About Science WAF (Web appllication Firewall)

1. Foreword

While Web application is becoming richer, the Web server is becoming the main target for its powerful computing ability, processing performance and high value. SQL injection, Web tampering, Web page hanging Horse and other security incidents, frequent occurrence.

Enterprises and other users generally use firewalls as a security system of the first line of defense. But, in reality, they have such problems, such as the traditional firewall system can not respond to the current rapid outbreak and spread of the 0DAY vulnerability rapid response and confrontation, and to solve such vulnerabilities of the code audit and code patching often take a long time, resulting in WAF (Web Application Protection system). The TECNOVA-WAF Web Application Protection System (Web application Firewall, WAF) represents a new type of information security technology to solve Web application security problems such as firewalls with traditional devices. Unlike the traditional firewall, WAF works in the application layer, so it has the innate technical superiority to the Web application protection. Based on a deep understanding of Web application business and logic, WAF the content detection and verification of various requests from Web application clients, ensuring its security and legality, and blocking illegal requests in real time, so as to effectively protect all kinds of web sites.

2. WAF classification

WAF is a network device (hardware WAF) or a software-based solution that adds security features to the Web application (the built-in WAF of the software). That is, the definition of WAF can be divided into:

Hardware WAF:

http://www.nsfocus.com/1_solution/1_2_8_1.html nsfocus WEB Application Firewall

http://www.barracuda.com.cn/products/Barracuda Web Application Firewall

http://www.venustech.com.cn/SafeProductInfo/413/39.Html Web Application Security Gateway

Software WAF:

A block of http://www.modsecurity.org/projects/modsecurity Apache Modsecurity

https://phpids.org/WAF system designed for PHP applications

Http://msdn.microsoft.com/zh-cn/library/aa302368.aspx ISAPI filters integrated into the IIS platform

Http://www.aqtronix.com/WebKnight/Manual/WebKnight-Chinese.pdf

HTTP://WWW.AQTRONIX.COM/?PAGEID=99 integrated into IIS filters

Code-level WAF (filter mode implemented using scripting language)

This mechanism, which is essentially the domain of the application security architecture, is the product of following the best practices of security coding. In the case of PHP Web applications, you can modify in php.ini:

; Automatically add files before PHP document.
; Http://php.net/auto-prepend-file
auto_prepend_file =

; Automatically add files after PHP document.
; Http://php.net/auto-append-file
auto_append_file =

Configuration directives that point to PHP files that execute before and after each requested PHP script. This allows you to perform some forward processing of the data before the various HTTP request collections (Get,post,cookie).

Some open source web frameworks, such as CodeIgniter, use global routing to change the original HTTP interaction process so that the program ape has the opportunity to hook up some key processing logic and process the data sent by the user before entering the core code.

Http://codeigniter.org.cn/user_guide/general/routing.html

Filters can also be implemented using the programming language of the Web application. The module code can be executed between the request and the response phase.

Asp. NET's System.Web.IHttpModule interface:

Http://msdn.microsoft.com/zh-cn/library/system.web.ihttpmodule (vs.80). aspx

http://msdn.microsoft.com/zh-cn/library/ms227673 (v=vs.90). aspx

(Actually, we can use it.) NET's native interface to develop its own HTTP server or receive processing module)

Javax.servlet.Filter interface

Http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html

public class Sqlinjdetectionfilter implements Filter
{public
    void Dofilter (ServletRequest req, Servletresponse Res, Filterchain chain) throws IOException, Servletexception 
    {
       //check request data for maliious Characters
       Dedetectsqli (rep, res);
       Call next filter
       in the chain Chain.dofilter (ServletRequest, servletresponse);
    } 

Add this interface code to the application and explicitly activate them in the application configuration file (Web.xml). Each request/response is then "automatically" invoked to request the Java EE Web source (. jsp, servlet) file. This is the benefit of interface programming, because the Java EE originally implemented this filter mechanism, and provided an interface specification, we simply inherit the implementation of this interface in our code, we can put the code into a materialized, thus customizing our own security processing logic.

OWASP Stinger

Https://www.owasp.org/index.php/Category:OWASP_Stinger_Project

An open source of Java-ee filter

Security Parameter Filter (SPF)

http://spf.codeplex.com/

A asp.net httpmodule

3. Characteristics of WAF

3.1 Anomaly Detection Protocol

The Web application firewall detects HTTP requests abnormally and rejects requests that do not conform to HTTP standards. Also, it can allow only some of the HTTP protocol's options to be passed, thereby reducing the impact of the attack. Even some Web application firewalls can strictly limit the options that are too loose or not fully developed in the HTTP protocol.

The RFC has a clear definition of the HTTP packet format: Http://www.rfc-editor.org/rfc/rfc2068.txt. Normally, the HTTP packets received should be within the scope of this provision, in addition, in the specific application of the HTTP header in the field data type and parameter length are clearly defined, if more than this category, can also cause security problems.

Use the scenario:

1 Http split Attack (one of the CRLF attacks) Http://resources.infosecinstitute.com/http-response-splitting-attack (  The mechanism of the HTTP protocol format is exploited by the server to inject CRLF into the HTTP packet to partition the current HTTP data into 2 packets, giving the attacker the opportunity to control the current HTTP response and the next HTTP response 2)

Using cookie information beyond a certain length limit to circumvent the HttpOnly (XSS attack) in Doug's white Hat web security is referred to as a server Limit dos attack. HTTP://HI.BAIDU.COM/AULLIK5/ITEM/938F60FB7747B16E3C1485CA (because the application system does not detect a flaw in the length of the parameters in the HTTP header) 3) Based on Content-length dos attack http://ha.ckers.org/slowloris/(the principle is to send HTTP requests to the server at a very low speed, in the normal HTTP header, the HTTP is represented by two CLRF End of the header section. Because the Web server receives only one \ r \ n, it will assume that the HTTP header section does not end and keep the connection intact, and continue to wait for the full request to create the same attack effect as the TCP semi-open connection DDoS attack, which should be said to be the same principle 4) X-forward-for injection http://sebug.net/vuldb/ssvid-8427 (Some applications record the IP address or proxy server where the user is logged in, and save it to the database, if the mandatory constraint is not used in the IP format. May cause SQL Injection) 5 local variable coverage attacks when the target application has Register_global, uses extract (), or uses a dynamic variable locally registered simulation Register_global, the number and range of parameters sent by the user are not limited.

That is, it is possible for local variables to overwrite vulnerabilities by distinguishing between which should be allowed and which are not allowed to be committed. Local variable overrides can cause very serious code logic to bypass, because the code often uses a similar if ($var) {...} Such a form to control the logic of the Code, and through the local variable overlay can change the value of $var or even data types, that is, the key jump in the code is controlled by the attacker, it is easy to cause critical defense code isBypass. Http://sebug.net/vuldb/ssvid-15146 (This is a two-segment attack, cleverly leveraging local variable overrides leading to the example of Wirite file final Getshell) 6) Variable type causes the target application to run an error message leak attack http:/ /sebug.net/vuldb/ssvid-1080 (failure to detect the data type of the submitted parameter) 7) HTTP Parameter Pollution HPP attack, submitting two identical parameters when initiating a request to the server via a GET or post
Then the server will produce some special behavior.
Http://www.80sec.com/%E6%B5%85%E8%B0%88%E7%BB%95%E8%BF%87waf%E7%9A%84%E6%95%B0%E7%A7%8D%E6%96%B9%E6%B3%95.html Http://www.freebuf.com/articles/web/5908.html HTTP://HI.BAIDU.COM/AULLIK5/ITEM/860DA508A90709843C42E2CA

Here is a digression:

We should consider an input validation strategy that divides application input into editable and non-editable categories to treat differently. and locks non-editable input so that they cannot be manipulated. Non-editable input means that the end user does not need to modify the input directly, such as hidden form fields, URI and query string parameters, cookies, etc. (or if you are a normal user, you are not going to modify the variable, so that the attacker can be targeted defense, reflecting the user's balance of security principles).

A technical example for implementing this strategy is the HDIV (HTTP data Integrity Validator HTTP Integrity Validator) and SPF (Security Parameter filter). You can use Hdiv to protect most Java EE Web applications that follow the MVC pattern.
http://www.hdiv.org/

3.2 Enhanced Input validation

Input validation is a useful tool for guaranteeing application security. It can be viewed as a part of defense in depth.

1 Use white list input validation in the application input layer to verify that all user input conforms to the content that the application will receive. Application allows only incoming input that conforms to the desired format
2 The same white list filtering policy is performed on the client browser (saving round-trip traffic)
3 Use blacklist and whitelist input validation (in the form of vulnerability "signature" and "experienced" behavior) at the Web application Firewall (WAF) level to provide intrusion detection/blocking capabilities and monitoring application attacks
4 The use of parameterized statements from the beginning to the end in the application to ensure the execution of secure SQL execution
5 use of the escape technology in database queries (pay attention to the coding problem across the system, the defense based on the character encoding bit width bypass: wide byte injection)
6 encodes the data before sending it to the UI.

http://code.google.com/p/owasp-esapi-php/
Http://www.oschina.net/p/owasp-esapi-java

In the WAF, these rules are abstracted into positive and negative models. This is the complementary use of whitelist and blacklist.

Http://www.nsfocus.com/waf/jishu/js_01.html

3.3 Timely Patches

At any time, follow the security Code specification http://www.php.net/manual/zh/security.php and conduct a rigorous code audit http://code.google.com/p/pasc2at/wiki/ SimplifiedChinese is the best way. The source of the vulnerability is also patched. However, in the face of the 0DAY Attack of emergency, code defense often can not adapt to the needs of rapid response, so need a fast run-time protection mechanism. WAF can act as a virtual patch or patching solution in this scenario. A hot patch is prepared by writing an emergency response defense rule for a specific vulnerability scenario.

Http://security.zdnet.com.cn/security_zone/2012/0208/2077704.shtml

3.4 rule-based Protection and exception-based protection

rule-based Protection provides security rules for a variety of Web applications, and the WAF production chambers maintain this rule base and update it from time to time. Users can test the application in all aspects according to these rules.

Modsecurity

Https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Configuration_Directives

And

Phpids is a protected mode that uses rules.

http://phpids.org/docs/

Other products can be based on the legitimate application of data model, and based on this to determine the application of data anomalies. But this needs to the user enterprise application has the very thorough understanding only then may achieve. It is often necessary to combine the self learning idea in pattern recognition, early use of a large number of samples of the parser to learn, so as to establish a probability statistics identification mode, more is the behavior pattern, such as the normal user URL jump process, send the number of HTTP requests per minute, the average size of the HTTP packet.

3.5 State Administration

WAF is able to determine whether the user is first accessed and redirects the request to the default login page and logs the event. We can identify the attack more easily by detecting the user's entire operational behavior. The state management model can also detect unusual events, such as landing failures, and process them when the limit is reached. This is very beneficial to the identification and response of violent attacks.

Refer to the following iptables rules:

# iptables-i input-p TCP--dport 80-m iplimit--iplimit-above mb--iplimit-mask 24-j  
# REJECT INPUT- P TCP--dport 23-m iplimit--iplimit-above 2-j REJECT 
# iptables-a forward-p tcp--syn-m limit--limit 1/s-j ACC EPT 
# iptables-a input-p tcp--syn-m limit--limit 1/s-j ACCEPT  
# iptables-a forward-p TCP--tcp-flags Syn,a Ck,fin,rst rst-m limit--limit 1/s-j ACCEPT 
# iptables-a forward-p ICMP--icmp-type echo-request-m limit--limit 1/S-j ACCEPT

3.6 URL Policy/page layer policy

WAF can make virtual patches for vulnerable URLs or pages without modifying the source code.

1. Page Overwrite
If the page is vulnerable and needs to be replaced, you can create an alternate page or class that is submitted at run time, which can be implemented by modifying the configuration in the Web application configuration file. In asp.net applications, you can use HTTP handles to accomplish this task.

 
2. URL Rewrite
URL rewriting is a technique that is similar to a page overwrite. You can configure the Web server or application framework to receive requests that are sent to vulnerable pages or URLs and redirect them to an alternate version of the page. The new version of the page implements the original page logic in a secure way. This redirection should be implemented on the server side to maintain seamless connection with the client. Depending on the Web server and the application platform, there are several ways to accomplish this task.

Apache's Mod_rewrite module

Http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

And

. urlmappings elements of the NET Framework

http://msdn.microsoft.com/zh-cn/library/ms228302 (vs.85). aspx

is two examples.







4. Modsecurity Configuration and Analysis

Https://github.com/SpiderLabs/Mod

In fact, the standard of WAF is open source modsecurity. Modsucirty was developed into a module of Apache.

4.1 Installation:

Https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Windows_MS_VC_8

Linux can be installed directly from the data source:

$ sudo yum install mod_security
$ sudo/etc/init.d/httpd Restart
 
You need to download the. dll file under Windows

http://www.apachelounge.com/download/

Put in the specified directory (E:\wamp\bin\apache\Apache2.4.4\modules depending on your environment)

Modify the Add-in loaded by the module in httpd.conf.

LoadModule Security2_module modules/mod_security2.so
 

4.2 Configuration

Modsecurity configuration directives can be added directly to your configuration file (typically in httpd.conf files). But he may not be convinced that the module is activated or that it is disabled when the Web server is started (distributed configuration file mechanism. htaccess). It usually puts the configuration information inside the <IfModule> container. It allows Apache to skip this configuration container when it is not activated.


<ifmodule security2_module>
    Include conf/security2/security2.conf
</IfModule>
 

Since Apache allows a set of configuration data to be saved in one (for example, modsecurity.conf) configuration file, it is then httpd.conf to use the Include method invocation. Notice this path here:

E:\wamp\bin\apache\Apache2.4.4\conf\security2\security2.conf (depending on your specific circumstances)

After saving, restart Apache: