WebApp Sec mailing list archives
RE: The Santy worm and Application Security
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Sun, 2 Jan 2005 07:33:44 -0500
On Saturday, January 01, Paul Laudanski wrote:
On Fri, 31 Dec 2004, Ofer Shezaf wrote:I must point you to an interesting thread in bugtraq (see excerpts below) - as you can see, people writing rules for mod_security understand that the rules are limited to a specific worm but usually cannot handle potential variants. "Santy" and "phpInclude" emphasize the need for real application security measurements such as code review, application layer
scanning
and real time application layer security. Simpler IPS system such as mod_security (as well as commercial products that cost a lot of
money
such as CheckPoint Web Intelligence, IntruShield or Proventia)
cannot
effectively handle such attacks.Actually some of the rules like the ones I have written look for what
I've
found to be quite useful to protect against, characters such as: ' %25 %2527 ://
These signatures are very much prone to false positives. As an expert tailoring mod_security for a specific application you can use such signatures and still be confident you are not blocking legitimate users. But in many applications I know such signatures will block legitimate users. In order to use such signatures you have to carefully use mod_security location filters and use apache configuration to limit filtering of specific URLs, which is quite a task.
Filters such as these, that do not filter on "perl" or "wget"
effectively
catch not just the santy and phpinclude attacks, but all other kinds
of
GET injections. Based on the sheer number of attacks I've logged,
such
filters are effectively handling those attacks.
I would argue such as effectiveness measurement. In web site security catching many is not difficult as so many automatic exploitation attempts are carried out. The real problems are: (a) Catching zero day attacks (those that you don't have a specific signature for) (b) Catching targeted attacks that points specifically at your web site.
However, one must note that security is not about using a single
source of
protection, it is the art of security layering that is prudent to
apply.
mod_security is just a step in that process.
I agree, you are right, and mod_security is far superior to many commercial solutions out there (though more difficult to implement).
To your point, developers must pay more attention when coding to
ensure
that variables and arguments are properly sanitized. For PHP sites, mod_security has a mechanism to protect against register_globals as
well.
Here are quite a few you can read on: http://modsecurity.org/documentation/snortmodsec-rules.txt There are other sources of security that can be applied to Apache,
just as
mod_dosevasive and mod_require_host. On the excerpts you've quoted, I can understand and appreciate the
variety
of attacks that can be formed and sent. If history has taught us anything, in the real and online worlds, anything breachable. However, I'm not so sure that a blanket statement that products, like those you mention above, cannot handle such attacks is not a fair one
at
all. I suggest you read some of the articles on mod_security: ref: http://modsecurity.org/documentation/index.html http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html http://www.securityfocus.com/infocus/1739 http://modsecurity.org/documentation/apache-internal-chroot.html http://modsecurity.org/documentation/php-register-globals.html In your initial email you discuss real time application monitoring. I don't see how mod_security is any different as it inspects GETs and or POSTs real time.
I stand corrected. mod_security is a real time application security solution and is not part of the IPS products group. The reason I included it in the IPS group is that all the mod_security rules I've seen regarding Santy and phpInclude do not utilize mod_security application layer features. All of them could be written as snort rules. Mod_security is not different from IPS solutions in this case since unlike networks which are (relatively) simple and static, applications are complex and dynamic. A real time application security solution has to provide some sort of a dynamic policy that adapts automatically to the application. Otherwise security configuration will have to be performed constantly during the application life cycle. In other words - for you as a security expert with application knowledge it is a great solution. For an organization it is impractical.
If santy and phpinclude have accomplished anything positive, I hope
that
it highlights (no pun intended) to coders the need to refocus on
securing
their applications. -- Regards, Paul Laudanski - Computer Cops, LLC. CEO & Founder CastleCops(SM) - http://castlecops.com Promoting education and health in online security and privacy.
Current thread:
- RE: The Santy worm and Application Security Paul Laudanski (Jan 01)
- <Possible follow-ups>
- RE: The Santy worm and Application Security Ofer Shezaf (Jan 01)
- RE: The Santy worm and Application Security Paul Laudanski (Jan 01)
- RE: The Santy worm and Application Security Ofer Shezaf (Jan 02)
- RE: The Santy worm and Application Security Paul Laudanski (Jan 02)