Open Source Web Entry Server Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open- source software.“ Ivan Bütler [email protected]

Upload: herbert-patrick

Post on 23-Dec-2015


TRANSCRIPT

Page 1

Open Source Web Entry Server

Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“

Ivan Bütler [email protected]

Page 2

About me

• Founder & Security Researcher for Compass Security since 1999, Switzerland – www.csnc.ch

• Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis

• Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking

• Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground

• Lead Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland – www.swisscyberstorm.com

• Board member of Information Security Society Switzerland (ISSS)

• Lecturing Activities: HSR & HSLU & FHSG

Ivan Bütler ¦ E1

Page 3

• Win a Car! – Wargame! USD 30'000 main prize

• www.swisscyberstorm.com

• May 12-15, 2011

• Switzerland, near Zürich

• OWASP Trainings planned!

Page 4

Hacking-Lab LiveCD

Goal of this Talk

• Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization

• We will play with Facebook as our backend application

• The LiveCD includes all demos: www.hacking-lab.com

Page 5

PCI DSS Requirement

Page 6

Without a Web Application Firewall

Multiple connections into DMZ, applications directly accessible

Page 7

TOOL TIP: mod_proxy

Web App Firewall (WAF)

Web Application Firewall

Reverse Proxy to FB – Security Checks – Content Rewriting

Demo with FB

Page 8

DEMO 1 + 2: demo movies shown here, available in Hacking-Lab – OWASP Event

www.hacking-lab.com

Page 9

Content Rewriting

• Relative URLs are not a problem!

• Content rewriting is not required

<link href="/css/mystyle.css" rel="stylesheet" type="text/css">

www.fb.com

www.myproxy.com

Page 10

Content Rewriting

• Absolute URLs must be rewritten

• Cookie domain must be rewritten

• Cookie values must be rewritten (in some cases)

<a href="http://www.fb.com/css/01.css" type="text/css">

www.fb.com

www.myproxy.com

TOOL TIP: mod_replace
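Added example (not from the talk and not mod_replace's configuration): a Python model of the two rewrites the reverse proxy has to apply to a www.fb.com response before the browser sees it, absolute URLs in the body and the cookie Domain attribute, while relative URLs pass through untouched. The https scheme for the frontend is an assumption.

```python
# Python model of reverse-proxy content rewriting (constructed example).
# www.fb.com is the backend, www.myproxy.com the name the browser sees;
# the https scheme for the frontend is an assumption.
import re

BACKEND = "http://www.fb.com"
FRONTEND = "https://www.myproxy.com"
FRONTEND_HOST = "www.myproxy.com"
BACKEND_DOMAIN = "fb.com"

# Match the backend origin only when a path, quote, whitespace, tag end or
# end of string follows, so a look-alike like www.fb.com.example.net stays.
_ABSOLUTE = re.compile(re.escape(BACKEND) + r"(?=[/\"'\s>]|$)")


def rewrite_body(html: str) -> str:
    """Rewrite absolute backend URLs in the body; relative URLs pass through."""
    return _ABSOLUTE.sub(FRONTEND, html)


def rewrite_set_cookie(header: str) -> str:
    """Rewrite the Domain attribute of a Set-Cookie header issued for the
    backend domain to the proxy host. Other attributes, and cookies without
    a Domain attribute (already host-only), are left unchanged."""
    out = []
    for part in (p.strip() for p in header.split(";")):
        name, _, value = part.partition("=")
        is_domain = name.strip().lower() == "domain"
        if is_domain and value.strip().lstrip(".").endswith(BACKEND_DOMAIN):
            out.append(f"Domain={FRONTEND_HOST}")
        else:
            out.append(part)
    return "; ".join(out)


def rewrite_response(headers: list, body: str):
    """Apply both rewrites to one backend response: (headers, body) in and out."""
    new_headers = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = rewrite_set_cookie(value)
        elif name.lower() == "location":
            value = rewrite_body(value)  # redirects back to the backend too
        new_headers.append((name, value))
    return new_headers, rewrite_body(body)
```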

Page 11

Demo 4

Request Header Patching, Cookie Value Patching

Page 12

TOOL TIP: mod_security

Web App Firewall

• @inspectFile operator is simply a type of API that will allow you to inspect file attachments

< request filtering | e.g. SQL injection >
< response filtering | e.g. stack traces >
< inspect files | e.g. PDF exploit analysis >

www.fb.com

www.myproxy.com

Page 13

Demo 5 + 6

ModSecurity

Page 14

TOOL TIP: mod_but

Web Entry Server

• Pre-Authentication

• Delegated Login Service (DLS)

• Session Hiding

• URL Access Control

• Principal Delegation to Backend App

Page 15

Web Entry Server – Swiss Blueprint

Web Entry Server

Central Login Service

Backend requests are always authenticated!

Strong forensic and logging capabilities

Page 16

Pre-Authentication – Principal Delegation

www.fb.com

www.myproxy.com

login.myproxy.com

Login=OK
Set-Cookie: UserID=1234;

GET /app HTTP/1.0
UserID=1234
RequestID=992x9833asr

PRINCIPAL

Page 17

Pre-Authentication – Single Sign On

IF SERVICE IS SSO ENABLED:

1. Server gets initial request with UserID=1234 from WES
2. Server extracts UserID
3. Server creates a new, authenticated session
4. Server authorizes only

ALTERNATIVE:

1. User must authenticate twice (SSO disabled)
2. Delegated Login Service (DLS)

IMPORTANT: Principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of a plain-text UserID=1234!
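Added example (not the talk's or mod_but's ticket format): one way to build the signed, timestamped principal ticket the slide asks for, issued by the Web Entry Server and checked by the backend. The shared key, the field layout and the 300-second lifetime are assumptions; the ticket is signed rather than encrypted, so the user id stays readable but can be neither altered nor replayed.

```python
# Signed, timestamped principal ticket between the Web Entry Server (WES) and
# the backend (constructed example; key, layout and lifetime are assumptions).
import hashlib
import hmac
import secrets

TICKET_KEY = b"constructed-shared-secret-between-WES-and-backend"
TICKET_TTL = 300  # seconds a ticket is accepted after issue


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user_id: str, now: int, key: bytes = TICKET_KEY) -> str:
    """WES side: 'user|issued_at|nonce|mac' instead of a bare UserID=1234."""
    payload = f"{user_id}|{now}|{secrets.token_hex(8)}"
    return f"{payload}|{_mac(payload, key)}"


class TicketVerifier:
    """Backend side: accepts a ticket only if signed, fresh and not seen before."""

    def __init__(self, key: bytes = TICKET_KEY, ttl: int = TICKET_TTL):
        self.key, self.ttl = key, ttl
        self.seen = {}  # nonce -> issued_at, kept for the ttl window

    def verify(self, ticket: str, now: int):
        """Return the authenticated user id, or None if the ticket is rejected."""
        try:
            user_id, issued, nonce, mac = ticket.split("|")
            issued = int(issued)
        except ValueError:
            return None  # malformed, e.g. the plain-text UserID=1234 form
        payload = f"{user_id}|{issued}|{nonce}"
        if not hmac.compare_digest(mac, _mac(payload, self.key)):
            return None  # signature mismatch: the user id cannot be changed
        if not issued <= now <= issued + self.ttl:
            return None  # expired, or issued in the future (clock skew)
        # forget nonces too old to be presented again, then check for replay
        self.seen = {n: t for n, t in self.seen.items() if t + self.ttl >= now}
        if nonce in self.seen:
            return None  # a ticket already consumed once is not accepted again
        self.seen[nonce] = issued
        return user_id
```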

Page 18

Pre-Authentication – DLS

Delegated Login Service

www.fb.com

www.myproxy.com

login.myproxy.com

DLS

IMPORTANT: DLS authenticates on behalf of the user into www.fb.com (it knows the credentials from the user repository)

-> Non-origin cookies are then set for www.myproxy.com

Page 19

Demo 7 - SSO

Page 20

TOOL TIP: mod_unique_id, mod_headers

Web Forensics – NTP is not enough!

Diagram: Internet | FW | Entry Tier | Presentation Tier | Business Tier | Data & Service Tier | FW

Per-tier logs (each carries the same four correlation fields):

access.log: Time, IP Address, User Id, Request Id, URL, Referer URL

referer.log: Time, IP Address, User Id, Request Id

business.log: Time, IP Address, User Id, Request Id, Transaction, Parameters, Transaction state, Use Case Id

Correlation key: Request Id
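Added example (not from the talk): a Python illustration of why synchronised clocks alone do not give a usable trail, and how a per-request unique id carried into every tier does. The log lines are constructed and their field order (time, IP, user, request id, detail) is an assumption, not the format of the talk's setup.

```python
# Request-id correlation across tiers (constructed log lines; the field order
# "time ip user request_id detail" is an assumption, not the talk's format).
import re
from collections import defaultdict

# Two requests by the same user in the same second: time alone cannot tell
# their business-tier records apart, the request id can.
ACCESS_LOG = """\
2011-05-12T10:00:01Z 203.0.113.7 user1234 a8Kz1Q GET /app/transfer
2011-05-12T10:00:01Z 203.0.113.7 user1234 b3Pq9R GET /app/balance
"""
BUSINESS_LOG = """\
2011-05-12T10:00:01Z 203.0.113.7 user1234 b3Pq9R balance state=ok
2011-05-12T10:00:02Z 203.0.113.7 user1234 a8Kz1Q transfer amount=500 state=denied
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse(log_text: str, tier: str) -> list:
    """Parse one tier's log into dicts; lines not matching the format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            time_, ip, user, req_id, detail = m.groups()
            entries.append({"tier": tier, "time": time_, "ip": ip, "user": user,
                            "request_id": req_id, "detail": detail})
    return entries


def correlate(*tier_logs) -> dict:
    """Join all tiers on the request id (the correlation key)."""
    by_id = defaultdict(list)
    for entries in tier_logs:
        for e in entries:
            by_id[e["request_id"]].append(e)
    return dict(by_id)


def trail(request_id: str, correlated: dict) -> list:
    """The (tier, detail) path one request took through the tiers."""
    return [(e["tier"], e["detail"]) for e in correlated.get(request_id, [])]


def time_only_collisions(entries: list) -> dict:
    """(time, ip, user) keys shared by several request ids: exactly the records
    a timestamp-based join would mix up, even with perfectly synced clocks."""
    ids = defaultdict(set)
    for e in entries:
        ids[(e["time"], e["ip"], e["user"])].add(e["request_id"])
    return {k: v for k, v in ids.items() if len(v) > 1}
```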

Page 21

Demo 7 - UniqueID

Page 22

URL Access Control

www.myproxy.com

login.myproxy.com

Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);

Authorization Regexp
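Added example (not mod_but's code): the service-level ACL check the entry server performs on every request against the AUTHORIZATION regexp issued at login. The path is canonicalised (query stripped, percent-decoded, dot-segments and repeated slashes collapsed) before matching so the ACL sees the same path the backend will serve; the regexp is assumed to come from the server-side session, never from a header the client can edit.

```python
# URL access control against the AUTHORIZATION regexp issued at login
# (constructed example; not mod_but's code). The regexp must come from the
# server-side session, never from a header the client can edit.
import posixpath
import re
from urllib.parse import unquote


def canonical_path(request_target: str) -> str:
    """Reduce an HTTP request target to the path the backend will actually
    serve: drop query/fragment, percent-decode, collapse '.', '..' and
    repeated slashes, so the ACL and the backend see the same path."""
    path = request_target.split("#", 1)[0].split("?", 1)[0] or "/"
    path = unquote(path)
    # posixpath.normpath keeps a leading '//'; force exactly one slash
    return "/" + posixpath.normpath(path).lstrip("/")


def is_authorized(request_target: str, authorization_regexp: str) -> bool:
    """Service-level ACL check: the canonical path must match the regexp."""
    return re.search(authorization_regexp, canonical_path(request_target)) is not None
```

Note that `^/app1` as written on the slide also matches `/app10`; anchor with `^/app1(/|$)` if the ACL is meant to cover only that application's subtree.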

Page 23

Demo 8

Service Level ACL

Page 24

Session Management without session store

Reverse Proxy without Session Cache

Page 25

Session Management with session hiding

Reverse Proxy with Session Cache (SHM)
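Added example (not mod_but's implementation): a Python model of the session cache the slide refers to. The browser holds a single opaque proxy cookie; every backend cookie (such as UserID=1234 from www.fb.com) is kept only in the proxy's store and re-attached on the way in, so the client never sees or supplies backend session values. The cookie name MOD_BUT_SESSION is assumed.

```python
# Session hiding via a proxy-side session store (constructed example).
# The only cookie the browser holds is an opaque proxy session id; the
# backend's cookies never leave the proxy. Cookie name is an assumption.
import secrets

PROXY_COOKIE = "MOD_BUT_SESSION"


class SessionStore:
    def __init__(self):
        self.sessions = {}  # proxy session id -> {backend cookie name: value}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def absorb_response(self, sid: str, response_headers: list) -> list:
        """Outbound: move every backend Set-Cookie into the store and return
        the headers the browser may see, carrying only the proxy's cookie."""
        kept = []
        for name, value in response_headers:
            if name.lower() == "set-cookie":
                cname, _, cval = value.split(";", 1)[0].partition("=")
                self.sessions[sid][cname.strip()] = cval.strip()
            else:
                kept.append((name, value))
        kept.append(("Set-Cookie",
                     f"{PROXY_COOKIE}={sid}; Path=/; Secure; HttpOnly"))
        return kept

    def backend_cookie_header(self, client_cookie_header: str):
        """Inbound: map the proxy cookie back to the stored backend cookies.
        Any other cookie the client sends is dropped, so client-supplied
        backend values are never forwarded. Returns None for an unknown session."""
        sid = None
        for part in client_cookie_header.split(";"):
            key, _, val = part.strip().partition("=")
            if key == PROXY_COOKIE:
                sid = val
        if sid not in self.sessions:
            return None
        return "; ".join(f"{k}={v}" for k, v in self.sessions[sid].items())
```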

Page 26

Hacking-Lab LiveCD

Entry Server ToolKit

Feature – Apache Module
Reverse Proxy – mod_proxy
Web App Firewall – mod_security2
Forensic Correlation – mod_unique_id, mod_headers
Content Rewriting – mod_replace
Pre-Authentication – mod_but
Session Hiding – mod_but
URL Authorization – mod_but

http://media.hacking-lab.com/largefiles/livecd/

Page 27

Remember (I)

• Pre-Authentication reduces the attack surface of unauthenticated users

• Unique-ID enables proper forensics

• Cookie store hides insecure cookies

• Service ACL is a second line of defence for the application authorization scheme

Page 28

Remember (II)

• Hacking-Lab LiveCD includes all tools you need to replay

• Win a car! Qualification wargames have started at www.swisscyberstorm.com

• All movies of this talk are available online at www.hacking-lab.com

Page 29

Thank you
Ivan Bütler, E1