WebApp Sec mailing list archives
RE: The Santy worm and Application Security
From: Paul Laudanski <zx () castlecops com>
Date: Fri, 31 Dec 2004 21:21:22 -0500 (EST)
On Fri, 31 Dec 2004, Ofer Shezaf wrote:
> I must point you to an interesting thread in bugtraq (see excerpts below) - as you can see, people writing rules for mod_security understand that the rules are limited to a specific worm but usually cannot handle potential variants. "Santy" and "phpInclude" emphasize the need for real application security measurements such as code review, application layer scanning and real time application layer security. Simpler IPS system such as mod_security (as well as commercial products that cost a lot of money such as CheckPoint Web Intelligence, IntruShield or Proventia) cannot effectively handle such attacks.
Actually, some of the rules like the ones I have written look for what I've found to be quite useful to protect against, characters such as:

    ' %25 %2527 ://

Filters such as these, that do not filter on "perl" or "wget", effectively catch not just the santy and phpinclude attacks, but all other kinds of GET injections. Based on the sheer number of attacks I've logged, such filters are effectively handling those attacks. However, one must note that security is not about using a single source of protection; it is the art of security layering that is prudent to apply. mod_security is just a step in that process.

To your point, developers must pay more attention when coding to ensure that variables and arguments are properly sanitized. For PHP sites, mod_security has a mechanism to protect against register_globals as well. Here are quite a few you can read on: http://modsecurity.org/documentation/snortmodsec-rules.txt

There are other sources of security that can be applied to Apache, such as mod_dosevasive and mod_require_host.

On the excerpts you've quoted, I can understand and appreciate the variety of attacks that can be formed and sent. If history has taught us anything, in the real and online worlds, anything is breachable. However, I'm not so sure that a blanket statement that products, like those you mention above, cannot handle such attacks is not a fair one at all. I suggest you read some of the articles on mod_security:

ref:
http://modsecurity.org/documentation/index.html
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html
http://www.securityfocus.com/infocus/1739
http://modsecurity.org/documentation/apache-internal-chroot.html
http://modsecurity.org/documentation/php-register-globals.html

In your initial email you discuss real time application monitoring. I don't see how mod_security is any different, as it inspects GETs and/or POSTs in real time.
If santy and phpinclude have accomplished anything positive, I hope that it highlights (no pun intended) to coders the need to refocus on securing their applications.

--
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
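The character filter Paul describes (flagging `'`, `%25`, `%2527` and `://` in requests rather than tool names like "perl" or "wget"), as an added example that is not code from the thread or from mod_security: it runs the checks over a few constructed Apache access-log lines, decodes one layer of URL-encoding so `%2527` is caught as a hidden quote, and includes a legitimate redirect parameter to show the false-positive side of a `://` rule. Log lines, hosts and rule names are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Rules from the post: a raw quote, its encoded forms (%25 is an encoded
# "%", so %2527 is a double-encoded quote), and a "://" scheme separator
# inside the request target. Rule names are our own labels.
SUSPICIOUS = [
    ("quote", re.compile(r"'")),
    ("pct-encoded-pct", re.compile(r"%25", re.IGNORECASE)),
    ("double-encoded-quote", re.compile(r"%2527", re.IGNORECASE)),
    ("url-scheme", re.compile(r"://")),
]

# Apache combined log: client, ident, user, [time], "METHOD target proto", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log; none of these are real hosts or real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Dec/2004:21:00:01 -0500] "GET /index.php?page=home HTTP/1.0" 200 512',
    '203.0.113.7 - - [31/Dec/2004:21:00:02 -0500] "GET /search.php?q=%2527 HTTP/1.0" 200 7120',
    '203.0.113.9 - - [31/Dec/2004:21:00:03 -0500] "GET /page.php?inc=http://198.51.100.1/x.txt HTTP/1.0" 200 310',
    '203.0.113.11 - - [31/Dec/2004:21:00:04 -0500] "GET /go.php?to=https://example.org/ HTTP/1.0" 302 0',
]


def inspect_request(target: str) -> list:
    """Return the names of the rules that match the request target.
    The target is tested raw and after one URL-decoding pass, so a
    single layer of encoding cannot hide the characters."""
    decoded = unquote(target)
    return [name for name, pat in SUSPICIOUS
            if pat.search(target) or pat.search(decoded)]


def scan_log(lines) -> list:
    """Return (client, target, matched_rules) for every flagged line."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-log line; skip it
        client, _method, target, _status = m.groups()
        hits = inspect_request(target)
        if hits:
            flagged.append((client, target, hits))
    return flagged


if __name__ == "__main__":
    for client, target, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(hits)}")
```

The last sample line is benign but still trips the `://` rule, which is the kind of filter-specific false positive that has to be tuned per site rather than assumed away.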