
Building Secure Websites With Web Application Firewalls

by
Albert Jose de Vera
Abstract
The current Internet landscape includes sophisticated attacks on websites that disrupt applications from servicing the intended audiences. Other types of attacks lead to the unauthorized access and control of the servers, thereby compromising integrity and confidentiality of data. The security community has developed solutions to mitigate these problems. This paper describes processes and products which enable website operators to secure their servers and applications from attacks. A sampling of web application firewalls (WAFs) is discussed and tested against a number of attacks as part of developing a systematic process of securing websites. Certain open source WAFs are used in a testing environment to determine their effectiveness.
1. Introduction
The landscape of the Internet has been changing, growing tremendously these past decades. In a span of more than twenty years, the World Wide Web has become the dominant conduit of information on the Internet. Electronic commerce has thrived on the Internet via the Web, with users and businesses trading in the global marketplace.
As more users engage with each other on the Internet through the Web, new problems have arisen which threaten the integrity and security of transactions and information. The infrastructure is now constantly under attack by nefarious groups and individuals who either seek material gain or seek notoriety. This has led the Internet community to develop defenses and best practices against these attacks.
This paper focuses on securing Web servers using technological tools and best practices. In particular, the use of Web Application Firewalls (WAFs) is discussed along with best practices in the configuration of Web servers.
2. To The Community
The author hopes that this paper gives useful information and insights on how to secure web servers and applications. The author wants to thank the dedicated people who constantly work to provide the technological infrastructure for securing web servers.
3. Threats and Attacks
Many of today's websites are dynamic and interactive applications serving information and transactions to Internet users. Programming scripts on the server and client sides of these web applications provide the interactivity and the interface to data stores. Websites use these data stores to record and retrieve information relevant to the users' requests. These data stores may simply be text files or be as complex as a set of database management systems.
When attackers attempt to break into or disrupt the operation of a website, they exploit bugs in the web application or the web server software itself. If there are flaws in the design of the web application or the web server, these are taken advantage of as well [1-7]. Some of these vulnerabilities include information leakage, cross-site scripting, abuse of functionality, insufficient authorization and SQL injection [8].
There is active research on how to mitigate these vulnerabilities. Approaches to securing the web server and application vary but usually involve improving authentication and access controls, correcting web server and application configurations and properly validating user input [9-12].

4. Web Application Firewalls
As the number of sites on the World Wide Web increased, so did the prevalence of attacks on Web servers and applications. Commercial and non-commercial entities decided to tackle this problem by developing products aimed at securing web applications.
One Web Application Firewall (WAF) presented in this paper is ModSecurity [13]. ModSecurity is probably the most popular open source WAF. As of this writing, version 2.5.7 is the latest release. ModSecurity supports the Apache, NGINX and Microsoft IIS web servers. A version for Java is in beta and supports servers such as Apache Tomcat.
Another WAF presented in this paper is IronBee. IronBee is an open source WAF developed mostly by the original developers of ModSecurity [14]. Since it is in beta, it may not be suitable for production use yet.
5. Configuring and Using Web Application Firewalls
In this paper, ModSecurity and IronBee are installed on CentOS Linux 6.5 running Apache httpd 2.4. The sources are downloaded from the official sites and compiled after their dependencies are installed.
For configuration, the OWASP ModSecurity Core Rule Set [15] is utilized. Rulesets are needed for both ModSecurity and IronBee to parse and filter the web traffic. These rulesets may need to be customized for use in a particular environment. For the purpose of this paper, some of the basic rulesets are utilized as is. Note that although IronBee and ModSecurity are similar, the syntax of their rulesets differs.
ModSecurity is compiled and installed as an Apache web server module. The following commands are used to configure, build and install the module:
./configure --with-apxs=/opt/apache/bin/apxs \
    --with-apr=/opt/apache/bin/apr-1-config \
    --with-apu=/opt/apache/bin/apu-1-config
make
make install
The Apache web server configuration file httpd.conf is modified to include the following:
# For mod_security2
LoadFile /usr/lib64/libxml2.so

LoadModule security2_module libexec/mod_security2.so

<IfModule security2_module>
    Include /etc/opt/apache/extra/httpd-security2.conf
    Include /etc/opt/apache/owasp-modsecurity-crs/activated_rules/*.conf
</IfModule>
The file httpd-security2.conf contains directives on how ModSecurity should behave. Below is an excerpt of the file:
# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-
# installation disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On

# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large
# security hole for attackers to exploit.
#
SecRequestBodyAccess On
The OWASP ModSecurity Core Rule Set is also included from the directory /etc/opt/apache/owasp-modsecurity-crs/activated_rules in the form of config files.
A typical rule in ModSecurity looks like this:
#
# -=[ SQL Operators ]=-
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "(?i:\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary)" \
    "phase:2,rev:'2',ver:'OWASP_CRS/2.2.8',maturity:'9',accuracy:'8',capture,t:none,t:urlDecodeUni,block,\
    msg:'SQL Injection Attack: SQL Operator Detected',id:'981319',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.sql_injection_score=+%{tx.notice_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
ModSecurity makes use of regular expressions to match rules to web traffic data. ModSecurity goes through several stages in checking web traffic data:
1. Request headers (REQUEST_HEADERS)
2. Request body (REQUEST_BODY)
3. Response headers (RESPONSE_HEADERS)
4. Response body (RESPONSE_BODY)
Being an Apache web server module, it takes advantage of the Apache API to perform these tasks.
A sample web site based on the Tufts University COMP 116 Fall 2013 Capture The Flag web application is used to test ModSecurity. The tests and the resulting log messages are shown below:
XSS
===
Tried to inject this:
Testing 1 2 3
<script>window.alert("Testing 1 2 3");</script>
Is this fair?
[Tue Dec 10 22:26:12.584414 2013] [:error] [pid 15722:tid 140518654686976] [client 192.168.2.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:post. [file "/etc/opt/apache/owasp-modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \\x22);</ found within ARGS:post: Testing 1 2 3\\x0d\\x0a<script>window.alert(\\x22Testing 1 2 3\\x22);</script>\\x0d\\x0aIs this fair?"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "ctf.hq.linuxunbound.com"] [uri "/"] [unique_id "UqfbVMCoAjQAAD1qkQAAAP"]
SQL Injection
=============
[Tue Dec 10 22:42:22.199345 2013] [:error] [pid 15723:tid 140518633707264] [client 192.168.2.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:password. [file "/etc/opt/apache/owasp-modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ' = ' found within ARGS:password: ' OR '1' = '1"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "ctf.hq.linuxunbound.com"] [uri "/login.php"] [unique_id "UqffHsCoAjQAAD1ras8AAABR"]
Tried SQL injection attack on system() command via PHP
=====================================================
http://ctf.hq.linuxunbound.com/?id=system(“/usr/bin/mysql —user=root —password=‘Wh@t3ver!Wh@t3ver!’ board -e ‘SHOW TABLES’”);
[Tue Dec 10 22:51:32.256325 2013] [:error] [pid 15722:tid 140518612727552] [client 192.168.2.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:id. [file "/etc/opt/apache/owasp-modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: (\\xe2\\x80\\x9c/ found within ARGS:id: system(\\xe2\\x80\\x9c/usr/bin/mysql \\xe2\\x80\\x94user=root \\xe2\\x80\\x94password=\\xe2\\x80\\x98Wh@t3ver!Wh@t3ver!\\xe2\\x80\\x99 board -e \\xe2\\x80\\x98SHOW TABLES\\xe2\\x80\\x99\\xe2\\x80\\x9d);"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "ctf.hq.linuxunbound.com"] [uri "/"] [unique_id "UqfhRMCoAjQAAD1qkcAAAT"]
http://ctf.hq.linuxunbound.com/?id=phpinfo%28%29;
[Tue Dec 10 22:53:34.974478 2013] [:error] [pid 15722:tid 140518602237696] [client 192.168.2.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)" at ARGS:id. [file "/etc/opt/apache/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: ; found within ARGS:id: phpinfo();"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "ctf.hq.linuxunbound.com"] [uri "/"] [unique_id "UqfhvsCoAjQAAD1qkgAAAU"]
HTML embedding
==============
Tried to embed a YouTube video:
[Tue Dec 10 22:33:25.109499 2013] [:error] [pid 15806:tid 140518644197120] [client 192.168.2.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:post. [file "/etc/opt/apache/owasp-modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ?:\\x0d\\x0a\\x0d\\x0a found within ARGS:post: How about a movie?:\\x0d\\x0a\\x0d\\x0ahttp://www.youtube.com/watch?v=doCL_Pq.u8"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [hostname "ctf.hq.linuxunbound.com"] [uri "/"] [unique_id "UqfdBcCoAjQAAD2@EcQAADQ"]
Tried to embed an image with <img src>:
[Tue Dec 10 22:39:06.241795 2013] [:error] [pid 15723:tid 140518644197120] [client 192.168.2.52] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\b([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2\\\\b|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not ..." at ARGS:post. [file "/etc/opt/apache/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: the <img found within ARGS:post: Even the <img src=\\x22http://l1.yimg.com/av/moneyball/ads/-2-1381428275-8650.jpg\\x22> Warriors come."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "ctf.hq.linuxunbound.com"] [uri "/"] [unique_id "UqfeWsCoAjQAAD1ras4AAABQ"]
Though attempts to take advantage of vulnerabilities were blocked, some matches do not correspond to the actual attack used. For example, the SQL injection attack on the administration page of the site was detected as something else.
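The attribution the author notes above (a login-page SQL injection reported by the generic meta-character rule rather than by an SQL injection rule) follows from rule order: modsecurity_crs_40_generic_attacks.conf is loaded before modsecurity_crs_41_sql_injection_attacks.conf, and with a deny-on-match default the first hit ends phase 2. The Python script below is an added example written for this edit, not code from the paper or from the CRS project; it re-creates three CRS 2.2.8 patterns quoted on this page (rule ids, messages and regexes taken from the rule excerpt and the log lines, sample inputs re-typed from the tests) and evaluates them in first-match and in evaluate-all order.

```python
import re

# Constructed re-creation of three OWASP CRS 2.2.8 rules shown on this page, in
# the order activated_rules/*.conf loads them (40_generic before 41_sql_injection).
# Patterns are bytes because ModSecurity runs PCRE over raw argument bytes.
RULES = [
    # modsecurity_crs_40_generic_attacks.conf
    (960024, "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters",
     re.compile(rb"\W{4,}")),
    # modsecurity_crs_41_sql_injection_attacks.conf
    (981318, "SQL Injection Attack: Common Injection Testing Detected",
     re.compile(r'''(^[\"'`´’‘;]+|[\"'`´’‘;]+$)'''.encode("utf-8"))),
    (981319, "SQL Injection Attack: SQL Operator Detected",
     re.compile(rb"(?i:\!\=|\&\&|\|\||>>|<<|>=|<=|<>|<=>|xor|rlike|regexp|isnull)"
                rb"|(?:not\s+between\s+0\s+and)|(?:is\s+null)|(like\s+null)"
                rb"|(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\))"
                rb"|(?:xor|<>|rlike(?:\s+binary)?)|(?:regexp\s+binary)")),
]

# The paper's test inputs, re-typed from its log excerpts (constructed sample data).
SAMPLES = {
    "ARGS:password": b"' OR '1' = '1",
    "ARGS:id": b"phpinfo();",
    "ARGS:post": (b"Testing 1 2 3\r\n<script>window.alert(\"Testing 1 2 3\");"
                  b"</script>\r\nIs this fair?"),
}


def evaluate(value, first_match_only=True):
    """Return [(rule id, msg, matched data)] for one argument value.

    first_match_only=True mirrors the paper's set-up: the rules carry 'block'
    and the request is denied at the first hit, so later rules never run.
    False mirrors anomaly-scoring mode, where every rule runs and each hit
    only adds to tx.anomaly_score, so the SQLi rule is also reported.
    """
    hits = []
    for rule_id, msg, rx in RULES:
        m = rx.search(value)
        if m:
            hits.append((rule_id, msg, m.group(0)))
            if first_match_only:
                break
    return hits


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "first match only:", [h[0] for h in evaluate(value)])
        print(name, "all rules:       ", [h[0] for h in evaluate(value, False)])
```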
The compilation of the IronBee WAF required some libraries and packages not available in default installations of CentOS 6.5. A new version of the Boost C++ Library (version 1.49 or higher), Protobuf from Google [16], Ruby and Java were required. The IronBee Apache web server module compiled successfully. Testing has not been done using the OWASP ModSecurity Core Rule Set since the syntax for IronBee differs from that of ModSecurity.
6. Conclusion
A web application firewall is a useful defense against common attacks, though configuration may require some effort to customize for a particular application space. More tests should have been done to determine metrics on performance impact on the web application and on robustness against more sophisticated attacks including denial-of-service.
It is the opinion of the author that sites utilizing sensitive data make use of a web application firewall. However, greater importance should be placed on the development of secure web applications and on the implementation of secure practices.
Bibliography
[1] http://www.cert.org/advisories/CA-1996-11.html Interpreters in CGI bin Directories
[2] http://www.cert.org/advisories/CA-1996-06.html Vulnerability in NCSA/Apache CGI example code
[3] http://www.cert.org/advisories/CA-2001-10.html Buffer Overflow Vulnerability in Microsoft IIS 5.0
[4] http://www.cert.org/advisories/CA-2001-12.html Superfluous Decoding Vulnerability in IIS
[5] http://www.cert.org/advisories/CA-2001-14.html Cisco IOS HTTP Server Authentication Vulnerability
[6] http://www.cert.org/advisories/CA-2002-09.html Multiple Vulnerabilities in Microsoft IIS
[7] http://www.cert.org/advisories/CA-2002-21.html Vulnerability in PHP
[8] Website Security Statistics Report. WhiteHat Security. May 2013. https://info.whitehatsec.com/2013-website-security-report.html
[9] D. Tsai, A. Y. Chang, et al. Optimum Tuning of Defense Settings for Common Attacks on the Web Applications. Proceedings of the 43rd Annual 2009 International Carnahan Conference on Security Technology, ICCST 2009. ISBN 978-1-4244-4170-9.
[10] M. Muthuprasanna, J. Wei, et al. Eliminating SQL Injection Attacks – A Transparent Defense Mechanism. Proceedings of The Eighth IEEE International Symposium on Web Site Evolution (WSE '06). 2006. ISBN 0-7695-2696-9.
[11] P. Bisht, P. Madhusudan and V. N. Venkatakrishnan. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Transactions on Information and System Security. Vol. 13, No. 2, Article 14. February 2010.
[12] R. B. Brinhosa, C. B. Westphall, C. M. Westphall. A Security Framework for Input Validation. Proceedings of The Second International Conference on Emerging Security Information, Systems and Technologies. ISBN 978-0-7695-3329-2 (Electronic).
[13] ModSecurity website. http://www.modsecurity.org/
[14] IronBee website. https://www.ironbee.com/
[15] OWASP ModSecurity Core Rule Set. https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
[16] Protobuf from Google. http://code.google.com/p/protobuf/