Open Source Web Entry Server - PowerPoint PPT Presentation

About This Presentation
Title:

Open Source Web Entry Server

Description:

Open Source Web Entry Server. Ivan Bütler: This talk is about web-application firewalls with pre-authentication, session hiding, content rewriting and filtering ... – PowerPoint PPT presentation

Slides: 30
Provided by: owaspOrg


Transcript and Presenter's Notes

Title: Open Source Web Entry Server


1
Open Source Web Entry Server
  • Ivan Bütler: This talk is about web-application
    firewalls with pre-authentication, session
    hiding, content rewriting and filtering
    capabilities with open-source software.

Ivan Bütler, Ivan.buetler@csnc.ch
2
About me
Ivan Bütler E1
  • Founder and Security Researcher at Compass
    Security, since 1999, Switzerland, www.csnc.ch
  • Speaker at BlackHat Las Vegas 2008: SmartCard
    (In)Security, APDU Analysis
  • Speaker at IT Underground Warsaw 2009: Advanced
    Web Hacking
  • Speaker at Swiss IT Leadership Forum Nice 2009:
    Cyber Underground
  • Lead, Swiss Cyber Storm 2011 Security Conference,
    12-15 May 2011, Switzerland,
    www.swisscyberstorm.com
  • Board member of Information Security Society
    Switzerland (ISSS)
  • Lecturing Activities: HSR, HSLU, FHSG

3
  • Win a Car! Wargame! USD 30,000 main prize
  • www.swisscyberstorm.com
  • May 12-15, 2011
  • Switzerland, near Zürich
  • OWASP Trainings planned!

4
Goal of this Talk
  • Learn how to turn the Apache web server into a
    front-end web-application firewall with
    pre-authentication, session hiding and URL
    authorization
  • We will play with Facebook as our backend
    application
  • The LiveCD includes all demos: www.hacking-lab.com

Hacking-Lab LiveCD
5
PCI DSS Requirement
6
Without a Web Application Firewall
Multiple connections into the DMZ; applications
directly accessible
7
Web App Firewall (WAF)
Web Application Firewall
  • Reverse Proxy to FB
  • Security Checks
  • Content Rewriting

TOOL TIP: mod_proxy
8
DEMO 1 & 2
  • Demo movies shown here are available in the
    Hacking-Lab OWASP Event: www.hacking-lab.com

9
Content Rewriting
www.myproxy.com
  • Relative URLs are not a problem!
  • Content rewriting is not required

www.fb.com
<link href="/css/mystyle.css" rel="stylesheet" type="text/css">
10
Content Rewriting
www.myproxy.com
  • Absolute URLs must be rewritten
  • Cookie domain must be rewritten
  • Cookie values must be rewritten (in some cases)

www.fb.com
<a href="http://www.fb.com/css/01.css" type="text/css">
TOOL TIP: mod_replace
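The rewriting rules of slides 9 and 10, worked through as an added Python example (this is not code from the talk, nor from mod_proxy or mod_replace): absolute URLs that point at the backend are rewritten to the proxy name, relative URLs pass through untouched, the Domain attribute of a backend Set-Cookie is rewritten, and, for the "in some cases" on slide 10, the cookie value can be passed through the same URL rewrite. The two host names are the ones on the slides; the helper names and the choice of https:// for the rewritten URL are assumptions.

```python
import re

# Host names taken from the slides; everything else in this file is an assumption.
BACKEND_HOST = "www.fb.com"
PROXY_HOST = "www.myproxy.com"

# An absolute URL pointing at the backend, optionally with a port, followed by a
# path, query, fragment, quote, whitespace, tag end, or end of string. The
# lookahead keeps look-alike hosts such as www.fb.com.evil.example from matching.
_ABS_BACKEND_URL = re.compile(
    r"https?://" + re.escape(BACKEND_HOST) + r"(?::\d+)?(?=[/?#\"'\s<>]|$)"
)


def rewrite_body(body: str) -> str:
    """Rewrite absolute backend URLs in an HTML/CSS/JS body (slide 10).

    Relative URLs such as /css/mystyle.css (slide 9) are left alone: the
    browser already resolves them against the proxy host it is talking to.
    """
    return _ABS_BACKEND_URL.sub("https://" + PROXY_HOST, body)


def rewrite_location(location: str) -> str:
    """Redirects are the most common absolute-URL leak; same rule as the body."""
    return _ABS_BACKEND_URL.sub("https://" + PROXY_HOST, location)


def rewrite_set_cookie(header: str, rewrite_value: bool = False) -> str:
    """Rewrite one backend Set-Cookie header for the proxy (slide 10).

    - Domain=www.fb.com (or .www.fb.com) becomes Domain=www.myproxy.com;
      otherwise the browser would never send the cookie back to the proxy.
    - With rewrite_value=True the cookie value is also put through the URL
      rewrite, for backends that store a return URL in a cookie.
    Other attributes (Path, Secure, HttpOnly, Expires, ...) are preserved.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return header
    name, sep, value = parts[0].partition("=")
    if rewrite_value:
        value = _ABS_BACKEND_URL.sub("https://" + PROXY_HOST, value)
    out = [name + sep + value]
    for attr in parts[1:]:
        key, eq, val = attr.partition("=")
        if key.lower() == "domain" and val.lstrip(".").lower() == BACKEND_HOST:
            # Keep a leading dot if the backend used one.
            val = ("." if val.startswith(".") else "") + PROXY_HOST
        out.append(key + eq + val)
    return "; ".join(out)
```

In Apache the same three rewrites are done by ProxyPassReverse (Location and similar headers), ProxyPassReverseCookieDomain (the cookie Domain attribute) and a response body filter such as mod_substitute or the mod_replace module named on the slide. Body rewriting is the fragile part: it has to see decompressed content, and it cannot reach URLs that client-side scripts assemble at run time.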
11
Demo 4
  • Request Header Patching, Cookie Value Patching

12
Web App Firewall
www.myproxy.com
  • The ModSecurity @inspectFile operator is simply a
    type of API that allows you to inspect file
    attachments

www.fb.com
< request filtering, e.g. SQL injection >
< response filtering, e.g. stack traces >
< inspect files, e.g. PDF exploit analysis >
TOOL TIP: mod_security
13
Demo 5 & 6
  • ModSecurity

14
Web Entry Server
  • Pre-Authentication
  • Delegated Login Service (DLS)
  • Session Hiding
  • URL Access Control
  • Principal Delegation to Backend App

TOOL TIP: mod_but
15
Web Entry Server - Swiss Blueprint -
Web Entry Server
  • Backend requests are always authenticated!
  • Strong forensic and logging capabilities

Central Login Service
16
Pre-Authentication: Principal Delegation
www.myproxy.com
www.fb.com
login.myproxy.com
17
Pre-Authentication: Single Sign On
  • IF SERVICE IS SSO ENABLED
  • Server gets initial request with UserID=1234 from
    WES
  • Server extracts UserID
  • Server creates a new, authenticated session
  • Server performs authorization only (no
    authentication of its own)
  • ALTERNATIVE
  • User must authenticate twice (SSO disabled)
  • Delegated Login Service (DLS)

IMPORTANT: The principal ticket should be an
encrypted/signed, timestamped value (against
replay attacks) instead of a plain-text UserID=1234!
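The IMPORTANT note above, worked through as an added Python example (not code from the talk or from mod_but): the WES issues an HMAC-signed ticket carrying the user ID, an issue timestamp and a random nonce; the backend accepts it only if the MAC verifies, the timestamp lies inside a short window and the nonce has not been presented before. The header name, the shared key, the 60 s window, the 5 s clock-skew allowance and the JSON payload layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example: one shared key per backend, provisioned out of
# band and rotated; a 60 s validity window; the ticket is carried in a request
# header on the WES -> backend hop only, so the browser never sees it.
TICKET_KEY = b"example-shared-secret-replace-me"
TICKET_TTL = 60                        # seconds a ticket stays valid
CLOCK_SKEW = 5                         # seconds of WES/backend clock difference tolerated
TICKET_HEADER = "X-Principal-Ticket"   # hypothetical header name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id: str, key: bytes = TICKET_KEY, now=None) -> str:
    """WES side: replace the plain 'UserID=1234' with a signed, timestamped,
    nonced ticket of the form <base64url(json)>.<hex(hmac-sha256)>."""
    payload = {
        "uid": user_id,
        "iat": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


class TicketVerifier:
    """Backend side: accept a ticket only if the MAC is valid, it is fresh,
    and its nonce has not been used before (replay protection)."""

    def __init__(self, key: bytes = TICKET_KEY, ttl: int = TICKET_TTL):
        self.key = key
        self.ttl = ttl
        self._seen = {}   # nonce -> time after which it can be forgotten

    def verify(self, ticket: str, now=None) -> str:
        """Return the user ID carried by a valid ticket; raise ValueError otherwise."""
        now = int(time.time() if now is None else now)
        body, sep, mac = ticket.rpartition(".")
        if not sep:
            raise ValueError("malformed ticket")
        # Check the MAC before decoding anything, with a constant-time compare.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("bad signature")
        payload = json.loads(_unb64(body))
        iat = int(payload["iat"])
        if iat > now + CLOCK_SKEW or now - iat > self.ttl:
            raise ValueError("expired or not yet valid")
        self._forget_old(now)
        nonce = payload["nonce"]
        if nonce in self._seen:
            raise ValueError("replayed")
        # Remember the nonce for as long as this ticket could still be presented.
        self._seen[nonce] = iat + self.ttl + CLOCK_SKEW
        return payload["uid"]

    def _forget_old(self, now: int) -> None:
        for nonce, until in list(self._seen.items()):
            if until < now:
                del self._seen[nonce]
```

This is the signed variant: anyone holding the ticket can read the user ID. On a WES-to-backend hop that is usually acceptable; if the principal itself is confidential or the hop is not trusted, encrypt the payload as well (an AEAD mode, authenticating over the ciphertext) instead of relying on the MAC alone. The nonce cache must be shared across backend instances, otherwise a ticket replayed against a second node would be accepted.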
18
Pre-Authentication - DLS: Delegated Login Service
www.myproxy.com
www.fb.com
IMPORTANT: The DLS authenticates on behalf of the user
into www.fb.com (it knows the credentials from the
user repository) -> non-origin cookies are then
set to www.myproxy.com
DLS
login.myproxy.com
19
Demo 7 - SSO
20
Web Forensics: NTP is not enough!
TOOL TIP: mod_unique_id, mod_headers
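Why synchronized clocks are not enough: several requests arrive in the same second, and the entry server's log and the backend's log can only be joined reliably on a per-request ID that the proxy generates (mod_unique_id) and forwards to the backend in a request header (mod_headers, e.g. `RequestHeader set X-Unique-ID %{UNIQUE_ID}e`), with both sides writing it to their access logs. The following is an added Python example, not code from the talk: the log lines are constructed, the random token stands in for mod_unique_id's own UNIQUE_ID encoding, and the header name and log formats are assumptions.

```python
import re
import secrets
from datetime import datetime

# Assumption: a 128-bit random token stands in for mod_unique_id's UNIQUE_ID
# encoding; the WES forwards it in the header below and logs it, and the
# backend logs the same value.
UNIQUE_ID_HEADER = "X-Unique-ID"   # hypothetical header name


def new_unique_id() -> str:
    return secrets.token_urlsafe(16)


# Constructed sample logs (not from the talk). Two clients request the same
# URL in the same second, and the backend's clock is 37 s ahead of the proxy's,
# so neither timestamps nor URLs can tell which backend user served which
# client. The third request never reaches the backend.
PROXY_LOG = """\
2011-05-12T10:00:00 Tq4x8W5s1mEAAAbc 10.0.0.5 "GET /home" 200
2011-05-12T10:00:00 Tq4x8W5s1mEAAAbd 10.0.0.9 "GET /home" 200
2011-05-12T10:00:02 Tq4x8W5s1mEAAAbe 10.0.0.5 "GET /admin" 403
"""

BACKEND_LOG = """\
2011-05-12T10:00:37 Tq4x8W5s1mEAAAbd user=bob 200
2011-05-12T10:00:37 Tq4x8W5s1mEAAAbc user=alice 200
"""

_PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+)" (\d{3})$')
_BACKEND_LINE = re.compile(r'^(\S+) (\S+) user=(\S+) (\d{3})$')


def parse_proxy(log: str) -> dict:
    """unique id -> {ts, ip, req, status} for the entry server's log."""
    out = {}
    for line in log.splitlines():
        m = _PROXY_LINE.match(line)
        if m:
            ts, uid, ip, method, path, status = m.groups()
            out[uid] = {"ts": datetime.fromisoformat(ts), "ip": ip,
                        "req": method + " " + path, "status": int(status)}
    return out


def parse_backend(log: str) -> dict:
    """unique id -> {ts, user, status} for the backend's log."""
    out = {}
    for line in log.splitlines():
        m = _BACKEND_LINE.match(line)
        if m:
            ts, uid, user, status = m.groups()
            out[uid] = {"ts": datetime.fromisoformat(ts), "user": user,
                        "status": int(status)}
    return out


def correlate(proxy_log: str, backend_log: str):
    """Join both logs on the unique ID.

    Returns (joined, proxy_only): joined maps id -> merged record including the
    observed clock skew in seconds; proxy_only lists requests the backend never
    saw, which with a WES in front means they were stopped at the entry server.
    """
    proxy, backend = parse_proxy(proxy_log), parse_backend(backend_log)
    joined = {}
    for uid, rec in proxy.items():
        if uid in backend:
            skew = (backend[uid]["ts"] - rec["ts"]).total_seconds()
            joined[uid] = dict(rec, user=backend[uid]["user"], skew_s=skew)
    return joined, sorted(set(proxy) - set(backend))
```

The skew_s field is a useful side effect of the join: once every request is matched by ID, the difference between the two timestamps measures how far the clocks actually drift, which is exactly what a time-only correlation would have hidden.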
21
Demo 7 - UniqueID
22
URL Access Control
www.myproxy.com
login.myproxy.com
23
Demo 8
  • Service Level ACL
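A service-level ACL as the slides describe it (URL access control in front of the application, as a second line of defence), written out as an added Python example that is not code from the talk or from mod_but. The rule table, the role names and the helper names are constructed for the example. The point a practitioner will care about is canonicalization: the path is normalized the way the backend will interpret it before any prefix rule is consulted, otherwise `/home/..%2fadmin` walks past a rule written for `/admin`.

```python
import posixpath
from urllib.parse import unquote

# Constructed service-level ACL (not from the talk): first matching URL prefix
# wins, and anything not listed is denied. Authentication has already happened
# at the WES; this sits in front of the application's own authorization.
SERVICE_ACL = [
    ("/admin", {"admin"}),
    ("/api/reports", {"admin", "auditor"}),
    ("/home", {"user", "admin", "auditor"}),
    ("/static", {"*"}),          # "*": any authenticated principal
]


def canonical_path(raw: str) -> str:
    """Normalize a request target the way the backend will interpret it, so
    that encoding tricks cannot slip a protected URL past a prefix rule:
    drop query and fragment, percent-decode twice (double encoding), collapse
    '.', '..' and repeated slashes, and force a single leading slash."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    path = "/" + unquote(unquote(path)).lstrip("/")
    return posixpath.normpath(path)


def _prefix_match(path: str, prefix: str) -> bool:
    # Match on a segment boundary so that "/admin" does not cover "/administrator".
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def is_allowed(raw_path: str, roles: set):
    """Return (allowed, canonical_path) for a principal holding `roles`."""
    path = canonical_path(raw_path)
    for prefix, allowed in SERVICE_ACL:
        if _prefix_match(path, prefix):
            return ("*" in allowed or bool(roles & allowed)), path
    return False, path          # default deny
```

Two caveats. The normalization has to match what the backend does (backslashes, overlong UTF-8, Apache's AllowEncodedSlashes setting and similar are not handled here), and a deny-by-default table only helps if the rules are kept in step with the application's URL space, which is why the slides call it a second line of defence rather than a replacement for in-application authorization.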

24
Session Management without session store
Reverse Proxy Without Session Cache
25
Session Management with session hiding
Reverse Proxy Session Cache (SHM)
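Session hiding with a proxy-side cookie store, covering both slide 25 and the DLS note on slide 18 (the backend's non-origin cookies end up at www.myproxy.com, not in the browser), as an added Python example that is not code from the talk or from mod_but. Every Set-Cookie from the backend is swallowed and kept in the proxy's session cache under a random proxy session ID; the browser only ever holds that one cookie, with Secure and HttpOnly set by the proxy, and the stored backend cookies are re-attached on the way out. The cookie name MOD_BUT_SESSION, the in-memory dict standing in for the shared-memory (SHM) cache, and the helper names are assumptions.

```python
import secrets

# Assumptions for this example: the proxy's own session cookie is called
# MOD_BUT_SESSION (the real mod_but cookie name is not given on the slides),
# and a Python dict stands in for the shared-memory (SHM) session cache.
PROXY_COOKIE = "MOD_BUT_SESSION"


class SessionStore:
    """proxy session id -> {backend cookie name: value}"""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)      # 256-bit random, unguessable
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid) -> None:
        self._sessions.pop(sid, None)


def parse_cookie_header(header: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            out[name.strip()] = value.strip()
    return out


def inbound_request(store: SessionStore, cookie_header: str):
    """Browser -> proxy -> backend.

    Only the proxy's own cookie is read; whatever else the browser sends is
    dropped (it never legitimately holds backend cookies). The backend cookies
    kept in the store are attached to the outbound request instead. An unknown
    or missing proxy cookie starts a fresh, empty session (the WES would send
    the user to login.myproxy.com at this point). Returns (sid, outbound_cookie_header).
    """
    sid = parse_cookie_header(cookie_header).get(PROXY_COOKIE)
    if sid is None or store.get(sid) is None:
        sid = store.new_session()
    backend_cookies = store.get(sid)
    return sid, "; ".join(f"{k}={v}" for k, v in backend_cookies.items())


def outbound_response(store: SessionStore, sid: str, set_cookie_headers: list) -> list:
    """Backend -> proxy -> browser.

    Every backend Set-Cookie is swallowed and recorded under the proxy session
    (an empty value or Max-Age=0 is a deletion; Expires dates are not parsed in
    this stand-in). The browser receives exactly one cookie, the proxy session,
    with Secure and HttpOnly set regardless of what the backend did.
    """
    backend_cookies = store.get(sid)
    if backend_cookies is None:
        raise KeyError("unknown proxy session")
    for header in set_cookie_headers:
        first, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = first.partition("=")
        if value == "" or any(a.lower() == "max-age=0" for a in attrs):
            backend_cookies.pop(name.strip(), None)
        else:
            backend_cookies[name.strip()] = value
    return [f"{PROXY_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"]
```

This is what "cookie store hides insecure cookies" on the Remember slide amounts to: a backend session cookie without Secure or HttpOnly never reaches the browser, so it cannot be read by injected script or leaked over plain HTTP. The store also gives the proxy a single place to kill a session on logout or timeout (SessionStore.destroy), independent of whether the backend expires its own cookie.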
26
Entry Server ToolKit
http://media.hacking-lab.com/largefiles/livecd/
Hacking-Lab LiveCD
27
Remember (I)
  • Pre-Authentication reduces the attack surface of
    unauthenticated users
  • Unique-ID enables proper forensics
  • Cookie store hides insecure cookies
  • Service ACL is a second line of defence for the
    application authorization scheme

28
Remember (II)
  • Hacking-Lab LiveCD includes all tools you need to
    replay
  • Win a car! Qualification wargames have started at
    www.swisscyberstorm.com
  • All movies of this talk are available online at
    www.hacking-lab.com

29
Thank you! Ivan Bütler, E1