Contents:
1. Introduction
2. Preparing the environment
3. Attack analysis and prevention
4. Conclusion
1) Introduction
Web applications are arguably the most important element of today’s online infrastructure. They are used to power many features which are critical to online business, including dynamic content, payment systems, web-mail, online stores, software-as-a-service, forums, social media and more.
Unfortunately, the importance of web-applications also makes them a prime target for attackers. A successful breach of an important web-application could lead to financial devastation, loss of intellectual property, compromised customer data or severe reputation damage. Strong, persistent protection for web-applications is therefore an important consideration for any business with an online presence.
This article shows how you can use mod_security rules and Comodo Web Application Firewall (CWAF) to quickly and easily set up powerful, real-time protection for your web-apps. We also test the system we have set up by illustrating how it protects against a number of well known attacks.
Download and install Comodo Web Application Firewall for free at https://waf.comodo.com/
2) Preparing the environment
System requirements:
We shall use Docker as the emulation environment, which gives us the ability to quickly configure our testing environment. Be aware that software contained in the image is vulnerable and MAY NOT BE USED for any production system.
Console commands to prepare the environment:
# yum install docker
# docker pull comodo63/b_centos_63
# docker run -p 8080:80 -it comodo63/b_centos_63 /bin/bash
The last command maps port 8080 on the host machine to port 80 inside the container. If everything is OK, you’ll be inside the root shell of the Docker image:
bash-4.1#
The image contains:
3) Attack analysis and prevention
Let’s look at how hackers work by showing examples of common attacks on web applications. We’ll look at some of the most notorious CVE exploits and some classic attacks.
We’ll show you how to recreate these attacks step-by-step, and how CWAF defends against them.
The following commands switch the CWAF (mod_security) rules on and off inside the container; we use them below to compare unprotected and protected runs:
# python /soft/modsec_.py on
# python /soft/modsec_.py off
Case A:
Vulnerability: Arbitrary File Download
Application: WordPress Slider Revolution plugin 4.1.4 (CVE-2014-9734)
In 2014, the SUCURI research team published an article, “RevSlider Vulnerability Leads To Massive WordPress SoakSoak Compromise”, which describes how to download an arbitrary file from a hosting server with the Slider Revolution plugin installed.
https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
See CVE-2014-9734 at cve.mitre.org
Let’s see how this vulnerability is used by hackers.
Precondition:
To reproduce the attack, we pre-installed WordPress 3.5 and the Revslider plugin 2.3.3. The default login credentials for the WP admin panel are:
URL: http://127.0.0.1/wordpress/wp-admin/
Username: admin
Password: admin
Figure 1. WordPress version
The common attack technique for this vulnerability is described in the public exploit: https://www.exploit-db.com/exploits/36554/
To demonstrate the vulnerability, enter this URL in a web browser on the host machine:
http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
or use this console command:
# wget "http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php" -O wp-config.php
This will open a wp-config.php file like this:
Figure 3. Downloaded configuration file
With this file, intruders can gain access to your database or WordPress admin panel. It’s a critical vulnerability.
Now try with Comodo Web Application Firewall running. With Comodo rules active, visiting the same URL leads to a 403: Forbidden message:
Figure 4. Blocked CVE-2014-9734 attack
You can also try the exploit using the console, and get the same 403 result:
--2017-04-05 11:09:06-- http://127.0.0.1:8080/wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Connecting to 127.0.0.1:8080... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-04-05 11:09:06 ERROR 403: Forbidden.
CWAF prevents intruders from accessing your web files using this vulnerability.
CASE B:
Vulnerability: Remote Code Execution
Application: GNU Bash through 4.3 / HTTPd (ShellShock, CVE-2014-6271)
See CVE-2014-6271 published at cve.mitre.org
Let’s check how this vulnerability is used by hackers.
Preconditions:
Here is the text of test.cgi file from the HTTPd server:
#!/bin/bash
echo "Content-type: text/plain"
echo
echo
echo "Hi"
Next, visit this URL in your host machine’s browser: http://127.0.0.1:8080/cgi-bin/test.cgi. You will see the message “Hi”. You can also fetch it via the console:
# wget "http://127.0.0.1:8080/cgi-bin/test.cgi" -O out.txt && cat out.txt
This is expected behavior.
You can read more about this exploit here: https://github.com/XiphosResearch/exploits/tree/master/shellshock
We will use a lightweight version of the exploit to reproduce the vulnerability. It takes the URL of the vulnerable script as a parameter and then prompts for a bash command to execute (we’ll use “cat /etc/passwd” for demo purposes). Type the following command in the Docker container’s console:
# python /soft/github_exploit/shell_sh.py http://127.0.0.1/cgi-bin/test.cgi
When you see “Enter bash command:”, type:
# cat /etc/passwd
…and you’ll be able to read the contents of the system password file.
Figure 5. Remote code execution on a ShellShock vulnerable system
Using this critical vulnerability, attackers can execute any shell commands and steal sensitive information.
Now, enable CWAF and try the exploit again. You’ll get a 403 response code (forbidden) as before:
Figure 6. Blocked ShellShock attack
CWAF successfully blocks the ShellShock attack and prevents exploitation of the remote code execution vulnerability.
CASE C:
Vulnerability: Reflected XSS
Application: Damn Vulnerable Web Application (DVWA)
Here are the steps to reproduce the vulnerability:
1. Log in at http://127.0.0.1:8080/dvwa/login.php on your host machine with the following credentials:
username: admin
password: password
2. Open the “DVWA Security” page and set it to “low”
3. Open the “XSS reflected” page
4. Enter this URL in your browser: http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E
or in the console:
# wget "http://127.0.0.1:8080/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E" -O out.txt && cat out.txt
The output will be as follows:
Figure 7. Reflected XSS in DVWA
Again, this kind of vulnerability can be abused by an attacker to run exploits against your web application.
Enable CWAF and test this vulnerability again. Once more, CWAF forbids access to the resource:
Figure 8. CWAF protects against reflected XSS
CASE D:
Automated CVE and DVWA tests
Go to the directory /soft/ and you will see the following Python scripts:
wp_revslider.py – WordPress Revslider plugin bug check
shellshock.py – Shellshock bug in bash check
dvwa_s_xss.py – stored XSS bug in DVWA check
dvwa_r_xss.py – reflected XSS bug in DVWA check
dvwa_exec.py – RCE bug in DVWA check
dvwa_sqli.py – SQLI bug in DVWA check with sqlmap tool
all_scans.py – all checks together
To perform a single automated scan, start any script with the following command:
# python </path/name_of_the_script>
Or you can start all scans with the following command:
# python /soft/all_scans.py
The output is as follows:
Figure 9. Automated scan of unprotected system
Enable CWAF and run the automated tests again. All attacks are blocked, as illustrated in the following screenshot:
Figure 10. CWAF successfully protects server against various vulnerabilities
If you check your web server’s access log, you’ll see the many requests made by the automated tools against your website, each of them blocked by CWAF.
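As an added example (not part of the article, and not CWAF’s own rule set), here is a small Python scanner that reads an Apache combined-format access log and labels entries matching the three attack patterns from Cases A–C, so the 403s that CWAF writes to the log can be attributed to a specific attack. The log lines are constructed for the demo, and the match patterns are simplified indicators rather than the mod_security rules.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not taken from the article).
# The 403s are what CWAF returns for the three blocked requests; the last line is benign.
SAMPLE_LOG = """\
127.0.0.1 - - [05/Apr/2017:11:09:06 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 199 "-" "Wget/1.12"
127.0.0.1 - - [05/Apr/2017:11:10:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 199 "-" "() { :;}; echo shellshock-probe"
127.0.0.1 - - [05/Apr/2017:11:11:22 +0000] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(%27Hello%20John_%27)%3C/script%3E HTTP/1.1" 403 199 "-" "Mozilla/5.0"
127.0.0.1 - - [05/Apr/2017:11:12:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(entry):
    """Return the names of the attack patterns (Cases A-C) matched by one parsed log entry."""
    params = parse_qs(urlsplit(entry["target"]).query)  # parse_qs also URL-decodes the values
    findings = []
    # Case A: RevSlider arbitrary file download - traversal sequence in the img= parameter
    if "revslider_show_image" in params.get("action", []) and \
            any(".." in v for v in params.get("img", [])):
        findings.append("CVE-2014-9734 RevSlider file download")
    # Case B: ShellShock - a bash function definition "() {" in a header that CGI exports to the environment
    if re.search(r"\(\)\s*\{", entry["ua"] + " " + entry["referer"]):
        findings.append("CVE-2014-6271 ShellShock")
    # Case C: reflected XSS - a script tag in any decoded query value
    if any(re.search(r"<\s*script", v, re.I) for vs in params.values() for v in vs):
        findings.append("reflected XSS")
    return findings

def scan(log_text):
    """Parse each line and return (client ip, status, pattern) for every attack pattern found."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        entry = m.groupdict()
        results.extend((entry["ip"], entry["status"], name) for name in classify(entry))
    return results

if __name__ == "__main__":
    for ip, status, name in scan(SAMPLE_LOG):
        print(f"{ip} {status} {name}")
```

Run it against a real access log by passing the file contents to scan(); a hit with status 200 rather than 403 is the case worth investigating, since it means the request was not blocked.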
4) Conclusion
Comodo Mod Security rules and Web Application Firewall implement strong, real-time protection on your web server against even the most sophisticated hacks and exploits. The best part? It’s 100% free. Comodo’s Mod Security rules are constantly updated to deliver consistent protection over time against threats as they emerge. To find out more and download, please visit https://waf.comodo.com/