You are on page 1of 17

Defending Web Services using Mod Security (Apache

)
Methodology and Filtering Techniques

Abstract
Web services are vulnerable to several attacks. These attacks can lead to information leakage and further aid in remote command execution. By using WSDL an attacker can determine an access point and available interfaces for web services. These interfaces or methods take inputs using SOAP over HTTP/HTTPS. If these inputs are not defended well at the source code level, they can be compromised and exploited. ModSecurity operates as an Apache Web server module, ideal for defending web services against attacks that also include malicious POST variable content. This paper describes techniques to defend your web services layer using mod_security.

Pre-requisites
Familiarity with the Apache Web server, the basics of web services (WSDL, SOAP and HTTP) and working knowledge of mod_security is required in order to understand the content included in this paper.

Shreeraj Shah
Co-Author: "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and published several advisories on security flaws. shreeraj@net-square.com http://www.net-square.com

.....................................................................xml: .................................................................................................................................................................................................................................................................................................................................................................................. 3 Sending HEAD request to server: ...................................................................... 12 Blocking SQL injection attacks: ............. 7 DEFENDING WEB SERVICES INPUTS . 1 PRE-REQUISITES... 10 Filtering meta characters:........................... 5 METHOD/INTERFACE INFORMATION DERIVED FROM WSDL.......................................................................................................................................................................................................................................................... 7 DEFENDING WEB SERVICE ........................................................................................................................................................................................................... 3 Tomcat integrated with Apache: .......................................................................................................................................................................................................... 3 DEPLOYMENT SCENARIO: .................................................................... 3 Axis web................................................................................................................................................................................................................................................................................... 4 APPLYING DIRECTIVES: AN EXAMPLE ................................................. 15 CONCLUSION ....Net Square TABLE OF CONTENTS ABSTRACT............................................................................................................................................................................................................................................................................................................................................. .............................................. Shreeraj Shah Defending web services using mod_secrurity [2] ..................... 6 Request sent to 192............................................... 3 Loading mod security ......................................................................................................................................................................................................................................................................................... 6 INVOKING THE WEB SERVICE OVER HTTP ....................................................... 14 Blocking fault codes from leaking out:................................... 7 GLUING WEB SERVICES RESOURCE INTO MOD_SECURITY ..................................................................................................................... ................................................... 17 Acknowledgement Lyra Fernandes for her help on documentation..............7..................... 9 Trapping id using regex: ............ 6 Response from server...... 1 INTRODUCTION .............................................................. 4 SAMPLE WEB SERVICE................................................................................................................................................................................................................... 9 Locking variable length: ..............168..50 over port 80..............

0 HTTP/1.0. Apache httpd.en Vary: negotiate.4 Content-Location: index.html.so JkSet config.7d mod_jk2/2. <servlet-mapping> <servlet-name>AxisServlet</servlet-name> <url-pattern>*. a web service may be running on Tomcat/Axis and plugged into Apache Web server.properties … Axis web.0. 03 Jan 2005 18:58:32 GMT Shreeraj Shah Defending web services using mod_secrurity [3] .accept-language. 03 Jan 2005 18:58:32 GMT Server: Apache/2. The simplest of web services is created using java code (.50 (Unix) mod_ssl/2.file /usr/local/apache2/conf/workers2.xml: All jws files will be processed by AxisServlet and provide a web services deployment framework.conf must be modified to allow support for Tomcat requests.1c4e6-961-8562af00" Accept-Ranges: bytes Content-Length: 1456 Connection: close Content-Type: text/html. For example.9. charset=ISO-8859-1 Content-Language: en Expires: Mon.1 200 OK Date: Mon.Net Square Introduction Deployment Scenario: Web services are deployed in many different ways.accept-charset TCN: choice Last-Modified: Fri.7.50 80 HEAD / HTTP/1. 04 May 2001 00:01:18 GMT ETag: "1c4d0-5b0-40446f80.jws</url-pattern> </servlet-mapping> Sending HEAD request to server: C:\>nc 192.conf LoadModule jk2_module modules/mod_jk2.168.50 OpenSSL/0.jws extension) Tomcat integrated with Apache: The Apache configuration file httpd.0.

0.conf to apply filtering rules.modsecurity.50 (Unix) and supported by the Tomcat module mod_jk2/2. The following line in httpd. we need to modify httpd.log.conf loads the security module.c> # Turn the filtering engine On or Off SecFilterEngine On SecFilterDefaultAction "deny.status:500" SecFilterScanPOST On # Make sure that URL encoding is valid SecFilterCheckURLEncoding On SecFilterCheckCookieFormat On # Unicode encoding check SecFilterCheckUnicodeEncoding Off # Only allow bytes from this range SecFilterForceByteRange 1 255 # Only log suspicious requests SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog logs/audit_log SecFilterSelective REQUEST_METHOD "!^GET$" chain SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" Shreeraj Shah Defending web services using mod_secrurity [4] .conf LoadModule security_module … modules/mod_security.0.4. Loading mod security To provide a defense at the web services level. we have loaded the mod_security module that provides application filtering capabilities.so Next.org. Apache httpd.conf where directives for mod_security are applied. The screenshot below shows the section where the directives need to be applied. <IfModule mod_security. Installation of mod_security and other relevant information can be found on http://www. Applying directives: An example A section of the configuration file httpd.Net Square The above request suggests that the web server is Apache/2.

xmlsoap.org/soap/encoding/" namespace="http://192.org/2001/XMLSchema"> <wsdl:message name="getInputResponse"> <wsdl:part name="getInputReturn" type="xsd:string"/> </wsdl:message> <wsdl:message name="getInputRequest"> <wsdl:part name="id" type="xsd:string"/> </wsdl:message> <wsdl:portType name="modsec"> <wsdl:operation name="getInput" parameterOrder="id"> <wsdl:input message="impl:getInputRequest" name="getInputRequest"/> <wsdl:output message="impl:getInputResponse" name="getInputResponse"/> </wsdl:operation> </wsdl:portType> <wsdl:binding name="modsecSoapBinding" type="impl:modsec"> <wsdlsoap:binding style="rpc" transport="http://schemas.168.168. Sample web service For our example.7.7.168. we shall consider a sample web service at the following URL: http://192.168.xmlsoap.jws" use="encoded"/> </wsdl:output> Shreeraj Shah Defending web services using mod_secrurity [5] .xmlsoap.org/soap/http"/> <wsdl:operation name="getInput"> <wsdlsoap:operation soapAction=""/> <wsdl:input name="getInputRequest"> <wsdlsoap:body encodingStyle="http://schemas.jws" xmlns="http://schemas.xmlsoap.50/axis/modsec.50/axis/modsec.xmlsoap.50/axis/modsec.w3. Restart Apache Web server and make sure everything is in place.7.7.jws We can obtain a WSDL response for this specific web service from following URL http://192.Net Square SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" SecFilterSelective HTTP_Transfer-Encoding "!^$" </IfModule> We now have the entire defense plan in place.xmlsoap.168.jws" xmlns:soapenc="http://schemas.50/axis/modsec.org/wsdl/" xmlns:wsdlsoap="http://schemas.apache.org/xml-soap" xmlns:impl="http://192.7.org/soap/encoding/" namespace="http://DefaultNamespace" use="encoded"/> </wsdl:input> <wsdl:output name="getInputResponse"> <wsdlsoap:body encodingStyle="http://schemas.org/soap/encoding/" xmlns:wsdl="http://schemas.50/axis/modsec. We have Apache running with Tomcat/Axis on which any web services can be deployed.168.7.jws" xmlns:intf="http://192.org/wsdl/" xmlns:apachesoap="http://xml.org/wsdl/soap/" xmlns:xsd="http://www.0" encoding="UTF-8"?> <wsdl:definitions targetNamespace="http://192.jws?wsdl <?xml version="1.xmlsoap. At the same time we have ModSecurity loaded on the server.50/axis/modsec.

<wsdl:message name="getInputResponse"> <wsdl:part name="getInputReturn" type="xsd:string"/> </wsdl:message> <wsdl:message name="getInputRequest"> <wsdl:part name="id" type="xsd:string"/> </wsdl:message> Invoking the web service over HTTP Request sent to 192.jws"/> </wsdl:port> </wsdl:service> </wsdl:definitions> Method/Interface information derived from WSDL We scrutinize the WSDL response obtained as a result of the http request passed in the previous step.168.50/axis/modsec. POST /axis/modsec.jws" use="encoded"/> </wsdl:output> getInput is the invocation method.168. The parameter is also disclosed – “id” which accepts and sends a string as output. charset=utf-8 SOAPAction: "" Content-Length: 573 Expect: 100-continue Shreeraj Shah Defending web services using mod_secrurity [6] .org/soap/encoding/ namespace="http://DefaultNamespace" use="encoded"/> </wsdl:input> <wsdl:output name="getInputResponse"> <wsdlsoap:body encodingStyle=http://schemas.7.xmlsoap.0 Content-Type: text/xml.xmlsoap.Net Square </wsdl:operation> </wsdl:binding> <wsdl:service name="modsecService"> <wsdl:port binding="impl:modsecSoapBinding" name="modsec"> <wsdlsoap:address location="http://192.7. This is a very simple echo web service. Of specific interest here is the invocation method for this web service. <wsdl:operation name="getInput"> <wsdlsoap:operation soapAction=""/> <wsdl:input name="getInputRequest"> <wsdlsoap:body encodingStyle=http://schemas.168.50 over port 80.7.50/axis/modsec.jws HTTP/1.org/soap/encoding/ namespace="http://192.

168.w3.50 OpenSSL/0.xmlsoap.168.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.9.jws/encodedTypes" xmlns:xsi="http://www.status:500" [7] Shreeraj Shah Defending web services using mod_secrurity .xmlsoap.w3.168.jws" xmlns:types="http://192.org/2001/XMLSchema" xmlns:xsi="http://www.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.7.7.org/soap/encoding/" xmlns:ns1="http://DefaultNamespace"> <ns1:getInputReturn xsi:type="xsd:string">hi</ns1:getInputReturn> </ns1:getInputResponse> </soapenv:Body> </soapenv:Envelope> Gluing web services resource into mod_security We have our web service resource loaded at the following URL.168.charset=utf-8 Connection: close <?xml version="1.50 <?xml version="1.7.50/axis/modsec.jws It’s generally a good idea to create a rule set for this resource.org/2001/XMLSchema-instance" xmlns:xsd="http://www.0.xmlsoap. Path=/axis Content-Type: text/xml.7.0.xmlsoap.org/2001/XMLSchema-instance"> <soapenv:Body> <ns1:getInputResponse soapenv:encodingStyle="http://schemas. http://192.Net Square Host: 192.4 Set-Cookie: JSESSIONID=69C6540CC427A8B064C0795ADDFC20EA.50/axis/modsec.7d mod_jk2/2.log.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas. To do so we have to glue our resource into httpd.conf in following way.w3.org/soap/encoding/" xmlns:tns="http://192. HTTP/1.50 (Unix) mod_ssl/2.w3.org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas. 03 Jan 2005 19:24:10 GMT Server: Apache/2.org/soap/envelope/" xmlns:xsd="http://www.0.org/soap/encoding/"> <q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:string">hi</id></q1:getInput> </soap:Body></soap:Envelope> Response from server. <IfModule mod_security.50/axis/modsec.1 200 OK Date: Mon.c> SecFilterEngine On SecFilterDefaultAction "deny.

SecFilterInheritance Off Shreeraj Shah Defending web services using mod_secrurity [8] .Net Square SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckCookieFormat On SecFilterCheckUnicodeEncoding Off SecFilterForceByteRange 1 255 SecAuditEngine RelevantOnly SecAuditLog logs/audit_log SecFilterSelective REQUEST_METHOD "!^GET$" chain SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" SecFilterSelective HTTP_Transfer-Encoding "!^$" # ------.log. These will add the required placeholders for the defense of the web service and are specified in the <Location> block.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On </Location> #--------------------------------------------------------------</IfModule> The following directive block will apply filtering criteria for /axis/modsec.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On </Location> #--------------------------------------------------------------</IfModule> Explained below are two of the directives.log.jws> SecFilterInheritance Off SecFilterDefaultAction "deny.jws> SecFilterInheritance Off SecFilterDefaultAction "deny. # ------.Rules for web services -------------------------<Location /axis/modsec.Rules for web services -------------------------<Location /axis/modsec.jws.

org/2001/XMLSchema"><soap:Body soap:encodingStyle="http://schemas.org/soap/encoding/"> <q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:string">hi</id></q1:getInput> </soap:Body></soap:Envelope> In the above block <id xsi:type="xsd:string">hi</id> is the key XML block in which value can be passed. Objective is to define value passed in parameter called “id” and reject suspicious values in it.org/soap/encoding/" xmlns:tns="http://192.org/2001/XMLSchema-instance" xmlns:xsd="http://www. charset=utf-8 SOAPAction: "" Content-Length: 573 Expect: 100-continue Host: 192.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.168.7. we are enabling POST filtering using the line below: SecFilterScanPOST On Defending web services inputs The following input will be passed to the web service.0 Content-Type: text/xml.xmlsoap.w3. is shown below: <Location /axis/modsec.7.168.jws> SecFilterInheritance Off SecFilterDefaultAction "deny.7. Web services invocation methods go over POST.168.50/axis/modsec. Hence.jws" xmlns:types="http://192.jws/encodedTypes" xmlns:xsi="http://www. POST /axis/modsec.log.xmlsoap. Trapping id using regex: ModSsecurity provides ways to trap a value passed through a POST request. One of the ways to trap the request made for “id” using filters.xmlsoap.50/axis/modsec.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain Shreeraj Shah Defending web services using mod_secrurity [9] .50 <?xml version="1.w3.jws HTTP/1.Net Square This line will turn off all other rules and provide a clean space for a new rule set. specific to this location only.org/soap/envelope/" xmlns:soapenc="http://schemas.

}</\s*id\s*>" "deny. charset=utf-8 SOAPAction: "" Content-Length: 576 Expect: 100-continue Host: 192. Request: hello POST /axis/modsec.Net Square </Location> In above directive block.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>. The following rule will defend variable “id” against precisely this type of attack <Location /axis/modsec.{6.jws> SecFilterInheritance Off SecFilterDefaultAction "deny. let us send across two responses.log. This regex pattern will capture the data block with “id” call and proceed with the rest of the checks since a “chain” directive is also applied. In order to ascertain the effect of the above directive block.status:500" </Location> In above directive. somewhere down the line during execution. one that matches the buffer length set and the other exceeding the buffer length set in the directive block shown above. the following line will trap the request made to “id” SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain “POST_PAYLOAD” will intercept the POST data block and look for regular expression pattern ("<\s*id[^>]*>”).50 <?xml version="1.7.{6.jws HTTP/1. Locking variable length: One of the major security issues is passing a large buffer to a variable. This is so because this large buffer may cause the application to misbehave and/or crash.}</\s*id\s*>" will restrict the buffer and only allow a buffer of 5 characters.168.0" encoding="utf-8"?> Shreeraj Shah Defending web services using mod_secrurity [10] .0 Content-Type: text/xml. the regular expression pattern "<\s*id[^>]*>.

Net Square <soap:Envelope xmlns:soap="http://schemas.w3.50/axis/modsec.org/soap/encoding/" xmlns:ns1="http://DefaultNamespace"> <ns1:getInputReturn xsi:type="xsd:string">hello</ns1:getInputReturn> </ns1:getInputResponse> </soapenv:Body> </soapenv:Envelope> In the above case.w3. a buffer of 5 characters was able to pass and we got a response hello.org/soap/envelope/" xmlns:xsd="http://www.jws" xmlns:types="http://192. instead of hello and assess the response: Request: hello1 POST /axis/modsec.org/2001/XMLSchema-instance"> <soapenv:Body> <ns1:getInputResponse soapenv:encodingStyle="http://schemas.charset=utf-8 Connection: close <?xml version="1.jws/encodedTypes" xmlns:xsi="http://www.w3. echoed back.0 Content-Type: text/xml.org/soap/encoding/"> <q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:string">hello</id></q1:getInput> </soap:Body> </soap:Envelope> Response HTTP/1.0.50 OpenSSL/0.jws HTTP/1.xmlsoap.org/soap/encoding/" xmlns:tns="http://192.50 (Unix) mod_ssl/2.7d mod_jk2/2.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.xmlsoap. charset=utf-8 SOAPAction: "" Content-Length: 577 Expect: 100-continue Shreeraj Shah Defending web services using mod_secrurity [11] .0.168.org/2001/XMLSchema"> <soap:Body soap:encodingStyle="http://schemas. Path=/axis Content-Type: text/xml. 03 Jan 2005 22:00:21 GMT Server: Apache/2.org/soap/envelope/" xmlns:soapenc="http://schemas.0.org/2001/XMLSchema" xmlns:xsi="http://www.xmlsoap.7. Now let’s try sending across a request hello1 (six characters).7.xmlsoap. sent in our request block.1 200 OK Date: Mon.9.168.50/axis/modsec.4 Set-Cookie: JSESSIONID=DD892724132D7525362A2543F2C29B4C.

50 <?xml version="1.1 500 Internal Server Error Date: Mon.168.7d mod_jk2/2. thereby providing a sound defense against any kind of buffer overflow. and anything you might have done that may have caused the error.168.7.50 OpenSSL/0.50 Port 80</address> </body></html> This request is rejected by mod_security module and status 500 was sent back. single quote (‘) or double quotes (“) etc.w3.7.</p> <p>Please contact the server administrator.com and inform them of the time the error occurred.50/axis/modsec.org/2001/XMLSchema"> <soap:Body soap:encodingStyle="http://schemas.50/axis/modsec.</p> <hr /> <address>Apache/2.0.org/soap/encoding/"> <q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:string">hello1</id></q1:getInput> </soap:Body></soap:Envelope> Response HTTP/1. This indicates that the request never hit the web services level.7.4 Content-Length: 657 Connection: close Content-Type: text/html.w3.0.50 (Unix) mod_ssl/2.0. Filtering meta characters: Another major threat to variables are meta characters like %.org/2001/XMLSchema-instance" xmlns:xsd="http://www.168.4 Server at 192.0.9.xmlsoap.jws" xmlns:types="http://192.org/soap/encoding/" xmlns:tns="http://192.org/soap/envelope/" xmlns:soapenc="http://schemas.0.168. the most common and often ignored vulnerability.xmlsoap. 03 Jan 2005 22:00:33 GMT Server: Apache/2.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.50 OpenSSL/0. Shreeraj Shah Defending web services using mod_secrurity [12] . charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.9.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or misconfiguration and was unable to complete your request. These characters can cause SQL injection attacks to occur and may also cause unnecessary information leakage.7.jws/encodedTypes" xmlns:xsi="http://www. you@example.0.Net Square Host: 192.50 (Unix) mod_ssl/2.</p> <p>More information about this error may be available in the server error log.xmlsoap.7d mod_jk2/2.

0 Content-Type: text/xml.{6.50 OpenSSL/0.status:500" </Location> The regular expression pattern "<\s*id[^>]*>.status:500" SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.w3.168.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.org/2001/XMLSchema-instance" xmlns:xsd="http://www.7.168.50 (Unix) mod_ssl/2.Net Square Adopting the following strategy will provide a sound defense against such attacks.0.0.+['\"%][^<]*</\s*id\s*>" denies serving an HTTP response if a variable’s POST PAYLOAD consists of any of the following characters: ‘ or “ or %.50/axis/modsec. 03 Jan 2005 22:00:33 GMT Server: Apache/2.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.jws HTTP/1. Request: hi’hi POST /axis/modsec.0.168.50 <?xml version="1.9.xmlsoap.7.1 500 Internal Server Error Date: Mon.log.org/soap/envelope/" xmlns:soapenc="http://schemas.}</\s*id\s*>" "deny.jws> SecFilterInheritance Off SecFilterDefaultAction "deny.jws/encodedTypes" xmlns:xsi="http://www.7d mod_jk2/2.+['\"%][^<]*</\s*id\s*>" "deny.jws" xmlns:types="http://192.50/axis/modsec. <Location /axis/modsec.w3.org/soap/encoding/" xmlns:tns="http://192.7.4 Shreeraj Shah Defending web services using mod_secrurity [13] .org/soap/encoding/"> <q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:string">hi'hi</id></q1:getInput> </soap:Body> </soap:Envelope> Response: 500 Internal Server Error HTTP/1.xmlsoap.org/2001/XMLSchema"> <soap:Body soap:encodingStyle="http://schemas. charset=utf-8 SOAPAction: "" Content-Length: 576 Expect: 100-continue Host: 192.xmlsoap.

*select.50 (Unix) mod_ssl/2. it is also possible to lock down variable types using appropriate regex patterns containing \d or \w.{6.log.+from[^<]*</\s*id\s*>" "deny.jws> SecFilterInheritance Off SecFilterDefaultAction "deny.0.0.}</\s*id\s*>" "deny.status:500" SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>. you@example.9.}</\s*id\s*>" "deny.</p> <hr /> <address>Apache/2. Concatenating together many SQL statements is possible.50 OpenSSL/0.status:500" can be used to restrict inputs to integer values only.+from[^<]*</\s*id\s*>" "deny. If input is not sanitized.com and inform them of the time the error occurred.*select.4 Server at 192. and anything you might have done that may have caused the error.50 Port 80</address> </body></html> Similarly.+['\"%][^<]*</\s*id\s*>" "deny.7. often with disastrous consequences. additional SQL statements can be appended to existing SQL queries.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p> <p>Please contact the server administrator. Block SQL injection attacks by adding the following directives: <Location /axis/modsec.status:500" Shreeraj Shah Defending web services using mod_secrurity [14] .status:500" </Location> SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>. charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain #SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>. Blocking SQL injection attacks: It is also possible to inject SQL statements in variables.Net Square Content-Length: 657 Connection: close Content-Type: text/html.168.</p> <p>More information about this error may be available in the server error log. For example SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>\d{6.0.status:500" SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.7d mod_jk2/2.

charset=utf-8 SOAPAction: "" Content-Length: 569 Expect: 100-continue Host: 192.charset=utf-8 Connection: close <?xml version="1.0.org/2001/XMLSchema" xmlns:xsi="http://www.168.w3.7d mod_jk2/2. .org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.1 500 Internal Server Error Date: Tue.50 (Unix) mod_ssl/2.w3.0 Content-Type: text/xml.org/2001/XMLSchema-instance" xmlns:xsd="http://www.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas. Request: a POST /axis/modsec.” clause and if detected.168.9. Blocking fault codes from leaking out: One of the major sources of information in web services is faultcode. 04 Jan 2005 16:22:14 GMT Server: Apache/2.w3.jws" xmlns:types="http://192.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.0.org/soap/envelope/" xmlns:xsd="http://www.xmlsoap.50/axis/modsec.org/soap/encoding/"> <q1:getInput xmlns:q1="http://DefaultNamespace"><id xsi:type="xsd:int">a</id></q1:getInput> </soap:Body> </soap:Envelope> In the above case we are requesting for character “a” in variable id which expects an integer as input. Similarly.7.jws HTTP/1. Path=/axis Content-Type: text/xml.7.jws/encodedTypes" xmlns:xsi="http://www. SQL statements for delete. A forced error on the server can create faultcode.Net Square The above line will look for the “select * from . will send back 500.xmlsoap. Response: 500 Internal Server Error HTTP/1.50/axis/modsec. update etc can also be added.w3.4 Set-Cookie: JSESSIONID=1CAF4CD0ED0F38FB40ECBC7BDAB56C75.50 <?xml version="1.userException</faultcode> Shreeraj Shah Defending web services using mod_secrurity [15] .org/2001/XMLSchema-instance"> <soapenv:Body> <soapenv:Fault> <faultcode>soapenv:Server. .0.xmlsoap.7.168.org/2001/XMLSchema"> <soap:Body soap:encodingStyle="http://schemas.org/soap/encoding/" xmlns:tns="http://192.50 OpenSSL/0.

7d mod_jk2/2.{6.1 500 Internal Server Error Date: Mon. Now if we send the above request again with “a” in the integer field we will get a response that resembles the output shown below: HTTP/1.a&quot.50 (Unix) mod_ssl/2.log.NumberFormatException: For input string: &quot.status:500" SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>. faultcode may disclose critical internal information – reason enough to define an apply filters.}</\s*id\s*>" "deny. we apply the following rules: <Location /axis/modsec.status:500" SecFilterScanPOST On SecFilterCheckURLEncoding On SecFilterCheckUnicodeEncoding On SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.status:500" </Location> SecFilterScanOutput On This line will scan an output data block and apply defined filters. SecFilterSelective OUTPUT "faultcode" "deny.50 OpenSSL/0.</faultstring> <detail/> </soapenv:Fault> </soapenv:Body> </soapenv:Envelope> As we can see from the response screenshot above.4 Content-Length: 657 Connection: close Content-Type: text/html.0.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> Shreeraj Shah Defending web services using mod_secrurity [16] .status:500" SecFilterScanOutput On SecFilterSelective OUTPUT "faultcode" "deny.0.status:500" This will block out going traffic which has “faultcode” in it.+['\"%][^<]*</\s*id\s*>" "deny.9.lang.Net Square <faultstring>java.jws> SecFilterInheritance Off SecFilterDefaultAction "deny. charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2. In our example. 03 Jan 2005 22:00:33 GMT Server: Apache/2.0.

Users are free to choose their own techniques of defending web services.0.0. However. and anything you might have done that may have caused the error.</p> <hr /> <address>Apache/2.4 Server at 192.50 (Unix) mod_ssl/2. While providing intrusion detection and defense capabilities at the HTTP layer.9.50 OpenSSL/0.Net Square <h1>Internal Server Error</h1> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p> <p>More information about this error may be available in the server error log. mod_security also allows POST PAYLOAD filtering capabilities.7.168. the advantage mod_security offers is allowing developers and web administrators to defend web services without actually modifying the source code. Shreeraj Shah Defending web services using mod_secrurity [17] .0. but there is a subtle advantage over other security tools already available.com and inform them of the time the error occurred. This does not mean that shabby code is tolerable.7d mod_jk2/2.</p> <p>Please contact the server administrator. you@example.50 Port 80</address> </body></html> Conclusion ModSecurity may seem like just another tool in the security firmament. it simply means that an effective defense of web services can be mounted without having to run through numerous lines of code. This paper focused on just one of the techniques securing web services and an effective one too.