Comments on: CORE GRASP - PHP Web Application Protection Software http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/ Ethical Hacking, Penetration Testing & Computer Security Thu, 04 Dec 2008 16:28:24 +0000 http://wordpress.org/?v=2.6.5 By: Ofer Shezaf http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-73043 Ofer Shezaf Thu, 15 Nov 2007 03:22:09 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-73043 @fazed: while I would be the 1st to tell you that no security solution, including a WAF is perfect, I think that your example is not relevant. First, if this is the risk you forecast in your application, you can easily write a rule to prevent it - just detect base64 (detecting long strings without spaces would do the work). Saying that, avoiding use of HTTP as a hidden channel between two points controlled by the bad guys is very very difficult. The strength of ModSecurity is that it can do whatever you want it to. The Core Rule Set, which is one example of such a use, does provide a pretty good solution for the problems it tries to address within its design limitations, namely: minimum false positives and minimal configuration. @fazed: while I would be the 1st to tell you that no security solution, including a WAF is perfect, I think that your example is not relevant.

First, if this is the risk you forecast in your application, you can easily write a rule to prevent it - just detect base64 (detecting long strings without spaces would do the work). Saying that, avoiding use of HTTP as a hidden channel between two points controlled by the bad guys is very very difficult.

The strength of ModSecurity is that it can do whatever you want it to. The Core Rule Set, which is one example of such a use, does provide a pretty good solution for the problems it tries to address within its design limitations, namely: minimum false positives and minimal configuration.

]]> By: Ofer Shezaf http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-73041 Ofer Shezaf Thu, 15 Nov 2007 03:15:07 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-73041 @dre: Fortify hooks to the application. SecureSphere does not. @dre: Fortify hooks to the application. SecureSphere does not.

]]> By: CORE GRASP para PHP at Share the information http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-72117 CORE GRASP para PHP at Share the information Wed, 07 Nov 2007 14:14:31 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-72117 [...] Fuente: Darknet [...] [...] Fuente: Darknet [...]

]]> By: dre http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-71607 dre Wed, 31 Oct 2007 06:18:59 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-71607 @fazed: hence why i was recommending fortifysoftware defender or imperva securesphere over mod_security - they go a little further by hooking into your application. of course, no WAF will ever stop many complex business logic flaws, session management issues - e.g. CSRF @fazed: hence why i was recommending fortifysoftware defender or imperva securesphere over mod_security - they go a little further by hooking into your application.

of course, no WAF will ever stop many complex business logic flaws, session management issues - e.g. CSRF

]]> By: dre http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-71606 dre Wed, 31 Oct 2007 06:17:00 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-71606 @fak3r: read the last link i provided to "web security gateway" or just go to the mod_security website. there's also tons of other resources such as <a href="http://www.apachesecurity.net" rel="nofollow">http://www.apachesecurity.net</a>, this <a href="http://www.thinkingstone.com/talks/Web_Intrusion_Detection_with_ModSecurity.pdf" rel="nofollow">PDF on APIDS</a> with ModSecurity by Ivan Ristic. Ryan Barnett also wrote a great book that covered mod_security well, <a href="http://www.awprofessional.com/bookstore/product.asp?isbn=0321321286&rl=1" rel="nofollow">Preventing Web Attacks with Apache</a>, which included some custom mod_security rules as well as linked to the now popular <a href="http://gotroot.com" rel="nofollow">gotroot rulset</a>. @fak3r: read the last link i provided to “web security gateway” or just go to the mod_security website.

there’s also tons of other resources such as http://www.apachesecurity.net, this PDF on APIDS with ModSecurity by Ivan Ristic. Ryan Barnett also wrote a great book that covered mod_security well, Preventing Web Attacks with Apache, which included some custom mod_security rules as well as linked to the now popular gotroot rulset.

]]> By: fazed http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-71566 fazed Tue, 30 Oct 2007 17:23:53 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-71566 @Ofer Shezaf mod_security is actually very poor at security a system, although alot of sys admins rely on it there are many bypass's to get around its restrictions. for example an attacker could base64 encode their GET vars and pass them to a script he has placed on the server which decodes it and mod_security does not detect it. it does mean that the attacker must first have that file on the webserver some how but after this the rest is easy to bypass (such as base path restrictions) @Ofer Shezaf
mod_security is actually very poor
at security a system, although alot
of sys admins rely on it there are many
bypass’s to get around its restrictions.
for example an attacker could base64 encode
their GET vars and pass them to a script he
has placed on the server which decodes it
and mod_security does not detect it.
it does mean that the attacker must
first have that file on the webserver
some how but after this the rest is
easy to bypass (such as base path restrictions)

]]> By: fak3r http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-70937 fak3r Mon, 29 Oct 2007 21:08:55 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-70937 @Dre Thanks for the advice, I've moved to Lighty from Apache 2.x on Debian recently, and I run Varnish for a reverse proxy/http accelerator. Can you tell me how you'd run mod_security in this setup? Would Varnish intercept php requests and run them through mod_sec or would Lighty use it directly? If it's easier and you want to help more my email is my username at my username dot com Thanks! fak3r. @Dre
Thanks for the advice, I’ve moved to Lighty from Apache 2.x on Debian recently, and I run Varnish for a reverse proxy/http accelerator. Can you tell me how you’d run mod_security in this setup? Would Varnish intercept php requests and run them through mod_sec or would Lighty use it directly? If it’s easier and you want to help more my email is my username at my username dot com

Thanks!

fak3r.

]]> By: dre http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-69630 dre Fri, 26 Oct 2007 21:25:20 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-69630 @fak3r: there are multiple ways of running mod_security - the only way it wouldn't work with lighttpd is the apache loaded module that only works with a local installation of apache. probably the most common way deployed in your scenario (without apache) is in reverse-proxy mode @fak3r: there are multiple ways of running mod_security - the only way it wouldn’t work with lighttpd is the apache loaded module that only works with a local installation of apache.

probably the most common way deployed in your scenario (without apache) is in reverse-proxy mode

]]> By: fak3r http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-69427 fak3r Fri, 26 Oct 2007 01:12:07 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-69427 @Ofer Shezaf As to your performance issues: what rules are you using for ModSecurity? the popular gotroot rules are way to big an inefficient, but on the other hand offer you alot the GRASP does not do provide you, such as blacklists. You must have been watching over my shoulder, this is exactly the problem. I will try again with the core rules only next. So, is there any way to get mod_security to work with Lighttpd? Thanks Ofer! @Ofer Shezaf
As to your performance issues: what rules are you using for ModSecurity? the popular gotroot rules are way to big an inefficient, but on the other hand offer you alot the GRASP does not do provide you, such as blacklists.

You must have been watching over my shoulder, this is exactly the problem. I will try again with the core rules only next.

So, is there any way to get mod_security to work with Lighttpd?

Thanks Ofer!

]]> By: Sandeep Nain http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-69394 Sandeep Nain Fri, 26 Oct 2007 00:24:13 +0000 http://www.darknet.org.uk/2007/10/core-grasp-php-web-application-protection-software/#comment-69394 I must say that modSecurity is the best WAF i have come across so far and that is because of the flexibility and powerful realtime traffic monitoring and analysis it provides. it will also give excellent results on big commercial web applications if implemented correctly and not just everyday websites. I must say that modSecurity is the best WAF i have come across so far and that is because of the flexibility and powerful realtime traffic monitoring and analysis it provides.

it will also give excellent results on big commercial web applications if implemented correctly and not just everyday websites.

]]>