TABLE OF CONTENTS
INTRODUCTION
LIST OF FIGURES
LIST OF TABLES
CHAPTER I: OVERVIEW OF THE HTTP PROTOCOL
  1.1. General introduction
    1.1.1. URI (Uniform Resource Identifiers)
    1.1.2. Some commonly used methods
  1.2. HTTP messages
    1.2.1. Structure of an HTTP message
    1.2.2. Fields in the HTTP header
CHAPTER II: MODSECURITY
  2.1. Understanding ModSecurity
    2.1.1. The ModSecurity concept
    2.1.2. Capabilities of ModSecurity
    2.1.3. Request processing in Apache and ModSecurity
  2.2. Rules
    2.2.1. ModSecurity Core Rules
    2.2.2. Configuring directives
    2.2.3. Variables and collections
    2.2.4. Transformation functions
CHAPTER III: BUILDING POLICIES ON ModSecurity
INTRODUCTION
In recent years web applications have grown very rapidly; almost everyone has heard of and worked with them. Websites have become widespread and an important part of daily life, especially for businesses and organisations. The more popular web applications become, the more sophisticated the attacks against them become. This raises the question of how necessary web application security is. Many organisations and companies deploy web application firewalls to protect their web application servers, such as the Imperva, CheckPoint or ModSecurity products. Of these, Imperva and Checkpoint are commercial products, while ModSecurity is an open-source product.
For that reason, in this project our group has chosen to research and deploy a ModSecurity system ("Research and deployment of a ModSecurity system"), with the aim of building policies that prevent some of today's common attacks on web applications, such as HTTP Fingerprinting, Brute Force, Cross Site Scripting (XSS), SQL Injection and DoS attacks. Within the scope of this project, our group presents the material in 3 main parts, as follows:
Chapter 1: Overview of the HTTP protocol
In this part our group introduces URIs and some of the methods commonly used by HTTP, and explains how HTTP works and the structure of a request/response message.
Chapter 2: ModSecurity
In this part our group gives an overview of ModSecurity, how ModSecurity works and how Apache and ModSecurity process requests. It also introduces the syntax of a rule and the components it is made of.
Chapter 3: Building policies on ModSecurity to counter a number of attacks on web applications.
LIST OF FIGURES
Figure 1-1 HTTP protocol basics
Figure 1-2 Full structure of a URI
Figure 1-3 The GET method
Figure 1-4 Web form POST
Figure 1-5 POST operation
Figure 1-6 PUT operation
Figure 1-7 File deletion with DELETE
Figure 1-8 Structure of an HTTP request message
Figure 1-9 Some examples of HTTP message content
Figure 1-10 A concrete example of a Request-Line
Figure 1-11 Structure of an HTTP response message
Figure 1-12 HTTP response
Figure 1-13 The Status-Line field in detail
Figure 1-14 Example of HTTP headers
Figure 2-1 ModSecurity overview model
Figure 2-2 Request processing in Apache and ModSecurity
Figure 2-3 Before configuring ModSecurity
Figure 2-4 After basic ModSecurity configuration
Figure 3-1 ModSecurity deployment model
Figure 3-2 Result of the HTTP Fingerprinting attack
Figure 3-3 Result of blocking the HTTP Fingerprinting attack
Figure 3-4 Result of blocking the Brute-force attack
Figure 3-5 Result of the XSS attack
Figure 3-6 Result of blocking the XSS attack
Figure 3-7 Result of the SQL Injection attack
Figure 3-8 Result of blocking the SQL Injection attack
LIST OF TABLES
Table 2-1 Directive types in ModSecurity
Table 2-2 ModSecurity transformation functions
Table 2-3 String matching operators
Table 2-4 Comparison operators
Table 2-5 Validation operators
Table 2-6 Miscellaneous operators
Table 3-1 Characters that should be encoded to block XSS attacks
Table 3-2 Statements commonly used in SQL Injection attacks
GET
Used by the client to fetch a particular object or resource.
POST
Whereas GET lets a server send information to the client,
DELETE
With GET and PUT, the HTTP protocol becomes a protocol for transferring
HEAD
HEAD operates like GET, except that the server does not
Figure 1-10 A concrete example of a Request-Line
1.2.2. Fields in the HTTP header
They are not presented in full here; readers can refer to http://tools.ietf.org/html/rfc2068.
CHAPTER II - MODSECURITY
2.1. Understanding ModSecurity
2.1.1. The ModSecurity concept
2.1.2. Capabilities of ModSecurity
2.1.3. Request processing in Apache and ModSecurity
2.2. Rules
2.2.1. ModSecurity Core Rules
The core rules are published on the ModSecurity website at www.modsecurity.org/projects/rules/. To provide broad protection for web applications, the core rules cover the following:
2.2.2. Configuring directives
Table 2-1 Directive types in ModSecurity
Directive            Description
SecAction
SecDefaultAction
SecMarker
SecRule              Creates a rule.
SecRuleInheritance
SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleScript
Examples:
- SecRule ARGS "<script>" "log,deny,status:404"
- SecRule HTTP_User-Agent "Mozilla" "phase:1,deny,log,msg:'deny mozilla'"
2.2.3. Variables and collections
There are currently more than 70 variables available in ModSecurity. ModSecurity uses two kinds of variables: standard variables (which simply hold a single value) and collections (which can hold more than one value). An example of a collection is REQUEST_HEADERS, which contains all the header fields the client sent to the server, such as User-Agent or Referer.
SecRule REQUEST_HEADERS:User-agent "hacker" "log,deny,status:404"
With the rule above we can only check the data in the User-agent field. To check the data across all collections we use the ARGS variable. For example, to check for the presence of the string hacker across all collections we use the following rule:
SecRule ARGS hacker log,deny,status:404
Below are some of the supported variables and collections:
- HTTP: this is a special prefix followed by the name of a header, and it can be used to block access based on request headers. For example:
SecRule HTTP_referer "at7a.kma/index.php" "phase:2,deny,nolog,status:404"
- ARGS: ARGS corresponds to QUERY_STRING | POST_PAYLOAD, the part of the URI after the ? character. For example, for /index.php?i=10 the QUERY_STRING is i=10.
- REMOTE_HOST: if HostnameLookups is set to On, this variable holds the remote host name resolved by DNS. If it is set to Off, it holds the IP address. This variable can be used to refuse dangerous clients or blacklisted networks, or conversely to allow trusted hosts.
- ARGS_NAMES: the set of argument names. It can be searched for argument names that the administrator wants to forbid. In a scenario
SecRule REQBODY_PROCESSOR_ERROR "@eq 1" "deny,log,phase:2"
SecRule REQUEST_BASENAME "^login\.php$" "allow,log,msg:'dang nhap',phase:2"
SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{6,}\&Login=Login$"
SecRule REQUEST_COOKIES_NAMES:PHPSESSID "@eq 1" "phase:2,deny"
2.2.4. Transformation functions
ModSecurity provides a number of transformation functions that we can apply to variables and collections. The transformations are performed on a copy of the data being inspected, which means the original HTTP request or response is left unchanged. This feature is very important. If we want to detect an XSS attack, we must detect the JavaScript code regardless of whether it is written in upper or lower case. To do this, a transformation function can be applied so that an upper-case string is compared as lower case. For example:
SecRule ARGS <script> deny,t:lowercase
The rule above blocks every URL containing the string <script> in any mix of case, such as sCript, ScRipt or SCRIPT.
The transformation functions of ModSecurity are as follows:
Table 2-2 ModSecurity transformation functions
Transformation function   Description
base64Encode
base64Decode              Decode from base64
cssDecode                 Decode CSS characters
escapeSeqDecode
hexEncode
hexDecode
htmlEntityDecode
jsDecode
length
lowercase
md5
urlDecode
urlDecodeUni

Table 2-3 String matching operators
Operator       Description
@beginsWith
@contains
@endsWith
@rx
@pm

Table 2-4 Comparison operators
Operator   Description
@eq        Equal
@ge        Greater or equal
@gt        Greater than
@le        Less or equal
@lt        Less than

Table 2-5 Validation operators
Operator
@validateByteRange
@validateSchema
@validateDTD
@validateUrlEncoding

Table 2-6 Miscellaneous operators
Operator
@rbl
@verifyCC
@verifyCPF
@verifySSN
@ipMatch
SecDefaultAction "phase:2,log,auditlog,pass"
SecRule REQUEST_BASENAME "^login\.php$"
In this way, ModSecurity lets you deploy rules more easily, without having to specify the same action over and over again:
SecDefaultAction "phase:2,log,deny,status:404"
SecRule ARGS X1
SecRule ARGS X2
SecRule ARGS Xn
2.3. Logging
Example:
[11/Dec/2013:23:36:22 --0800] [at7a.kma/sid#f0cfa0][rid#b6972c18] [/vulnerabilities/csrf/] [1] Access denied with code 403 (phase 2). Match of "rx ^192\\.168\\.1\\.16" against "REMOTE_ADDR" required. [file "/etc/httpd/conf.d/Modsecurity.conf"] [line "104"]
SecAuditEngine On
SecAuditLog logs/audit_log
Example audit log:
Message: Access denied with code 403 (phase 2). Match of "rx ^192\\.168\\.1\\.16" against "REMOTE_ADDR" required. [file "/etc/httpd/conf.d/Modsecurity.conf"] [line "104"]
Action: Intercepted (phase 2)
Stopwatch: 1386833782214868 4718 (2035 2927 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.15 (CentOS)
On: log all requests
Use of regular expressions in ModSecurity
From the above we can see that using regular expressions in programming, and especially in writing rules for ModSecurity, is very useful. Regular expressions make it possible to optimise rules in the simplest way while still retaining the ability to inspect the data stream. With patterns that are not regular expressions, every character would have to be spelled out, so a rule would become very long and processing would slow down considerably.
[root@webserver ~]# yum -y install pcre-devel    (install pcre)
- Extract the archive
[root@webserver ~]# tar xfvz modsecurity-apache_2.5.12.tar.gz
- Install ModSecurity
[root@webserver ~]# cd modsecurity-apache_2.5.12/apache2
[root@webserver apache2]# ./configure
[root@webserver apache2]# make
[root@webserver apache2]# make install
User-Agent hacker. The second rule uses the REMOTE_ADDR variable to specify an IP address, in this case 192.168.1.15. The (!) here negates the rule. Suppose the second rule did not use the exclamation mark (!): the two rules would then mean a User-Agent of hacker coming from IP address 192.168.1.15. When the exclamation mark (!) is used in the second rule, a request from IP address 192.168.1.15 with a User-agent of hacker will
3.2.1. Carrying out the attack before writing the rule that blocks it
The httprecon tool is used to run the attack against the server at7a.kma. The result shows that the server runs Apache version 2.2.15 on the CentOS operating system:
3.2.2.
<LocationMatch ^/login.php>
# initialise the IP collection
SecAction "initcol:ip=%{REMOTE_ADDR},pass,log,msg:'faile login'"
# detect an unsuccessful login
SecRule RESPONSE_BODY "Login failed" "phase:4,log,pass,setvar:ip.brute_force=+1,expirevar:ip.brute_force=300"
# redirect to nobru.html if the login fails more than 3 times
SecRule IP:BRUTE_FORCE "@gt 3" "redirect:/nobru.html"
</LocationMatch>
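To make the behaviour of the block above concrete, here is an added Python model of the same counter logic; it is not part of the report and does not run ModSecurity itself. It assumes the "@gt 3" rule runs in ModSecurity's default phase 2 (the report names no phase for it), so a client is redirected on the request after its fourth failed login, and that the counter disappears 300 s after its last increment:

```python
MAX_FAILURES = 3        # IP:BRUTE_FORCE "@gt 3"
WINDOW_SECONDS = 300    # expirevar:ip.brute_force=300


class BruteForceGuard:
    """Model of the <LocationMatch ^/login.php> rules: one counter per client
    address (initcol:ip=%{REMOTE_ADDR}), incremented on 'Login failed'
    responses and discarded 300 s after its last increment."""

    def __init__(self):
        # REMOTE_ADDR -> {"brute_force": count, "expires": unix time}
        self.ip = {}

    def _counter(self, addr, now):
        rec = self.ip.get(addr)
        if rec is None or now >= rec["expires"]:   # expired: variable is gone
            return 0
        return rec["brute_force"]

    def on_request(self, addr, now):
        """Request-phase check (assumed phase 2, ModSecurity's default when a
        rule names none): redirect once the counter is above MAX_FAILURES."""
        if self._counter(addr, now) > MAX_FAILURES:
            return "redirect:/nobru.html"
        return "pass"

    def on_response(self, addr, body, now):
        """Phase 4: setvar:ip.brute_force=+1 and expirevar:ip.brute_force=300
        when the response body contains 'Login failed'. Returns the counter."""
        if "Login failed" in body:
            self.ip[addr] = {"brute_force": self._counter(addr, now) + 1,
                             "expires": now + WINDOW_SECONDS}
        return self._counter(addr, now)


def simulate(attempts, start=1_000_000):
    """Replay `attempts` failed logins from one constructed client, one second
    apart, and return the request-phase decision for each attempt."""
    guard, addr, decisions = BruteForceGuard(), "192.168.1.15", []
    for i in range(attempts):
        now = start + i
        decisions.append(guard.on_request(addr, now))
        if decisions[-1] == "pass":
            guard.on_response(addr, "<p>Login failed</p>", now)
    return decisions
```

Because the check runs in an earlier phase than the increment, the fourth failure itself still passes; only the fifth request is redirected.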
3.3.3.
http://at7a.kma/vulnerabilities/xss_r/?name=<script>alert(document.cookie)</script>
Table 3-1 Characters that should be HTML-encoded to block XSS attacks: < > ( ) # & " '
SecRule ARGS "&\{.+}" "t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "<.+>" "t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "javascript:" "t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "script:" "t:lowercase,redirect:/noxss.html,msg:'XSS'"
SecRule ARGS "alert" "t:lowercase,redirect:/noxss.html,msg:'XSS'"
3.3.4.
OR 1 = 1 --
Table 3-2 Statements commonly used in SQL Injection attacks
SQL code            Pattern
UNION SELECT        union\s+select
UNION ALL SELECT    union\s+all\s+select
INTO OUTFILE        into\s+outfile
DROP TABLE          drop\s+table
ALTER TABLE         alter\s+table
LOAD_FILE           load_file
SELECT FROM         select\s+from
OR                  or\s
AND                 and\s
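As an added example that is not part of the report, the following Python code models how the XSS rules of section 3.3.3 and the SQL Injection patterns of Table 3-2 behave once t:lowercase (section 2.2.4) has been applied to a copy of each ARGS value; the argument values are constructed here, and the "SQLi" label and the assumption that the SQL rules block are ours. It also shows that the bare or\s and and\s patterns fire on ordinary English text, which is why such rules need tuning before they are set to block:

```python
import re

# Patterns copied from the report's XSS rules (3.3.3) and Table 3-2 (3.3.4).
# "XSS" is the msg the report's rules carry; "SQLi" is our own label.
XSS_PATTERNS = [r"&\{.+}", r"<.+>", r"javascript:", r"script:", r"alert"]
SQLI_PATTERNS = [
    r"union\s+select", r"union\s+all\s+select", r"into\s+outfile",
    r"drop\s+table", r"alter\s+table", r"load_file", r"select\s+from",
    r"or\s", r"and\s",
]
RULES = [("XSS", p) for p in XSS_PATTERNS] + [("SQLi", p) for p in SQLI_PATTERNS]


def inspect_args(args):
    """Model of `SecRule ARGS "<pattern>" "t:lowercase,..."` for every rule.

    `args` maps parameter names to already URL-decoded values, which is how
    ModSecurity presents ARGS. Each value is lowercased on a copy
    (t:lowercase) and every pattern is searched with @rx semantics. Returns
    (argument, label, pattern) hits in rule order; `args` is never modified.
    """
    hits = []
    for name, value in args.items():
        lowered = value.lower()
        for label, pattern in RULES:
            if re.search(pattern, lowered):
                hits.append((name, label, pattern))
    return hits


def is_blocked(args):
    """True when at least one rule fires: the report's XSS rules redirect to
    /noxss.html, and we assume its SQL rules block as well."""
    return bool(inspect_args(args))


if __name__ == "__main__":
    # Constructed samples: the report's own XSS probe, an injection attempt,
    # a benign comment that trips and\s, and a clean query.
    samples = {
        "xss": {"name": "<ScRiPt>alert(document.cookie)</ScRiPt>"},
        "sqli": {"id": "1' UNION   SELECT user, password FROM users--"},
        "false positive": {"comment": "bread and butter"},
        "clean": {"q": "modsecurity rules"},
    }
    for label, args in samples.items():
        print(f"{label}: blocked={is_blocked(args)} hits={inspect_args(args)}")
```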
CONCLUSION
Over the time spent studying the topic "Securing web application servers with ModSecurity", our group had the opportunity to learn about application firewalls, specifically the open-source software ModSecurity. Because of limited time and deployment equipment, our group has not yet been able to deploy it in a real environment.
In this project the group achieved the following results:
- In theory, we came to understand the importance of ModSecurity
- We understood the operating principles and the role of ModSecurity
- We are able to write rules.
- In practice, our group installed the web services and ModSecurity on a CentOS server and wrote rules to block a number of attacks such as HTTP FingerPrinting, Brute Force, XSS and SQL Injection.
What has not been done
- Because there is no real server system, the lab deployment model for this project was only built inside a LAN.
- The rules used are not yet flexible.
Future development
- Deploy and develop additional rules for some new forms of attack.
- Combine ModSecurity with iptables to counter DoS and DDoS attacks.
- Build and deploy ModSecurity on a real web server system.