
2019-10-01

ModSecurity

ModSecurity is a WAF engine (a library plus a web-server module) for Apache, Nginx and IIS. ModSecurity 3.0 has a new modular architecture - it's composed of:

  1. ModSecurity-nginx - a connector that links libmodsecurity to the web server it runs with - NGINX in this case (it takes the form of an nginx module)
  2. ModSecurity (a.k.a. libmodsecurity :-) - the core component containing the engine functionality and a couple of rules

Files

Tips

Directives

SecRule

SecRule VARIABLES   "OPERATOR"                "TRANSFORMATIONS,ACTIONS"
# E.g.
SecRule REQUEST_URI "@streq /index.php" "id:1,phase:1,t:lowercase,deny"

SecDefaultAction

If no ACTIONS are provided in a SecRule, the default actions from SecDefaultAction (for the rule's phase) apply.

SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

More

OWASP ModSecurity Core Rule Set (CRS)

Files

Tips

Paranoia levels (FP = false positive - a WAF blocking a valid request):

  1. (default) basic security, minimal amount of false positives (FPs)
  2. elevated security level, more rules, fair amount of FPs
  3. online-banking-level security, specialized rules, more FPs
  4. nuclear-power-plant-level security, insane rules, lots of FPs
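Added example (not from the original notes or from the CRS project): a minimal ModSecurity 3 rules file that ties the SecDefaultAction, SecRule and paranoia-level notes together - a custom rule that relies on the default actions, and the CRS `tx.paranoia_level` switch from crs-setup.conf. Rule id 10001, the 403 status code and the `/etc/modsecurity/crs/...` include paths are my assumptions.

```apache
# Added example, not part of the original notes.
# Switch to DetectionOnly to log matches without blocking while tuning.
SecRuleEngine On

# Default actions for rules that omit ACTIONS: write to the error log and
# the audit log, then block with 403 (the notes above use "pass" instead).
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# Custom rule (id 10001 is an assumption; 1-99999 are free for local rules).
# Inspect every request argument for an LFI probe such as ?page=/etc/passwd.
# Transformations run before the operator, so %2Fetc%2Fpasswd and
# /ETC/PASSWD are caught as well. No deny/status here: the phase:2
# SecDefaultAction supplies them.
SecRule ARGS "@contains /etc/passwd" \
    "id:10001,\
    phase:2,\
    t:none,t:urlDecodeUni,t:lowercase,\
    msg:'LFI probe: /etc/passwd in request argument',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'local-rule/lfi'"

# CRS paranoia level. This is the stanza that crs-setup.conf ships commented
# out under rule id 900000; level 2 enables the next tier of rules from the
# list above. Rule ids must be unique, so keep the copy in crs-setup.conf
# commented out if you set it here.
SecAction \
    "id:900000,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.paranoia_level=2"

# Load the CRS after the setup above (paths are an assumption).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

The LFI probe from the testing section below should now produce a 403 and an audit-log entry tagged `local-rule/lfi`, with the other three probes handled by the CRS rules at the chosen paranoia level.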

You can configure rules via:

More

Attacks for testing WAF

curl -I "https://$FQDN/?exec=/bin/bash"           # Remote Code Execution (RCE)
curl -I "https://$FQDN/?id=1'%20or%20'1'%20=%20'" # SQL Injection (SQLi)
curl -I "https://$FQDN/?page=/etc/passwd"         # Local File Inclusion (LFI)
curl -I "https://$FQDN/?<script>"                 # Cross-Site Scripting (XSS)

See also waf-tester.