Host: sirt.club
User-Agent: Mozilla/5.0
Accept: text/html,application/,*/*;

Parser (entities)    Value                                    Length – found
Verb (Method)        GET
Protocol             HTTP 1.1
Parameter name       q
Parameter value      longlong…long (34 × "long")              136 chars
Source IP            192.168.1.1
Time                 01:32:44
32.
DETECTIONS: RESTRICTIONS – HTTP RFC (@ any request)
Policy                                   Allow / Block
Header with no value                     Block
Double host header                       Block
HTTP verbs: POST, GET, HEAD allowed      other verbs Block
Null in request                          Block
Parameter value with '                   Block
Protocol version 1.1                     Allow
Protocol version 1.0                     Block

Request:
OPTIONS /search.php?q=mc’mer HTTP/1.0
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/,*/* %00;
Host: sirt.club
Header123:

Parser (entities)    Value
Verb (Method)        OPTIONS
Protocol             HTTP 1.0
Parameter name       q
Parameter value      mc’mer
Host header          Sirt.club, www.sirt.club
Time                 11:11:11
Header123            (empty)
Accept               text/html,application/,*/* %00;
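Slides 31 and 32 give the restriction policy as a table of allow/block rows and show one request that violates most of them. The Python below is an added example (not the deck's code) of the "restrictions" trap as an allow/block check over parsed entities. It reads the slide's HTTP-verb row as an allow list (POST, GET and HEAD allowed, everything else blocked), which is an interpretation; the rule names, the policy dictionary and the constructed requests are this example's own.

```python
# Restriction policy from slides 31 and 32 (added example; the allow-list reading of the
# HTTP-verb row is an interpretation of the slide).
RESTRICTION_POLICY = {
    "allowed_verbs": {"GET", "POST", "HEAD"},
    "allowed_versions": {"HTTP/1.1"},
    "param_min_chars": 3,
    "param_max_chars": 130,
}

# Constructed requests in the entity shape a parser would produce (headers as an ordered list
# so a duplicated Host header is still visible). Sample data, not captured traffic.
_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE_VIOLATING = {  # modelled on slide 32
    "verb": "OPTIONS", "version": "HTTP/1.0",
    "headers": [("Host", "sirt.club"), ("User-Agent", _UA),
                ("Accept", "text/html,application/,*/* %00;"),
                ("Host", "sirt.club"), ("Header123", "")],
    "params": [("q", "mc'mer")],
}
SAMPLE_TOO_LONG = {  # modelled on slide 31: 34 x "long" = 136 chars against a 130-char maximum
    "verb": "GET", "version": "HTTP/1.1",
    "headers": [("Host", "sirt.club"), ("User-Agent", _UA)],
    "params": [("q", "long" * 34)],
}
SAMPLE_OK = {
    "verb": "GET", "version": "HTTP/1.1",
    "headers": [("Host", "sirt.club"), ("User-Agent", _UA)],
    "params": [("q", "lala")],
}


def _has_null(value):
    # Both a raw NUL byte and its percent-encoded form count as "null in request".
    return "\x00" in value or "%00" in value


def check_restrictions(req, policy=RESTRICTION_POLICY):
    """Traps engine, 'restrictions' detection: return (rule, detail) violations, [] when it passes."""
    violations = []
    if req["verb"] not in policy["allowed_verbs"]:
        violations.append(("verb not allowed", req["verb"]))
    if req["version"] not in policy["allowed_versions"]:
        violations.append(("protocol version blocked", req["version"]))
    host_count = sum(1 for name, _ in req["headers"] if name.lower() == "host")
    if host_count != 1:
        violations.append(("host header count", host_count))
    for name, value in req["headers"]:
        if not value:  # None (no colon at all) or '' (colon with nothing after it)
            violations.append(("header with no value", name))
        elif _has_null(value):
            violations.append(("null in request", f"header {name}"))
    for name, value in req["params"]:
        if _has_null(value):
            violations.append(("null in request", f"param {name}"))
        if "'" in value:  # a real engine normalises Unicode look-alike quotes before this check
            violations.append(("apostrophe in parameter value", name))
        if not policy["param_min_chars"] <= len(value) <= policy["param_max_chars"]:
            violations.append(("parameter length", f"{name}={len(value)} chars"))
    return violations


if __name__ == "__main__":
    for label, req in [("violating", SAMPLE_VIOLATING), ("too long", SAMPLE_TOO_LONG), ("ok", SAMPLE_OK)]:
        print(label, check_restrictions(req))
```

A restriction check is cheap and has no false-positive problem of the kind signatures have, which is why the deck lists it as a separate trap: each rule is a hard property of the request (its verb, version, header set or value length) rather than a pattern that might also occur in legitimate input.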
33.
Protection Elements (PE) – overview: Web clients -> PE -> Web app
Entities: Protocol, Payload, User input (Parser)
Detections: 1. Signatures 2. Anomaly 3. Restrictions 4. Client Interrogation (Traps)
Prevention: Action (Enforcer)
34.
Detections: Client interrogation – are you a browser or what?

Flow (user browser / WAF – CI / app):
1. First request: GET /sell.php (not verified)
2. The WAF answers with the client interrogation instead of forwarding the request
3. The browser returns the interrogation results
4. If failed – drop / block the request; if passed – forward the request to the app
5. App: HTTP response (verified); the browser renders the HTML
6. Subsequent requests, e.g. GET /img.png, are forwarded as verified and answered with an HTTP response (verified)

Interrogation tests:
• CLI?
• Supports JS?
• Supports cookies?
• Mouse movements
• UA fits resolution?
• Framework?
35.
Detections: Client interrogation – NATed clients ("Who are you?")
Several clients (IP:X, IP:Y) reach the WAF from one NATed address (IP:A); client interrogation tells them apart by their CI results rather than by source IP.

CI results query:
Browser: Yes
CLI: No
JS capable: Yes
Cookie set: Yes
-> Allowed
36.
TRAPS -> DETECTIONS
Signatures – pattern matching
Anomaly – aggregation and thresholds
Client Interrogation – HTTP client inspection
Restrictions – allow / block lists
37.
Protection Elements (PE) – overview: Web clients -> PE -> Web app
Entities: Protocol, Payload, User input (Parser)
Detections: Signatures, Restrictions, Anomaly, Client Interrogation (Traps)
Prevention actions: Alert, Block, Limit, Follow Up (Enforcer)
38.
Prevention action: ALERT (to: WAF admin)
• Alert – GUI
• Alert – Log
• SMS
• Messaging – Slack
• Email

Prevention action: BLOCK (to: end users)
Browser blocking page: "This request has been blocked. Your traffic is violating the site policy. If this continues, please contact our support 111-111. Block ID: 10ABC"
Drop connection: TCP FIN / RESET
Semi blocking: stripping / cloaking
39.
Prevention action: LIMIT
• Limiting the rate of RPS on a specific IP
• Limiting RPS on the site
• Limiting RPS on a specific URL
• Limiting time
• Limiting access – 4 hours ban

Prevention action: FOLLOW UP
• Send users to a honeypot for inspection
• Resend the browser to the main page
40.
WAF structure
1. Data plane – WAF protection elements: Entities (Protocol, Payload, User Input – Parser), Detections (Signatures, Restrictions, Anomaly, Client Interrogation – Traps), Prevention (Alert, Block, Limit, Follow Up – Enforcer)
2. Control plane
3. Reporting
41.
Diagram: P D E (Prevention, Detection, Entity)
42.
WAF – Traffic Manager
Web application: application/s, request handler/s, database/s
Expected traffic footprint -> "Welcome"
Attack traffic footprint -> "No services for you"
Web app owner:
✓ Allow valuable traffic
✓ Stop attacks
(P D E)
43.
WAF – PE and Rules
Protection Elements (PE):
Entity: 1. Protocol 2. Payload 3. User Input
Detections: 1. Signatures 2. Anomaly 3. Restrictions 4. Client Interrogation
Prevention: 1. Alert 2. Block 3. Limiting 4. Follow Up
Rule = E (entity) + D (detection) + P (prevention)
44.
Rules concept
Entities: Protocol, Payload – Headers, User Input (Parser)
Detections: Signatures, Anomaly, Restrictions, Client Interrogation (Traps)
Prevention: Alert, Block, Limit, Follow Up (Enforcer)

Rule PR1 (PE: S, CAV: WE-SQLi):
• Entity: user input – parameter value
• Detection: Signature – SQLi "select * from"
• PA: blocking page

Rule PR2 (PE: S, CAV: Auto):
• Entity: user agent header
• Detection: Signature – "hydra"
• PA: RST connection
45.
WAF Policy – CAV (*Common Attack Vector)
Base policy (WA-CAV) for the app, one rule group per CAV, each rule an E D P triple:
• Brute force rules
• ADDoS rules
• Vulnerability hunting rules
• Bot/Botnet rules (automated attacks)
46.
Reporting
1. Data plane – WAF engines
2. Control plane – settings
3. Reporting – visualization: graphs, statistics, logs, dashboard

Security reporting: WAF logs
Support reporting:
o Audit – who did what, changes to policy
o Maintenance – update / upgrade fails
o System – memory, configuration
47.
Dashboard: App health, Incidents, Traffic, ETF
Incidents (entity / detection / prevention):
E:H    D:S   BLOCK
E:URL  D:A   ALARM
E:IP   D:R   RATE LIMIT
Volumes shown: 1 IP 100 req; 1 IP 10 req; 10 IP 1000 req. Severities: Critical, Medium, High.
App health chart: App 1, App2, App3 (percentage bars)
Action items:
• Update signature for CVE XXXXX
• False positive on parameter q
• Update swagger schema
48.
Statistics (columns as shown on the slide)
Aggregated          21.21k   23.57   36.72k
10.10.1.12          2.75k    3.05    4.08k
72.1.38.240         2.26k    2.51    5.27k
192.168.1.1         2.25k    2.50    3.10k
172.16.184.126      2.23k    2.48    4.64k
192.168.1.12        2.01k    2.23    2.82k

Top URLs by RPS:
/                 21.21k
/search.php       2.75k
/login.php        2.26k
/sell.php         2.25k
/user_login.php   2.23k
/noneexisting     2.01k

Graphs: RPS @ URL (time series over 21 intervals); RPS @ login.php by source network (10.10.10.0, 10.10.20.0, 10.10.30.0, 10.10.40.0, 10.10.50., total)
49.
Security – Request log ("Outlook view" of incidents and their request details)

Incidents: R1, R2, R3, R4, Rx

R1
GET /314355195369564852’2.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Host: sirt.club

R2
TRACK / HTTP/1.1
Connection: Keep-Alive
Host: sirt.club
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Trace-Test: Nikto

R3
OPTIONS /API/V1/login HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/11.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Host: sirt.club

Incident detail (R1):
Request: GET /3143551953695648522.php HTTP/1.1 / User-Agent: Mozilla/5.0 / Host: sirt.club
Entity: 3143551953695648522.php
Detections: meta char in URL ’
Prevention: blocking page
Time: 11:12:13
Source IP: 10.0.0.138
50.
Security Incident Response
51.
Security incident response flow: Invocation -> 1. AM I -> 2. Mitigation -> 3. Response -> BTR
52.
INVOCATION
Invocation – a possible security-related issue needs attention, now.
Sources:
► Security device
► App monitoring
► Humans
Channels:
▪ Dashboard alert
▪ Email
▪ SMS
▪ Instant messaging
▪ Phone call
Next: P1. AM I
53.
1. AM I – Am I under attack?
Declare the incident type and determine the impact.
Incident type:
RA – Real attack
FP – False positive
FA – False alarm
Impact:
• S1 – Service down
• S2 – Major impact
• S3 – General impact
Next: P2. Mitigation, or BTR
54.
2. MITIGATION – Find Suspicious Indicators (SIN) & compose a Prevention Rule (PR)
❑ Suspicious indicators (3SIN)
❑ Compose prevention rule (PR)
How to mitigate (S&D)
Next: P3. Response
55.
3. RESPONSE – Apply & Verify
Apply the prevention rule and verify that the attack is mitigated.
❑ Apply mitigation strategy
❑ Monitor mitigation
56.
BTR – Back To Routine
✓ BTR – monitoring the attack
✓ BTR – EoA – end of attack
Declare back to routine when the attack is being blocked or has stopped. Win.
57.
58.
Web application attack surface
Web exploits: SQLi, XSS, LFI/RFI, RCE, CSRF
ATO: BF, CS, PS
DDoS: Floods, Loads
Attack automation / orchestration – nodes: Bot/s, Botnet/s (AUTO)
Chain: Vulnerability -> Exploit -> Attack -> Agent
59.
WAF structure
1. Data plane: Entities (Protocol, Payload, User Input – Parser), Detections (Signatures, Restrictions, Anomaly, Client Interrogation – Traps), Prevention (Alert, Block, Limit, Follow Up – Enforcer)
2. Control plane: GUI, API, Config file
3. Reporting: Graphs, Stats, Request log, Dashboard
60.
Attack classes mapped to detections (E D P against the web app):
Web exploits: •SQLi •XSS •LFI/RFI •CSRF •RCE
ATO: •BF •CS •PS
DDoS: •Floods •Loads
AUTO (bots / automation)
Detections drawn against them on the slide: Signatures, Restrictions, Anomaly, Client Interrogation (web exploits and automation draw on all four; ATO and DDoS on Anomaly and Client Interrogation)
61.
https://SIRT.club
By: Lior Rotkovitch
"Man's biggest obstacle is he himself" – LR
▪ Email: lior.rotkovitch@gmail.com
▪ Twitter: @rotkovitch
▪ LinkedIn: Lior Rotkovitch
▪ Instagram: l.rotkovitch
Practical Defensive Security for Security Engineers