
BSidesTO2017 Victor Hora

BSides Toronto, 27:44, 67 views, published 2018-01

Yeah, so, a quick presentation here on the upcoming release of ModSecurity. As he just said, Felipe is the lead developer of ModSecurity, but he couldn't come because, you know, he's in Brazil and the weather there is great, so, not this time. Just a quick agenda. That's me: I'm a member of the SpiderLabs research team. There are many different teams inside SpiderLabs research, but I'm focused on web service security, and the team works with WAFs. There's two WAFs: there's the Trustwave WAF and there's ModSecurity. I only work with ModSecurity. I also contribute to the Core Rule Set, which is the most common rule set for ModSecurity, if you ever used it.

I worked in different roles before that, and that's where I'm at. Felipe, that's Felipe, and he's also part of the team, and he has been the main architect of ModSecurity for the past five years.

So, just a little bit of "what". There are many, many different industry names, so every vendor likes to call it their own, but when you see all those names it's basically a WAF. And this is the definition that I like: a WAF can be a virtual or physical appliance that prevents vulnerabilities in our applications from being exploited by outside threats. This is something nice that I like to put in slides: by 2020 more than 60% of public web applications will be protected by WAFs. I'm hoping for that so I can keep my job.

Just a quick overview of, I would say, the minimal features of a WAF: anomaly detection, input validation, the different security models, rule-based and anomaly-based models. This one I just wanted to highlight a little bit, because that's the difference when you are looking at, let's say, signature-based rules versus more generic rules like you have in the Core Rule Set: in the sense that whenever you get a match you don't perform an action immediately, like a block or something; you just add that rule's score, and then, based on the score that you define, at the end of the evaluation of all the rules you decide if you're blocking or not. State management actions, so you can track sessions and stuff like that. Response monitoring. And virtual patching, which is what most of the commercial rules are focused on; virtual patching in a nutshell is when you develop a specific signature to detect, let's say, something like the Struts vulnerability, which maybe most of you are aware of: you detect a specific payload and then you block based on that.

So ModSecurity, I like to call it the Swiss Army knife of WAFs, because it's very configurable. You're not tied to a web interface or something; you can just do whatever you want. You can run outside scripts when you're parsing rules and parsing requests and stuff like that. So, who's using ModSecurity? These guys, and many of them are actually users that, you know, are maybe customers of SpiderLabs, or just users that are active in the open source community for ModSecurity, but many of them are also using ModSecurity as a back-end engine. So for instance Verizon, NGINX, Fastly, CloudFlare: if you're using any of those services you're using ModSecurity in the back end. And at the same time as I'm proud seeing this slide, I'm also very concerned every time that I push some code to GitHub, because I might break something.

So ModSecurity in a nutshell, at least version 2: it is an open source web application firewall. Currently we have support for Apache, NGINX and IIS. So version 2 was a web filter module for Apache, and basically every other version, like NGINX or IIS, was using the Apache one underneath, and this is one of the reasons that we don't like it, at least, and why we wanted to rewrite ModSecurity. It is the most widely deployed WAF, as I mentioned; we have this data from a few years ago, and we know that it's probably much more these days, specifically because, as I mentioned, there are many vendors using ModSecurity in the back end.

So, just very quickly, the basic features: ModSecurity is able to decode and identify file uploads, parse JSON, parse XML, and this kind of stuff, so you can easily use ModSecurity rules to check for a specific payload or a specific data set inside JSON or XML, and it's ideal for virtual patching.

Well, it is open source. It's amazing. I'm not gonna go over details; I assume most people know what open source means. I just like to highlight that there's no upfront cost, but that doesn't say that it's gonna be 100% free, because it's not set and forget: you usually have to spend some time tuning and configuring it for your environment and application. A firewall is always just as good as the rules, right? So if you don't have proper rules in place you're not gonna have, maybe, the protection that you're looking for. So there are no rules from ModSecurity itself; it's the engine. You have to get the rules. Usually most people use the Core Rule Set, and it is great. I'm not sure if many of you or some of you used ModSecurity in the past, but there was a major release of the Core Rule Set last year and it's much better now; the false positive rate was reduced by over 90 percent. So it's working great, I would recommend at least trying it out. There are also the commercial rules: some vendors provide commercial rules, SpiderLabs also does, so please buy rules so I can keep my job. And they're great because you don't have to... so the core rules are easy to deploy, but they're not supposed to prevent all kinds of vulnerabilities, and the commercial rules from many different vendors try to do that.

So there's no graphical user interface as well, so the learning curve can be a bit intimidating at first, but the flexibility that this provides, I think it's better. There are third-party tools for that that you can try out; I can't name all of them because there are many. And there's no rule development platform as well, so you have to develop rules mainly using the CLI.

OK, so ModSecurity 3. Rewriting it from scratch, which is what we're doing. So there's a few things. If you look here, it's the current architecture for ModSecurity 2.9. So if you're using, for instance, ModSecurity for IIS, which is great, for you to deploy it you have to have all those intermediate layers over here. So for instance you have to have Apache, and the ModSecurity Apache module on the left side here, the Apache runtime library; so even if you're not running Apache you have to have all those libraries and components on your Windows or your, let's say, NGINX web server. And this is something that caused issues, and all the dependencies that we just didn't like. One of them was: we had a release of version 2.9.2 of ModSecurity four months ago, and I had to rebuild the package for IIS, and because of those dependencies it was a bit of a headache. So you see those green lines over here are all the dependencies that you have to have to be able to compile ModSecurity. And just getting the results to work was like two days of work, maybe. But yeah, you have the package ready, so if you want to put ModSecurity on IIS now it's easy, just download the package. But if you want to get the bleeding edge version, maybe new features, you have to compile it yourself, so you have to go through this not very nice process. And for NGINX: if you want to use ModSecurity for NGINX, we recommend you go to version 3, because version 2 is simply not stable enough; we had many issues and some of them were because of this dependency on Apache. So yeah, don't use it, go for version 3.

So this is ModSecurity version 3. We had release candidate 1 over a year ago, and we had a release candidate three months, two months ago, and we are looking to release a gold version hopefully this

year, but it might be pushed to January, we don't know yet. But it's pretty stable. There are many people using it already, especially for NGINX; if you sign up to NGINX Plus, for instance, you have libmodsecurity already embedded there, easy for you to use, and you have support from them. So we had good feedback. So the big difference here is: if you see, you don't need this middle layer here, the ModSecurity standalone, which is a bridge in the previous version, and you don't need the ModSecurity Apache module anymore, and you don't even need the Apache runtime library. So you take away many layers and much complexity, so it's much better. You still have these dependencies; some of them are mandatory, like libinjection, which is what we use to detect cross-site scripting and SQL injection, and it works pretty well, and PCRE, the Perl-compatible regex library, is also mandatory, but the rest is optional. So it makes it a breeze. The idea is that you have the Apache connector or the NGINX connector or the IIS connector; we call it a connector, but it's basically like a module or add-on or something that you configure on your web server, and this connector talks to the library, and that's it.

So that's the installation process. I just wanted to describe it because it's really easy: the first step there is just downloading or getting your compiler and basic dependencies, and trust me, if you follow that it's gonna work. There's no headache, it's very, very simple. But that's for the library. And this is just a simple example of a ModSecurity connector. Basically here you're including the ModSecurity headers, and then you're instantiating the variables, you have your configuration file over there, you're calling the ModSecurity functions to check the URL, which in this case is hard-coded because it's just a simple example, but it's just to show how simple it is to have your application or your web server, or whatever it is, talking to ModSecurity. On the right side there you just have a simple ModSecurity rule; it's the usual action to detect cross-site scripting (XSS) on the arguments from the request. And if you copy and paste this code and run it, this is what you're gonna see. Over the top there you can see that it detected a cross-site scripting, and then here, sorry, this is the debug log from ModSecurity, that's why it's so verbose like that.

So I have a quick demo here. Let's all pray. Oh, OK, good. Is the size OK? OK, so here I'm just pasting the rules, and this is basically saying to spit the debug log to stdout, and that's the rule; in this case it's the @detectSQLi operator, actually. Well, if you're familiar with ModSecurity, those rules should be easy.

Yeah, so if you look at it, in this case the request has no arguments, so it basically says that rule returns zero over there, and it's running the operator detectSQLi in this case. I'll run it again with an argument of a=b, and again it has seen the value over there, but it hasn't detected SQL injection. And now I'm just gonna put a potential SQL injection payload there, and it instantly detected it. So this is a very simple example, but just showing how easy it is to write a connector for ModSecurity.

Nice. So, can you make it simpler to extend? Yes, that's one of the reasons also for libmodsecurity. So in this case here we are using Python bindings for libmodsecurity, so you can interface with ModSecurity from Python. If you don't want to code in C, if you're afraid of C like I am, you can use Python for that. So if you want to create maybe a web interface for ModSecurity, or whatever, if you want to get your own CLI tool to manage ModSecurity, you can use that, using Python. So this simple script here just instantiates ModSecurity, loads the rules from a file, and based on the number of ModSecurity phases, prints the rules for each phase. ModSecurity phases, so there are different phases in ModSecurity: one of them is processing request headers, or the post body, or logging, and stuff like that.

Yeah, my Python code is running, and so, yeah, it's basically dumping the rules there and showing the rule IDs and where they are located. So it is based on SWIG, so if you want to maybe create bindings for other languages, maybe Ruby or whatever, it should be simple to do that.

This was also available in version 2, but in version 3 we're making some improvements; actually last week Felipe spent a lot of time tuning and pushing some fixes and improvements for the Lua interpreter. So the idea with Lua is different: in this case it's a scripting engine, it's not like the bindings that we have for Python, because for Lua the idea is that for every rule that matches, every request that gets analyzed, you can run a script in Lua, and it's precompiled, in the sense that you're not gonna have all the overhead of maybe calling some external bash script or whatever; it is integrated inside libmodsecurity, so you can just do anything. So in this case here it's a very simple example: just getting the variables from the request, looking at the arguments, applying the transformations to normalize the data, and then looking for a string with "script", and then returning, like, on the logs, "suspected cross-site scripting". So it's a very simple case, but just imagine you can do something like: OK, if there is a file upload, check if there is potential malware or something, run some scan on the file, or whatever; you can do anything you like. We had written code for just checking the price of Bitcoin and, based on that, changing the behavior of ModSecurity. You can do stuff like that.

Yeah, so can you make it faster? Yes, it's one of the reasons. So for ModSecurity we have the concept of collections, and the idea is basically tracking user sessions; so let's say if you want to check if a user is sending too many requests for a given URL, or stuff like that, you can use the collections. But the problem with version 2 is that these collections are stored in, it's like a database file, and it had some issues, especially for things like parallelism, so sometimes you have this database growing a lot, and we had tons of issues, I'm not gonna get into all of it, but we wanted to change that, and for version 3 we're using LMDB (Lightning Memory-Mapped Database), and it has many cool features: it allows concurrent processing, distributing processing over different systems, and stuff like that. So this is already available and we had good results so far, and it's available since mid last year. We have more collection backends to come, and the idea here is that we want to implement them, but there's just too much stuff to do, so we don't know yet when they will come; it's basically community-driven, so if we see more user interest to see those backends we can definitely prioritize, or if any of you are interested to contribute, or whatever, you're more than welcome.

So I just have a quick demo here for performance.

Oh yeah, that's what I want. OK, this is just to make it a little bit smaller.

OK, so this is a comparison of the speed of ModSecurity on HTTP/2, and this picture that is loading is very intensive, in the sense that it's many megabytes in size, or whatever, and you can see the difference here. In the middle we have pure HTTP/2, and then on the right side HTTP/2 with ModSecurity with the Core Rule Set, which are the generic rules, so they're very intensive: they use a lot of collections, there are many generic checks, so this takes a lot of CPU time. And for me the difference is negligible, at least by my standards, if you think about the level of protection that you get just for putting the CRS in. And that's HTTP 1.1; because it's 1.1 it's making multiple requests to get the file, that's why you have this major difference. So the video duration is like 56 seconds, that's how long it

So can we make it safer? Yes, it's one of the goals as well. So for version 3, rebooting, we are putting in unit tests and also regression testing for any new feature that we add. So for every new commit that goes to ModSecurity, it's mandatory to have regression testing and unit testing. So that's very good; we're very proud of it. If you see, now we have almost, I don't know, almost 5,000 tests in total for all the features and variables and transformations, normalization and everything like that. And we are also fuzzing it. There's a very cool blog post, which was released a few months ago, about integrating fuzzing with ModSecurity, and we're using, of course, American Fuzzy Lop, and this is something that we're very proud of: it's been running for 140 days and it's checking the core and some very major functions of ModSecurity. If you're not familiar with American Fuzzy Lop, it's a fuzzer, so it just sends, OK, I'm gonna say random, but it's not the case, it's simplified data, and checks how it behaves, if it crashes and in which path it crashes, and stuff like that. So it helps finding bugs. So it's running for 140 days, no crashes so far; you can see on the right side it has run through almost 2 million cycles and 30 different paths inside the code, and zero crashes so far. So we're very, very proud of it.

So if you want to get more info on ModSecurity, like how to start, how to use it, and even some kind of support, or to get involved in the community, we have, you know, different GitHub pages: for ModSecurity, for the NGINX connector, for the Apache connector; and there's the SpiderLabs blog, where we post any new features and major stuff from ModSecurity; there's a Slack channel, IRC, Twitter, whatever. And if you want to help us even more, come work with us: we do have a position on my team, the ModSecurity team, and it's very nice, I totally recommend it; it's getting paid to work with open source software, so you don't get that too often. It's very cool stuff, we have a lot of stuff to do, and there are other positions open. And yeah, that's it.

Time for questions? No? OK, so any questions, just, you know, email, whatever.
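The talk only shows its rules on slides, so here is an added example, written for this page and not taken from the talk, from ModSecurity itself or from the Core Rule Set: a small rule file in ModSecurity's own rule language that puts together the two points the speaker makes. The first part is the anomaly-scoring model, where a matching rule only adds to a score and the block decision is taken once, at the end of the phase; the second part is a persistent collection used to count requests per client IP, the use case the talk gives for collections. The rule IDs, the threshold of 5, the individual scores, the 60-second window and the 100-request limit are arbitrary values chosen for the example.

```apacheconf
# Added example (not from the talk, ModSecurity or the CRS): anomaly scoring plus
# a collection-based request counter in the ModSecurity rule language.
# Rule ids in the 9000xx range, the threshold of 5 and the scores are arbitrary.

SecRuleEngine On
SecRequestBodyAccess On

# Phase 1: reset the per-transaction score and set the blocking threshold.
SecAction "id:900001,phase:1,pass,nolog,t:none,\
    setvar:tx.anomaly_score=0,\
    setvar:tx.inbound_threshold=5"

# Detection rules use 'pass': a match only raises the score, it never blocks.
# @detectXSS and @detectSQLi are the libinjection operators; the talk names
# libinjection as one of the mandatory dependencies of libmodsecurity.
SecRule ARGS "@detectXSS" \
    "id:900010,phase:2,pass,log,msg:'XSS in request argument',\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    setvar:tx.anomaly_score=+5"

SecRule ARGS "@detectSQLi" \
    "id:900011,phase:2,pass,log,msg:'SQLi in request argument',\
    t:none,t:urlDecodeUni,\
    setvar:tx.anomaly_score=+5"

# A weak, generic signal: worth a couple of points, never enough to block alone.
SecRule REQUEST_HEADERS:User-Agent "@rx ^(curl|python-requests)/" \
    "id:900012,phase:2,pass,log,msg:'scripted client',\
    t:none,t:lowercase,\
    setvar:tx.anomaly_score=+2"

# Decision point, placed last in phase 2: block only when the accumulated score
# reaches the threshold. Changing 'deny' to 'pass' (or SecRuleEngine to
# DetectionOnly) gives the tuning mode used when rolling out new rules.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_threshold}" \
    "id:900099,phase:2,deny,status:403,log,\
    msg:'Inbound anomaly score %{tx.anomaly_score} reached threshold %{tx.inbound_threshold}'"

# Collection-based request counter. The 'ip' collection is persisted by the
# engine (SDBM files in 2.x; LMDB in 3.x when built with LMDB support), so the
# count survives across requests and worker processes. expirevar drops the
# counter 60 seconds after it was last set.
SecAction "id:900020,phase:1,pass,nolog,t:none,\
    initcol:ip=%{REMOTE_ADDR},\
    setvar:ip.request_count=+1,\
    expirevar:ip.request_count=60"

SecRule IP:REQUEST_COUNT "@gt 100" \
    "id:900021,phase:1,deny,status:429,log,\
    msg:'More than 100 requests from %{REMOTE_ADDR} within 60 seconds'"
```

Load the file from the connector's configuration (for example the rules-file directive of the NGINX or Apache connector) and start with `SecRuleEngine DetectionOnly` so the scores show up in the audit log before anything is blocked. Check `initcol` and `expirevar` against the libmodsecurity release you deploy: the 3.0 release candidates the talk refers to did not yet implement every action from 2.9, and the collection backend must be compiled in for the counter to persist.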