ModSecurity
- Open source
- Monitors HTTP requests and responses, looking for malicious patterns
- Uses regular expressions to match those patterns
- Regex - Regular Expressions
*.?(){}[]^
these are special characters (metacharacters); to match one of them literally it must be escaped with \ (the notes also list < and >, but in PCRE, the regex engine ModSecurity uses, those are ordinary characters)
- [0-9]
this is a character class covering the range 0 to 9; it matches exactly one character
- For IPv4
___.___.___.___
four octets, each a number from 0 to 255, separated by literal dots
Note: [0-255] does not mean "0 to 255". A character class is a set of single characters, so [0-255] matches one character that is 0, 1, 2 or 5. A numeric range has to be written as an alternation of digit patterns.
\.
matches the . as a literal character. The \ is the escape character; an unescaped . is a metacharacter
- C.t - the period matches exactly one character of any kind, so C.t matches Cat, Cot and C9t, but not Ct (something has to be there)
- Can block a request or response when a pattern is matched
- ModSecurity is a web application firewall (WAF) working at the application layer
- It is free software released under the Apache License
- Its rule sets (such as the OWASP Core Rule Set) are sets of rules built on regular expressions that detect and block commonly known exploits
- ModSecurity stops the processing of data that violates a rule
- To detect threats, the ModSecurity engine inspects every request and its corresponding response
- If the HTTP request is valid, it is passed on to the web application
- Invalid requests are blocked
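The regex points above (the character class, the [0-255] pitfall, the escaped dot and the bare dot) worked through in Python as an added example; this is not code from these notes or from ModSecurity. It assumes Python's re module, whose syntax for these constructs is the same as PCRE's, and the sample strings are constructed for the example.

```python
import re

# Constructed sample inputs (not from the notes): strings a rule might test
# as IPv4 addresses.
SAMPLES = ["10.0.0.1", "192.168.1.255", "256.1.1.1", "1x2x3x4", "1.2.3.4.5",
           "1x2x5", "0.1.2"]

# A character class is a set of single characters, so [0-255] means
# "one of 0, 1, 2, 5" and cannot express the number range 0-255.
# An octet has to be written as an alternation of digit patterns.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

# Four octets joined by literal dots: '\.' matches only a dot, whereas a
# bare '.' matches any character. ^ and $ anchor the match to the whole
# value so "1.2.3.4.5" does not pass on a partial match.
IPV4_RE = re.compile(r"^" + OCTET + r"(?:\." + OCTET + r"){3}$")

# What the notes literally write, kept here to show why it is wrong:
# one of 0125, then any character, then one of 0125, and so on.
NAIVE_RE = re.compile(r"^[0-255].[0-255].[0-255]$")


def is_ipv4(value: str) -> bool:
    """True only for a dotted quad with every octet in 0..255."""
    return IPV4_RE.search(value) is not None


def naive_is_ipv4(value: str) -> bool:
    """The [0-255].[0-255].[0-255] pattern from the notes, as written."""
    return NAIVE_RE.search(value) is not None


def matches(pattern: str, value: str) -> bool:
    """Whole-string match, used for the C.t versus C\\.t comparison."""
    return re.fullmatch(pattern, value) is not None


def classify(samples=SAMPLES):
    """Compare the correct pattern and the naive pattern on each sample."""
    return {s: (is_ipv4(s), naive_is_ipv4(s)) for s in samples}


if __name__ == "__main__":
    for sample, (good, naive) in classify().items():
        print(f"{sample:15} correct={good!s:5} naive={naive}")
    print("C.t   vs Cat:", matches(r"C.t", "Cat"))   # True: . is any one char
    print("C\\.t  vs Cat:", matches(r"C\.t", "Cat"))  # False: \. is a literal dot
    print("C.t   vs Ct: ", matches(r"C.t", "Ct"))    # False: . must match one char
```

The naive pattern rejects every real address and accepts strings such as "1x2x5", which is exactly the kind of rule that passes a quick glance and then silently fails in production; testing a rule against both good and bad inputs before deploying it is the check to keep.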
Core Rules
- HTTP Protection - detects violations of the HTTP protocol and of a locally defined usage policy
- Real-Time Blocklist Lookups - uses third-party IP reputation data
- Web-based Malware Detection - identifies malicious web content by checking it against the Google Safe Browsing API
- HTTP Denial of Service Protections - defends against HTTP Flooding and Slow HTTP DoS Attacks.
- Common Web Attacks Protection - detects common web application attacks
Directory Traversal
- Directory traversal aims to access files and directories stored outside the web root folder
- Attackers could access arbitrary files on the file system, including application source code and/or critical system files
- By manipulating URLs with "dot-dot-slash" (../) sequences and their variations
- Or by using absolute file paths
Percent Encoding
- Percent encoding is a mechanism to encode 8-bit
- Request Variations
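Directory traversal and the percent-encoded variations of it, as an added example that is not code from these notes or from ModSecurity: a rule matched against the raw request line is compared with the same rule run after the request has been normalized (percent-decoded, repeatedly) the way a WAF does before matching. The request lines are constructed for this example, and the two rule patterns are illustrative assumptions, not the Core Rule Set's own rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed request lines (not from the notes): one benign request and the
# same traversal attempt in plain, percent-encoded, double-encoded,
# backslash and absolute-path forms.
REQUESTS = [
    "/images/logo.png",
    "/download?file=../../etc/passwd",
    "/download?file=..%2F..%2Fetc%2Fpasswd",
    "/download?file=%2e%2e%2f%2e%2e%2fetc/passwd",
    "/download?file=..%252F..%252Fetc%252Fpasswd",
    "/download?file=..\\..\\windows\\win.ini",
    "/download?file=/etc/passwd",
]

# Illustrative rule patterns (assumptions for this example, not CRS rules).
# Both dots are escaped so they match literal dots; [\\/] accepts either
# slash, since Windows hosts treat backslash as a separator too.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
# A parameter value that is itself an absolute path (/etc/... or C:\...).
ABSOLUTE_RE = re.compile(r"^(?:/|[A-Za-z]:[\\/])")


def percent_decode(value: str, max_rounds: int = 3) -> str:
    """Decode %XX sequences until the value stops changing, so a double-
    encoded '%252F' becomes '%2F' and then '/'. Bounded so that a crafted
    value cannot keep the engine decoding indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_check(request: str) -> bool:
    """Match the traversal rule against the raw request line, no decoding."""
    return TRAVERSAL_RE.search(request) is not None


def waf_check(request: str, max_rounds: int = 3) -> bool:
    """Normalize first, then match: the path and every argument value are
    percent-decoded before the traversal and absolute-path rules run."""
    parts = urlsplit(request)
    if TRAVERSAL_RE.search(percent_decode(parts.path, max_rounds)):
        return True
    # parse_qsl already decodes one layer; further rounds catch nested encoding.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = percent_decode(value, max_rounds)
        if TRAVERSAL_RE.search(value) or ABSOLUTE_RE.match(value):
            return True
    return False


def compare(requests=REQUESTS):
    """Per request: (raw-match verdict, normalized-match verdict)."""
    return {r: (naive_check(r), waf_check(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, waf) in compare().items():
        print(f"raw={naive!s:5} normalized={waf!s:5} {req}")
```

Only the plain ../ form trips the raw-string check; the single-encoded, double-encoded and absolute-path variants pass it untouched and are caught only after normalization. Setting max_rounds=0 on the double-encoded request shows why a single decode is not enough.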