Open Source Web Entry Server - Hacking
Open Source Web Entry Server
Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“
Ivan Bütler
About me
Ivan Bütler ¦ E1
• Founder & Security Researcher for Compass Security, since 1999, Switzerland – www.csnc.ch
• Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis
• Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking
• Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground
• Lead Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland – www.swisscyberstorm.com
• Board member of Information Security Society Switzerland (ISSS)
• Lecturing Activities: HSR & HSLU & FHSG
Win a Car! – Wargame!
• USD 30‘000 main prize
• www.swisscyberstorm.com
• May 12-15, 2011
• Switzerland, near Zürich
• OWASP Trainings planned!
Goal of this Talk
• Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization
• We will play with Facebook as our backend application
• The LiveCD includes all demos
www.hacking-lab.com
PCI DSS Requirement
Without a Web Application Firewall:
- Multiple connections into the DMZ
- Applications directly accessible
Web App Firewall (WAF)
Demo with FB
Web Application Firewall: reverse proxy to FB, security checks, content rewriting
Demo 1 + 2
Demo movies shown here are available in Hacking-Lab – OWASP Event
Movie: https://www.hackinglab.com/news/newspage/2010_appsecdc.html
Content Rewriting
www.myproxy.com -> www.fb.com
<link href="/css/mystyle.css" rel="stylesheet" type="text/css">
• Relative URLs are not a problem!
• Content rewriting is not required
Content Rewriting
www.myproxy.com -> www.fb.com
<a href="http://www.fb.com/css/01.css" type="text/css">
• Absolute URLs must be rewritten
• Cookie domain must be rewritten
• Cookie values must be rewritten (in some cases)
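Added example (not code from the talk or the LiveCD): the three rewriting rules of the two slides above, written out in Python so the difference between relative and absolute URLs is visible. The host names www.fb.com and www.myproxy.com are the ones on the slides; the cookie domains fb.com and myproxy.com, and the handling of the Location header for redirects, are assumptions of this example.

```python
"""Reverse-proxy content rewriting (added example; not code from the talk).

Relative URLs need no change. Absolute URLs, redirect targets and cookie
domains that name the backend must point at the proxy instead, otherwise the
browser walks around the entry server and talks to the backend directly.
"""
from __future__ import annotations
import re

# Host names as on the slides; the cookie domains are assumptions of this example.
BACKEND_HOST = "www.fb.com"
PROXY_HOST = "www.myproxy.com"
BACKEND_DOMAIN = "fb.com"
PROXY_DOMAIN = "myproxy.com"


def _host_pattern(host: str) -> re.Pattern:
    # Match the backend host only as the authority of an absolute URL, i.e. when a
    # path, query, delimiter or end of string follows, so www.fb.com.example.net
    # is left alone.
    return re.compile(r"(?i)(https?://)" + re.escape(host) + r"""(?=[/?#"'\s<>]|$)""")


def rewrite_body(text: str, backend_host: str = BACKEND_HOST,
                 proxy_host: str = PROXY_HOST) -> str:
    """Rewrite absolute backend URLs in an HTML/CSS/JS body; relative URLs are untouched."""
    return _host_pattern(backend_host).sub(lambda m: m.group(1) + proxy_host, text)


def rewrite_set_cookie(header_value: str, backend_host: str = BACKEND_HOST,
                       proxy_host: str = PROXY_HOST, backend_domain: str = BACKEND_DOMAIN,
                       proxy_domain: str = PROXY_DOMAIN) -> str:
    """Rewrite the Domain attribute and, where the value carries the backend host
    (the slide's "in some cases", e.g. a return-URL cookie), the cookie value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    out = [rewrite_body(parts[0], backend_host, proxy_host)]
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            bare = val.strip().lstrip(".").lower()
            if bare == backend_domain or bare.endswith("." + backend_domain):
                out.append("Domain=" + proxy_domain)
                continue
        out.append(attr)
    return "; ".join(out)


def rewrite_response_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Header-side rewrites of a backend response: Location (redirects) and Set-Cookie."""
    result = []
    for name, value in headers:
        if name.lower() == "location":
            value = rewrite_body(value)
        elif name.lower() == "set-cookie":
            value = rewrite_set_cookie(value)
        result.append((name, value))
    return result
```

The lookahead in _host_pattern is what keeps a host such as www.fb.com.example.net from being rewritten; a plain string replace of the host name would also hit it.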
Demo 4
Request Header Patching, Cookie Value Patching
Movie: https://www.hackinglab.com/news/newspage/2010_appsecdc.html
Web App Firewall
www.myproxy.com -> www.fb.com
< request filtering | e.g. SQL injection >
< response filtering | e.g. stack traces >
< inspect files | e.g. PDF exploit analysis >
• The @inspectFile operator is simply a type of API that will allow you to inspect file attachments
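Added example (not the talk's ModSecurity rules): the two filter directions of the slide, request filtering on decoded parameters and response filtering for leaked stack traces, as a small Python module. The rule patterns are constructed for illustration only; a real deployment uses a maintained rule set. File inspection (@inspectFile) is left out because it hands the upload to an external analyser.

```python
"""WAF request/response filtering as the slide sketches it (added example; not
the talk's ModSecurity rule set). The rules below are constructed for
illustration and far smaller than a real rule set.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus


@dataclass
class Decision:
    allowed: bool
    rule: str = ""      # which rule fired, empty when the request passed


# Request side: run against every decoded parameter value.
REQUEST_RULES = {
    "sqli-union": re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),
    "sqli-tautology": re.compile(r"""(?i)['"]\s*or\s+\d+\s*=\s*\d+"""),
}

# Response side: leakage the backend should never hand to a client.
RESPONSE_RULES = {
    "java-stacktrace": re.compile(r"^\s*at [\w$.]+\(\w+\.java:\d+\)", re.MULTILINE),
    "python-traceback": re.compile(r"Traceback \(most recent call last\)"),
    "aspnet-error": re.compile(r"Server Error in '.*' Application"),
}


def _decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded input is inspected in clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def filter_request(method: str, path: str, query: str, body: str = "") -> Decision:
    """Inspect query and form parameters; the first matching rule blocks the request."""
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        decoded = _decode(value)
        for rule, pattern in REQUEST_RULES.items():
            if pattern.search(decoded):
                return Decision(False, f"{rule} in parameter {name!r} of {method} {path}")
    return Decision(True)


def filter_response(status: int, body: str,
                    generic: str = "An internal error occurred.") -> tuple[int, str, str]:
    """Replace a leaking body by a generic page; returns (status, body, rule)."""
    for rule, pattern in RESPONSE_RULES.items():
        if pattern.search(body):
            return 500, generic, rule
    return status, body, ""
```

The decoding loop matters more than the patterns: parse_qsl decodes one layer, and a second layer of percent-encoding would otherwise slip past every rule unseen.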
Demo 5 + 6
ModSecurity
Movie: https://www.hackinglab.com/news/newspage/2010_appsecdc.html
Web Entry Server
• Pre-Authentication
• Delegated Login Service (DLS)
• Session Hiding
• URL Access Control
• Principal Delegation to Backend App
Web Entry Server - Swiss Blueprint Web Entry Server
• Backend requests are always authenticated!
• Strong forensic and logging capabilities
• Central Login Service
Pre-Authentication - Principal Delegation
www.myproxy.com -> www.fb.com
login.myproxy.com: Login=OK
Set-Cookie: UserID=1234;
Request to the backend carries the PRINCIPAL:
GET /app HTTP/1.0
UserID=1234
RequestID=992x9833asr
Pre-Authentication - Single Sign On
If the service is SSO enabled:
1. Server gets initial request with UserID=1234 from WES
2. Server extracts UserID
3. Server creates a new, authenticated session
4. Server authorizes only
IMPORTANT: The principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of plain-text UserID=1234!
ALTERNATIVE:
1. User must authenticate twice (SSO disabled)
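Added example (the slide states the requirement, the construction is this example's choice, not the talk's code): a principal ticket that is signed and timestamped, so the backend can tell a ticket issued by the WES from a forged UserID=1234 and can refuse a captured ticket that is presented again. HMAC-SHA256 over a JSON payload with issue time and a random nonce is used here; the 60 second lifetime and the clock-skew allowance are assumptions. Only signing is shown; encrypting the payload as well is needed when the user id itself must stay confidential.

```python
"""Signed, timestamped principal ticket for pre-authentication (added example).

issue_ticket() runs on the WES after login.myproxy.com reported Login=OK;
TicketVerifier runs on the backend and trusts the UserID only after checking
signature, freshness and single use.
"""
from __future__ import annotations
import base64, binascii, hashlib, hmac, json, secrets, time

TICKET_TTL = 60   # seconds a ticket stays valid (assumption of this example)


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id: str, key: bytes, now: int | None = None) -> str:
    """WES side: bind the principal to an issue time and a one-time nonce, then sign."""
    now = int(time.time()) if now is None else now
    payload = {"uid": user_id, "iat": now, "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(mac)


class TicketVerifier:
    """Backend side. Remembers nonces seen inside the TTL window to refuse replays."""

    def __init__(self, key: bytes, ttl: int = TICKET_TTL, skew: int = 5):
        self.key, self.ttl, self.skew = key, ttl, skew
        self._seen: dict[str, int] = {}

    def verify(self, ticket: str, now: int | None = None) -> tuple[str | None, str]:
        """Return (user_id, 'ok') or (None, reason)."""
        now = int(time.time()) if now is None else now
        try:
            body_b64, mac_b64 = ticket.split(".")
            body, mac = _b64d(body_b64), _b64d(mac_b64)
        except (ValueError, binascii.Error):
            return None, "malformed"           # e.g. a bare UserID=1234 header
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None, "bad signature"       # forged or tampered payload
        payload = json.loads(body)
        iat, nonce = payload["iat"], payload["nonce"]
        if iat > now + self.skew or now - iat > self.ttl:
            return None, "expired"
        # Forget nonces whose tickets cannot be valid any more, then check this one.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.ttl}
        if nonce in self._seen:
            return None, "replayed"
        self._seen[nonce] = iat
        return payload["uid"], "ok"
```

The nonce cache only has to cover the TTL window, which is what keeps the replay check cheap; without the timestamp the backend would have to remember every ticket ever seen.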
Delegated Login Service (DLS)
Pre-Authentication - DLS
www.myproxy.com -> www.fb.com
DLS: login.myproxy.com
IMPORTANT: DLS authenticates on behalf of the user into www.fb.com (knows the credentials out of the user repository)
-> Non-origin cookies are then set to www.myproxy.com
Demo 7 - SSO
Movie: https://www.hackinglab.com/news/newspage/2010_appsecdc.html
Web Forensics
NTP is not enough!
Internet -> FW -> Entry Tier -> FW -> Presentation Tier -> FW -> Business Tier -> FW -> Data & Service Tier
Correlation key: Request Id, carried in every log along the path:
access.log: Time, IP Address, User Id, Request Id, URL
access.log: Time, IP Address, User Id, Request Id, URL
referer.log: Time, IP Address, User Id, Request Id, Referer URL
business.log: Time, IP Address, User Id, Request Id, Use Case Id, Parameters
business.log: Time, IP Address, User Id, Request-Id, Transaction, Parameters, Transaction state
business.log: Time, IP Address, User Id, Request-Id, Transaction, Parameters, Transaction state
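Added example (not the talk's tooling): correlating the logs of the slide across tiers on the Request Id. The log lines are constructed for this example in a key=value layout that is an assumption; the field names follow the slide. Two requests from the same client land in the same second and one tier's clock runs three seconds behind, which is the "NTP is not enough" point: a time-only sort puts the wrong tier first, the Request Id join with tier ordering does not.

```python
"""Cross-tier log correlation on the Request Id (added example; not from the talk).

Constructed sample lines in a key=value layout (an assumption of this example).
Tier order follows the slide: Entry -> Presentation -> Business -> Data & Service.
"""
from __future__ import annotations
import shlex

TIER_ORDER = ["entry", "presentation", "business", "data"]

# Constructed sample: two requests from the same client in the same second; the
# presentation tier's clock is 3 s behind the others.
LOG_LINES = [
    'entry access.log time=2011-05-12T10:00:01Z ip=203.0.113.7 uid=1234 rid=992x9833asr url=/app/transfer',
    'entry access.log time=2011-05-12T10:00:01Z ip=203.0.113.7 uid=1234 rid=992x9833asq url=/app/balance',
    'presentation access.log time=2011-05-12T09:59:58Z ip=10.0.1.5 uid=1234 rid=992x9833asr url=/app/transfer',
    'presentation referer.log time=2011-05-12T09:59:58Z ip=10.0.1.5 uid=1234 rid=992x9833asr referer=http://www.myproxy.com/app/account',
    'presentation business.log time=2011-05-12T09:59:58Z ip=10.0.1.5 uid=1234 rid=992x9833asr usecase=transfer params="amount=100 to=ACCT-55"',
    'presentation access.log time=2011-05-12T09:59:58Z ip=10.0.1.5 uid=1234 rid=992x9833asq url=/app/balance',
    'business business.log time=2011-05-12T10:00:02Z ip=10.0.2.8 uid=1234 rid=992x9833asr transaction=TX-7781 params="amount=100" state=PENDING',
    'data business.log time=2011-05-12T10:00:02Z ip=10.0.3.2 uid=1234 rid=992x9833asr transaction=TX-7781 params="amount=100" state=COMMITTED',
]


def parse_line(line: str) -> dict:
    """'<tier> <logfile> key=value ...' -> dict; shlex keeps quoted values whole."""
    tier, log, rest = line.split(" ", 2)
    event = {"tier": tier, "log": log}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def correlate(lines) -> dict[str, list[dict]]:
    """Group events by Request Id and order them by tier depth, then by time."""
    by_rid: dict[str, list[dict]] = {}
    for line in lines:
        ev = parse_line(line)
        by_rid.setdefault(ev["rid"], []).append(ev)
    for events in by_rid.values():
        events.sort(key=lambda e: (TIER_ORDER.index(e["tier"]), e["time"]))
    return by_rid


def timeline(lines, rid: str) -> list[str]:
    """The path one request took, as tier/logfile labels in processing order."""
    return [f'{e["tier"]}/{e["log"]}' for e in correlate(lines).get(rid, [])]


def first_by_time(lines, rid: str) -> str:
    """What a timestamp-only sort would put first: wrong as soon as a clock drifts."""
    first = min(correlate(lines)[rid], key=lambda e: e["time"])
    return f'{first["tier"]}/{first["log"]}'


def transactions_for_user(lines, uid: str) -> dict[str, str]:
    """Final state per transaction for a user, taken from the deepest tier that logged it."""
    result: dict[str, str] = {}
    for events in correlate(lines).values():
        for e in events:
            if e.get("uid") == uid and "transaction" in e:
                result[e["transaction"]] = e["state"]
    return result
```

Without the Request Id the two entry-tier lines are indistinguishable by time and IP, and the skewed presentation-tier clock would even place the business.log entry before the request arrived at the entry tier.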
Demo 7 - UniqueID
Movie: https://www.hackinglab.com/news/newspage/2010_appsecdc.html
URL Access Control
login.myproxy.com -> www.myproxy.com
Authorization Regexp:
Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);
Demo 8
Service Level ACL
Movie: https://www.hackinglab.com/news/newspage/2010_appsecdc.html
Session Management without session store
Reverse Proxy without Session Cache
Session Management with session hiding
Reverse Proxy with Session Cache (SHM)
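Added example (not mod_but's implementation): what the session cache of the second slide does. Backend Set-Cookie headers are absorbed into a proxy-side store and replayed towards the backend on later requests, while the browser only ever holds one opaque proxy cookie. Apache keeps this cache in shared memory; a dict stands in for it here, and the proxy cookie name WES_SESSION is an assumption of this example.

```python
"""Session hiding with a proxy-side session cache (added example; not mod_but).

The cache maps the proxy's own session id to the cookies the backend issued.
A dict stands in for Apache's shared-memory store.
"""
from __future__ import annotations
import secrets

PROXY_COOKIE = "WES_SESSION"   # name of the proxy's cookie (assumption)


class SessionCache:
    def __init__(self) -> None:
        self._sessions: dict[str, dict[str, str]] = {}

    def create(self) -> str:
        """New session with an unguessable id; the only value the browser ever sees."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def exists(self, sid: str) -> bool:
        return sid in self._sessions

    def absorb_set_cookie(self, sid: str, set_cookie: str) -> None:
        """Keep name=value of a backend cookie; its attributes never reach the client."""
        name, _, value = set_cookie.split(";", 1)[0].strip().partition("=")
        self._sessions[sid][name] = value

    def cookie_header(self, sid: str) -> str:
        """Cookie header to present to the backend for this session."""
        return "; ".join(f"{k}={v}" for k, v in self._sessions.get(sid, {}).items())


def response_to_client(cache: SessionCache, sid: str,
                       backend_headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Strip every backend Set-Cookie into the cache and emit only the proxy cookie."""
    out = []
    for name, value in backend_headers:
        if name.lower() == "set-cookie":
            cache.absorb_set_cookie(sid, value)
        else:
            out.append((name, value))
    out.append(("Set-Cookie", f"{PROXY_COOKIE}={sid}; Path=/; Secure; HttpOnly"))
    return out


def request_to_backend(cache: SessionCache, client_cookie_header: str | None,
                       request_headers: list[tuple[str, str]]) -> tuple[str | None, list[tuple[str, str]]]:
    """Swap the client's Cookie header for the cached backend cookies.
    Returns (sid, headers); sid is None when no valid proxy session was presented."""
    sid = None
    for part in (client_cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == PROXY_COOKIE and cache.exists(value):
            sid = value
    out = [(n, v) for n, v in request_headers if n.lower() != "cookie"]
    if sid is not None and cache.cookie_header(sid):
        out.append(("Cookie", cache.cookie_header(sid)))
    return sid, out
```

Because the client's Cookie header is replaced rather than forwarded, a weak or attribute-less backend cookie is never exposed to the browser, and cookies the client invents are never seen by the backend.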
Entry Server ToolKit
http://media.hacking-lab.com/largefiles/livecd/
Feature              | Apache Module
Reverse Proxy        | mod_proxy
Web App Firewall     | mod_security2
Forensic Correlation | mod_unique_id
Content Rewriting    | mod_headers, mod_replace
Pre-Authentication   | mod_but
Session Hiding       | mod_but
URL Authorization    | mod_but
Remember (I)
• Pre-Authentication reduces the attack surface of unauthenticated users
• Unique-ID enables proper forensics
• Cookie store hides insecure cookies
• Service ACL is a second line of defence for the application authorization scheme
Remember (II)
• Hacking-Lab LiveCD includes all tools you need to replay
• Win a car! Qualification wargames have started at www.swisscyberstorm.com
• All movies of this talk are available online at www.hacking-lab.com
Thank you
Ivan Bütler, E1