Open source web entry server



Open Source Web Entry Server

  • Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“

Ivan Bütler

[email protected]



About me

Ivan Bütler ¦ E1

  • Founder & Security Researcher at Compass Security since 1999, Switzerland – www.csnc.ch

  • Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis

  • Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking

  • Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground

  • Lead of Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland – www.swisscyberstorm.com

  • Board member of Information Security Society Switzerland (ISSS)

  • Lecturing Activities: HSR & HSLU & FHSG


Open source web entry server

  • Win a Car! – Wargame! USD 30'000 main prize

  • www.swisscyberstorm.com

  • May 12-15, 2011

  • Switzerland, near Zürich

  • OWASP Trainings planned!



Goal of this Talk

  • Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization

  • We will play with Facebook as our backend application

  • The LiveCD includes all demos: www.hacking-lab.com

Hacking-Lab

LiveCD



PCI DSS Requirement



Without a Web Application Firewall

  • Multiple connections into the DMZ

  • Applications directly accessible from the Internet



Web App Firewall (WAF)

Demo with FB

Web Application Firewall

  • Reverse Proxy to FB

  • Security Checks

  • Content Rewriting

TOOL TIP: mod_proxy



DEMO 1 + 2

Demo movies shown here are available in Hacking-Lab – OWASP Event, www.hacking-lab.com



Content Rewriting

www.myproxy.com

  • Relative URLs are not a problem!

  • Content rewriting is not required

www.fb.com

<link href="/css/mystyle.css" rel="stylesheet" type="text/css">



Content Rewriting

www.myproxy.com

  • Absolute URLs must be rewritten

  • Cookie domain must be rewritten

  • Cookie values must be rewritten (in some cases)

www.fb.com

<a href="http://www.fb.com/css/01.css" type="text/css">

TOOL TIP: mod_replace
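The three rewrite rules of this slide, written out as an added Python example (this is not the talk's mod_replace configuration and not Apache code): absolute URLs pointing at the backend are rewritten to the proxy host, the Domain attribute of backend Set-Cookie headers is rewritten, and relative URLs pass through unchanged. The hostnames www.fb.com and www.myproxy.com are the slide's; the function names and the sample response are constructed for this example. The look-alike host www.fb.com.evil.example is in the sample to show that a naive substring replace would be wrong.

```python
import re
from typing import List, Tuple

BACKEND = "www.fb.com"       # origin host, as on the slide
PROXY = "www.myproxy.com"    # entry server host, as on the slide


def _abs_url_re(host: str):
    # scheme + the exact backend host, followed by a path, a quote, whitespace,
    # '>' or the end of the string. The lookahead keeps "www.fb.com.evil.example"
    # from being rewritten.
    return re.compile(r"(https?://)" + re.escape(host) + r"(?=[/\"'\s>]|$)", re.IGNORECASE)


def rewrite_body(body: str, backend: str = BACKEND, proxy: str = PROXY) -> str:
    """Absolute URLs pointing at the backend are rewritten to the proxy; relative
    URLs such as /css/mystyle.css contain no host and are left untouched."""
    return _abs_url_re(backend).sub(lambda m: m.group(1) + proxy, body)


_DOMAIN_ATTR = re.compile(r"(;\s*domain=)([^;]+)", re.IGNORECASE)


def rewrite_set_cookie(value: str, backend: str = BACKEND, proxy: str = PROXY) -> str:
    """Rewrite the Domain attribute of a backend Set-Cookie so the browser returns
    the cookie to the proxy. Domain=.fb.com (a parent of the backend host) is
    rewritten as well; unrelated domains are left alone."""
    def repl(m):
        domain = m.group(2).strip().lstrip(".").lower()
        if domain == backend.lower() or backend.lower().endswith("." + domain):
            return m.group(1) + proxy
        return m.group(0)
    return _DOMAIN_ATTR.sub(repl, value)


def rewrite_response(headers: List[Tuple[str, str]], body: str) -> Tuple[List[Tuple[str, str]], str]:
    """Apply the rewrites to one backend response. Content-Length is recomputed
    because the body changes length; keeping the backend's value would make the
    client truncate or hang."""
    new_body = rewrite_body(body)
    new_headers: List[Tuple[str, str]] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "content-length":
            continue
        if lname == "set-cookie":
            value = rewrite_set_cookie(value)
        elif lname == "location":          # redirects carry absolute URLs too
            value = rewrite_body(value)
        new_headers.append((name, value))
    new_headers.append(("Content-Length", str(len(new_body.encode("utf-8")))))
    return new_headers, new_body


# Constructed sample response (not captured from Facebook): the slide's two link
# tags, a Set-Cookie with a backend Domain, a redirect, and a look-alike host.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Domain=.fb.com; Path=/; HttpOnly"),
    ("Location", "http://www.fb.com/home"),
    ("Content-Length", "999"),
]
SAMPLE_BODY = (
    '<link href="/css/mystyle.css" rel="stylesheet" type="text/css">\n'
    '<a href="http://www.fb.com/css/01.css" type="text/css">\n'
    '<a href="http://www.fb.com.evil.example/x">'
)

if __name__ == "__main__":
    hdrs, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for h in hdrs:
        print("%s: %s" % h)
    print()
    print(body)
```

Two caveats a practitioner hits in production: body substitution only works on an uncompressed response, so the proxy must either remove Accept-Encoding from the request it sends to the backend or inflate the response first; and rewriting cookie values (the "in some cases" bullet) needs the same care for the value's length and encoding as for the body.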



Demo 4

Request Header Patching, Cookie Value Patching



Web App Firewall

www.myproxy.com

  • The @inspectFile operator is ModSecurity's hook for handing uploaded files to an external inspection script, i.e. an API for inspecting file attachments

www.fb.com

< request filtering | e.g. SQL injection >

< response filtering | e.g. stack traces >

< inspect files | e.g. PDF exploit analysis >

TOOL TIP: mod_security



Demo 5 + 6

ModSecurity



Web Entry Server

  • Pre-Authentication

  • Delegated Login Service (DLS)

  • Session Hiding

  • URL Access Control

  • Principal Delegation to Backend App

TOOL TIP: mod_but



Web Entry Server - Swiss Blueprint -

Web Entry Server

  • Backend requests are always authenticated!

  • Strong forensic and logging capabilities

Central Login Service



Pre-Authentication: Principal Delegation

www.myproxy.com

www.fb.com

PRINCIPAL

login.myproxy.com

GET /app HTTP/1.0
UserID=1234

RequestID=992x9833asr

Login=OK
Set-Cookie: UserID=1234;



Pre-Authentication: Single Sign On

IF THE SERVICE IS SSO ENABLED:

Server gets the initial request with UserID=1234 from the WES

Server extracts the UserID

Server creates a new, authenticated session

Server only authorizes (no second login)

ALTERNATIVE:

User must authenticate twice (SSO disabled)

Delegated Login Service (DLS)

IMPORTANT

The principal ticket should be an encrypted or signed, timestamped value (against replay attacks) instead of a plain-text UserID=1234!
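What that "IMPORTANT" note asks for, as an added Python example (this is not mod_but's ticket format and not code from the talk): the entry server hands the backend an HMAC-signed, timestamped, single-use ticket instead of UserID=1234, and the backend's SSO branch accepts it only if the tag verifies, the ticket is fresh and its nonce has not been seen. The header name X-Principal, the five-minute lifetime, the 30-second clock skew and the shared key are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

PRINCIPAL_HEADER = "X-Principal"   # assumption: header carrying the ticket to the backend
TICKET_LIFETIME = 300              # assumption: seconds a ticket stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(key: bytes, user_id: str, now: Optional[float] = None) -> str:
    """Entry server side: bind user id, issue time and a random nonce, then sign.
    Format: base64url(claims) '.' base64url(HMAC-SHA256 tag)."""
    issued = int(now if now is not None else time.time())
    claims = {"uid": user_id, "iat": issued, "nonce": os.urandom(8).hex()}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(key, payload))


def add_principal(request_headers: Dict[str, str], key: bytes, user_id: str,
                  now: Optional[float] = None) -> Dict[str, str]:
    """Entry server side: drop any client-supplied principal header before adding
    ours, otherwise a browser could smuggle its own value to the backend."""
    out = {k: v for k, v in request_headers.items() if k.lower() != PRINCIPAL_HEADER.lower()}
    out[PRINCIPAL_HEADER] = issue_ticket(key, user_id, now)
    return out


class TicketVerifier:
    """Backend side (the 'SSO enabled' branch of the slide)."""

    def __init__(self, key: bytes, lifetime: int = TICKET_LIFETIME, skew: int = 30) -> None:
        self.key, self.lifetime, self.skew = key, lifetime, skew
        self.seen: Dict[str, int] = {}   # nonce -> iat; pruned once the ticket expired anyway

    def verify(self, ticket: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid ticket, None for anything else."""
        now = now if now is not None else time.time()
        try:
            p64, t64 = ticket.split(".")
            payload, tag = _unb64(p64), _unb64(t64)
        except ValueError:
            return None                              # malformed, e.g. plain 'UserID=1234'
        if not hmac.compare_digest(tag, _sign(self.key, payload)):
            return None                              # forged or tampered
        claims = json.loads(payload)
        age = now - claims["iat"]
        if age > self.lifetime or age < -self.skew:
            return None                              # expired, or issued in the future
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.lifetime + self.skew}
        if claims["nonce"] in self.seen:
            return None                              # replay of a ticket already used
        self.seen[claims["nonce"]] = claims["iat"]
        return claims["uid"]


if __name__ == "__main__":
    key = os.urandom(32)
    verifier = TicketVerifier(key)
    headers = add_principal({"Host": "www.fb.com", "X-Principal": "UserID=9999"}, key, "1234")
    print("first use:", verifier.verify(headers[PRINCIPAL_HEADER]))   # 1234
    print("replay:   ", verifier.verify(headers[PRINCIPAL_HEADER]))   # None
```

The replay cache is per backend process here; with several backend workers it has to be shared (the same way the slide's session cache is in shared memory), and the backend must additionally accept the header only from the entry server's address or client certificate, since the signature proves who issued the ticket but not who delivered it.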



Pre-Authentication - DLS: Delegated Login Service

www.myproxy.com

www.fb.com

IMPORTANT

The DLS authenticates on behalf of the user into www.fb.com (it knows the credentials from the user repository)

-> Non-origin cookies are then set for www.myproxy.com

DLS

login.myproxy.com



Demo 7 - SSO



Web Forensics: NTP is not enough!

TOOL TIP: mod_unique_id, mod_headers



Demo 7 - UniqueID



URL Access Control

www.myproxy.com

login.myproxy.com

AuthorizationRegexp

Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);


Demo 8

Demo 8

Service Level ACL



Session Management without session store

Reverse Proxy

Without Session Cache



Session Management with session hiding

Reverse Proxy

Session Cache (SHM)
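The three slides above (Web Forensics, URL Access Control and Session Management with session hiding) fit into one mechanism, shown here as an added Python example that is not mod_but's implementation: the browser holds only an opaque entry-server session id, while the user's AUTHORIZATION regexp from the login service and the backend's cookies live in a server-side store (the SHM session cache), so the client can neither edit the ACL nor see the backend's cookies. Each request also gets a unique id that is logged at the proxy and forwarded to the backend. The cookie name WES_SID, the header names X-Unique-ID and X-User-ID, and the log format are assumptions. The example goes one step beyond the slide by canonicalising the path before the ACL match, which the regexp alone does not do.

```python
import os
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Session:
    user_id: str
    authorization: "re.Pattern"              # AUTHORIZATION regexp set by the login service
    backend_cookies: Dict[str, str] = field(default_factory=dict)


def canonical_path(path: str) -> str:
    """Decode and normalise before matching, so that /app1/%2e%2e/admin is judged
    as /admin and cannot slip past an ACL anchored on ^/app1."""
    return posixpath.normpath(unquote(path.split("?", 1)[0]))


class EntryServer:
    SESSION_COOKIE = "WES_SID"               # assumption: name of the opaque proxy session cookie

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}     # stands in for the SHM session cache
        self.access_log: List[str] = []

    def login(self, user_id: str, authorization_regexp: str) -> str:
        """After the login service answered Login=OK: keep the ACL server-side and
        hand the client only a random session id (the value of the WES_SID cookie)."""
        sid = os.urandom(16).hex()
        self.sessions[sid] = Session(user_id, re.compile(authorization_regexp))
        return sid

    def store_backend_cookie(self, sid: str, set_cookie: str) -> None:
        """Session hiding: a Set-Cookie from the backend is kept in the store instead
        of being sent to the browser, so weak backend cookies never leave the DMZ."""
        name, _, value = set_cookie.split(";", 1)[0].partition("=")
        self.sessions[sid].backend_cookies[name.strip()] = value.strip()

    def handle(self, sid: Optional[str], path: str) -> Tuple[int, Dict[str, str], str]:
        """Returns (status, headers for the backend request, unique id). 401 and 403
        are answered by the entry server itself; the backend only ever sees
        authenticated and authorised requests."""
        unique_id = os.urandom(12).hex()     # what mod_unique_id provides per request
        sess = self.sessions.get(sid) if sid else None
        if sess is None:
            status = 401                      # pre-authentication: no session, no backend
        elif not sess.authorization.search(canonical_path(path)):
            status = 403                      # service-level ACL, second line of defence
        else:
            status = 200
        self.access_log.append("%s user=%s %s %d" % (
            unique_id, sess.user_id if sess else "-", path, status))
        if status != 200:
            return status, {}, unique_id
        headers = {
            "X-Unique-ID": unique_id,          # forwarded so backend logs can be joined on it
            "X-User-ID": sess.user_id,         # principal; in practice the signed ticket of the pre-auth slide
        }
        if sess.backend_cookies:
            headers["Cookie"] = "; ".join("%s=%s" % kv for kv in sess.backend_cookies.items())
        return status, headers, unique_id


if __name__ == "__main__":
    wes = EntryServer()
    sid = wes.login("1234", r"(^/app1|^/app2)")     # ACL from the slide
    wes.store_backend_cookie(sid, "datr=xyz; Domain=.fb.com; Path=/")   # constructed backend cookie
    for p in ("/app1/index.html", "/admin", "/app1/../admin"):
        print(p, wes.handle(sid, p)[0])
    print("\n".join(wes.access_log))
```

Note that the slide's regexp (^/app1|^/app2) also admits /app1evil; an ACL of the form ^/app1(/|$) is tighter. The backend logs its own lines with the X-Unique-ID it received, and joining the two logs on that id is what makes forensics independent of clock drift between proxy and backend.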



Entry Server ToolKit

http://media.hacking-lab.com/largefiles/livecd/

Hacking-Lab

LiveCD



Remember (I)

  • Pre-Authentication reduces the attack surface of unauthenticated users

  • Unique-ID enables proper forensics

  • Cookie store hides insecure cookies

  • Service ACL is a second line of defence for the application authorization scheme



Remember (II)

  • Hacking-Lab LiveCD includes all tools you need to replay

  • Win a car! Qualification wargames have started at www.swisscyberstorm.com

  • All movies of this talk are available online at www.hacking-lab.com



Thank you, Ivan Bütler, E1
