On Wednesday, April 19, 2017, many schools in the south held their sports meetings. Today, Xiaobian 504, a member of our secwiki team who is dedicated to and enthusiastic about WAFs, shares some knowledge about deploying a WAF and bypassing its defenses. It benefits all of us, whether seasoned expert or complete newcomer.
Background
Let's review some history. In the Web 1.0 era there was no WAF. As Web 2.0 technology developed, attacks became endless: SQL injection, XSS, file inclusion and other application-layer web vulnerabilities. Because a traditional firewall sits at the network gateway, it cannot defend against these vulnerabilities well, so the WAF came into being. A WAF is deployed in front of the web server cluster to protect the web servers.
So what is a WAF?
A WAF performs two-way decoding and analysis of HTTP/HTTPS traffic to deal with the various security threats in HTTP/HTTPS applications, such as SQL injection, XSS, directory traversal and command execution.
Classification of WAF
Some rules of WAF
Some rules defend against attacks grouped by vulnerability type, as shown in the figure below.
Configuration and analysis of WAF
Here we use ModSecurity and nginx + Lua for the analysis. ModSecurity is an open-source web application security program (a web application firewall) that integrates intrusion detection and defense engine functions. It runs as a module of the Apache web server. Its goal is to enhance the security of web applications and protect them from known and unknown attacks. Nginx needs no introduction: it is a high-performance HTTP and reverse proxy server. Finally, Lua is a small, lightweight scripting language written in standard C and distributed as open source. It is designed to be embedded in applications, giving them flexible extension and customization capabilities.
Steps and precautions
Here we use Ubuntu 14.04.3 to install ModSecurity.
Update the package sources before installing software
apt-get update
Install apache2
apt-get install apache2
Install ModSecurity
apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache2-modsecurity
Use the following command to view the ModSecurity version
dpkg -s libapache2-modsecurity | grep Version
Reload the Apache configuration
service apache2 reload
Configure ModSecurity and enable interception mode
~# cd /etc/modsecurity/
:/etc/modsecurity# mv modsecurity.conf-recommended modsecurity.conf
:/etc/modsecurity# vim modsecurity.conf
Change SecRuleEngine Off to SecRuleEngine On to enable interception mode.
Using the ModSecurity Core Rule Set (CRS)
The directory where the active rule set is placed is /usr/share/modsecurity-crs/activated_rules/
Enable the base rule set
You can see the rule set files in that directory
~# cd /usr/share/modsecurity-crs/activated_rules/
:/usr/share/modsecurity-crs/activated_rules# for f in $(ls ../base_rules/); do ln -s ../base_rules/$f; done
When there are multiple rule files, ModSecurity CRS loads them in the order of the numbers in their file names, as shown in the picture:
Modify the Apache2 module configuration and enable the rule set (version 2.7)
Edit /etc/apache2/mods-available/security2.conf and add the corresponding configuration file entries, as shown in the figure:
Enable ModSecurity module
a2enmod headers
a2enmod security2
service apache2 restart
Points to note
IP access issue
After configuration, accessing the site by IP address returns a 403.
The reason is that, for the sake of completeness, there is a rule that forbids accessing the website by IP address.
We can see this from the log (the interception log is /var/log/apache2/modsec_audit.log):
vim /var/log/apache2/modsec_audit.log
The access is blocked by rule 2960017 in the rule file /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf, as shown in the figure:
Solution
During testing, you only need to add a "#" in front of the corresponding SecRule in that file to comment the rule out; you can then access the website by IP.
ModSecurity processing phases
ModSecurity 2.x allows rules to be placed in one of five phases:
Request headers
Request body
Response headers
Response body
Logging
WAF defense
Take Phpcms v9.6.0 as an example.
Fill in the following information on the website registration page.
Capture the request with Burp Suite and write the payload into it. From the response, a 403 interception can be seen.
Here we look at the interception log and see the rule ID that triggered the defense, as well as the parameter and the attack payload.
The specific rule that defended: as can be seen from the figure below, the corresponding regular expression matched the attack payload.
Rules that do not consider every case can be bypassed
Sometimes the scenarios considered by WAF rules are not comprehensive. Faced with a specific application's business logic, some regular-expression matches can be bypassed.
To bypass a WAF, we construct payloads that the WAF cannot match but that still execute successfully in the application.
For example, in the following case the business application itself filters the "=" sign, but the WAF rule may only match <script>. So when <s==ri==pt> is entered on this site, the WAF does not match it. But behind the WAF, the hardware or software that processes the application-layer data strips the "=" characters, leaving <script>, which executes.
The above is a bypass for one specific business situation. The general approach is to find out the characteristics of the hardware/software that processes application-layer packets behind the WAF device and use them to construct payloads that the WAF misses but the application executes. These characteristics still need to be studied by security enthusiasts.
Writing rules
Format: SecRule VARIABLES OPERATOR [ACTIONS]
Variables: what the rule matches against, mainly ARGS, ARGS_GET, ARGS_POST, MATCHED_VAR, REQUEST_COOKIES, etc.
Operator: the test applied to the variable, such as a regular-expression match or a "begins with" match.
Actions: what to do when the operator matches the variable; the simplest is to intercept or to warn.
A small example. From the analysis of the S2-045 vulnerability, it is easy to write a rule like this:
SecRule REQUEST_HEADERS:Content-Type "%\{.+\}?|\$\{.+\}?" "id:123456,block"
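The rule format and the S2-045 rule above, worked through in an added Python example (my own code, not part of this post or of ModSecurity): a tiny evaluator for the SecRule subset VARIABLES "OPERATOR" "ACTIONS" that expands REQUEST_HEADERS:Name and ARGS, applies @rx and reads the action list, run against two constructed Content-Type headers. The parsing regex and the header/args dictionaries standing in for a request are assumptions of the example.

```python
import re
from typing import Dict, List, Optional
# Evaluator for a small subset of the ModSecurity SecRule syntax:
#     SecRule VARIABLES "OPERATOR" "ACTIONS"
# Supported: REQUEST_HEADERS:Name, ARGS and ARGS:name as variables, the @rx operator
# (a bare pattern is an implicit @rx, as in ModSecurity) and a comma-separated action
# list. Illustration only; this is not ModSecurity's own parser.
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"([^"]*)"\s*$')

def parse_rule(line: str) -> dict:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    variable, operator, action_str = m.groups()
    if operator.startswith("@"):
        op_name, _, op_arg = operator.partition(" ")
    else:
        op_name, op_arg = "@rx", operator  # no explicit operator: regex match
    actions: Dict[str, Optional[str]] = {}
    for item in action_str.split(","):
        key, _, value = item.strip().partition(":")
        actions[key] = value or None
    return {"variable": variable, "op": op_name, "arg": op_arg, "actions": actions}

def resolve(variable: str, headers: Dict[str, str], args: Dict[str, str]) -> List[str]:
    # Expand a variable spec into the concrete values the operator is applied to.
    collection, _, name = variable.partition(":")
    if collection == "REQUEST_HEADERS":  # header names are case-insensitive
        return [v for k, v in headers.items() if k.lower() == name.lower()]
    if collection == "ARGS":
        return list(args.values()) if not name else [args[name]] if name in args else []
    raise ValueError(f"unsupported variable: {variable}")

def evaluate(rule_line: str, headers: Dict[str, str], args: Dict[str, str]) -> dict:
    """Return the rule id, the values that matched and whether the request is blocked."""
    rule = parse_rule(rule_line)
    if rule["op"] != "@rx":
        raise ValueError(f"unsupported operator: {rule['op']}")
    pattern = re.compile(rule["arg"])
    hits = [v for v in resolve(rule["variable"], headers, args) if pattern.search(v)]
    disruptive = bool(set(rule["actions"]) & {"block", "deny"})
    return {"id": rule["actions"].get("id"), "matched": hits, "blocked": bool(hits) and disruptive}

# The S2-045 rule from the text, checked against two constructed Content-Type headers.
S2_045_RULE = r'SecRule REQUEST_HEADERS:Content-Type "%\{.+\}?|\$\{.+\}?" "id:123456,block"'
BENIGN = {"Content-Type": "multipart/form-data; boundary=----constructedBoundary42"}
SUSPECT = {"Content-Type": "%{(#probe='constructed OGNL-style marker')}"}
if __name__ == "__main__":
    for hdrs in (BENIGN, SUSPECT):
        print(evaluate(S2_045_RULE, hdrs, {}))
```

Note that the `\}?` in the page's regex makes the closing brace optional, so the rule fires on any `%{` or `${` in the header, which is why a plain multipart boundary passes while the marker is blocked.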
Configuring an nginx + Lua WAF on Ubuntu 16.04 LTS
Because of nginx's high performance, many Internet companies use nginx + Lua to develop their own WAF, so next we mainly deploy an nginx + Lua WAF.
Download the required installation packages
Download nginx, PCRE, LuaJIT, ngx_devel_kit and lua-nginx-module into the directory /usr/local/src
The commands:
/usr/local/src# wget http://nginx.org/download/nginx-1.9.4.tar.gz
/usr/local/src# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.39.tar.gz
/usr/local/src# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
/usr/local/src# wget https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz
/usr/local/src# wget https://github.com/openresty/lua-nginx-module/archive/v0.9.16.tar.gz
Create an unprivileged user to run nginx
root@ubuntu16:/usr/local/src# useradd -s /sbin/nologin -M www
Unpack ngx_devel_kit (NDK) and lua-nginx-module
root@ubuntu16:/usr/local/src# tar zxvf v0.2.19.tar.gz
root@ubuntu16:/usr/local/src# tar zxvf v0.9.16.tar.gz
Install LuaJIT (the just-in-time compiler for Lua)
root@ubuntu16:/usr/local/src# tar zxvf LuaJIT-2.0.4.tar.gz
root@ubuntu16:/usr/local/src# cd LuaJIT-2.0.4
root@ubuntu16:/usr/local/src/LuaJIT-2.0.4# make && make install
Install PCRE
root@ubuntu16:/usr/local/src# tar zxvf pcre-8.39.tar.gz
root@ubuntu16:/usr/local/src# cd pcre-8.39
root@ubuntu16:/usr/local/src/pcre-8.39# ./configure
root@ubuntu16:/usr/local/src/pcre-8.39# make && make install
Install libssl-dev
root@ubuntu16:/usr/local/src# apt-get install libssl-dev
Compile nginx
root@ubuntu16:/usr/local/src# tar zxvf nginx-1.9.4.tar.gz
root@ubuntu16:/usr/local/src# cd nginx-1.9.4
root@ubuntu16:/usr/local/src/nginx-1.9.4# export LUAJIT_LIB=/usr/local/lib
root@ubuntu16:/usr/local/src/nginx-1.9.4# export LUAJIT_INC=/usr/local/include/luajit-2.0
root@ubuntu16:/usr/local/src/nginx-1.9.4# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-http_dav_module --add-module=/usr/local/src/ngx_devel_kit-0.2.19/ --add-module=/usr/local/src/lua-nginx-module-0.9.16/ --with-pcre=/usr/local/src/pcre-8.39
root@ubuntu16:/usr/local/src/nginx-1.9.4# make -j2 && make install
root@ubuntu16:/usr/local/src/nginx-1.9.4# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
Check the configuration and start the server:
root@ubuntu16:~# /usr/local/nginx/sbin/nginx -t
root@ubuntu16:~# /usr/local/nginx/sbin/nginx
After installation and startup, the first configuration:
Write the following test settings into the configuration file
root@ubuntu16:~# vim /usr/local/nginx/conf/nginx.conf
Visiting the server now shows that the nginx + Lua environment is configured.
Configure WAF
Download the WAF written by loveshell from GitHub into the nginx configuration path /usr/local/nginx/conf/:
root@ubuntu16:/usr/local/nginx/conf# git clone https://github.com/loveshell/ngx_lua_waf.git
and rename the downloaded directory to waf
root@ubuntu16:/usr/local/nginx/conf# mv ngx_lua_waf/ waf/
Add the following to the http section of nginx.conf:
lua_package_path "/usr/local/nginx/conf/waf/?.lua";
lua_shared_dict limit 10m;
init_by_lua_file /usr/local/nginx/conf/waf/init.lua;
access_by_lua_file /usr/local/nginx/conf/waf/waf.lua;
Configure the WAF rule files
The configuration file is:
/usr/local/nginx/conf/waf/config.lua
Here we need to create the log storage directory and make it writable by the nginx user.
root@ubuntu16:/usr/local/nginx/conf/waf# chown www.www /usr/local/nginx/logs/hack/
root@ubuntu16:/usr/local/nginx/conf/waf# /usr/local/nginx/sbin/nginx -s reload
Test defense
http://192.168.145.150/?id=1%20../../../etc/passwd
The interception is shown in the figure:
View the log file
root@ubuntu16:/usr/local/nginx/logs/hack# ls
localhost_2017-04-20_sec.log
Creating rules
The filter rules under wafconf can be adjusted as needed. Rules are separated by line breaks or by |.
args: rules that filter GET parameters.
url: rules that filter only the URL of GET requests.
post: rules that filter only POST requests.
whitelist: a white list; URLs that match it are not filtered.
user-agent: rules that filter the User-Agent header.
Summary
This sharing used open-source WAFs to explain their basic deployment and defense, and to analyze how a WAF defends against web vulnerabilities. But WAFs have many shortcomings. Most are based on regular expressions, and because they must protect the business without false positives while facing extremely flexible language syntax, they are sometimes easy to bypass. In addition, a WAF lacks defense against 0day vulnerabilities and has little ability to defend business logic: for example, against the logic vulnerabilities covered in last week's technology sharing, a WAF offers almost no defense. As for the application of semantic analysis and machine learning as new WAF technologies, we will wait and see.
Reference resources
http://www.freebuf.com/articles/web/43559.html
https://github.com/loveshell/ngx_lua_waf
http://blog.oldboyedu.com/nginx-waf/
http://www.freebuf.com/articles/network/128370.html
http://www.freebuf.com/articles/neopoints/125807.html