
TABLE OF CONTENTS

TABLE OF CONTENTS ... 1
PREFACE ... 4
LIST OF FIGURES ... 6
LIST OF TABLES ... 7
CHAPTER I OVERVIEW OF THE HTTP PROTOCOL ... 8
1.1. General introduction ... 8
1.1.1. URI - Uniform Resource Identifiers ... 8
1.1.2. Some common methods ... 9
1.2. HTTP messages ... 13
1.2.1. Structure of an HTTP message ... 13
1.2.2. Fields in the HTTP header ... 16
CHAPTER II - MODSECURITY ... 18
2.1. Understanding ModSecurity ... 18
2.1.1. What ModSecurity is ... 18
2.1.2. Capabilities of ModSecurity ... 18
2.1.3. Request processing in Apache and ModSecurity ... 20
2.2. Rules ... 22
2.2.1. ModSecurity Core Rules ... 22
2.2.2. Configuring directives ... 23
2.2.3. Variables and collections ... 26
2.2.4. Transformation functions ... 29
2.2.5. Operators ... 30
2.2.6. Actions ... 33
2.3. Logging ... 35
2.3.1. Debug log ... 35
2.3.2. Audit logging ... 36
2.3.3. Customising log information ... 37
2.4. Regular expressions ... 37
2.4.1. Introduction to regular expressions ... 37
2.4.2. Using regular expressions in ModSecurity ... 38
2.5. Installing and basic configuration of ModSecurity on a CentOS server ... 39
2.5.1. Installing ModSecurity ... 39
2.5.2. Basic configuration ... 40
2.6. Writing and analysing some basic rules ... 41
CHAPTER III BUILDING POLICIES ON MODSECURITY AGAINST SOME ATTACKS ON WEB APPLICATIONS ... 44
3.1. ModSecurity deployment model and demo scenario ... 44
3.1.1. Building the demo scenario ... 44
3.2. Building policies on ModSecurity against some attacks on web applications ... 45
3.2.1. Preventing HTTP fingerprinting ... 45
3.2.2. Preventing brute-force attacks ... 47
3.2.3. Preventing Cross-Site Scripting (XSS) attacks ... 48
3.2.4. Preventing SQL injection attacks ... 52
CONCLUSION ... 56
REFERENCES ... 57

PREFACE

In recent years web applications have grown very strongly; almost everyone has heard of and worked with a web application. Websites have become widespread and an important part of everyday life, especially for businesses and organisations. The more widespread web applications become, the more sophisticated the attacks on them become, which raises the need for web application security. Many organisations and companies have built web application firewalls to protect their web application servers, such as Imperva, Check Point or ModSecurity. Imperva and Check Point are commercial products, while ModSecurity is an open source product.

Therefore, in this project our group carries out the study "Research and deployment of a ModSecurity system", with the aim of building policies that defend against some common attacks on today's web applications, such as HTTP fingerprinting, brute force, Cross-Site Scripting (XSS), SQL injection and DoS attacks. Within the scope of this project, we present the topic in three main parts, as follows:

Chapter 1: Overview of the HTTP protocol
In this part we introduce the URI and some of the common HTTP methods, and explain how HTTP works and the structure of a request/response message.

Chapter 2: ModSecurity
In this part we give an overview of ModSecurity, how it works, and how Apache and ModSecurity process a request. We also introduce the syntax of a rule and its components.

Chapter 3: Building policies on ModSecurity against some attacks on web applications
In this part the group presents several rule sets against common web application attacks such as XSS, brute force, SQL injection and DoS.

LIST OF FIGURES
Figure 1-1 Basics of the HTTP protocol ... 8
Figure 1-2 Full structure of a URI ... 9
Figure 1-3 The GET method ... 10
Figure 1-4 Web forms POST ... 10
Figure 1-5 POST operation ... 11
Figure 1-6 PUT operation ... 11
Figure 1-7 File deletion with DELETE ... 12
Figure 1-8 Structure of an HTTP request message ... 14
Figure 1-9 Some examples of HTTP message content ... 14
Figure 1-10 A concrete Request-Line example ... 15
Figure 1-11 Structure of an HTTP response message ... 15
Figure 1-12 HTTP response ... 16
Figure 1-13 The Status-Line field in detail ... 16
Figure 1-14 HTTP header example ... 16
Figure 2-1 ModSecurity overview model ... 18
Figure 2-2 Request processing in Apache and ModSecurity ... 20
Figure 2-3 Before configuring ModSecurity ... 41
Figure 2-4 After basic ModSecurity configuration ... 41
Figure 3-1 ModSecurity deployment model ... 44
Figure 3-2 Result of the HTTP fingerprinting attack ... 46
Figure 3-3 Result of blocking the HTTP fingerprinting attack ... 47
Figure 3-4 Result of blocking the brute-force attack ... 48
Figure 3-5 Result of the XSS attack ... 49
Figure 3-6 Result of blocking the XSS attack ... 51
Figure 3-7 Result of the SQL injection attack ... 53
Figure 3-8 Result of blocking the SQL injection attack ... 54

LIST OF TABLES
Table 2-1 Directive types in ModSecurity ... 24
Table 2-2 Transformation functions of ModSecurity ... 30
Table 2-3 String-matching operators ... 31
Table 2-4 Comparison operators ... 31
Table 2-5 Validation operators ... 32
Table 2-6 Miscellaneous operators ... 32
Table 3-1 Characters that should be encoded to prevent XSS attacks ... 50
Table 3-2 Commands commonly used in SQL injection attacks ... 53

CHAPTER I OVERVIEW OF THE HTTP PROTOCOL

1.1. General introduction

HTTP (Hypertext Transfer Protocol) is an application-layer protocol in the OSI reference model. HTTP allows many kinds of servers and clients to communicate with each other, mainly over the TCP/IP protocol suite. The standard port is 80, although any other port can be used. Communication between client and server is based on a request/response pair: the client initiates an HTTP request and receives the HTTP response that the server sends back.

Figure 1-1 Basics of the HTTP protocol

An HTTP request consists of two important components sent by the client: the URI and the method. In the opposite direction, the server returns an HTTP response containing a status code and the message body.

1.1.1. URI - Uniform Resource Identifiers

We are usually familiar with the definition of a URL (Uniform Resource Locator), for example http://www.at7a.kma. There is little difference between the two concepts URL and URI: a URL is just one kind of URI. The URI is a technical specification used by the HTTP protocol.

Figure 1-2 Full structure of a URI

- Protocol: identifies the protocol and the application needed to access the resource; in this case the HTTP protocol.
- Username: if the protocol supports the notion of a user name, the username supplies the user name used to authenticate access to the resource.
- Password: the password for accessing the resource.
- Host: the traditional domain name of the web server.
- Port: the port of the application-layer protocol; for HTTP, for example, port 80.
- Path: the hierarchical path to the resource located on the server.
- File: the name of the resource file on the server.
- Query: additional queries from the client about the resource.
- Fragment: a particular position within the resource.


1.1.2. Some common methods

GET
Used by the client to retrieve an object or resource on the server, identified by the URI. In figure 1-3 the client creates and sends a GET message to the server; this message identifies, by a URI, the object the client asks the server to deliver. The server may return the requested resource with the status code 200 OK. If the server cannot satisfy the client's request, it returns one of the other status codes described in the section on status codes.

Figure 1-3 The GET method

POST
Whereas GET lets a server send information to a client, the POST operation gives the client a way to send information to the server. Browsers use POST to send the contents of forms to the web server.

Figure 1-4 Web forms POST

Figure 1-5 POST operation

As figure 1-5 shows, the POST operation is as simple as the GET method. The client sends a POST message that includes the information it wants to deliver to the server. Just as with GET, part of the POST message is a URI, but in this case the URI identifies the object on the server that can process the information.

- File upload: PUT
PUT gives the client a way to send information to the server; in other words, PUT is used to upload data to the server.

Figure 1-6 PUT operation

As figure 1-6 shows, PUT works very much like the POST method. With POST the client sends a URI and data, and the web server returns a status code, optionally accompanied by data. The difference between POST and PUT lies in the URI: with POST the URI identifies an object on the server that can process the data; with PUT the URI identifies the object on the server where the data should be placed.

- DELETE
With GET and PUT, HTTP becomes a simple file transfer protocol. The DELETE operation completes that function by letting the client remove objects and resources from the server. As the figure below shows, the client sends a DELETE message along with the URI of the object the server should delete. The server responds with a status code and accompanying data.

Figure 1-7 File deletion with DELETE

HEAD
The HEAD operation is the same as GET, except that the server does not return the requested object itself. Specifically, the server returns a status code but no data. (HEAD means "header": the server returns only a message containing headers, not data.) A client can use a HEAD message when it wants to verify whether an object exists. For example, HEAD can be used to make sure a link points to a valid object without consuming bandwidth. A browser cache can also use HEAD to see whether an object has changed: if it has not, the previously stored copy is displayed; if it has, a GET is issued to fetch the data from the server.
1.2. HTTP messages

This section presents the overall structure of an HTTP message. As we will see, an HTTP message starts with a request line or a status line, which may be followed by various headers and the message body.

1.2.1. Structure of an HTTP message

HTTP has two actors, the client and the server. Clients send requests and servers send responses, so we analyse the two main messages: HTTP requests and HTTP responses.

HTTP Request

Figure 1-8 Structure of an HTTP request message

The figure above shows the basic structure of an HTTP request. An HTTP request starts with the Request-Line, which may be followed by one or more headers and the body. More concretely, figure 1-9 shows an HTTP message in text form when Firefox visits http://at7a.kma. The first line is the Request-Line, and the message headers make up the rest of the text.

Figure 1-9 Some examples of HTTP message content

Figure 1-10 breaks the Request-Line down further; it consists of three parts: Method (the method of the message), URI, and Version (the HTTP version).

Figure 1-10 A concrete Request-Line example

The method appears first in the Request-Line; in the example above it is GET. The next item in the Request-Line is the Request-URI, which holds the resource to be accessed. In the example above the Request-URI is "/", indicating a request for the root resource. The last part of the Request-Line is the HTTP version; as the example shows, HTTP version 1.1.

HTTP Response
An HTTP response starts with the Status-Line. It is followed by the headers and a blank line, and finally the body.

Figure 1-11 Structure of an HTTP response message

The Status-Line starts with the HTTP version number (here HTTP/1.1), followed by the status code (here 200 OK). Below is the response returned for an HTTP request to http://at7a.kma.

Figure 1-12 HTTP response

Figure 1-13 The Status-Line field in detail

1.2.2. Fields in the HTTP header

Figure 1-14 HTTP header example

As we saw in the previous sections, an HTTP request and an HTTP response may include one or more message headers. A message header starts with a field name followed by a colon. In the example above the message headers are Accept, Accept-Language, and so on. An HTTP header can carry many fields serving different features and purposes; since this document is only an introduction they are not covered here. You can refer to http://tools.ietf.org/html/rfc2068.
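To make the request, response and URI structures of this chapter concrete, here is an added Python example (not part of the original document) that parses constructed sample messages into their Request-Line or Status-Line, headers and body, and splits a URI into the components of figure 1-2. The sample messages, the host names in them and the function names are assumptions of this example; a malformed start line is rejected rather than guessed at, which is the behaviour a filter in front of a web server needs.

```python
from urllib.parse import parse_qsl, urlsplit

# Added example (not from the original document): a small parser for the
# HTTP request/response messages and the URI components described in
# chapter I.  The sample messages below are constructed for this example.

SAMPLE_REQUEST = (
    "GET /index.php?i=10 HTTP/1.1\r\n"
    "Host: at7a.kma\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "<html></html>"
)


def _split_message(raw):
    """Split a message into (start line, header dict, body) at the blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        # A header field is 'Name: value'; a line without a colon is malformed.
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw):
    """Request-Line is 'Method SP Request-URI SP HTTP-Version'."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed Request-Line: %r" % start)
    method, uri, version = parts
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def parse_response(raw):
    """Status-Line is 'HTTP-Version SP Status-Code SP Reason-Phrase'."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed Status-Line: %r" % start)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


def split_uri(uri):
    """Break a URI into the components of figure 1-2."""
    p = urlsplit(uri)
    directory, _, filename = p.path.rpartition("/")
    return {
        "protocol": p.scheme,
        "username": p.username,
        "password": p.password,
        "host": p.hostname,
        # Port 80 is the HTTP default when none is given (443 for https).
        "port": p.port or {"http": 80, "https": 443}.get(p.scheme),
        "path": directory + "/",
        "file": filename,
        "query": dict(parse_qsl(p.query, keep_blank_values=True)),
        "fragment": p.fragment,
    }


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
    print(split_uri("http://user:pw@at7a.kma:8080/docs/index.php?i=10#top"))
```

Header names are lower-cased on the way in because HTTP header names are case-insensitive, so a lookup for "host" works whatever the client sent.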

CHAPTER II - MODSECURITY

2.1. Understanding ModSecurity

2.1.1. What ModSecurity is

ModSecurity is an open source web application firewall developed by Ivan Ristic for the Apache web server. It is regarded as an intrusion detection and prevention engine for web applications. It runs as a module of the Apache web server, or can stand alone as a reverse proxy to protect many kinds of web server such as IIS, Tomcat and Apache.

Figure 2-1 ModSecurity overview model

ModSecurity is available in two forms, open source or commercial with additional vendor support. It runs well on a wide range of operating systems: Linux, Windows, Solaris, FreeBSD and Mac OS.

2.1.2. Capabilities of ModSecurity

- Request filtering: every request sent to the web server is analysed and filtered before it is passed on to other modules for processing.
- Anti-evasion techniques: paths and parameters are normalised before analysis to defeat evasion techniques.
- Understanding of the HTTP protocol: as an application firewall, ModSecurity understands HTTP. It can filter on HTTP header information and can examine the individual parameters and cookies of a request.
- POST payload analysis: besides filtering on HTTP headers, ModSecurity can filter on the content (payload) of POST requests.
- Audit logging: every request (POST included) can be recorded so that the administrator can review it when needed.
- HTTPS filtering: ModSecurity can analyse HTTPS traffic.
- Compressed content filtering: ModSecurity analyses the requested data after decompressing it.


2.1.3. Request processing in Apache and ModSecurity

Figure 2-2 Request processing in Apache and ModSecurity

ModSecurity lets us place rules at one of five points in Apache's processing cycle:

- Request headers (phase 1): rules placed here run right after Apache has read the request headers (post-read-request), when the request body has not yet been read. This phase is important for analysing exploits that rely on the HTTP method or on the URL, such as SQL injection, local file include and Cross-Site Scripting (XSS).

- Request body (phase 2): at this point the general input information has been analysed and can be examined, so application-oriented rules are usually placed here. The server has received the full request parameters and the request body has been read. The general purpose of this phase is to analyse the input data, translate the URI, check headers, check access and authenticate. ModSecurity supports the following three request body encodings:
  o application/x-www-form-urlencoded: used to transmit form data
  o multipart/form-data: used to transmit files
  o text/xml: used to analyse XML data

- Response headers (phase 3): this is the moment right after the response headers have been sent back to the client. We place rules here when we want to monitor what happens after the response has been sent.

- Response body (phase 4): once ModSecurity has finished inspecting the response headers, the body content is checked against the patterns in the rule set. This is quite effective for detecting and preventing intrusions that phases 1 and 2 did not catch. For example, in an SQL injection exploit, if the attacker uses techniques to hide the attack, detection at request time is difficult; when the exploit succeeds, ModSecurity analyses the returned response to detect whether the query succeeded.

- Logging (phase 5): this is when logging takes place. Rules placed here define how logging is done and inspect Apache's error messages. It is also the last point at which we can block unwanted connections and inspect the response headers we could not inspect in phases 3 and 4.

Rules are executed phase by phase, in order. This means ModSecurity processes all rules in phase 1, then phase 2, phase 3, phase 4 and finally phase 5. Within each phase, rules are processed in the order in which they appear in the configuration files. One can think of it as ModSecurity scanning the configuration files five times per request, once per phase, considering only the rules that belong to the phase being processed. The logging phase is special in that it always runs, whether the request was allowed or denied in the earlier phases. Moreover, once the logging phase begins, no blocking response is possible, because the response has already been sent to the visitor.

Therefore care must be taken that no disallowed action is passed to a phase 5 rule; otherwise an error prevents Apache from starting. To avoid this, the following rule can be placed before the phase 5 rules (but after the rules of the earlier phases):
SecDefaultAction phase:5,pass
2.2. Rules

2.2.1. ModSecurity Core Rules

ModSecurity is an application firewall, so by default it cannot defend against attacks on its own unless rules are carefully configured. To make full use of ModSecurity's features, Breach Security built a fairly strict and complete rule set, free of charge. Unlike other intrusion detection systems, which rely only on specific signatures and characteristics of earlier attacks, these core rules provide generic protection against unknown vulnerabilities commonly found in web applications. The latest core rules can be found on the ModSecurity website at www.modsecurity.org/projects/rules/.

To provide comprehensive protection for web applications, the core rules cover the following:
- HTTP protection: detects violations of the HTTP protocol and of a defined usage policy.
- Protection against common web server attacks: detects attacks on web application servers, and automatically detects bots, scanners and malicious code.
- Trojan protection: detects access by Trojan horses.
- Hidden errors: messages from the web server.

ModSecurity's rule configuration includes different kinds of information, different settings and much content. The structure of the core rules consists of directives, variables, transformation functions, signatures and the corresponding actions (allow, deny, log). The logical requirement is to detect attacks; the policy settings define the action to take when an attack is detected; and the rules carry information about the attacks.


2.2.2. Configuring directives

ModSecurity is a rules-based application firewall, meaning that the administrator needs to set up the rules. When ModSecurity runs, it relies on these rules to handle requests and keep the system safe. The rules are expressed as directives and can be placed directly in the Apache configuration file (usually httpd.conf).

ModSecurity defines 9 kinds of directive with which users can deploy flexible filtering features for their web system.

Directive                Description
SecAction                Performs an unconditional action. This directive is essentially a rule that always matches.
SecDefaultAction         Specifies the default action list, which will be used in the rules that follow.
SecMarker                Creates a marker that can be used in conjunction with the skipAfter action. A marker creates a rule that does nothing, but has an ID assigned to it.
SecRule                  Creates a rule.
SecRuleInheritance       Controls whether rules are inherited in a child configuration context.
SecRuleRemoveById        Removes the rule with the given ID.
SecRuleRemoveByMsg       Removes the rule whose message matches the given regular expression.
SecRuleScript            Creates a rule implemented using Lua.
SecRuleUpdateActionById  Updates the action list of the rule with the given ID.
Table 2-1 Directive types in ModSecurity

These directives play a very important role in the rules: for every requirement of a rule there is a corresponding directive. Among the most frequently used are SecRule, SecAction and SecRuleEngine. Requests are rejected if they violate one of these directives, for example requests that violate the HTTP protocol or have abnormal content. These rules, together with the core rule files, should not be placed in Apache's httpd.conf configuration file; this makes upgrading easier, since new core rule files are published by Breach Security on the ModSecurity website. Below are some of the important directives.

SecRuleEngine
By default the filtering engine is disabled. To enable ModSecurity, add the following directive to the configuration file:
SecRuleEngine On
This directive controls the filter engine; the administrator can set it to On, Off or DynamicOnly.
- On: ModSecurity's rules are applied to all content.
- Off: disables ModSecurity.
- DynamicOnly: ModSecurity's rules are not applied to static content such as .html files, only to requests that return dynamic content, such as requests for PHP files.

SecAction
Description: SecAction unconditionally processes the action list it receives as its first and only parameter. It accepts one parameter, whose syntax is the same as that of the third parameter of SecRule.
Syntax: SecAction action1,action2,action3
Example:
SecAction "log,deny,msg:'chan truy cap'"
SecAction is best used to execute an action unconditionally; normally actions are triggered conditionally, based on request/response data.

SecRule
Description: SecRule is the main directive of ModSecurity. It is used to analyse data, carry out the basic actions and produce a result. The standard structure of a ModSecurity rule is:
SecRule VARIABLES OPERATOR [ACTION]
Example:
SecRule ARGS "<script>" "log,deny,status:404"
- VARIABLES: specifies where ModSecurity looks for the pattern. In the example above, ARGS means the pattern is searched for in all request parameters.
- OPERATOR: specifies how ModSecurity searches for the pattern. Operators are used in the form of regular expressions, giving the rules a flexible analysis mechanism.
- ACTION: specifies the action ModSecurity takes when a pattern matches. In the example above, the action part log,deny,status:404 means that when <script> matches in the request, a log entry is written and the request is blocked with status code 404 (Not Found).

Example: below is an HTTP request
GET /document/index.html HTTP/1.1
Host=www.kmasecurity.net
User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=vi-vn,vi;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
Content-Type=application/x-www-form-urlencoded; charset=UTF-8
Referer=http://www.kmasecurity.net/xforce/index.php
Content-Length=20
Cookie=xf_session=9e9b13d4955a3e03f46d173e5bc02935
POSTDATA=rndval=1386222108554

From the request above we can see HTTP headers such as GET, Host, User-Agent, Accept, Referer, Content-Length, Cookie and POSTDATA.

For example, we can write a rule that forbids requests containing the word admin:
SecRule REQUEST_URI "admin" "phase:2,deny,log,msg:'khu vuc cam truy cap'"
Or disallow a User-Agent containing the word Mozilla:
SecRule HTTP_User-Agent "Mozilla" "phase:1,deny,log,msg:'deny mozilla'"
2.2.3. Variables and collections

There are currently more than 70 variables available in ModSecurity. ModSecurity uses two kinds of variable: standard variables (which simply hold a single value) and collections (which can hold more than one value). An example of a collection is REQUEST_HEADERS, which contains all the header fields the client sent to the server, such as User-Agent or Referer.

To access one field in a collection, we write the collection name, then a colon, then the name of the field or option we want to access. Example:
SecRule REQUEST_HEADERS:User-Agent "hacker" "log,deny,status:404"
In this case only the data in the User-Agent field is checked. To check all data across the collections we use the ARGS variable. For example, to check for the presence of the string hacker across all collections we use the following rule:
SecRule ARGS "hacker" "log,deny,status:404"

Below are some of the supported variables and collections:
- HTTP: a special prefix followed by the header name, which can be used to select request headers. Example:
SecRule HTTP_referer "at7a.kma/index.php" "phase:2,deny,nolog,status:404"
- ARGS: like QUERY_STRING | POST_PAYLOAD, the part of the URI after the question mark. For example, for /index.php?i=10 the QUERY_STRING is i=10.
- REMOTE_HOST: if HostnameLookups is set to On, this variable holds the remote host name resolved through DNS; if it is set to Off, it holds the IP address. It can be used to deny dangerous clients and blacklisted networks, or conversely to allow authenticated hosts.
- REMOTE_PORT: holds the source port the client used when opening the connection to the web server.
- ARGS_COMBINED_SIZE: lets us draw more conclusions about the total size of the arguments, whereas Apache's own directive is limited.
- ARGS_NAMES: the collection of argument names. It can be searched for the argument names the administrator wants to forbid; in a scenario with a clear policy, the administrator can set up a whitelist.
- AUTH_TYPE: holds the authentication method used to validate the user. Example:
SecRule AUTH_TYPE "basic" "log,deny,phase:1"
- FILES: a collection of the original file names. Note: only available when files have been extracted from the request body. Example:
SecRule FILES "\.conf$" "log,deny,status:404,phase:2"
- FILES_COMBINED_SIZE: a single value, the total size of the uploaded files. Note: only available when files have been extracted from the request body.
- QUERY_STRING: holds the data passed to the script by appending it after the question mark. Example:
SecRule QUERY_STRING "or" "phase:1,log,deny,status:403"
- REMOTE_ADDR: holds the IP address of the remote client. Example:
SecRule REMOTE_ADDR "^192\.168\.1\.15$" "deny"
- REMOTE_USER: holds the authenticated user name.
- REQBODY_PROCESSOR: the built-in processors handle URL-encoded, MULTIPART and XML bodies.
- REQBODY_PROCESSOR_ERROR: 0 (no error) or 1 (error). If the administrator wants to handle a processing error, this rule must be placed in phase 2. Example:
SecRule REQBODY_PROCESSOR_ERROR "@eq 1" "deny,log,phase:2"
- REQUEST_BASENAME: just the file-name part of REQUEST_FILENAME. Example:
SecRule REQUEST_BASENAME "^login\.php$" "allow,log,msg:'dang nhap',phase:2"
- REQUEST_BODY: holds the data in the request body (including POST_PAYLOAD data). REQUEST_BODY should be used. Example:
SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{6,}\&Login=Login$" "phase:2,log,deny,msg:'truy cap tu choi'"
- REQUEST_COOKIES: the collection of all cookie data. Example:
SecRule REQUEST_COOKIES "@eq 1" "phase:2,deny,log"
- REQUEST_COOKIES_NAMES: the collection of cookie names in the request headers. Example:
SecRule REQUEST_COOKIES_NAMES:PHPSESSID "@eq 1" "phase:2,deny"
2.2.4. Transformation functions

ModSecurity provides a number of transformation functions that we can apply to variables and collections. The transformations are carried out on a copy of the data being inspected, which means the original HTTP request or response is left unchanged. This feature is very important: if we want to detect an XSS attack, we must detect the JavaScript code whether it is written in upper or lower case. To do this, a transformation function can be applied so that an upper-case string is compared as lower case. Example:
SecRule ARGS "<script>" "deny,t:lowercase"
The rule above blocks every URL containing the string <script> regardless of case: sCript, ScRipt, SCRIPT, and so on.

The transformation functions of ModSecurity are as follows:

Transformation function  Description
base64Encode             Encodes the string as base64
base64Decode             Decodes from base64
compressWhitespace       Converts tabs, newlines, spaces and runs of spaces into a single space
cssDecode                Decodes CSS-escaped characters
escapeSeqDecode          Decodes ANSI C escape sequences (\n, \r, \\, \?, \")
hexEncode                Encodes the string using hexadecimal
hexDecode                Decodes a hex-encoded string
htmlEntityDecode         Decodes HTML entities (for example &lt; becomes <)
jsDecode                 Decodes JavaScript escape sequences
length                   Replaces the string with its length
lowercase                Converts the string to lower case
md5                      Replaces the input with its MD5 hash
urlDecode                Decodes a URL-encoded string
urlDecodeUni             Like urlDecode, but also handles Unicode (%uXXXX) encoding
Table 2-2 Transformation functions of ModSecurity
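The following added Python example (not ModSecurity's own code) models the transformation pipeline described above: each t: function from table 2-2 that can be approximated with the standard library is applied, in order, to a copy of the inspected value before the regular expression operator runs. It shows why the t:lowercase rule above also needs decoding transformations when the <script> tag arrives URL-encoded or as HTML entities. The function names and the sample parameters are constructed for this example, and the decoding details of the real functions are approximated.

```python
import html
import re
from urllib.parse import unquote_plus

# Added example, not ModSecurity's own code: a simplified model of how
# transformation functions (t:...) are applied to a copy of the inspected
# value before the operator runs.  Names follow table 2-2; the decoding
# details of the real functions are approximated with standard-library calls.


def t_lowercase(value):
    return value.lower()


def t_urldecode(value):
    # %XX sequences and '+' are turned back into characters.
    return unquote_plus(value)


def t_htmlentitydecode(value):
    return html.unescape(value)


def t_compresswhitespace(value):
    # Tabs, newlines and runs of spaces collapse into a single space.
    return re.sub(r"\s+", " ", value)


def t_hexdecode(value):
    try:
        return bytes.fromhex(value).decode("latin-1")
    except ValueError:
        return value  # assumption of this model: invalid hex is left as-is


def t_length(value):
    return str(len(value))


TRANSFORMS = {
    "lowercase": t_lowercase,
    "urlDecode": t_urldecode,
    "htmlEntityDecode": t_htmlentitydecode,
    "compressWhitespace": t_compresswhitespace,
    "hexDecode": t_hexdecode,
    "length": t_length,
}


def transform(value, names):
    """Apply the named transformations in order, as t:a,t:b does in a rule."""
    for name in names:
        value = TRANSFORMS[name](value)
    return value


def rule_matches(value, pattern, transforms=()):
    """Model of: SecRule <var> "pattern" "t:<transforms>,..." with the regex operator."""
    return re.search(pattern, transform(value, transforms)) is not None


def check_args(args, pattern, transforms=()):
    """Inspect every parameter of an ARGS-like collection; return the names that match."""
    # The transformation works on a copy; the dict passed in is never modified.
    return [name for name, value in args.items()
            if rule_matches(value, pattern, transforms)]


if __name__ == "__main__":
    # Constructed sample parameters for this example.
    params = {"q": "hello world", "name": "%3CsCrIpT%3E", "c": "&lt;script&gt;"}
    print(check_args(params, "<script>"))
    print(check_args(params, "<script>", ("urlDecode", "htmlEntityDecode", "lowercase")))
```

Without any transformation neither encoded parameter matches; with urlDecode, htmlEntityDecode and lowercase chained in that order both do, while the parameter values themselves stay untouched.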

2.2.5. Operators

The operators in ModSecurity analyse the input variables to reach a decision. Most rules use regular expressions for analysis, but in some specific cases other operators are more useful. Consider the case of comparing numeric values: using a regular expression is awkward when writing the rule and costly when the comparison is executed. ModSecurity supports a set of different comparison methods to improve the performance of the checks; in this case numeric operators are more efficient than regular expressions. ModSecurity supports the following four groups:

String-matching operators: these analyse the input data from the variables. @rx and @pm are the most commonly used in analysis rules.

Operator     Description
@beginsWith  Input begins with parameter
@contains    Input contains parameter
@endsWith    Input ends with parameter
@rx          Regular expression pattern matches the input
@pm          Parallel pattern matching, with patterns read from a file
Table 2-3 String-matching operators

Numerical operators: operators for comparing numeric values

Operator  Description
@eq       Equal
@ge       Greater or equal
@gt       Greater than
@le       Less or equal
@lt       Less than
Table 2-4 Comparison operators

Validation operators: the validation operators supported by ModSecurity are listed below

Operator               Description
@validateByteRange     Validates that the parameter consists only of allowed byte values
@validateSchema        Validates an XML payload against a schema
@validateDTD           Validates an XML payload against a DTD
@validateUrlEncoding   Validates a URL-encoded string
@validateUtf8Encoding  Validates a UTF-8-encoded string
Table 2-5 Validation operators

Miscellaneous operators: these let you write rules with quite useful filtering functions, such as detecting credit card number disclosure (@verifyCC) or checking the geographic location of the user's IP address (@geoLookup).

Operator      Description
@geoLookup    Determines the physical location of an IP address
@inspectFile  Invokes an external script to inspect a file
@rbl          Looks up the parameter against an RBL (real-time block list)
@verifyCC     Checks whether the parameter is a valid credit card number
@verifyCPF    Checks whether the parameter is a valid Brazilian social security number
@verifySSN    Checks whether the parameter is a valid US social security number
@ipMatch      Matches the input against one or more IP addresses or network segments
Table 2-6 Miscellaneous operators


2.2.6. Hnh ng (Actions)


Khi request vi phm mt lut no th ModSecurity s thc thi
mt hnh ng (action). Khi action khng c ch r trong lut th
lut s s dng default action. C 3 loi actions:
Primary Actions
Primary Actions s quyt nh cho php request tip tc hay
khng. Mi lut ch c mt Primary Actions. C 5 Primary Actions :
-

Deny: Request s b ngt, ModSecurity s tr v HTTP status


code 500 hoc l status code ca ngi qun tr thit lp ch th
status. V d:
SecRule REQUEST_URI hacker deny,status:403

Pass: Cho php request tip tc c x l cc lut tip theo.


V d:
SecRule secret log,pass

Allow: Cho php truy cp ngay lp tc v b qua cc phase khc


(tr pha logging). Nu mun ch cho qua phase hin ti th cn
ch r allow phase. Khi s vn c kim tra bi cc lut ti
cc phase sau. Ch cho php truy cp ti cc request. V d:
SecRule REMOTE_ADDR "^192\.168\.1\.15$" "allow"

Redirect: Redirect mt request n mt url no . V d:


SecRule ARGS <script> Redirect:/noxss.html

Drop: Ngay lp tc kt ni, hnh ng dng mt kt ni TCP v


gi mt gi FIN
Secondary (non-disruptive) actions
Secondary actions supplement the primary action; a rule may carry several of them.
- status: when a request violates a rule, ModSecurity returns HTTP status code n instead of the default. The administrator can serve a custom page for that status code (for example with Apache's ErrorDocument) to requests that violate the rules.
- exec: executes an external command when a request violates the rule.
- log: writes the violating request to the Apache error log and to the audit log.
- nolog: do not log.
- pause: ModSecurity waits n milliseconds before returning the response.

Flow actions
- chain: links two or more rules, which then match only when all of them match.
- skip:n: ModSecurity skips the n rules that follow (this was skipnext in ModSecurity 1.x).
Default action
When a rule does not specify an action, it uses the default action set with SecDefaultAction. Suppose that Modsecurity.conf sets
SecDefaultAction "phase:2,log,auditlog,pass"
and that we have a simple rule with no action of its own:
SecRule REQUEST_BASENAME "^login\.php$"
When ModSecurity runs, that rule is understood as:
SecRule REQUEST_BASENAME "^login\.php$" "phase:2,log,auditlog,pass"
In this way ModSecurity makes deploying rules easier, without having to repeat the same actions over and over:
SecDefaultAction "phase:2,log,deny,status:404"
SecRule ARGS "X1"
SecRule ARGS "X2"
...
SecRule ARGS "Xn"
Two things to check when relying on this: SecDefaultAction affects only the rules that follow it in the same configuration context, and in ModSecurity 2.x it must itself name a phase and a disruptive action. A rule that carries its own disruptive action (for example deny) overrides the default one; its other actions are merged with those of the default.


2.3. Logging

2.3.1. Debug log

The SecDebugLog directive selects the file in which debug information is written:
SecDebugLog logs/modsec_debug_log
The administrator can change how much detail is logged with the directive:
SecDebugLogLevel 9
The level ranges from 0 to 9:
0 - no logging.
1 - only errors (intercepted requests).
2 - warnings.
3 - notices.
4 - details of the transactions being processed.
5 - as 4, but with more detailed information.
9 - log everything, in full detail.
Levels above 3 write a great deal of data and slow the server down; use them only while writing or debugging rules and go back to 3, the level the reference manual recommends for production, afterwards.
Example:
[11/Dec/2013:23:36:22 --0800] [at7a.kma/sid#f0cfa0][rid#b6972c18]
[/vulnerabilities/csrf/] [1] Access denied with code 403 (phase 2). Match
of "rx ^192\\.168\\.1\\.16" against "REMOTE_ADDR" required. [file
"/etc/httpd/conf.d/Modsecurity.conf"] [line "104"]
2.3.2. Audit logging

Apache's own log holds too little information to let the administrator retrace an attacker's steps. ModSecurity supports audit logging with full request and response details, enough to reconstruct what the attacker did and to adjust rules that cause false positives. Two directives enable it:
SecAuditEngine On
SecAuditLog logs/audit_log
An entry consists of parts separated by boundary lines of the form --<id>-<part>--: A (audit header: timestamp, unique transaction id, client and server addresses), B (request headers), C (request body), E (response body), F (response headers), H (audit trailer with the rule messages) and Z (end of entry). Example audit log entry:

--e2456e72-A--
[11/Dec/2013:23:36:22 --0800] UqlndsCoAWMAADUbGHEAAAAA 192.168.1.15 54625 at7a.kma 80
--e2456e72-B--
GET /vulnerabilities/csrf/ HTTP/1.1
Host: at7a.kma
User-Agent: hacker (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-vn,vi;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://at7a.kma/vulnerabilities/sqli/
Cookie: PHPSESSID=ssj74gomhhnbaeg88eabnu3t50; security=high
Connection: keep-alive
--e2456e72-F--
HTTP/1.1 403 Forbidden
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1
--e2456e72-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^192\\.168\\.1\\.16" against "REMOTE_ADDR" required. [file "/etc/httpd/conf.d/Modsecurity.conf"] [line "104"]
Action: Intercepted (phase 2)
Stopwatch: 1386833782214868 4718 (2035 2927 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15 (CentOS)
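Tracing an attacker through the audit log means reading many entries like the one above, so it helps to parse them. The following parser is an added example (not ModSecurity code and not from the page): it splits the serial audit log format at its boundary lines, reads the header, request, response status and the rule messages of part H. The sample entry is constructed in that format with the values of the entry above (headers trimmed).

```python
import re

# Constructed sample in ModSecurity's serial audit log format, using the values of
# the entry shown above (not captured from a live server; request headers trimmed).
SAMPLE_AUDIT = r"""--e2456e72-A--
[11/Dec/2013:23:36:22 --0800] UqlndsCoAWMAADUbGHEAAAAA 192.168.1.15 54625 at7a.kma 80
--e2456e72-B--
GET /vulnerabilities/csrf/ HTTP/1.1
Host: at7a.kma
User-Agent: hacker (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Cookie: PHPSESSID=ssj74gomhhnbaeg88eabnu3t50; security=high
--e2456e72-F--
HTTP/1.1 403 Forbidden
Content-Length: 301
--e2456e72-H--
Message: Access denied with code 403 (phase 2). Match of "rx ^192\\.168\\.1\\.16" against "REMOTE_ADDR" required. [file "/etc/httpd/conf.d/Modsecurity.conf"] [line "104"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
--e2456e72-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

def split_parts(entry_text):
    """Group the lines of one entry by part letter (A header, B request, F response, H trailer, Z end)."""
    parts, current = {}, None
    for line in entry_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.group(2)
            parts[current] = []
        elif current is not None:
            parts[current].append(line)
    return parts

def _bracket_field(message, name):
    """Extract [name "value"] from a Message line, e.g. [line "104"]."""
    m = re.search(r'\[' + re.escape(name) + r' "([^"]*)"\]', message)
    return m.group(1) if m else None

def parse_entry(entry_text):
    parts = split_parts(entry_text)
    head = parts["A"][0].split()
    # Part A: [timestamp tz] unique_id client_ip client_port server_ip server_port
    entry = {
        "timestamp": (head[0] + " " + head[1]).strip("[]"),
        "unique_id": head[2],
        "client_ip": head[3],
        "client_port": int(head[4]),
        "request_line": parts["B"][0],
        "headers": {},
        "status": None,
        "messages": [],
        "action": None,
    }
    for line in parts["B"][1:]:
        if ": " in line:
            name, value = line.split(": ", 1)
            entry["headers"][name] = value
    if parts.get("F"):
        entry["status"] = int(parts["F"][0].split()[1])   # "HTTP/1.1 403 Forbidden"
    for line in parts.get("H", []):
        if line.startswith("Message: "):
            text = line[len("Message: "):]
            entry["messages"].append({
                "text": text,
                "file": _bracket_field(text, "file"),
                "line": _bracket_field(text, "line"),
                "msg": _bracket_field(text, "msg"),
            })
        elif line.startswith("Action: "):
            entry["action"] = line[len("Action: "):]
    return entry

def parse_entries(log_text):
    """Split a whole serial audit log into entries by boundary id and parse each one."""
    chunks, order = {}, []
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(1) not in chunks:
            chunks[m.group(1)] = []
            order.append(m.group(1))
        if order:
            chunks[order[-1]].append(line)
    return [parse_entry("\n".join(chunks[i])) for i in order]

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_AUDIT):
        print(e["client_ip"], e["request_line"], e["status"], e["messages"][0]["line"])
```

Grouping the parsed entries by client_ip and sorting by timestamp gives the attacker's sequence of requests; the file and line fields of each message point at the rule that fired, which is what you need when tuning a false positive.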

2.3.3. Customizing what is logged

SecAuditEngine accepts the following values:
- On: log every transaction.
- Off: do not log.
- RelevantOnly: log only the transactions that triggered a rule, plus those whose response status matches the regular expression given in SecAuditLogRelevantStatus (for example "^(?:5|4(?!04))" for all 5xx and 4xx responses except 404).
- DynamicOrRelevant: log transactions that generated dynamic content or that triggered a rule. This value belongs to ModSecurity 1.x; 2.x accepts only On, Off and RelevantOnly.
On a busy server On fills the disk quickly; RelevantOnly is the usual production setting.
2.4. Regular expressions

2.4.1. Introduction to regular expressions

A regular expression (regex) is an expression that represents a set of strings according to fixed syntactic rules. It is commonly used in text editors and in search and text-processing utilities that work from a given pattern. Many programming languages also support regular expressions for string processing; Perl, for instance, has a powerful regex engine built directly into its syntax.
Basically, a regular expression is built from five constructs:
- Symbol: denotes the language containing only that one string of characters. This construct is used for literal characters or a fixed group of them. Example: the regex a denotes the language containing only the letter a; the regex abc denotes the language containing only abc.
- Alternation: expresses "this or that" (OR); the character | is used for it. Example: if regex A accepts the character a and regex B accepts b, the alternation of A and B, written A | B, is a new regex that accepts a or b. In short, A | B describes the language {a, b}.
- Concatenation: expresses AND, one thing followed by another. In formal notation the dot (.) is used for it. Example: if A and B are two regexes, their concatenation A.B accepts a followed by b. Note that in practical regex syntax (PCRE, which ModSecurity uses) concatenation is written simply by juxtaposition, ab, while the dot has a different meaning: it matches any single character.
- Epsilon: denotes the empty string; the symbol ε is used for it. Example: (ab | ε) describes the language {ε, ab}. In PCRE the same thing is written with the optional quantifier, (ab)?.
- Repetition: expresses repeating a character or group. Several markers are used for it: * (zero or more), + (one or more), ? (zero or one) and {m,n} (between m and n times).

2.4.2. Use of regular expressions in ModSecurity

From the above we see that regular expressions are very useful in programming and especially in writing rules for ModSecurity. A regex lets one rule cover many spellings of the same thing (union\s+select, for example, matches any amount of whitespace between the two words), where a set of plain patterns would have to list every variant in full, making the rule set long and slow to maintain. Two caveats: for a fixed string, @contains or the @pm phrase-match operator is faster than a regex, and a carelessly written regex (nested quantifiers, long alternations) can itself cost a lot of CPU on every request.

2.5. Installing and basic configuration of ModSecurity on a CentOS server

2.5.1. Installing ModSecurity

Before installing, make sure the Apache web server is working properly. ModSecurity can be installed on many operating systems; here the group presents the installation on a CentOS (6.5) server.
Download ModSecurity from the website:
https://www.modsecurity.org/tarball/2.5.12/modsecurity-apache_2.5.12.tar.gz
- Libraries needed to build ModSecurity: apxs, libxml2, pcre, and the mod_unique_id.so module:
[root@webserver ~]# yum -y install httpd-devel      (installs apxs)
[root@webserver ~]# yum -y install libxml2-devel    (installs libxml2)
[root@webserver ~]# yum -y install pcre-devel       (installs pcre)
- Add the following line to httpd.conf (/etc/httpd/conf/httpd.conf):
LoadModule unique_id_module modules/mod_unique_id.so
- Extract the archive:
[root@webserver ~]# tar xfvz modsecurity-apache_2.5.12.tar.gz
- Build and install ModSecurity:
[root@webserver ~]# cd modsecurity-apache_2.5.12/apache2
[root@webserver apache2]# ./configure
[root@webserver apache2]# make
[root@webserver apache2]# make install
- Integrate ModSecurity with Apache:
After a successful installation the file mod_security2.so is placed in /etc/httpd/modules/. Next, add the following line to httpd.conf so that the ModSecurity module is loaded, then restart the httpd service:
LoadModule security2_module modules/mod_security2.so
[root@webserver ~]# service httpd restart
Version 2.5.12 and CentOS 6.5 are both long out of support; on a current system install the distribution's mod_security package or build a supported release, following the same steps.
2.5.2. Basic configuration

ModSecurity is a rule-based application firewall, so rules must be set up before it does anything. The rules are expressed as directives and can be placed directly in the Apache configuration file (httpd.conf). Alternatively, put them in a separate file by copying modsecurity.conf-minimal into the conf.d directory and renaming it Modsecurity.conf:
cp modsecurity.conf-minimal /etc/httpd/conf.d/Modsecurity.conf
Then add to httpd.conf:
Include conf.d/Modsecurity.conf
By default the rule engine is disabled. To activate ModSecurity, add the following directive to the configuration file:
SecRuleEngine On
To check that ModSecurity works we build the following scenario: create two files in the web root (hacker.html and index.html). Accessing index.html returns the page normally, while accessing hacker.html makes the browser report a 403 error.

Figure 2-3 Before configuring ModSecurity

The figure above shows that, before ModSecurity is configured to block requests containing the word hacker, the user can still open both pages normally. Now test by adding the following rule to Modsecurity.conf, restarting Apache and checking the result:
# test rule: block every request whose URI contains "hacker"
SecRule REQUEST_URI "hacker" "phase:2,deny,log,status:403"
(The @rx operator is case-sensitive, so /Hacker.html would still get through; add t:lowercase to the rule to cover that.)

Figure 2-4 After basic configuration of ModSecurity

The result in the figure above shows that ModSecurity is working: when the user browses to http://at7a.kma/hacker.html the request is blocked by ModSecurity and an error message is shown.
2.6. Writing and analysing some basic rules

Example 1: block requests containing the word script
SecRule REQUEST_URI "script" "phase:2,deny,status:404"
With the comparison above, ModSecurity inspects the URI sent by the user and determines whether the string script is present in it. If script appears in the URI, the actions are carried out. In this case two actions are used, deny and status, which block the request to the server and return error status 404 (Not Found).
Note: a rule may have no action, or more than one. Several actions in one rule are separated by commas, and the whole action list is quoted when it contains spaces.

Chaining rules (chain) and using the negation operator
ModSecurity allows separate SecRule directives to be linked into a single logical rule with the chain action. Chaining reduces false alarms and simplifies rule writing when several conditions must hold at once. ModSecurity also allows any condition in a rule to be negated with !.
Example 2: the web server administrator wants to block every user whose User-Agent is hacker, except that the IP address 192.168.1.15 is still allowed in. This is written as:
SecRule REQUEST_HEADERS:User-Agent "hacker" "phase:1,chain,deny"
SecRule REMOTE_ADDR "!^192\.168\.1\.15$"
(REQUEST_HEADERS:User-Agent is the ModSecurity 2.x variable for this header.)
In the example above, chain links the two rules. The first rule reads the User-Agent header to find the User-Agent named hacker and carries the deny action, which in a chain is applied only when every rule of the chain matches. The second rule uses REMOTE_ADDR to name the IP address, here 192.168.1.15. The ! negates the match. Without the !, the pair would mean "User-Agent hacker AND IP address 192.168.1.15", so only that one host would be blocked. With the !, requests from 192.168.1.15 with User-Agent hacker still reach the server, while every other address with User-Agent hacker is denied.

Example 3: an attacker obfuscates the data of an SQL injection query as follows:
id=1&UniON%20SeLeCT%201,2,3,4,5,6
In this case the characters must be converted to lower case before checking. For example, we use the rule:
SecRule ARGS "@contains union select" "phase:2,t:lowercase,t:compressWhitespace,deny,status:404"
In the rule above the string union select is not a regular expression, since it contains no special characters that would make it a pattern; for efficiency we therefore use the @contains operator. With the transformations lowercase and compressWhitespace, ModSecurity matches the keyword in forms such as:
union select
uNioN SeLect
UNION   SELECT
Two things to check: ARGS holds parameter values only, so for the payload above, where the text sits in a parameter name that has no value, the rule must target ARGS|ARGS_NAMES; and %20 is already URL-decoded by the time ARGS is built, which is why compressWhitespace (which also folds tabs and newlines into a single space) is used rather than a URL-decoding transformation.


CHAPTER III - BUILDING POLICIES ON MODSECURITY AGAINST SOME ATTACKS ON WEB APPLICATIONS

3.1. ModSecurity deployment model and demo scenario

Figure 3-1 ModSecurity deployment model

The deployment model consists of:
- The Apache web server, private IP 10.0.0.11, running CentOS 6.5 with Apache and Damn Vulnerable Web App (DVWA) installed. DVWA is an application that deliberately contains common web vulnerabilities for attack demonstrations. ModSecurity is installed on this web server to protect it against attacks on the web application.
- The gateway firewall that publishes the web server to the outside, here the pfSense firewall (an open-source solution for protecting the internal network, routing, packet filtering and so on). In this model pfSense is used mainly as a router, with its firewall functions disabled. The gateway has two network cards: the inside card has address 10.0.0.1 and the card that publishes the web server to the internet has IP 192.168.234.123.
- The attacker, who can be anyone on the internet and uses exploitation techniques to attack the web server.

3.1.1. Building the demo scenario

The attacker uses various techniques to attack the web application in order to test the web server's ability to resist them. First the attacker runs an HTTP fingerprinting tool to gather information about the web server, then analyses the possible vulnerabilities of the website and carries out attacks such as HTTP fingerprinting, brute force, SQL injection, XSS and DoS.
On the administrator's side, after discovering that the website on the web server has been attacked, the administrator installs ModSecurity and writes rules to block similar attacks in the future, in order to remedy the weaknesses.
3.2. Building policies on ModSecurity against some attacks on web applications

3.2.1. Preventing HTTP fingerprinting

HTTP fingerprinting works by sending requests to the web server and examining the server's particular characteristics in the responses it returns. The information collected is compared against a database of known web servers to determine the name and version of the server software. Fingerprinting software can detect the server version in several ways; the most common are:
- Server banner: a string the server returns in the response header (for example: Server: Apache/2.2.15 (CentOS)) carrying information about the web server software and the server's operating system.
- HTTP protocol responses: to obtain information about the web server, non-standard or malformed requests can be sent; the responses come back with the details about the server that the tool wants to collect. Requests that can be used to get information from the web server include:
  - an invalid HTTP DELETE request
  - a request with a wrong HTTP version
  - a request with a wrong protocol

Building a ModSecurity policy against HTTP fingerprinting

Idea: use ModSecurity to adjust the web server's parameters so that HTTP fingerprinting tools are deceived and the attacker receives misleading information. Specifically:
- allow only the GET, POST and HEAD methods
- block requests that use any protocol other than HTTP/1.0 and HTTP/1.1
- block requests that carry no Host header
- change the server information to Microsoft-IIS/6.0

Carrying out the attack before writing the blocking rules
The httprecon tool is used to fingerprint the server at7a.kma. The result shows that the server runs Apache version 2.2.15 on the CentOS operating system:

Figure 3-2 Result of the HTTP fingerprinting attack

- After detecting the attack, the rule set is built from the idea analysed above:
# allow only GET, POST and HEAD, and only HTTP versions 1.0 and 1.1
SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "phase:1,deny"
SecRule REQUEST_PROTOCOL "!^HTTP/1\.(0|1)$" "phase:1,deny"
# reject requests that carry no Host or Accept header
SecRule &REQUEST_HEADERS:Host "@eq 0" "phase:1,deny"
SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny"
# change the server signature to Microsoft-IIS/6.0
SecServerSignature "Microsoft-IIS/6.0"
Three points to check before enabling these rules. Do not add t:lowercase to the first two: the patterns are upper-case and @rx is case-sensitive, so a lower-cased "get" or "http/1.1" would never match and the negated rules would then deny every request. The Accept rule goes beyond the idea above and blocks legitimate clients that omit Accept (many scripts and monitoring tools do), so it is a trade-off. SecServerSignature only rewrites the banner when Apache's ServerTokens is set to Full, because it overwrites the existing signature in place.

After the rules are written, the server information is changed to Microsoft-IIS/6.0 and the probe requests to the server are blocked (the response returns error code 403 Forbidden):

Figure 3-3 Result of blocking the HTTP fingerprinting attack
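To see the phase-1 rules above decide on concrete probes, here is an added example (not ModSecurity code and not from the page) that parses raw request heads and applies the same method, protocol and Host checks; it also shows why t:lowercase must not be combined with the upper-case method pattern. The probes are constructed, of the kind an httprecon-style tool sends, and the parser is a deliberately small stand-in for Apache's.

```python
import re

# Allow-lists equivalent to the two negated @rx rules above (case-sensitive, as @rx is).
ALLOWED_METHODS = re.compile(r"^(GET|POST|HEAD)$")
ALLOWED_PROTOCOLS = re.compile(r"^HTTP/1\.(0|1)$")

def parse_request_head(raw):
    """Split a raw request head into (method, protocol, headers). A request line
    without a version is HTTP/0.9, which is how Apache reports it in REQUEST_PROTOCOL."""
    lines = raw.split("\r\n")
    words = lines[0].split(" ")
    method = words[0]
    protocol = words[2] if len(words) == 3 else "HTTP/0.9"
    headers = {}
    for line in lines[1:]:
        if ": " in line:
            name, value = line.split(": ", 1)
            headers[name.lower()] = value
    return method, protocol, headers

def phase1_decision(raw, require_accept=False):
    """Return (status, reason) as the phase-1 rules above would decide it."""
    method, protocol, headers = parse_request_head(raw)
    if not ALLOWED_METHODS.match(method):
        return 403, "method not in GET/POST/HEAD"
    if not ALLOWED_PROTOCOLS.match(protocol):
        return 403, "protocol not HTTP/1.0 or HTTP/1.1"
    if "host" not in headers:
        return 403, "missing Host header"
    if require_accept and "accept" not in headers:
        return 403, "missing Accept header"
    return 200, "ok"

def phase1_with_lowercase(raw):
    """The method rule with t:lowercase applied first, i.e. a rule written as
    SecRule REQUEST_METHOD "!^(GET|POST|HEAD)$" "phase:1,t:lowercase,deny":
    the lowercased "get" never matches the upper-case pattern, so the negated rule
    denies every request, including legitimate ones."""
    method, _, _ = parse_request_head(raw)
    return 200 if ALLOWED_METHODS.match(method.lower()) else 403

# Constructed probes of the kind an httprecon-style tool sends (not captured traffic).
PROBES = {
    "normal":      "GET / HTTP/1.1\r\nHost: at7a.kma\r\nAccept: */*\r\n\r\n",
    "no_accept":   "GET / HTTP/1.1\r\nHost: at7a.kma\r\n\r\n",
    "delete":      "DELETE / HTTP/1.1\r\nHost: at7a.kma\r\n\r\n",
    "bad_version": "GET / HTTP/3.0\r\nHost: at7a.kma\r\n\r\n",
    "no_host":     "GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "http09":      "GET /\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in PROBES.items():
        print(f"{name:12s} {phase1_decision(raw)}")
```

Running it against the probes shows every fingerprinting request refused with 403 while the normal request passes; with require_accept=True the no_accept probe is refused as well, which is the trade-off the Accept rule makes.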

3.2.2. Preventing brute force attacks

The essence of this attack is that the attacker guesses the victim's login details (username, password, email) and keeps trying to log in until the guess is correct. Most users reuse the same credentials on every website they log in to, so their accounts on many sites are compromised as soon as their credentials leak from one site.
The best way to prevent this attack is to limit the number of failed logins. For example, if a user logs in incorrectly more than 3 times, that user's login is locked for 5 minutes or longer.
The following ModSecurity rules let us do this:

<LocationMatch "^/login\.php">
# initialise the persistent ip collection (SecDataDir must be set for this)
SecAction "phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
# detect a failed login from the response body (needs SecResponseBodyAccess On)
SecRule RESPONSE_BODY "Login failed" "phase:4,log,pass,msg:'failed login',setvar:ip.brute_force=+1,expirevar:ip.brute_force=300"
# redirect to nobru.html once more than 3 logins have failed
SecRule IP:BRUTE_FORCE "@gt 3" "phase:2,redirect:/nobru.html"
</LocationMatch>

The rules above rely on the text the website returns when a login fails, Login failed. They initialise the ip collection and increase the variable ip.brute_force by one after each failed login. The expirevar action removes ip.brute_force 5 minutes after its last update, which resets the counter. So once BRUTE_FORCE exceeds 3, the last rule locks the user's login for 5 minutes. Note the off-by-one this introduces: the phase-2 check runs before the application handles the login, so with @gt 3 the fourth attempt still reaches the application and the redirect starts with the fifth request; to lock the account after exactly three failures, use "@ge 3" instead. Reading the response body also requires SecResponseBodyAccess On and a content type covered by SecResponseBodyMimeType, otherwise the phase-4 rule never sees the text.
The rule set is tested by logging in with wrong credentials several times in a row at http://at7a.kma/login.php. The result is a redirect to the warning page nobru.html specified by the last rule. The brute force attack is thus blocked successfully.

Figure 3-4 Result of blocking the brute force attack
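The counter-with-expiry logic of these three rules is easy to get wrong, so here is an added example (not ModSecurity code and not from the page) that models the ip collection with expirevar semantics and replays a run of bad passwords through the same phase-2 / phase-4 ordering. The clock is injected so the 300-second expiry can be tested without waiting; the address and threshold are the page's, the login outcome is simulated.

```python
import time

class IpCollection:
    """Model of ModSecurity's persistent `ip` collection for the rules above: one
    counter per client address with expirevar semantics (the timer restarts on
    every update; an expired variable reads as absent, i.e. 0)."""

    def __init__(self, threshold=3, ttl=300, clock=time.time):
        self.threshold = threshold   # IP:BRUTE_FORCE "@gt 3"
        self.ttl = ttl               # expirevar:ip.brute_force=300
        self.clock = clock           # injectable for testing
        self._vars = {}              # ip -> (count, expires_at)

    def brute_force(self, ip):
        count, expires_at = self._vars.get(ip, (0, 0.0))
        return 0 if self.clock() >= expires_at else count

    def record_failed_login(self, ip):
        """Phase-4 rule: RESPONSE_BODY contained 'Login failed' ->
        setvar:ip.brute_force=+1, expirevar:ip.brute_force=300."""
        count = self.brute_force(ip) + 1
        self._vars[ip] = (count, self.clock() + self.ttl)
        return count

    def is_blocked(self, ip):
        """Phase-2 rule: IP:BRUTE_FORCE @gt threshold -> redirect:/nobru.html."""
        return self.brute_force(ip) > self.threshold


def login_attempt(col, ip, password_ok):
    """One request to /login.php as the rules see it: the phase-2 check runs before
    the application handles the login; the phase-4 check runs on the response."""
    if col.is_blocked(ip):
        return "302 -> /nobru.html"
    if not password_ok:
        col.record_failed_login(ip)
        return "200 Login failed"
    return "200 OK"


def simulate(threshold=3):
    """Replay five wrong passwords from one address, then retry after the expiry."""
    now = [1_000_000.0]                       # fake clock, seconds
    col = IpCollection(threshold=threshold, clock=lambda: now[0])
    ip = "192.168.234.1"                      # attacker address from the lab model
    responses = [login_attempt(col, ip, False) for _ in range(5)]
    now[0] += 301                             # just past expirevar's 300 s
    after_expiry = login_attempt(col, ip, True)
    return responses, after_expiry


if __name__ == "__main__":
    print(simulate())        # @gt 3: the 4th bad password still reaches the app
    print(simulate(2))       # @gt 2 (same as @ge 3): locked from the 4th request
```

The second run shows the fix for the off-by-one discussed above: lowering the threshold by one (or writing @ge 3) makes the redirect start with the request that follows the third failure.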

3.2.3. Preventing Cross-Site Scripting (XSS)

The essence of an XSS attack is a request sent from a client to the server that injects content beyond the server's control. It may come from a form field or sit in the request URI, for example:
http://at7a.kma/vulnerabilities/xss_r/?name=<script>alert(document.cookie)</script>
In this example the attacker passes a simple JavaScript statement in the URL to display the cookie of the current session. The result of the attack is shown in the figure below:

Figure 3-5 Result of the XSS attack

XSS does its damage on the client side of the website, and the direct victims are the people browsing the site. Attackers sometimes use the technique to take over a website, but the payload still runs at the surface of the site: XSS is client-side script, executed only by the visitor's browser, not on the server (server-side impact follows indirectly when a stolen session belongs to an administrator). The target of XSS is the site's other users: when they open a page containing malicious code left by the attacker, they may be redirected to another site, have their home page changed or, worse, lose passwords and cookies, and the visitor's computer may end up with viruses, backdoors or worms installed.
To prevent XSS, all data submitted by users must be filtered. Concretely, the characters and strings commonly used in XSS attacks, such as greater-than (>), less-than (<) and script, are replaced or removed. The following table lists the characters that should be encoded when client-supplied data is stored in the database or rendered back into a page:

Character    HTML encoding
<            &lt;
>            &gt;
(            &#40;
)            &#41;
#            &#35;
&            &amp;
"            &quot;
'            &#39;
Table 3-1 Characters to encode to prevent XSS attacks
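An added example (not DVWA's code and not from the page) of the encoding in Table 3-1 applied at the point where the application reflects the name parameter: a vulnerable rendering beside the hardened one, run on the payload above. The two render functions are hypothetical stand-ins for the DVWA page; the entity map is the table's.

```python
import re

# Table 3-1, one entity per character.
ENTITIES = {
    "<": "&lt;", ">": "&gt;", "(": "&#40;", ")": "&#41;", "#": "&#35;",
    "&": "&amp;", '"': "&quot;", "'": "&#39;",
}

def encode_for_html(text):
    """Encode every Table 3-1 character in a single pass over the input.
    A single pass matters: encoding '&' in a second pass would turn an already
    produced '&lt;' into '&amp;lt;' and break the page."""
    return "".join(ENTITIES.get(ch, ch) for ch in text)

# Hypothetical rendering of the reflected `name` parameter (not DVWA's code).
def render_vulnerable(name):
    return "<pre>Hello " + name + "</pre>"

def render_hardened(name):
    return "<pre>Hello " + encode_for_html(name) + "</pre>"

SCRIPT_TAG = re.compile(r"<\s*/?\s*script", re.IGNORECASE)

def contains_script_tag(html):
    """True when the rendered HTML still carries a script element the browser would run."""
    return SCRIPT_TAG.search(html) is not None

PAYLOAD = "<script>alert(document.cookie)</script>"   # from the URL above

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_hardened(PAYLOAD))
```

Output encoding like this is the fix the application owner should make; the ModSecurity rules that follow are a compensating control placed in front of an application that does not yet do it.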

Rule set to block XSS attacks:

SecRule ARGS "&\{.+}" "phase:2,t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "<.+>" "phase:2,t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "javascript:" "phase:2,t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "script:" "phase:2,t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "alert" "phase:2,t:lowercase,redirect:/noxss.html,msg:'XSS'"

These are demonstration rules, and the broadest of them need care: "alert" blocks any parameter containing that word (a search for "fire alert", for instance) and "<.+>" fires on any text with a < somewhere before a >. Adding t:htmlEntityDecode and t:urlDecodeUni in front of the match also catches payloads whose angle brackets are entity-encoded or double-URL-encoded, which the rules above miss. For production use, the XSS rules of the ModSecurity Core Rule Set are a better starting point.
After configuring the XSS blocking, the attack above is repeated to check the result:
http://at7a.kma/vulnerabilities/xss_r/?name=<script>alert(document.cookie)</script>

Result after writing the rules to block the XSS attack:

Figure 3-6 Result of blocking the XSS attack

Checking the audit log shows more clearly how ModSecurity performs the redirect when it meets the XSS attack:
--efb35936-A--
[29/Apr/2014:03:22:56 +0700] U164oAoAAAsAAJKNOnsAAAAA 192.168.234.1 52699 10.0.0.11 80
--efb35936-B--
GET /vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E+ HTTP/1.1
Host: at7a.kma
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://at7a.kma/vulnerabilities/xss_r/
Cookie: PHPSESSID=m7i9tvtgtuve2ljsk14pou7ue0; security=low
Connection: keep-alive
--efb35936-F--
HTTP/1.1 302 Found
Location: /noxss.html
Content-Length: 195
Connection: close
Content-Type: text/html; charset=iso-8859-1
--efb35936-H--
Message: Access denied with redirection to /noxss.html using status 302 (phase 2). Pattern match "<.+>" at ARGS:name. [file "/etc/httpd/conf.d/Modsecurity.conf"] [line "84"] [msg "XSS"]
Action: Intercepted (phase 2)
Stopwatch: 1398716576868009 991 (444 689 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15
--efb35936-Z--

3.2.4. Preventing SQL injection attacks

SQL injection is a technique that lets the attacker exploit weak validation of input data in web applications, together with the error messages returned by the database management system, to inject illegal SQL statements.
For example, consider the query executed when logging in:
SELECT * FROM user WHERE username = '%s' AND password = '%s';
With this query, if the attacker wants to log in as admin without knowing the password, the attacker enters admin as the username and ' OR 1 = 1 -- as the password. When the query runs, the login data produces:
SELECT * FROM user WHERE username = 'admin' AND password = '' OR 1 = 1 -- ';
This statement means: select every column from the user table where the username is admin and the password is empty, or where 1 = 1. Since AND binds tighter than OR and 1 = 1 is always true, the condition holds even though the password is wrong (the -- comments out the closing quote), the query returns rows (in fact every row of the table; the application usually takes the first one) and the login is accepted.
Below is a table of statements commonly used in SQL injection attacks, together with the regular expressions used to block them:

SQL code            Regular expression
UNION SELECT        union\s+select
UNION ALL SELECT    union\s+all\s+select
INTO OUTFILE        into\s+outfile
DROP TABLE          drop\s+table
ALTER TABLE         alter\s+table
LOAD_FILE           load_file
SELECT FROM         select\s+from
OR                  or\s
AND                 and\s
Table 3-2 Statements commonly used in SQL injection attacks

Carrying out the SQL injection attack before building the rule set: the query 1' UNION SELECT DATABASE(),USER() # is injected into the URL:
http://at7a.kma/vulnerabilities/sqli/?id=1'+UNION+SELECT+DATABASE(),USER()+#&Submit=Submit#

Figure 3-7 Result of the SQL injection attack

Building the ModSecurity rule set against SQL injection:

SecRule ARGS "union\s+select" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "union\s+all\s+select" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "into\s+outfile" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "drop\s+table" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "alter\s+table" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "load_file" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "select\s+from" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "or\s" "phase:2,t:lowercase,redirect:/nosql.html"
SecRule ARGS "and\s" "phase:2,t:lowercase,redirect:/nosql.html"

Before deploying these, check two things. The last two patterns match any parameter containing "or " or "and ", including inside words such as "for " and "band ", so ordinary text like "black and white" is redirected; they illustrate the technique but are not usable as they stand. And \s does not cover every separator an attacker can use: union/**/select passes all of the rules above unless t:removeComments (or t:replaceComments) is added to the transformation chain.

Result after configuring ModSecurity:

Figure 3-8 Result of blocking the SQL injection attack
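To check how the transformations and the Table 3-2 patterns behave on real parameter strings, including the obfuscated payload of example 3 in section 2.6 and the false positives noted above, here is an added example (not ModSecurity code and not from the page). It models ARGS the way ModSecurity builds them from a query string, applies t:lowercase and t:compressWhitespace, and reports the first pattern that fires; the query strings are constructed from the URLs on this page.

```python
import re
from urllib.parse import parse_qsl

# The Table 3-2 patterns, in the order the rule set lists them.
SQLI_PATTERNS = {
    "union select":     r"union\s+select",
    "union all select": r"union\s+all\s+select",
    "into outfile":     r"into\s+outfile",
    "drop table":       r"drop\s+table",
    "alter table":      r"alter\s+table",
    "load_file":        r"load_file",
    "select from":      r"select\s+from",
    "or":               r"or\s",
    "and":              r"and\s",
}
COMPILED = [(name, re.compile(rx)) for name, rx in SQLI_PATTERNS.items()]

# The two transformations used in the rules, applied in the order t: lists them.
def t_lowercase(value):
    return value.lower()

def t_compress_whitespace(value):
    return re.sub(r"\s+", " ", value)

def transform(value, chain=(t_lowercase, t_compress_whitespace)):
    for t in chain:
        value = t(value)
    return value

def args_of(query_string):
    """ModSecurity's view of a query string: (name, value) pairs, URL-decoded, '+' as
    space. ARGS holds the values and ARGS_NAMES the names; a field without '=' is a
    name with an empty value."""
    return parse_qsl(query_string, keep_blank_values=True)

def match_sqli(query_string, include_names=False):
    """Return (pattern, arg_name) for the first pattern that fires, else None.
    include_names=True is the equivalent of targeting ARGS|ARGS_NAMES."""
    for name, value in args_of(query_string):
        targets = [value] + ([name] if include_names else [])
        for target in targets:
            tv = transform(target)
            for pname, rx in COMPILED:
                if rx.search(tv):
                    return pname, name
    return None

if __name__ == "__main__":
    for q in ("id=1%27+UNION+SELECT+DATABASE%28%29%2CUSER%28%29+%23&Submit=Submit",
              "id=1&UniON%20SeLeCT%201,2,3,4,5,6",
              "q=black+and+white"):
        print(q, "->", match_sqli(q), match_sqli(q, include_names=True))
```

The second query is the payload from section 2.6: its keywords sit in a parameter name, so a rule on ARGS alone never sees them, while ARGS|ARGS_NAMES does. The third is harmless text that the "and\s" rule redirects anyway.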

- Checking the audit log shows more clearly the action ModSecurity performed:
--f9cd6132-A--
[29/Apr/2014:03:29:42 +0700] U166NgoAAAsAAJNbH9UAAAAB 192.168.234.1 52740 10.0.0.11 80
--f9cd6132-B--
GET /vulnerabilities/sqli/?id=1%27+UNION+SELECT+DATABASE%28%29%2CUSER%28%29+%23&Submit=Submit HTTP/1.1
Host: at7a.kma
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://at7a.kma/vulnerabilities/sqli/
Cookie: PHPSESSID=m7i9tvtgtuve2ljsk14pou7ue0; security=low
Connection: keep-alive
--f9cd6132-F--
HTTP/1.1 302 Found
Location: /nosql.html
Content-Length: 195
Connection: close
Content-Type: text/html; charset=iso-8859-1
--f9cd6132-H--
Message: Access denied with redirection to /nosql.html using status 302 (phase 2). Pattern match "union\s+select" at ARGS:id. [file "/etc/httpd/conf.d/Modsecurity.conf"] [line "91"]
Action: Intercepted (phase 2)
Stopwatch: 1398716982044622 849 (418 544 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15
--f9cd6132-Z--


CONCLUSION

After a period of studying the topic "Securing web application servers with ModSecurity", our group had the opportunity to learn about application firewalls, specifically the open-source software ModSecurity. Because of limited time and a shortage of equipment for deployment, the group has not yet been able to deploy it in practice.
In this project the group achieved the following results:
- In theory:
  - understood the importance of ModSecurity
  - understood the working principle and the role of ModSecurity
  - is able to write rules
- In practice, the group installed the web services and ModSecurity on a CentOS server and wrote rules to block several attacks: HTTP fingerprinting, brute force, XSS and SQL injection.
What has not been done:
- As there was no real server system, the lab model of this project was built only inside a LAN.
- The rules used are not yet flexible.
Directions for further development:
- deploy and develop more rules for new forms of attack
- combine ModSecurity and iptables to counter DoS and DDoS attacks
- build and deploy ModSecurity on a real web server system
