Open Source Web Entry Server

  • Ivan Bütler: "This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software."

Ivan Bütler

[email protected]

About me

Ivan Bütler ¦ E1

  • Founder & Security Researcher for Compass Security, since 1999, Switzerland

  • Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis

  • Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking

  • Speaker @ Swiss IT Leadership Forum Nice 2009: Cyber Underground

  • Lead Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland

  • Board member of Information Security Society Switzerland (ISSS)

  • Lecturing Activities: HSR & HSLU & FHSG

  • Win a Car! – Wargame! USD 30'000 main prize


  • May 12-15, 2011

  • Switzerland, near Zürich

  • OWASP Trainings planned!

Goal of this Talk

  • Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization

  • We will play with Facebook as our backend application

  • The LiveCD includes all demos



PCI DSS Requirement

Without a Web Application Firewall

  • Multiple connections into DMZ

  • Applications directly accessible

Web App Firewall (WAF)

Demo with FB

Web Application Firewall

  • Reverse Proxy to FB

  • Security Checks

  • Content Rewriting

TOOL TIP: mod_proxy

DEMO 1 + 2

Demo movies shown here are available in Hacking-Lab – OWASP

Content Rewriting

  • Relative URLs are not a problem!

  • Content rewriting is not required

<link href="/css/mystyle.css" rel="stylesheet" type="text/css">

Content Rewriting

  • Absolute URLs must be rewritten

  • Cookie domain must be rewritten

  • Cookie values must be rewritten (in some cases)

<a href="" type="text/css">

TOOL TIP: mod_replace

Demo 4

Request Header Patching / Cookie Value Patching
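The rewriting rules above (relative URLs untouched, absolute backend URLs and the cookie Domain attribute rewritten to the proxy's name) as an added Python example; this is not code from the talk or from mod_replace, and the backend and frontend host names are constructed:

```python
import re
from urllib.parse import urlsplit

# Constructed example hosts: the backend application and the public
# name of the reverse proxy (web entry server) in front of it.
BACKEND = "https://app.internal.example"
FRONTEND = "https://www.example.com"


def rewrite_absolute_urls(body: str, backend: str = BACKEND, frontend: str = FRONTEND) -> str:
    """Rewrite absolute links that point at the backend so they point at the proxy.

    Relative links such as /css/mystyle.css are left alone: the browser resolves
    them against the proxy host anyway, which is why they need no rewriting.
    The lookahead stops "app.internal.example" from matching a longer host name.
    """
    pattern = re.compile(re.escape(backend) + r"""(?=[/"'\s?#]|$)""")
    return pattern.sub(frontend, body)


def rewrite_set_cookie(header_value: str, backend: str = BACKEND, frontend: str = FRONTEND) -> str:
    """Rewrite the Domain attribute of a backend Set-Cookie header.

    A cookie scoped to the backend host would never be sent back to the proxy,
    so Domain must name the host the browser actually talks to. Only the Domain
    attribute is changed; Path, Secure, HttpOnly and the value stay as they are.
    """
    backend_host = urlsplit(backend).hostname
    frontend_host = urlsplit(frontend).hostname
    out = []
    for part in (p.strip() for p in header_value.split(";")):
        name, _, value = part.partition("=")
        if name.lower() == "domain" and value.lstrip(".") == backend_host:
            part = f"Domain={frontend_host}"
        out.append(part)
    return "; ".join(out)
```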

Web App Firewall

  • The @inspectFile operator is an API hook that lets you hand uploaded file attachments to an external inspection script

  • Request filtering (e.g. SQL injection)

  • Response filtering (e.g. stack traces)

  • Inspect files (e.g. PDF exploit analysis)

TOOL TIP: mod_security

Demo 5 + 6


Web Entry Server

  • Pre-Authentication

  • Delegated Login Service (DLS)

  • Session Hiding

  • URL Access Control

  • Principal Delegation to Backend App

TOOL TIP: mod_but

Web Entry Server - Swiss Blueprint -

Web Entry Server

  • Backend requests are always authenticated!

  • Strong forensic and logging capabilities

Central Login Service

Pre-Authentication: Principal Delegation


GET /app HTTP/1.0
UserID=1234


Login=OK
Set-Cookie: UserID=1234;

Pre-Authentication: Single Sign On


Server gets initial request with UserID=1234 from WES

Server extracts UserID

Server creates a new, authenticated session

Server only authorizes (authentication has already been done by the WES)


User must authenticate twice (SSO disabled)

Delegated Login Service (DLS)


Principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of plain-text UserID=1234!
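An added Python example of the signed, timestamped principal ticket the slide asks for, in place of the plain UserID=1234 header from the pre-authentication flow above; it is not code from the talk or from mod_but, and the shared key and ticket lifetime are constructed values:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret shared between the login service / WES and the backend.
# In a deployment it comes from a key store, never from source code.
SHARED_KEY = b"constructed-demo-key-change-me"
TICKET_LIFETIME = 300  # seconds; bounds the window in which a captured ticket is usable


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id: str, now: Optional[float] = None) -> str:
    """Ticket = base64(payload) '.' base64(HMAC-SHA256(payload)), payload carries uid and issue time."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "iat": int(now)}, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the ticket is authentic and fresh, otherwise None.

    The backend never trusts the bare user id: it checks the MAC first (constant-time
    compare) and then the issue time, so a hand-crafted 'UserID=1234' or a ticket
    replayed after TICKET_LIFETIME is rejected.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if not 0 <= now - claims["iat"] <= TICKET_LIFETIME:
        return None
    return claims["uid"]
```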

Pre-Authentication - DLS: Delegated Login Service


DLS authenticates on behalf of the user (it knows the credentials from the user repository)

-> Non-origin cookies are then set to


Demo 7 - SSO

Web Forensics: NTP is not enough!

TOOL TIP: mod_unique_id


Demo 7 - UniqueID

URL Access Control


Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);

Demo 8

Service Level ACL

Session Management without session store

Reverse Proxy

Without Session Cache

Session Management with session hiding

Reverse Proxy

Session Cache (SHM)
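An added Python example tying together the URL access control slide (the AUTHORIZATION pattern list returned by the login service) and the session-hiding design with a server-side session cache; it is not code from the talk or from mod_but, and the login reply, cookie names and in-memory cache are constructed stand-ins for the shared-memory cache:

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed login-service reply, in the shape the slides show.
LOGIN_REPLY = "Login=OK\nSet-Cookie: AUTHORIZATION=(^/app1|^/app2);"


def parse_authorization(login_reply: str) -> List[re.Pattern]:
    """Extract the per-user URL patterns from the login service reply."""
    m = re.search(r"AUTHORIZATION=\((.*?)\)", login_reply)
    return [re.compile(p) for p in m.group(1).split("|")] if m else []


@dataclass
class SessionEntry:
    principal: str
    allowed: List[re.Pattern]
    backend_cookies: Dict[str, str] = field(default_factory=dict)  # never sent to the browser


class SessionCache:
    """In-memory stand-in for the entry server's shared-memory session cache."""

    def __init__(self) -> None:
        self._entries: Dict[str, SessionEntry] = {}

    def create(self, principal: str, login_reply: str) -> str:
        sid = secrets.token_urlsafe(32)  # opaque id, the only cookie the browser gets
        self._entries[sid] = SessionEntry(principal, parse_authorization(login_reply))
        return sid

    def store_backend_cookie(self, sid: str, name: str, value: str) -> None:
        """On backend responses, keep Set-Cookie server-side (session hiding)."""
        self._entries[sid].backend_cookies[name] = value

    def authorize(self, sid: Optional[str], path: str) -> Optional[Dict[str, str]]:
        """Return the headers to forward upstream, or None if the request is denied."""
        entry = self._entries.get(sid or "")
        if entry is None:
            return None  # no pre-authenticated session: backend is never reached
        # Service ACL, second line of defence: patterns come from the login service,
        # so they must be anchored precisely ("^/app1" would also match "/app1x").
        if not any(p.match(path) for p in entry.allowed):
            return None
        # Any client-supplied UserID header must have been stripped before this point.
        headers = {"UserID": entry.principal}
        if entry.backend_cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in entry.backend_cookies.items())
        return headers
```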

Entry Server ToolKit



Remember (I)

  • Pre-Authentication reduces the attack surface of unauthenticated users

  • Unique-ID enables proper forensics

  • Cookie store hides insecure cookies

  • Service ACL is a second line of defence for the application authorization scheme

Remember (II)

  • Hacking-Lab LiveCD includes all tools you need to replay

  • Win a car! Qualification wargames have started at

  • All movies of this talk are available online at

Thank you
Ivan Bütler, E1
