Open Source Web Entry Server

  • Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“

Ivan Bütler

[email protected]


About me

Ivan Bütler ¦ E1

  • Founder & Security Researcher for Compass Security since 1999, Switzerland – www.csnc.ch

  • Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis

  • Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking

  • Speaker @ Swiss IT Leadership Forum, Nice 2009: Cyber Underground

  • Lead, Swiss Cyber Storm 2011 Security Conference, 12–15 May 2011, Switzerland – www.swisscyberstorm.com

  • Board member of Information Security Society Switzerland (ISSS)

  • Lecturing Activities: HSR & HSLU & FHSG


  • Win a Car! – Wargame! USD 30'000 main prize

  • www.swisscyberstorm.com

  • May 12-15, 2011

  • Switzerland, near Zürich

  • OWASP Trainings planned!


Goal of this Talk

  • Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization

  • We will play with Facebook as our backend application

  • The LiveCD includes all demos www.hacking-lab.com

Hacking-Lab

LiveCD


PCI DSS Requirement


Without a Web Application Firewall

Multiple connections into DMZ

Applications directly accessible


Web App Firewall (WAF)

Demo with FB

Web Application Firewall

  • Reverse Proxy to FB

  • Security Checks

  • Content Rewriting

TOOL TIP: mod_proxy


DEMO 1 + 2

Demo movies shown here are available in Hacking-Lab – OWASP Event, www.hacking-lab.com


Content Rewriting

www.myproxy.com

  • Relative URLs are not a problem!

  • Content rewriting is not required

www.fb.com

<link href="/css/mystyle.css" rel="stylesheet" type="text/css">


Content Rewriting

www.myproxy.com

  • Absolute URLs must be rewritten

  • Cookie domain must be rewritten

  • Cookie values must be rewritten (in some cases)

www.fb.com

<a href="http://www.fb.com/css/01.css" type="text/css">

TOOL TIP: mod_replace
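The three rewriting rules from the slides above (absolute URLs, cookie domain, and in some cases the cookie value), worked through as an added Python example. This is not code from the talk or from mod_replace; the host names are the ones on the slides, while the sample response body and the Set-Cookie headers are constructed for the demo.

```python
import re

# Hosts from the slides: the web entry server and the origin it proxies.
PROXY_HOST = "www.myproxy.com"
BACKEND_HOST = "www.fb.com"

# Absolute references to the backend host. The lookahead stops the pattern
# from matching look-alike hosts such as "www.fb.com.example".
ABS_BACKEND_URL = re.compile(
    r"https?://" + re.escape(BACKEND_HOST) + r"(?=[/\"'\s>?#]|$)"
)

# Constructed sample body: one relative reference (left alone), two absolute
# references to the backend (rewritten) and one foreign host (left alone).
SAMPLE_BODY = (
    '<link href="/css/mystyle.css" rel="stylesheet" type="text/css">\n'
    '<a href="http://www.fb.com/css/01.css" type="text/css">\n'
    '<img src="https://www.fb.com/img/logo.png">\n'
    '<a href="http://www.other.example/x">'
)


def rewrite_body(body: str) -> str:
    """Point absolute backend URLs at the proxy. Relative URLs need no change:
    the browser already resolves them against the proxy host."""
    return ABS_BACKEND_URL.sub("https://" + PROXY_HOST, body)


def rewrite_set_cookie(header_value: str) -> str:
    """Rewrite one backend Set-Cookie header before it reaches the client.

    - Domain attribute: a cookie scoped to the backend domain would never be
      sent back to the proxy, so it is re-scoped to the proxy host.
    - Cookie value: sometimes the value itself embeds a backend URL (for
      example a post-login redirect target) and must be rewritten as well.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return header_value
    name, _, value = parts[0].partition("=")
    rewritten = [name + "=" + rewrite_body(value)]
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        domain = val.lstrip(".").lower()
        if key.lower() == "domain" and domain and (
            domain == BACKEND_HOST or BACKEND_HOST.endswith("." + domain)
        ):
            rewritten.append("Domain=" + PROXY_HOST)
        else:
            rewritten.append(attr)
    return "; ".join(rewritten)


if __name__ == "__main__":
    print(rewrite_body(SAMPLE_BODY))
    print(rewrite_set_cookie("sid=abc; Domain=.fb.com; Path=/; HttpOnly"))
    print(rewrite_set_cookie("next=http://www.fb.com/home; Domain=www.fb.com; Path=/"))
```

A real proxy applies the same substitution to redirect targets in Location headers and, as the slide notes, needs no rule at all for relative references, which is why applications that stick to relative URLs are the easiest to put behind an entry server.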


Demo 4

Request Header Patching
Cookie Value Patching


Web App Firewall

www.myproxy.com

  • The @inspectFile operator is simply a type of API that allows you to inspect file attachments

www.fb.com

< request filtering | e.g. SQL injection >

< response filtering | e.g. stack traces >

< inspect files | e.g. PDF exploit analysis >

TOOL TIP: mod_security


Demo 5 + 6

ModSecurity


Web Entry Server

  • Pre-Authentication

  • Delegated Login Service (DLS)

  • Session Hiding

  • URL Access Control

  • Principal Delegation to Backend App

TOOL TIP: mod_but


Web Entry Server – Swiss Blueprint

Web Entry Server

  • Backend requests are always authenticated!

  • Strong forensic and logging capabilities

Central Login Service


Pre-Authentication: Principal Delegation

www.myproxy.com

www.fb.com

PRINCIPAL

login.myproxy.com

GET /app HTTP/1.0
UserID=1234

RequestID=992x9833asr

Login=OK
Set-Cookie: UserID=1234;


Pre-Authentication: Single Sign On

IF SERVICE IS SSO ENABLED

Server gets initial request with UserID=1234 from WES

Server extracts UserID

Server creates a new, authenticated session

Server authorizes only

ALTERNATIVE:

User must authenticate twice (SSO disabled)

Delegated Login Service (DLS)

IMPORTANT

Principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of plain-text UserID=1234!
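The SSO flow on the slides above (WES sends the principal, the backend extracts it and creates its own authenticated session) together with the IMPORTANT note, as an added Python example that is not part of the talk or of mod_but. It replaces the plain-text UserID=1234 with an HMAC-signed, timestamped, single-use ticket. Assumptions: a key shared out of band between entry server and backend (a constructed value here), HMAC-SHA256 as the signing primitive, a 60-second ticket lifetime, and a `seen` nonce set standing in for a replay cache.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumption: the entry server and the backend share this key out of band.
# Constructed demo value; a deployment would provision it from a key store.
SHARED_KEY = b"constructed-demo-key-shared-by-wes-and-backend"
TICKET_TTL_SECONDS = 60      # how long a ticket stays valid
CLOCK_SKEW_SECONDS = 5       # tolerated clock difference between WES and backend


def _mac(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_ticket(user_id: str, now=None, key: bytes = SHARED_KEY) -> str:
    """WES side: instead of 'UserID=1234' in clear, send a signed ticket.
    Wire format: base64url( user|timestamp|nonce|hmac_hex )."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{user_id}|{ts}|{nonce}".encode()
    token = payload + b"|" + _mac(payload, key).encode()
    return base64.urlsafe_b64encode(token).decode()


def verify_ticket(ticket: str, now=None, key: bytes = SHARED_KEY, seen=None):
    """Backend side: return the user id if the ticket is authentic, fresh and
    (when a `seen` nonce set is supplied) not replayed; otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode()).decode()
        user_id, ts_text, nonce, mac_hex = raw.rsplit("|", 3)
        ts = int(ts_text)
    except (ValueError, binascii.Error):
        return None                      # malformed, e.g. a plain 'UserID=1234'
    payload = f"{user_id}|{ts}|{nonce}".encode()
    if not hmac.compare_digest(_mac(payload, key).encode(), mac_hex.encode()):
        return None                      # forged or tampered (checked before anything else)
    now = int(time.time() if now is None else now)
    if ts > now + CLOCK_SKEW_SECONDS or now - ts > TICKET_TTL_SECONDS:
        return None                      # expired, or issued in the future
    if seen is not None:
        if nonce in seen:
            return None                  # replayed within the validity window
        seen.add(nonce)
    return user_id


def backend_accept(ticket: str, sessions: dict, now=None, seen=None):
    """SSO-enabled backend, as on the slide: extract the principal from the
    WES ticket, create a new authenticated session, return its id. The
    backend only authorizes; it does not ask the user to log in again."""
    user_id = verify_ticket(ticket, now=now, seen=seen)
    if user_id is None:
        return None
    sid = secrets.token_urlsafe(16)
    sessions[sid] = user_id
    return sid


if __name__ == "__main__":
    sessions, seen = {}, set()
    ticket = issue_ticket("1234")
    print("first use :", backend_accept(ticket, sessions, seen=seen))
    print("replay    :", backend_accept(ticket, sessions, seen=seen))
```

The order of checks matters: the MAC is verified first so that nothing derived from an unauthenticated ticket (timestamp, nonce) is acted upon, and the replay cache only needs to remember nonces for TICKET_TTL_SECONDS plus the skew allowance, after which the timestamp check rejects the ticket anyway.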


Pre-Authentication – DLS: Delegated Login Service

www.myproxy.com

www.fb.com

IMPORTANT

DLS authenticates on behalf of the user into www.fb.com (it knows the credentials from the user repository)

-> Non-origin cookies are then set to www.myproxy.com

DLS

login.myproxy.com


Demo 7 - SSO


Web Forensics: NTP is not enough!

TOOL TIP: mod_unique_id

mod_headers


Demo 7 - UniqueID


URL Access Control

www.myproxy.com

login.myproxy.com

Authorization Regexp

Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);


Demo 8

Service Level ACL


Session Management without session store

Reverse Proxy

Without Session Cache


Session Management with session hiding

Reverse Proxy

Session Cache (SHM)
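The URL Access Control slide (the AUTHORIZATION regexp returned by login.myproxy.com) and the two session management slides (reverse proxy with a session cache) combined in one added Python example. This is not code from the talk or from mod_but: the proxy cookie name WESID, the in-memory SessionCache standing in for the shared-memory cache, the sample paths and the backend cookies are all constructed, and keeping the AUTHORIZATION value in the cache instead of handing it to the browser is this example's design choice.

```python
import re
import secrets
from dataclasses import dataclass, field

PROXY_COOKIE = "WESID"          # the only cookie the client ever sees (constructed name)
PRINCIPAL_HEADER = "UserID"     # principal header from the slides, delegated to the backend


@dataclass
class Session:
    user_id: str
    authz: "re.Pattern"                                   # AUTHORIZATION regexp from login
    backend_cookies: dict = field(default_factory=dict)   # hidden from the client


class SessionCache:
    """Stands in for the shared-memory session cache of the reverse proxy."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str, authz_regexp: str) -> str:
        """Called on Login=OK from login.myproxy.com. The AUTHORIZATION value is
        kept server-side; the browser only gets an opaque proxy session id."""
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(user_id, re.compile(authz_regexp))
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)


def parse_cookies(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def handle_request(cache: SessionCache, path: str, cookie_header: str) -> dict:
    """Entry-server decision for one request: 401 without a valid session,
    403 when the service ACL denies the path, otherwise 200 with the headers
    to forward (hidden backend cookies re-injected, principal delegated)."""
    session = cache.get(parse_cookies(cookie_header).get(PROXY_COOKIE, ""))
    if session is None:
        return {"status": 401, "headers": {}}       # pre-authentication: go to login first
    if not session.authz.search(path):
        return {"status": 403, "headers": {}}       # second line of defence for the app's authz
    headers = {PRINCIPAL_HEADER: session.user_id}
    if session.backend_cookies:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in session.backend_cookies.items())
    return {"status": 200, "headers": headers}


def absorb_response(cache: SessionCache, sid: str, set_cookie_headers: list) -> list:
    """Store every backend Set-Cookie in the cache and return the Set-Cookie
    headers that may still reach the client: none, they are all hidden."""
    session = cache.get(sid)
    if session is None:
        return set_cookie_headers                   # no session to hide them in; request was rejected earlier
    for header in set_cookie_headers:
        name, _, value = header.split(";", 1)[0].strip().partition("=")
        if name:
            session.backend_cookies[name] = value
    return []


if __name__ == "__main__":
    cache = SessionCache()
    sid = cache.create("1234", "(^/app1|^/app2)")
    print(handle_request(cache, "/admin/", f"WESID={sid}"))
    absorb_response(cache, sid, ["JSESSIONID=abc123; Path=/; HttpOnly"])
    print(handle_request(cache, "/app1/index.html", f"WESID={sid}"))
```

Two things to check when deploying this pattern: the regexp from the slide, `(^/app1|^/app2)`, also matches `/app10` or `/app1evil`, so service ACLs should anchor on the path segment (for example `^/app1(/|$)`); and the cache must expire entries, since a backend session cookie that lives only in the proxy's memory is invisible to the client and therefore never logged out by the browser closing.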


Entry Server ToolKit

http://media.hacking-lab.com/largefiles/livecd/

Hacking-Lab

LiveCD


Remember (I)

  • Pre-Authentication reduces the attack surface of unauthenticated users

  • Unique-ID enables proper forensics

  • Cookie store hides insecure cookies

  • Service ACL is a second line of defence for the application authorization scheme


Remember (II)

  • Hacking-Lab LiveCD includes all tools you need to replay

  • Win a car! Qualification wargames have started at www.swisscyberstorm.com

  • All movies of this talk are available online at www.hacking-lab.com


Thank you. Ivan Bütler, E1

