The Swiss OWASP chapter invited me to talk about Advanced ModSecurity in Zurich on November 12, 2014. The audience of 40 people exceeded my expectations by far and I was not sure I could meet their expectations.
Here is a brief summary of the topics I covered:
- Blocking Mode: Always start in blocking mode. Assign a high anomaly limit and work your way down with the limit, but always start in blocking mode.
- Handling False Positives: Bring sense and reason to the process. You start with those false positives (= rules), triggered by the requests with the highest anomaly scores. As a pre-condition you need to log the unique-id and the anomaly scores of each request; ideally in the access log.
- Advanced Rule: Solving a Session Fixation issue by removing cookie request header
- Advanced Rule: Authentication Cache to fix stupid client using a ModSec session
- Advanced Rule: Fix an authentication / authorisation bypass using a ModSec session
The first point is a strategic one. I have not seen much success tuning a WAF in monitoring mode. But blocking mode forces you to sort out issues and that is a good thing.
The second point is more of a method. I was not sure if it was worth to include it, but the feedback from the audience proofed this approach was not universal with all sysadmins handling ModSecurity false positives.
The advanced rules I presented were meant to be examples of what you can achieve with ModSecurity. You can achieve far more than most in the audience anticipated. Everybody thinks SqlInjection when they hear ModSecurity. But nobody thinks Authorisation Bypass. That’s wrong.
During the discussion, we also talked about bringing complex rules into production and maintaining them. I think this is comparable to complex bits of perl code: You better make sure you know what you are doing. And if you think ModSecurity is a cheap alternative to fixing the code, then ModSecurity will proof you wrong. But it can be a way to patch a forever day vulnerability or one that takes a lot of time to get right.