WebApp Sec mailing list archives

RE: The Santy worm and Application Security


From: Paul Laudanski <zx () castlecops com>
Date: Fri, 31 Dec 2004 21:21:22 -0500 (EST)

On Fri, 31 Dec 2004, Ofer Shezaf wrote:


I must point you to an interesting thread in bugtraq (see excerpts
below) - as you can see, people writing rules for mod_security
understand that the rules are limited to a specific worm but usually
cannot handle potential variants.

"Santy" and "phpInclude" emphasize the need for real application
security measures such as code review, application layer scanning
and real time application layer security. Simpler IPS systems such as
mod_security (as well as commercial products that cost a lot of money
such as CheckPoint Web Intelligence, IntruShield or Proventia) cannot
effectively handle such attacks.

Actually, some of the rules, like the ones I have written, look for what I've 
found to be quite useful to protect against, namely characters such as:

'
%25
%2527
://

Filters such as these, which do not filter on "perl" or "wget", effectively 
catch not just the Santy and phpInclude attacks, but all other kinds of 
GET injections.  Based on the sheer number of attacks I've logged, such 
filters are effectively handling those attacks.

However, one must note that security is not about using a single source of 
protection; it is the art of security layering that is prudent to apply.  
mod_security is just a step in that process.

To your point, developers must pay more attention when coding to ensure 
that variables and arguments are properly sanitized.  For PHP sites, 
mod_security has a mechanism to protect against register_globals as well.

Here are quite a few you can read on:

http://modsecurity.org/documentation/snortmodsec-rules.txt

There are other sources of security that can be applied to Apache, such as 
mod_dosevasive and mod_require_host.

On the excerpts you've quoted, I can understand and appreciate the variety 
of attacks that can be formed and sent.  If history has taught us 
anything, in the real and online worlds, anything is breachable.  

However, I'm not so sure that a blanket statement that products, like 
those you mention above, cannot handle such attacks is a fair one at 
all.  I suggest you read some of the articles on mod_security:

ref: http://modsecurity.org/documentation/index.html

http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html
http://www.securityfocus.com/infocus/1739
http://modsecurity.org/documentation/apache-internal-chroot.html
http://modsecurity.org/documentation/php-register-globals.html

In your initial email you discuss real time application monitoring.  I 
don't see how mod_security is any different, as it inspects GETs and/or 
POSTs in real time.

If santy and phpinclude have accomplished anything positive, I hope that 
it highlights (no pun intended) to coders the need to refocus on securing 
their applications.

-- 
Regards,

Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
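The character-based filtering described in the post above (matching on `'`, `%25`, `%2527` and `://` rather than on tool names like "perl" or "wget"), as an added example that is not part of the original message and is not mod_security's own rule code: a small Python scanner that applies those four signatures to constructed Apache access-log lines, first on the raw request target and then after a URL-decoding pass of the kind a request filter typically applies before matching. The log lines, IP addresses and paths below are constructed for the example; the `decode_passes` parameter is this example's own knob, not a mod_security directive.

```python
"""Character-signature filter over Apache access-log lines (added example).

Demonstrates why the post lists both "'" and "%2527": a filter that decodes
URL encoding once turns %27 into a quote, but %2527 only becomes %27 after
that pass, so the double-encoded form needs its own signature (or a second
decoding pass).
"""
import re
from urllib.parse import unquote

# The four signatures named in the post.
SIGNATURES = ("'", "%25", "%2527", "://")

# Request line inside a common-log-format entry, e.g. "GET /a?b=c HTTP/1.0".
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample entries (not real traffic). Lines 2, 3, 4 and 6 should
# trigger; line 6 is a legitimate-looking redirect parameter that still
# matches "://", which illustrates the false-positive cost of that signature.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Dec/2004:20:01:02 -0500] "GET /index.php?page=news HTTP/1.0" 200 5123',
    '192.0.2.11 - - [31/Dec/2004:20:01:05 -0500] "GET /index.php?page=http://198.51.100.7/x.txt HTTP/1.0" 200 88',
    '192.0.2.12 - - [31/Dec/2004:20:01:09 -0500] "GET /item.php?id=1%27%20OR%201=1 HTTP/1.0" 200 304',
    '192.0.2.13 - - [31/Dec/2004:20:01:11 -0500] "GET /item.php?id=1%2527 HTTP/1.0" 200 304',
    '192.0.2.14 - - [31/Dec/2004:20:01:15 -0500] "GET /search.php?q=hello%20world HTTP/1.0" 200 2201',
    '192.0.2.15 - - [31/Dec/2004:20:01:20 -0500] "GET /go.php?url=http://example.org/ HTTP/1.0" 302 0',
]


def inspect_target(target, decode_passes=1):
    """Map each matching signature to the first stage at which it appeared.

    Stages are "raw" (the request as received) and "decodeN" (after N
    URL-decoding passes). A signature is recorded only once, at the
    earliest stage where it matches.
    """
    stages = [("raw", target)]
    text = target
    for n in range(1, decode_passes + 1):
        text = unquote(text)
        stages.append((f"decode{n}", text))

    first_hit = {}
    for stage, text in stages:
        for sig in SIGNATURES:
            if sig in text and sig not in first_hit:
                first_hit[sig] = stage
    return first_hit


def scan_log(lines, decode_passes=1):
    """Return (client_ip, target, hits) for every log line that triggers."""
    flagged = []
    for line in lines:
        match = _REQ_RE.search(line)
        if not match:
            continue  # not a parseable request line; skip rather than guess
        target = match.group("target")
        hits = inspect_target(target, decode_passes)
        if hits:
            flagged.append((line.split()[0], target, hits))
    return flagged


if __name__ == "__main__":
    for passes in (1, 2):
        print(f"--- decode_passes={passes} ---")
        for ip, target, hits in scan_log(SAMPLE_LOG, passes):
            print(f"{ip:12} {target:45} {hits}")
```

With one decoding pass the `%2527` request is caught only by the `%25`/`%2527` signatures; with two passes the quote itself surfaces at `decode2`. The `://` signature is the one to watch for false positives: any parameter that legitimately carries a URL (the `go.php?url=` line) is flagged alongside the remote-include style request, so in practice that rule is scoped to the parameters or paths where a URL is never expected.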


