Network and Security Problem Statement -7

ModSec rules for WAF H/W or S/W defined appliances to restrict application attacks

Description: The objective of this task is to write ModSec rule sets for OWASP Top 10 and other custom web vulnerability patterns. These rulesets would be one of the major building blocks for the ModSec Based WAF solutions. These rule sets can be applied in any H/W or S/W WAF supporting ModSec rules.

Introduction: Mod-Security, sometimes called ModSec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it is also available for Microsoft IIS and Nginx.

Configuration: The platform provides a rule configuration language known as 'SecRules' for real-time monitoring, logging, and filtering of Hypertext Transfer Protocol communications based on user-defined rules. Mod-Security is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP Mod-Security Core Rule Set (CRS).

Deployment: It supports both embedded and reverse proxy deployment models. The Mod-Security engine is deployed either embedded within the web server or on a proxy server in front of a web application. This allows the engine to scan incoming and outgoing HTTP communications to the endpoint. Reverse proxies are effectively HTTP routers, designed to stand between web servers and their clients, so a dedicated Apache reverse proxy with Mod-Security added to it can protect the web servers behind it.

Main Functionality Areas: Parsing, Buffering, Logging, Rule engine, Transaction Lifecycle. In Mod-Security, every transaction goes through five phases: Request headers, Request body, Response headers, Response body, Logging.

Remote logging & alert management GUI: Mod-Security is perfectly usable without a remote logging solution and without a GUI (the two usually go together). Significant error messages are copied to Apache’s error log. Complete transactions are usually logged to the audit log. With a notification system in place, you will know when something happens, and you can visit the audit logs to investigate.

Requirements: Microsoft IIS web server, or Apache, LiteSpeed or Nginx web server on a Linux server platform; Mod_security 3.0.4 (current stable version).

Features: Explicit Disallowed/Allowed Geolocations, Suspicious URL Identification, Detecting Spam Links in Requests, Detecting Malware Links in Response Pages.

Google Safe Browsing Alert: If a web page on your site has somehow become infected, Mod-Security would send the user a 302 redirect back to the home page and generate an alert message. Further detections:

  • Detecting Request Method Anomalies
  • Identifying multiple encodings in a request
  • Detecting Invalid URI Data (per the HTTP RFC)
  • Detecting Parameter Character Class Anomalies
  • Detecting Response Header Anomalies
  • Detecting Response Header Information Leakages

Detecting Page Title Changes: By monitoring the HTML <title> tag data in web response pages, you can detect when attackers have successfully defaced a page by overwriting the legitimate page with an unauthorized version.

Detecting Page Size Deviations: Two main compromise scenarios directly impact the resulting web page size: website defacements and bulk extraction of back-end database information. Additional detections include:

  • Detecting Dynamic Content Changes
  • Detecting Source Code Leakages
  • Detecting Technical Data Leakages
  • Detecting Abnormal Response Time Intervals
  • Detecting Sensitive User Data Leakages
  • Detecting Trojan, Backdoor, and Webshell Access Attempts
  • Detecting the Submission of Common/Default Usernames
  • Detecting the Submission of Multiple Usernames
  • Detecting Multiple Failed Authentication Attempts
  • Normalizing Authentication Failure Details (configuring custom message for invalid login attempts)
  • Enforcing Password Complexity
  • Correlating Usernames with SessionIDs
  • Detecting Invalid Cookies
  • Detecting Client Source Location Changes During Session lifetime
  • Tracking the Client’s GeoIP Data
  • Detecting Browser Fingerprint Changes During Sessions Lifetime
  • Web Client Device Fingerprinting: if the web client is some type of automated program or script, it is easily blocked
  • Identifying a Significant Increase in Resource Usage
  • Beyond the features above, it prevents application attacks such as OS Command Injection, RFI, XSS, etc.
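As an added example (not part of this problem statement and not a rule set from the OWASP CRS), the following SecRules fragment shows how three of the detections listed above map onto Mod-Security's transaction phases: a request method anomaly check in phase 1, a response header information-leakage check in phase 3, and a page title change (defacement) check in phase 4. The rule ids, the allowed method list and the expected title 'Example Corp - Home' are assumed values for illustration.

```apache
# Added example: three detections across Mod-Security phases.
# Engine and body access must be enabled for response inspection.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/html

# Phase 1 (request headers): request method anomaly.
# Only GET, HEAD and POST are allowed (assumed policy); anything else
# is rejected with 405 and logged.
SecRule REQUEST_METHOD "!@within GET HEAD POST" \
    "id:900101,phase:1,t:none,deny,status:405,log,\
    msg:'Request method anomaly: %{REQUEST_METHOD}'"

# Phase 3 (response headers): information leakage.
# A version number in Server or X-Powered-By reveals the software stack;
# log it (pass) so the operator can strip the banner at the web server.
SecRule RESPONSE_HEADERS:Server|RESPONSE_HEADERS:X-Powered-By "@rx \d+\.\d+" \
    "id:900102,phase:3,t:none,log,pass,\
    msg:'Response header version leakage: %{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

# Phase 4 (response body): page title change.
# The first rule captures the <title> text into TX:1; the chained rule
# compares it with the expected title (assumed value). A mismatch blocks
# the response with 403 and logs a possible defacement.
SecRule RESPONSE_BODY "@rx <title>([^<]+)</title>" \
    "id:900103,phase:4,t:none,capture,chain,deny,status:403,log,\
    msg:'Page title changed (possible defacement): %{TX.1}'"
    SecRule TX:1 "!@streq Example Corp - Home" "t:none,t:trim"
```

The title check only fires on pages that actually return a title, so a rule like this is normally scoped to a known URI with a REQUEST_URI condition rather than applied site-wide.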
