Contents:
1. Introduction
2. Preparing the environment
3. Attack analysis and prevention
4. Conclusion
1) Introduction
Web applications are arguably the most important element of today’s online infrastructure. They are used to power many features which are critical to online business, including dynamic content, payment systems, web-mail, online stores, software-as-a-service, forums, social media and more.
Unfortunately, the importance of web-applications also makes them a prime target for attackers. A successful breach of an important web-application could lead to financial devastation, loss of intellectual property, compromised customer data or severe reputation damage. Strong, persistent protection for web-applications is therefore an important consideration for any business with an online presence.
This article shows how you can use mod_security rules and Comodo Web Application Firewall (CWAF) to quickly and easily set up powerful, real-time protection for your web-apps. We also test the system we have set up by illustrating how it protects against a number of well known attacks.
Download and install Comodo Web Application Firewall for free at https://waf.comodo.com/
2) Preparing the environment
System requirements:
- A Linux system with an internet connection. In our example we shall use CentOS 7.x;
- 1Gb of free hard drive space;
- 512Mb of free RAM;
We shall use Docker as the emulation environment, which gives us the ability to quickly configure our testing environment. Be aware that software contained in the image is vulnerable and MAY NOT BE USED for any production system.
Console commands to prepare the environment:
# yum install docker
# docker pull comodo63/b_centos_63
# docker run -p 8080:80 -it comodo63/b_centos_63 /bin/bash
The last command redirects host machine port 8080 to port 80 on the VM. If everything is OK, you’ll be inside the root shell in the docker image:
bash-4.1#
The image contains:
- Vulnerable version of CentOS v6.3
- DVWA 1.0.7 (http://www.dvwa.co.uk/)
- WordPress 3.5 with vulnerable Slider Revolution plugin 4.1.4
- Apache Web Server 2.2.15
- PHP 5.3.3
- MySQL 5.1.73
- Python 2.7
- ModSecurity 2.9.1
- sqlmap 1.1.1.20
- test scripts at /soft/
3) Attack analysis and prevention
Let’s look at how hackers work by showing examples of common attacks on web applications. We’ll look at some of the most notorious CVE exploits and some classic attacks.
We’ll show you how to recreate these attacks step-by-step, and how CWAF defends against them.
- You’ll need to disable CWAF in advance if you wish to recreate the exploits. To do this, type the following command in the console:
# python /soft/modsec_.py on
- To re-enable ModSecurity with Comodo Web Application Firewall (CWAF) rules installed, type the following command in the console:
# python /soft/modsec_.py off
Case A:
Vulnerability: Arbitrary File Download
Application: WordPress Slider Revolution plugin 4.1.4 (CVE-2014-9734)
In 2014, the SUCURI research team published an article, “RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise”, which describes how to download an arbitrary file from a hosting server with the Slider Revolution plugin installed.
See CVE-2014-9734 at cve.mitre.org
Let's see how this vulnerability is used by hackers.
Precondition:
- CWAF disabled
To reproduce the attack, we pre-installed WordPress 3.5 and the Revslider plugin 2.3.3. The default login credentials for the WP admin panel are:
URL: http://127.0.0.1/wordpress/wp-admin/
Username: admin
Password: admin
Figure 1. WordPress version
The common attack technique for this vulnerability is described in the public exploit: https://www.exploit-db.com/exploits/36554/
To demonstrate the vulnerability, enter this URL in a web browser on the host machine:
http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
or use this console command:
# wget "http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" -O wp-config.php
This will open a wp-config.php file like this:
Figure 3. Downloaded configuration file
With this file, intruders can gain access to your database or WordPress admin panel. It’s a critical vulnerability.
Now try with Comodo Web Application Firewall running. With Comodo rules active, visiting the same URL leads to a 403: Forbidden message:
Figure 4. Blocked CVE-2014-9734 attack
You can also try the exploit using the console, and get the same 403 result:
# wget "http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" -O wp-config.php
--2017-04-05 11:09:06-- http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Connecting to 127.0.0.1:8080… connected.
HTTP request sent, awaiting response… 403 Forbidden
2017-04-05 11:09:06 ERROR 403: Forbidden.
CWAF prevents intruders from accessing your web files using this vulnerability.
CASE B:
Vulnerability: Remote Code Execution
Application: GNU Bash through 4.3 / HTTPd (ShellShock, CVE-2014-6271)
See CVE-2014-6271 published at cve.mitre.org
Let’s check how this vulnerability is used by hackers.
Preconditions:
- CWAF disabled
Here is the text of test.cgi file from the HTTPd server:
#!/bin/bash
# Minimal CGI script: one header, a blank line to end the headers, then the body
echo "Content-type: text/plain"
echo
echo "Hi"
Next, visit this URL in your host machine's browser: http://127.0.0.1:8080/cgi-bin/test.cgi. You will see the message "Hi". You can also fetch it via the console:
# wget "http://127.0.0.1:8080/cgi-bin/test.cgi" -O out.txt && cat out.txt
This is expected behavior.
You can read more about this exploit here: https://github.com/XiphosResearch/exploits/tree/master/shellshock
We will use a lightweight version of the exploit to reproduce the vulnerability. It takes the URL of a vulnerable script as a parameter and then prompts for a bash command to execute (we'll use "cat /etc/passwd" for demo purposes). Type the following command in the Docker container's console:
# python /soft/github_exploit/shell_sh.py http://127.0.0.1/cgi-bin/test.cgi
When you see “Enter bash command:”, type:
# cat /etc/passwd
…and you’ll be able to read the contents of the system password file.
Figure 5. Remote code execution on a ShellShock vulnerable system
Using this critical vulnerability, attackers can execute any shell commands and steal sensitive information.
Now, enable CWAF and try the exploit again. You’ll get a 403 response code (forbidden) as before:
Figure 6. Blocked ShellShock attack
CWAF successfully blocks the ShellShock attack and prevents the remote code execution.
CASE C:
Vulnerability: reflected XSS
Application: Damn Vulnerable Web Application (DVWA)
Preconditions:
- CWAF disabled
Here are the steps to reproduce the vulnerability:
1. Login at http://127.0.0.1:8080/dvwa/login.php on your host machine with the following credentials:
username: admin
password: password
2. Open the “DVWA Security” page and set it to “low”
3. Open the “XSS reflected” page
4. Enter this URL in your browser: http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E
or in the console:
# wget "http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E" -O out.txt && cat out.txt
The output will be as follows:
Figure 7. Reflected XSS in DVWA
Again, this kind of vulnerability can be abused by an attacker to run exploits against your web application's users.
Enable CWAF and test this vulnerability again. Once more, CWAF forbids access to the resource:
Figure 8. CWAF protects against reflected XSS
CASE D:
Automated CVE and DVWA tests
Preconditions:
- CWAF disabled
Go to the directory /soft/ and you will see some python scripts:
wp_revslider.py – WordPress Revslider plugin bug check
shellshock.py – Shellshock bug in bash check
dvwa_s_xss.py – stored XSS bug in DVWA check
dvwa_r_xss.py – reflected XSS bug in DVWA check
dvwa_exec.py – RCE bug in DVWA check
dvwa_sqli.py – SQLI bug in DVWA check with sqlmap tool
all_scans.py – all checks together
To perform a single automated scan, start any script with the following command:
# python </path/name_of_the_script>
Or you can start all scans with the following command:
# python /soft/all_scans.py
The output is as follows:
Figure 9. Automated scan of unprotected system
Enable CWAF and run the automated tests again. All attacks are blocked, as illustrated in the following screenshot:
Figure 10. CWAF successfully protects server against various vulnerabilities
If you check your web server access log, you'll see multiple requests from the automated attack tools, each of which was blocked by CWAF.
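As an added illustration of that log check (example code written for this article, not one of the /soft/ scripts and not CWAF's own rules), the Python script below parses constructed Apache combined-format access-log lines, matches the three request patterns from Cases A to C with hypothetical signatures, and reports for each whether the server answered 403 (blocked) or served the request. The signatures and the sample log lines are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Apache "combined" log line: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Hypothetical signatures for the three manual cases above; they are not CWAF's own rule set.
SIGNATURES = (
    ("revslider_file_download", re.compile(r"action=revslider_show_image&img=.*\.\.[/\\]", re.I)),
    ("shellshock_probe", re.compile(r"\(\s*\)\s*\{")),  # the bash function-definition prefix "() {"
    ("reflected_xss", re.compile(r"<\s*script", re.I)),
)

def classify(entry):
    """First signature found in the decoded target (so %3Cscript%3E matches too) or the verbatim headers, else None."""
    haystacks = (unquote(entry["target"]), entry["agent"], entry["referer"])
    for name, pattern in SIGNATURES:
        if any(pattern.search(h) for h in haystacks):
            return name
    return None

def triage(lines):
    """Return (host, attack, status) for each parseable request that matches a signature."""
    hits = []
    for m in filter(None, (LOG_RE.match(line.strip()) for line in lines)):  # unparseable lines are skipped
        if attack := classify(m.groupdict()):
            hits.append((m["host"], attack, int(m["status"])))
    return hits

def summarize(lines):
    """Count hits per attack as blocked (403, the status CWAF returns) or served (anything else)."""
    counts = Counter()
    for _host, attack, status in triage(lines):
        counts[(attack, "blocked" if status == 403 else "served")] += 1
    return counts

# Constructed lines in the shape of the lab's Apache 2.2 access log (not real captures).
SAMPLE_LOG = [
    '127.0.0.1 - - [05/Apr/2017:11:05:01 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3121 "-" "Wget/1.12"',
    '127.0.0.1 - - [05/Apr/2017:11:09:06 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 293 "-" "Wget/1.12"',
    '127.0.0.1 - - [05/Apr/2017:11:12:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 293 "-" "() { :;}; echo vulnerable"',
    '127.0.0.1 - - [05/Apr/2017:11:15:22 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E HTTP/1.1" 403 293 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [05/Apr/2017:11:16:00 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=John HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (attack, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{attack:<24} {outcome:<8} {n}")
```

A served hit (status other than 403) on a signature is the line to investigate: it means the request reached the application, as in the unprotected run of Figure 9.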
4) Conclusion
Comodo ModSecurity rules and the Comodo Web Application Firewall provide strong, real-time protection on your web server against even the most sophisticated hacks and exploits. The best part? It's 100% free. Comodo's ModSecurity rules are constantly updated to deliver consistent protection over time against threats as they emerge. To find out more and download, please visit https://waf.comodo.com/
Source: https://blog.comodo.com/it-security/learn-comodo-mod_security-rules-will-protect-web-servers-attack-free/