Learn how Comodo mod_security rules will protect your web servers against attack. Free!

April 10, 2017 | By Comodo

Contents:

1. Introduction
2. Preparing the environment
3. Attack analysis and prevention
4. Conclusion

1) Introduction

Web applications are arguably the most important element of today’s online infrastructure. They are used to power many features which are critical to online business, including dynamic content, payment systems, web-mail, online stores, software-as-a-service, forums, social media and more.

Unfortunately, the importance of web-applications also makes them a prime target for attackers. A successful breach of an important web-application could lead to financial devastation, loss of intellectual property, compromised customer data or severe reputation damage. Strong, persistent protection for web-applications is therefore an important consideration for any business with an online presence.

This article shows how you can use mod_security rules and Comodo Web Application Firewall (CWAF) to quickly and easily set up powerful, real-time protection for your web-apps. We also test the system we have set up by illustrating how it protects against a number of well known attacks.

Download and install Comodo Web Application Firewall for free at https://waf.comodo.com/

2) Preparing the environment

System requirements:

  • A Linux system with an internet connection. In our example we use CentOS 7.x;
  • 1 GB of free disk space;
  • 512 MB of free RAM.

We shall use Docker as the test environment, which lets us set up the vulnerable target quickly and throw it away afterwards. Be aware that the software contained in the image is deliberately vulnerable and MUST NOT be used for any production system or exposed to an untrusted network.

Console commands to prepare the environment:

# yum install docker
# docker pull comodo63/b_centos_63
# docker run -p 8080:80 -it comodo63/b_centos_63 /bin/bash

The last command publishes port 80 of the container on port 8080 of the host machine. If everything is OK, you'll be inside a root shell in the container:

bash-4.1#

The image contains:

  • Vulnerable version of Centos v6.3
  • DVWA 1.0.7 (http://www.dvwa.co.uk/)
  • WordPress 3.5 with vulnerable Slider Revolution plugin 4.1.4
  • Apache Web Server 2.2.15
  • PHP 5.3.3
  • MySQL 5.1.73
  • Python 2.7
  • ModSecurity 2.9.1
  • sqlmap 1.1.1.20
  • test scripts at /soft/

3) Attack analysis and prevention

Let’s look at how hackers work by showing examples of common attacks on web applications. We’ll look at some of the most notorious CVE exploits and some classic attacks.

We’ll show you how to recreate these attacks step-by-step, and how CWAF defends against them.

  • You’ll need to disable CWAF in advance if you wish to recreate the exploits. To do this, type the following command in the console:

# python /soft/modsec_.py on

  • To re-enable ModSecurity with Comodo Web Application Firewall (CWAF) rules installed, type the following command in the console:

# python /soft/modsec_.py off

Case A:

Vulnerability: Arbitrary File Download

Application: WordPress Slider Revolution plugin 4.1.4 (CVE-2014-9734)

In 2014, the SUCURI research team published an article, “RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise”, which describes how to download an arbitrary file from a hosting server with the Slider Revolution plugin installed.

https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html

See CVE-2014-9734 at cve.mitre.org

Let's see how this vulnerability is used by hackers.

Precondition:

  • CWAF disabled

To reproduce the attack, we pre-installed WordPress 3.5 and the Slider Revolution (revslider) plugin 4.1.4 listed above. The default login credentials for the WP admin panel are:

URL: http://127.0.0.1:8080/wordpress/wp-admin/
Username: admin
Password: admin

Figure 1. WordPress version

The attack technique for this vulnerability is described in the public exploit: https://www.exploit-db.com/exploits/36554/

To demonstrate the vulnerability, enter this URL in a web browser on the host machine:

http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

or use this console command:

# wget "http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" -O wp-config.php

This will open a wp-config.php file like this:

Figure 3. Downloaded configuration file

This file holds the database credentials and the authentication keys and salts, so with it intruders can gain access to your database or forge WordPress sessions. It's a critical vulnerability.

Now try with Comodo Web Application Firewall running. With Comodo rules active, visiting the same URL leads to a 403: Forbidden message:

Figure 4. Blocked CVE-2014-9734 attack

You can also try the exploit using the console, and get the same 403 result:

# wget "http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" -O wp-config.php

--2017-04-05 11:09:06-- http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Connecting to 127.0.0.1:8080... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-04-05 11:09:06 ERROR 403: Forbidden.

CWAF prevents intruders from accessing your web files using this vulnerability.
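The request above is blocked because the img parameter contains a directory traversal step. The following is an added example, not code from the article or from Comodo's rule set: a minimal WAF-style check for this request, written to show the part that matters in practice, namely that the value must be decoded and path-normalised before it is matched, otherwise trivial encodings (%2e%2e%2f, double encoding, backslashes) slip past. The parameter names and the 403/200 decision are assumptions made for illustration; real CWAF rules are more elaborate.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A traversal step: ".." bounded by a slash, or by the start/end of the value.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value: str) -> str:
    """Transformations applied before matching, in the spirit of ModSecurity's
    t:urlDecodeUni, t:normalizePath and t:lowercase: decode once more (this
    catches double encoding), fold backslashes to slashes, collapse repeated
    slashes, lower-case."""
    v = unquote(value)
    v = v.replace("\\", "/")
    v = re.sub(r"/+", "/", v)
    return v.lower()


def is_traversal(value: str) -> bool:
    """True if the normalised value contains a '..' path step."""
    return TRAVERSAL.search(normalize(value)) is not None


def inspect_request(url: str) -> dict:
    """Decide on a GET request by its query parameters. parse_qsl already
    URL-decodes each value once, so normalize() sees the first-level decoded
    form and its own unquote() handles a second encoding layer."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    hits = [name for name, value in params.items() if is_traversal(value)]
    return {
        "path": parts.path,
        "action": params.get("action"),
        "img": params.get("img"),
        "matched_params": hits,
        "status": 403 if hits else 200,   # assumed WAF decision for the demo
    }


if __name__ == "__main__":
    base = "http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img="
    for img in ("../wp-config.php", "..%252fwp-config.php", "..%5cwp-config.php", "images/slide1.jpg"):
        print(img, "->", inspect_request(base + img)["status"])
```

The first three inputs are the plain, double-encoded and backslash variants of the same traversal; all three end up as ../wp-config.php after normalisation and are refused, while the legitimate image path passes.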

CASE B:
Vulnerability: Remote Code Execution
Application: GNU Bash through 4.3 / HTTPd (ShellShock, CVE-2014-6271)

See CVE-2014-6271 published at cve.mitre.org

Let’s check how this vulnerability is used by hackers.

Preconditions:

  • CWAF disabled

Here is the text of test.cgi file from the HTTPd server:

#!/bin/bash
echo "Content-type: text/plain"
echo
echo "Hi"

Next, visit this URL in your host machine browser http://127.0.0.1:8080/cgi-bin/test.cgi . You will see the message “Hi”. You can also fetch it via the console:

# wget "http://127.0.0.1:8080/cgi-bin/test.cgi" -O out.txt && cat out.txt

This is expected behavior.

You can read more about this exploit here: https://github.com/XiphosResearch/exploits/tree/master/shellshock

We will use a lightweight version of the exploit to reproduce the vulnerability. It takes the URL of the vulnerable script as its parameter and then prompts for a bash command to execute (let's use "cat /etc/passwd" for demo purposes). Type the following command in the container's console (inside the container the web server is reached on port 80, not 8080):

# python /soft/github_exploit/shell_sh.py http://127.0.0.1/cgi-bin/test.cgi

When you see "Enter bash command:", type the command at the exploit's prompt (not at the shell):

cat /etc/passwd

…and you'll be able to read the contents of the system password file.


Figure 5. Remote code execution on a ShellShock vulnerable system

Using this critical vulnerability, attackers can execute any shell commands and steal sensitive information.

Now, enable CWAF and try the exploit again. You’ll get a 403 response code (forbidden) as before:

Figure 6. Blocked ShellShock attack

CWAF successfully blocks the ShellShock attack and prevents remote code execution through this vulnerability.
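What the WAF actually sees in this case is a request whose headers carry a bash function definition: the CGI server exports request headers into the environment (User-Agent becomes HTTP_USER_AGENT), and a vulnerable bash runs the command appended after the function body while importing that variable. The following is an added example, not the article's or the XiphosResearch exploit's code: it builds such a probe on the wire, reproduces the CGI/1.1 header-to-environment mapping that delivers the payload, and checks headers for the "() {" prefix the way a WAF rule would. The host, path and command are the ones from this case; the detection regex is an assumption for illustration, not Comodo's rule.

```python
import re

# Function-definition prefix that triggers the bug: "() {" with optional spaces.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")


def build_probe(host: str, path: str, command: str) -> bytes:
    """Raw HTTP/1.0 request with the payload in two headers that a CGI
    server exports into the environment of the script."""
    payload = "() { :; }; " + command
    lines = [
        f"GET {path} HTTP/1.0",
        f"Host: {host}",
        f"User-Agent: {payload}",
        f"Referer: {payload}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_headers(raw: bytes) -> dict:
    """Header names (lower-cased) to values, from a raw request."""
    head = raw.decode(errors="replace").split("\r\n\r\n", 1)[0]
    _request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cgi_environment(headers: dict) -> dict:
    """CGI/1.1 mapping of request headers to HTTP_* variables, the path by
    which the payload reaches bash when the script starts."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def shellshock_hits(raw: bytes) -> list:
    """Names of headers whose values contain the function-definition prefix."""
    return [name for name, value in parse_headers(raw).items()
            if SHELLSHOCK.search(value)]


def injected_command(value: str) -> str:
    """The text a vulnerable bash would execute: whatever follows the
    function body. Empty string if the value is not a payload."""
    m = re.match(r"\s*\(\s*\)\s*\{.*?\}\s*;\s*(.*)$", value)
    return m.group(1).strip() if m else ""


if __name__ == "__main__":
    probe = build_probe("127.0.0.1", "/cgi-bin/test.cgi", "/bin/bash -c 'cat /etc/passwd'")
    print(probe.decode())
    print("flagged headers:", shellshock_hits(probe))
    env = cgi_environment(parse_headers(probe))
    print("bash would run:", injected_command(env["HTTP_USER_AGENT"]))
```

Because the payload travels in ordinary request headers, a WAF in front of Apache can refuse the request before the CGI is ever started, which is the 403 seen in Figure 6; a benign User-Agent produces no hits.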

CASE C:
Vulnerability: reflected XSS
Application: Damn Vulnerable Web Application (DVWA)

Preconditions:

  • CWAF disabled

Here are the steps to reproduce the vulnerability:

1. Login at http://127.0.0.1:8080/dvwa/login.php on your host machine with the following credentials:

username: admin
password: password

2. Open the “DVWA Security” page and set it to “low”

3. Open the “XSS reflected” page

4. Enter this URL in your browser: http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E

or in the console:

# wget "http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E" -O out.txt && cat out.txt

The output will be as follows:

Figure 7. Reflected XSS in DVWA

Because the page reflects the name parameter into the HTML without encoding it, the script runs in the browser of anyone who opens a crafted link. An attacker can abuse this to steal session cookies or perform actions on behalf of the victim within your web application.

Enable CWAF and test this vulnerability again. Once more, CWAF forbids access to the resource:

Figure 8. CWAF protects against reflected XSS
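The root cause in Case C is the missing output encoding, and the WAF only masks it. The following is an added example, not DVWA's PHP or Comodo's rules: the reflection reduced to a render function beside the output-encoded version that actually closes the hole, plus a simple WAF-style check on the decoded parameter. The payload is the one from the URL above; the other inputs are constructed for the example, and the marker regex is an illustration, not the CWAF rule.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs


def name_from_url(url: str) -> str:
    """Decoded value of the 'name' query parameter (what PHP's $_GET sees)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Equivalent of echo 'Hello ' . $_GET['name'] with no output encoding:
    markup in the input becomes markup in the page."""
    return f"<pre>Hello {name}</pre>"


def render_safe(name: str) -> str:
    """Same page with the input encoded for an HTML text context, so the
    browser renders the payload as text instead of executing it."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


# Crude markers of script injection in a decoded value (illustrative only).
XSS_MARKERS = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_xss(value: str) -> bool:
    return XSS_MARKERS.search(value) is not None


if __name__ == "__main__":
    url = ("http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/"
           "?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E")
    name = name_from_url(url)
    print("decoded parameter:", name)
    print("vulnerable page   :", render_vulnerable(name))
    print("encoded page      :", render_safe(name))
    print("WAF would block   :", looks_like_xss(name))
```

The encoded page still shows the attacker's text, but as &lt;script&gt; rather than a tag, which is the fix to apply in the application; the marker check is the kind of signature a WAF uses to refuse the request before it reaches the page.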


CASE D:

Automated CVE and DVWA tests

Preconditions:

  • CWAF disabled

Go to the directory /soft/ and you will see some python scripts:

wp_revslider.py – WordPress Revslider plugin bug check
shellshock.py – Shellshock bug in bash check
dvwa_s_xss.py – stored XSS bug in DVWA check
dvwa_r_xss.py – reflected XSS bug in DVWA check
dvwa_exec.py – RCE bug in DVWA check
dvwa_sqli.py – SQLI bug in DVWA check with sqlmap tool
all_scans.py – all checks together

To perform a single automated scan, start any script with the following command:

# python </path/name_of_the_script>

Or you can start all scans with the following command:

# python /soft/all_scans.py

The output is as follows:

Figure 9. Automated scan of unprotected system

Enable CWAF and run the automated tests again. All attacks are blocked, as illustrated in the following screenshot:

Figure 10. CWAF successfully protects server against various vulnerabilities

If you check your web server access log you'll see each request made by the scan scripts answered with a 403 because CWAF blocked it; the ModSecurity audit and error logs record which rule matched.
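To make that check repeatable, the following added example (not a script from the /soft/ directory) parses Apache combined-format access log lines and summarises the refused requests by client and by path. The log lines are constructed for the example to resemble what the four cases above would leave behind; they are not copied from the test system.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, modelled on the attacks in Cases A to D.
SAMPLE_LOG = """\
172.17.0.1 - - [05/Apr/2017:11:09:06 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 202 "-" "Wget/1.12 (linux-gnu)"
172.17.0.1 - - [05/Apr/2017:11:09:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 403 202 "-" "() { :; }; /bin/bash -c 'cat /etc/passwd'"
172.17.0.1 - - [05/Apr/2017:11:09:08 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E HTTP/1.1" 403 202 "-" "Wget/1.12 (linux-gnu)"
172.17.0.1 - - [05/Apr/2017:11:09:09 +0000] "GET /wordpress/ HTTP/1.1" 200 7331 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Apr/2017:11:10:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201=1&Submit=Submit HTTP/1.1" 403 202 "-" "sqlmap/1.1.1.20 (http://sqlmap.org)"
"""


def parse_line(line: str):
    """One log entry as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def blocked_summary(log_text: str) -> dict:
    """Count 403 responses (the WAF's refusals) per client IP and per path,
    and collect the User-Agents behind them."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    blocked = [e for e in entries if e["status"] == 403]
    return {
        "total": len(entries),
        "blocked": len(blocked),
        "by_client": dict(Counter(e["ip"] for e in blocked)),
        "by_path": dict(Counter(e["target"].split("?", 1)[0] for e in blocked)),
        "agents": sorted({e["agent"] for e in blocked}),
    }


if __name__ == "__main__":
    for key, value in blocked_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against /var/log/httpd/access_log instead of the sample to see the scan traffic from Figure 10 summarised; the access log tells you only that a request was refused, so pair it with modsec_audit.log when you need the rule that fired.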

4) Conclusion

Comodo mod_security rules and the Comodo Web Application Firewall add strong, real-time protection to your web server against the attacks shown above, and the rule set is free. Comodo's mod_security rules are updated regularly so that protection keeps pace with newly published threats. Keep in mind that a WAF is a compensating control: it blocks known attack patterns in transit, but the vulnerable software behind it (the outdated plugin, the unpatched bash) should still be patched or removed. To find out more and download, please visit https://waf.comodo.com/
