Open Source Web Entry Server
Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“
Ivan Bütler, Ivan.buetler@csnc.ch
About me
Ivan Bütler ¦ E1
• Founder & Security Researcher for Compass Security since 1999, Switzerland – www.csnc.ch
• Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis
• Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking
• Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground
• Lead Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland – www.swisscyberstorm.com
• Board member of Information Security Society Switzerland (ISSS)
• Lecturing Activities: HSR & HSLU & FHSG
Win a Car! – Wargame! USD 30‘000 main prize
• www.swisscyberstorm.com
• May 12-15, 2011
• Switzerland, near Zürich
• OWASP Trainings planned!
Goal of this Talk
• Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization
• We will play with Facebook as our backend application
• The LiveCD includes all demos: www.hacking-lab.com (Hacking-Lab LiveCD)
Without a Web Application Firewall
• Multiple connections into DMZ
• Applications directly accessible
Web App Firewall (WAF) – Demo with FB
Web Application Firewall
• Reverse Proxy to FB
• Security Checks
• Content Rewriting
TOOL TIP: mod_proxy
DEMO 1 + 2
Demo movies shown here are available in Hacking-Lab – OWASP Event: www.hacking-lab.com
Content Rewriting (www.myproxy.com -> www.fb.com)
• Relative URLs are not a problem!
• Content rewriting is not required
<link href="/css/mystyle.css" rel="stylesheet" type="text/css">
Content Rewriting (www.myproxy.com -> www.fb.com)
• Absolute URLs must be rewritten
• Cookie domain must be rewritten
• Cookie values must be rewritten (in some cases)
<a href="http://www.fb.com/css/01.css" type="text/css">
TOOL TIP: mod_replace
Demo 4
Request Header Patching
Cookie Value Patching
Web App Firewall (www.myproxy.com -> www.fb.com)
• @inspectFile operator is simply a type of API that will allow you to inspect file attachments
< request filtering | e.g. SQL injection >
< response filtering | e.g. stack traces >
< inspect files | e.g. PDF exploit analysis >
TOOL TIP: mod_security
Demo 5 + 6: ModSecurity
Web Entry Server
• Pre-Authentication
• Delegated Login Service (DLS)
• Session Hiding
• URL Access Control
• Principal Delegation to Backend App
TOOL TIP: mod_but
Web Entry Server – Swiss Blueprint
Web Entry Server / Central Login Service
• Backend requests are always authenticated!
• Strong forensic and logging capabilities
Pre-Authentication – Principal Delegation
(Diagram: www.myproxy.com, login.myproxy.com -> www.fb.com)
login.myproxy.com: Login=OK, Set-Cookie: UserID=1234;
PRINCIPAL (proxy -> backend): GET /app HTTP/1.0, UserID=1234, RequestID=992x9833asr
Pre-Authentication – Single Sign On
IF SERVICE IS SSO ENABLED:
• Server gets initial request with UserID=1234 from WES
• Server extracts UserID
• Server creates a new, authenticated session
• Server performs authorization only
ALTERNATIVE: User must authenticate twice (SSO disabled) – Delegated Login Service (DLS)
IMPORTANT: Principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of plain-text UserID=1234!
Pre-Authentication – DLS (Delegated Login Service)
(Diagram: www.myproxy.com, login.myproxy.com -> www.fb.com)
IMPORTANT: DLS authenticates on behalf of the user into www.fb.com (knows the credentials out of the user repository) -> Non-origin cookies are then set to www.myproxy.com
Web Forensics – NTP is not enough!
TOOL TIP: mod_unique_id, mod_headers
URL Access Control (www.myproxy.com, login.myproxy.com)
AuthorizationRegexp
Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);
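As an added example (not code from this talk, from mod_but or from the LiveCD), this shows the signed, timestamped principal ticket the SSO slide calls for, plus a service-level ACL check against an AUTHORIZATION regexp like the one above; the shared HMAC key, the JSON payload layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import re

# Assumption (constructed value): key shared between the Web Entry Server and the backend.
SHARED_KEY = b"constructed-demo-key-change-me"


def issue_ticket(user_id, authz_regex, request_id, now, ttl=300, key=SHARED_KEY):
    """WES side: build a signed, timestamped principal ticket instead of a bare UserID."""
    payload = {"uid": user_id, "authz": authz_regex, "rid": request_id,
               "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_ticket(ticket, now, seen_ids, key=SHARED_KEY):
    """Backend side: accept only if MAC, validity window and RequestID all check out."""
    try:
        body, mac = ticket.rsplit(".", 1)
    except ValueError:
        return None  # malformed ticket
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(body))
    if not payload["iat"] <= now < payload["exp"]:
        return None  # outside the validity window (stale or clock-skewed)
    if payload["rid"] in seen_ids:
        return None  # replayed: this RequestID was already consumed
    seen_ids.add(payload["rid"])
    return payload


def url_allowed(payload, path):
    """Service-level ACL: the AUTHORIZATION regexp from the login service decides the path."""
    return re.search(payload["authz"], path) is not None
```

The timestamp window bounds how long a stolen ticket is usable; the consumed RequestID set is what actually stops a replay inside that window.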
Demo 8: Service Level ACL
Session Management without session store – Reverse Proxy without Session Cache
Session Management with session hiding – Reverse Proxy with Session Cache (SHM)
Entry Server ToolKit – Hacking-Lab LiveCD: http://media.hacking-lab.com/largefiles/livecd/
Remember (I)
• Pre-Authentication reduces the attack surface of unauthenticated users
• Unique-ID enables proper forensics
• Cookie store hides insecure cookies
• Service ACL is a second line of defence for the application authorization scheme
Remember (II)
• Hacking-Lab LiveCD includes all tools you need to replay
• Win a car! Qualification wargames have started at www.swisscyberstorm.com
• All movies of this talk are available online at www.hacking-lab.com