Open Source Web Entry Server
  • Ivan Bütler: „This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering capabilities with open-source software.“

Ivan Bütler

About me

Ivan Bütler ¦ E1

  • Founder & Security Researcher for Compass Security, since 1999, Switzerland
  • Speaker @ BlackHat Las Vegas 2008: SmartCard (In)Security – APDU Analysis
  • Speaker @ IT Underground Warsaw 2009: Advanced Web Hacking
  • Speaker @ Swiss IT Leadership Forum, Nice 2009: Cyber Underground
  • Lead of the Swiss Cyber Storm 2011 Security Conference, 12-15 May 2011, Switzerland
  • Board member of the Information Security Society Switzerland (ISSS)
  • Lecturing Activities: HSR & HSLU & FHSG

Win a Car! – Wargame! USD 30'000 main prize

  • May 12-15, 2011
  • Switzerland, near Zürich
  • OWASP Trainings planned!
Goal of this Talk
  • Learn how to turn the Apache web server into a front-end web-application firewall with pre-authentication, session hiding and URL authorization
  • We will play with Facebook as our backend application
  • The LiveCD includes all demos



Without a Web Application Firewall

Multiple connections into DMZ

Applications directly accessible

Web App Firewall (WAF)

Demo with FB

Web Application Firewall

  • Reverse Proxy to FB
  • Security Checks
  • Content Rewriting

TOOL TIP: mod_proxy


DEMO 1 + 2

Demo movies shown here are available in Hacking-Lab – OWASP

Content Rewriting

  • Relative URLs are not a problem!
  • Content rewriting is not required

<link href="/css/mystyle.css" rel="stylesheet" type="text/css">

Content Rewriting

  • Absolute URLs must be rewritten
  • Cookie domain must be rewritten
  • Cookie values must be rewritten (in some cases)

<a href="" type="text/css">

TOOL TIP: mod_replace
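What the rewriting filter on the reverse proxy has to do for the two cases above (absolute URLs and the cookie Domain attribute), as an added Python illustration that is not code from the talk or from mod_replace; the hostnames are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed hostnames for the example (assumptions, not from the talk).
BACKEND_HOST = "www.backend.example"   # where the reverse proxy fetches content
PUBLIC_HOST = "wes.example.org"        # the only hostname the browser ever sees


def rewrite_body(body: str, backend_host: str = BACKEND_HOST,
                 public_host: str = PUBLIC_HOST) -> str:
    """Rewrite absolute URLs that point at the backend so they point at the WES.

    Relative URLs such as /css/mystyle.css are left alone: they already resolve
    against the proxy's own hostname. The lookahead stops the pattern from
    matching a longer hostname such as www.backend.example.attacker.test.
    """
    pattern = re.compile(r"(https?://)" + re.escape(backend_host)
                         + r"(?=[/\"'\s>]|$)", re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + public_host, body)


def rewrite_set_cookie(header_value: str, backend_host: str = BACKEND_HOST,
                       public_host: str = PUBLIC_HOST) -> str:
    """Rewrite the Domain attribute of one Set-Cookie header value.

    A cookie scoped to the backend's domain (or a parent of it) would be
    rejected or never sent back by a browser that is talking to the WES.
    """
    out = []
    for attr in (a.strip() for a in header_value.split(";")):
        name, _, value = attr.partition("=")
        if name.lower() == "domain":
            dom = value.strip().lstrip(".").lower()
            b = backend_host.lower()
            if dom == b or b.endswith("." + dom):
                attr = "Domain=" + public_host
        out.append(attr)
    return "; ".join(out)


def rewrite_response(headers: List[Tuple[str, str]],
                     body: str) -> Tuple[List[Tuple[str, str]], str]:
    """Apply both rewrites to a backend response (header list plus HTML body)."""
    new_headers = [(k, rewrite_set_cookie(v) if k.lower() == "set-cookie" else v)
                   for k, v in headers]
    return new_headers, rewrite_body(body)
```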


Demo 4

Request Header Patching
Cookie Value Patching

Web App Firewall

  • The @inspectFile operator is simply an API that lets you inspect uploaded file attachments

< request filtering | e.g. SQL injection >

< response filtering | e.g. stack traces >

< inspect files | e.g. PDF exploit analysis >

TOOL TIP: mod_security


Demo 5 + 6


Web Entry Server
  • Pre-Authentication
  • Delegated Login Service (DLS)
  • Session Hiding
  • URL Access Control
  • Principal Delegation to Backend App

TOOL TIP: mod_but

Web Entry Server - Swiss Blueprint -

Web Entry Server

  • Backend requests are always authenticated!
  • Strong forensic and logging capabilities

Central Login Service

Pre-Authentication – Principal Delegation


GET /app HTTP/1.0
UserID=1234


Login=OK
Set-Cookie: UserID=1234;

Pre-Authentication – Single Sign On


Server gets initial request with UserID=1234 from WES

Server extracts UserID

Server creates a new, authenticated session

Server authorizes only


User must authenticate twice (SSO disabled)

Delegated Login Service (DLS)


Principal ticket should be an encrypted/signed, timestamped value (against replay attacks) instead of the plain-text UserID=1234!
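One way to build the signed, timestamped principal ticket the slide asks for, as an added Python example that is not code from the talk or from mod_but: the WES issues an HMAC over "user id | issue time" and the backend rejects anything forged, malformed or older than a short window. The shared key and lifetime are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed key shared by WES and backend (an assumption; load it from a key
# store in practice). The backend accepts a ticket for TICKET_LIFETIME seconds.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TICKET_LIFETIME = 60


def issue_ticket(user_id: str, key: bytes = SHARED_KEY,
                 now: Optional[int] = None) -> str:
    """WES side: bind the principal to its issue time and MAC both together."""
    if "|" in user_id:
        raise ValueError("separator not allowed in user id")
    ts = int(time.time()) if now is None else now
    payload = f"{user_id}|{ts}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_ticket(ticket: str, key: bytes = SHARED_KEY,
                  now: Optional[int] = None,
                  lifetime: int = TICKET_LIFETIME) -> Optional[str]:
    """Backend side: return the user id, or None for a forged, malformed or stale ticket.

    The timestamp bounds how long a captured ticket can be replayed; closing the
    window completely needs a server-side nonce cache on top of this check.
    """
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
        payload, _, tag = raw.rpartition(b"|")      # tag is hex, so no '|' inside it
        user_id, _, ts_str = payload.decode().partition("|")
        ts = int(ts_str)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        return None
    current = int(time.time()) if now is None else now
    if not 0 <= current - ts <= lifetime:            # stale or from the future
        return None
    return user_id
```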

Pre-Authentication - DLS (Delegated Login Service)


DLS authenticates on behalf of the user (it knows the credentials from the user repository)

-> Non-origin cookies are then set to


Web Forensics – NTP is not enough!

TOOL TIP: mod_unique_id


URL Access Control


Login=OK
Set-Cookie: AUTHORIZATION=(^/app1|^/app2);


Demo 8

Service Level ACL
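The service-level ACL check the login response above enables, as an added Python example (not code from the talk or from mod_but): the regex set by the login service is kept in the WES session cache, never taken from the client, and the request path is canonicalized before matching so that traversal or percent-encoding cannot slip past a prefix rule.

```python
import posixpath
import re
from urllib.parse import unquote


def parse_acl(cookie_value: str) -> "re.Pattern[str]":
    """Compile the ACL set by the login service, e.g. '(^/app1|^/app2)'.

    The WES keeps this value in its own session cache; nothing a client sends
    is ever used as the pattern.
    """
    return re.compile(cookie_value)


def normalize_path(request_target: str) -> str:
    """Canonicalize the path before matching, so that /app1/../admin or
    /app1/%2e%2e/admin resolve to the path the backend would actually serve."""
    path = request_target.split("?", 1)[0]      # drop the query string
    path = unquote(path)                         # %2e%2e -> ..
    path = re.sub(r"/+", "/", path)              # collapse // (normpath keeps a leading //)
    path = posixpath.normpath(path)              # resolve . and ..
    return path if path.startswith("/") else "/" + path


def is_allowed(acl: "re.Pattern[str]", request_target: str) -> bool:
    """Second line of defence: the request only reaches the backend if the
    canonical path matches the user's ACL. Anything else is denied."""
    return acl.search(normalize_path(request_target)) is not None
```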

Session Management without session store

Reverse Proxy

Without Session Cache

Session Management with session hiding

Reverse Proxy

Session Cache (SHM)

Entry Server ToolKit



Remember (I)
  • Pre-Authentication reduces the attack surface of unauthenticated users
  • Unique-ID enables proper forensics
  • Cookie store hides insecure cookies
  • Service ACL is a second line of defence for the application authorization scheme
Remember (II)
  • Hacking-Lab LiveCD includes all tools you need to replay
  • Win a car! Qualification wargames have started at
  • All movies of this talk are available online at