Open Source Web Entry Server
Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“
Ivan Bütler, [email protected]

About me – Ivan Bütler, E1
• Founder & Security Researcher for Compass Security since 1999, Switzerland – www.csnc.ch
• Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis
• Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking
• Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground
• Lead of the Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland – www.swisscyberstorm.com
• Board member of the Information Security Society Switzerland (ISSS)
• Lecturing activities: HSR & HSLU & FHSG

Win a Car! – Wargame!
• USD 30'000 main prize
• www.swisscyberstorm.com
• May 12-15, 2011, Switzerland, near Zürich
• OWASP trainings planned!

Goal of this Talk
• Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization
• We will play with Facebook as our backend application
• The LiveCD includes all demos – www.hacking-lab.com

PCI DSS Requirement

Without a Web Application Firewall
• Multiple connections into the DMZ
• Applications directly accessible

Web App Firewall (WAF) – Demo with FB
• Web Application Firewall
• Reverse Proxy to FB
• Security Checks
• Content Rewriting
Demo 1 + 2 (the demo movies shown here are available in Hacking-Lab – OWASP Event, www.hacking-lab.com)

Content Rewriting (www.myproxy.com -> www.fb.com)
  <link href="/css/mystyle.css" rel="stylesheet" type="text/css">
• Relative URLs are not a problem!
• Content rewriting is not required

Content Rewriting (www.myproxy.com -> www.fb.com)
  <a href="http://www.fb.com/css/01.css" type="text/css">
• Absolute URLs must be rewritten
• Cookie domain must be rewritten
• Cookie values must be rewritten (in some cases)
Demo 4 – Request Header Patching, Cookie Value Patching

Web App Firewall (www.myproxy.com -> www.fb.com)
  < request filtering  | e.g. SQL injection >
  < response filtering | e.g. stack traces >
  < inspect files      | e.g. PDF exploit analysis >
• The @inspectFile operator is simply a type of API that allows you to inspect file attachments
Demo 5 + 6 – ModSecurity

Web Entry Server
• Pre-Authentication
• Delegated Login Service (DLS)
• Session Hiding
• URL Access Control
• Principal Delegation to Backend App

Web Entry Server – Swiss Blueprint
• Backend requests are always authenticated!
• Strong forensic and logging capabilities
• Central Login Service

Pre-Authentication – Principal Delegation (www.myproxy.com -> www.fb.com, login.myproxy.com)
  PRINCIPAL: Login=OK -> Set-Cookie: UserID=1234;
  GET /app HTTP/1.0 with UserID=1234, RequestID=992x9833asr

Pre-Authentication – Single Sign On
IF SERVICE IS SSO ENABLED:
1. Server gets the initial request with UserID=1234 from the WES
2. Server extracts the UserID
3. Server creates a new, authenticated session
4. Server authorizes only
IMPORTANT: The principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of plain-text UserID=1234!
ALTERNATIVE (SSO disabled): the user must authenticate twice

Pre-Authentication – DLS (Delegated Login Service; www.myproxy.com -> www.fb.com, login.myproxy.com)
IMPORTANT: The DLS authenticates on behalf of the user into www.fb.com (it knows the credentials from the user repository) -> non-origin cookies are then set for www.myproxy.com
Demo 7 – SSO

Web Forensics – NTP is not enough!
Tiers, each behind its own FW: Internet -> Entry Tier -> Presentation Tier -> Business Tier -> Data & Service Tier. Correlation key: the Request Id, carried in every log along the path:
• access.log: Time, IP Address, User Id, Request Id, URL
• referer.log: Time, IP Address, User Id, Request Id, Referer URL
• business.log: Time, IP Address, User Id, Request Id, Use Case Id, Parameters
• business.log (transaction): Time, IP Address, User Id, Request Id, Transaction, Parameters, Transaction state
Demo 7 – UniqueID

URL Access Control (www.myproxy.com, login.myproxy.com)
  Authorization Regexp: Login=OK -> Set-Cookie: AUTHORIZATION=(^/app1|^/app2);
Demo 8 – Service Level ACL

Session Management without session store
• Reverse proxy without session cache

Session Management with session hiding
• Reverse proxy with session cache (SHM)

Entry Server ToolKit – http://media.hacking-lab.com/largefiles/livecd/
  Feature               Apache Module
  Reverse Proxy         mod_proxy
  Web App Firewall      mod_security2
  Forensic Correlation  mod_unique_id
  Content Rewriting     mod_headers, mod_replace
  Pre-Authentication    mod_but
  Session Hiding        mod_but
  URL Authorization     mod_but

Remember (I)
• Pre-Authentication reduces the attack surface exposed to unauthenticated users
• Unique-ID enables proper forensics
• The cookie store hides insecure cookies
• The Service ACL is a second line of defence for the application's authorization scheme

Remember (II)
• The Hacking-Lab LiveCD includes all tools you need to replay
• Win a car! Qualification wargames have started at www.swisscyberstorm.com
• All movies of this talk are available online at www.hacking-lab.com

Thank you
Ivan Bütler, E1
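The two Content Rewriting slides as an added Python example (not code from the talk or the LiveCD): relative URLs pass untouched, absolute backend URLs and the cookie Domain attribute are rewritten to the proxy host. The hosts www.fb.com and www.myproxy.com are the slides' own; the function names are hypothetical stand-ins for what mod_headers/mod_replace do in the Apache setup.

```python
import re

BACKEND = "www.fb.com"          # origin host as seen in backend responses (from the slides)
BACKEND_DOMAIN = "fb.com"       # cookie Domain values the backend may set
PROXY = "www.myproxy.com"       # host the browser talks to

# Absolute URL pointing at the backend host. The lookahead requires the host to end
# there, so http://www.fb.com.evil.example/ is not touched.
ABS_URL = re.compile(r"(https?://)" + re.escape(BACKEND) + r"(?=[/'\"\s>]|$)")


def rewrite_body(html):
    """Rewrite absolute backend URLs to the proxy; relative URLs need no change."""
    return ABS_URL.sub(lambda m: m.group(1) + PROXY, html)


def is_backend_domain(value):
    d = value.lower().lstrip(".")
    return d == BACKEND_DOMAIN or d.endswith("." + BACKEND_DOMAIN)


def rewrite_set_cookie(header_value):
    """Rewrite a backend Set-Cookie header: the Domain attribute always, the cookie
    value only where it embeds the backend host (the slides' 'in some cases')."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    out = [name + "=" + value.replace(BACKEND, PROXY)]
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain" and is_backend_domain(val):
            out.append("Domain=" + PROXY)   # otherwise the browser would never send it back
        else:
            out.append(attr)                # Path, Secure, HttpOnly, Expires stay as they are
    return "; ".join(out)
```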
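The IMPORTANT note on the Single Sign On slide (a signed, timestamped principal ticket instead of plain-text UserID=1234) combined with the AUTHORIZATION regexp cookie from the URL Access Control slide, as an added Python example that is not from the talk. The HMAC-SHA256 construction, the shared secret, the TTL and the function names are assumptions; the ticket carries the user id and the service ACL so the backend can verify both from one value.

```python
import base64, hashlib, hmac, json, re, time

# Secret shared between login.myproxy.com and the backend (constructed for this example).
SECRET = b"wes-demo-shared-secret"
TICKET_TTL = 300   # seconds; bounds the window in which a captured ticket could be replayed


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()   # base64url alphabet never contains "."


def issue_ticket(user_id, acl_regexp, now=None):
    """Login service side: bind UserID, URL ACL regexp and a timestamp under one HMAC."""
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"uid": user_id, "acl": acl_regexp, "ts": ts},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(mac)


def verify_ticket(ticket, now=None):
    """Backend side: return the payload dict, or None if malformed, forged or expired."""
    try:
        p64, m64 = ticket.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:                       # wrong field count or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    data = json.loads(payload)               # only payloads we signed get this far
    now = time.time() if now is None else now
    if not 0 <= now - data["ts"] <= TICKET_TTL:  # stale or future-dated: replay suspect
        return None
    return data


def authorize(ticket, path, now=None):
    """Service-level ACL: the request path must match the regexp carried in the ticket.
    re.match anchors at the start of the path even if the regexp omits '^'."""
    data = verify_ticket(ticket, now)
    return data is not None and re.match(data["acl"], path) is not None
```

Note that the slide's regexp (^/app1|^/app2) also admits /app10; a pattern such as ^/app1(/|$) closes that gap.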
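The Web Forensics slide's correlation key as an added Python example (not from the talk): constructed access.log, referer.log and business.log lines carrying the Request Id are joined across tiers, and a deliberately skewed business-tier clock shows why timestamps alone ("NTP is not enough") cannot do that job. The line format and all values are constructed; only the field names follow the slide.

```python
import re
from collections import defaultdict

# Constructed sample lines, one log per tier, each carrying the Request Id set by the entry
# server. The business tier's clock runs 3 s behind: ordering by time alone misorders events.
ACCESS_LOG = """\
2011-05-12T10:00:01Z 203.0.113.7 uid=1234 rid=992x9833asr GET /app1/transfer
2011-05-12T10:00:02Z 203.0.113.9 uid=5678 rid=77a1b2c3d4e5 GET /app2/list
"""
REFERER_LOG = """\
2011-05-12T10:00:01Z 203.0.113.7 uid=1234 rid=992x9833asr referer=https://www.myproxy.com/app1/account
"""
BUSINESS_LOG = """\
2011-05-12T09:59:58Z 203.0.113.7 uid=1234 rid=992x9833asr usecase=TRANSFER params=amount=500 state=COMMITTED
"""
DEMO_LOGS = [("access.log", ACCESS_LOG), ("referer.log", REFERER_LOG), ("business.log", BUSINESS_LOG)]

LINE = re.compile(r"^(?P<time>\S+) (?P<ip>\S+) uid=(?P<uid>\S+) rid=(?P<rid>\S+) (?P<rest>.*)$")
TIER_ORDER = {"access.log": 0, "referer.log": 1, "business.log": 2}


def parse_log(name, text):
    # Malformed lines are skipped rather than guessed at: a wrong attribution is worse than a gap.
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(dict(m.groupdict(), log=name))
    return events


def correlate(logs):
    """Join the events of every tier on the Request Id (the correlation key)."""
    trail = defaultdict(list)
    for name, text in logs:
        for ev in parse_log(name, text):
            trail[ev["rid"]].append(ev)
    return dict(trail)


def trail_for(rid, trail):
    """One request's events in tier order, independent of each tier's clock."""
    evs = sorted(trail.get(rid, []), key=lambda e: TIER_ORDER.get(e["log"], 99))
    return [(e["log"], e["rest"]) for e in evs]


def time_ordered(rid, trail):
    """The same events ordered by timestamp only; with skewed clocks this misleads."""
    return [e["log"] for e in sorted(trail.get(rid, []), key=lambda e: e["time"])]


def consistent(rid, trail):
    """A genuine trail shows one user and one client IP across all tiers."""
    return len({(e["uid"], e["ip"]) for e in trail.get(rid, [])}) == 1
```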