Securing WebGoat using ModSecurity
Securing WebGoat using ModSecurity. Summer of Code 2008, OWASP Beta Level, Version 1.0, November 2008.

ModSecurity is an open source web application firewall that can run either embedded in an Apache web server or as a reverse proxy. It provides protection against a range of attacks on web applications and allows HTTP traffic monitoring and real-time analysis with little or no change to existing infrastructure.

Web servers are typically well equipped to log traffic in a form useful for marketing analysis, but fall short when logging traffic to web applications. In particular, most are not capable of logging request bodies. Your adversaries know this, and that is why most attacks are now carried out via POST requests, rendering your systems blind. ModSecurity makes full HTTP transaction logging possible, allowing complete requests and responses to be logged.

In addition to providing logging facilities, ModSecurity can monitor HTTP traffic in real time in order to detect attacks. In this mode, ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place on your web systems.

ModSecurity is a web application firewall engine that provides very little protection on its own. To become useful, it must be configured with rules. ModSecurity provides for free a broad set of generic Core Rules that cover areas such as protocol compliance, malicious client software detection, XML protection, error detection and generic attack detection. However, the Core Rule Set documentation cautions that, since attackers may examine the freely available core rules to find ways around them, some core rules should be viewed more as a "nuisance reduction" mechanism than as a security mechanism.

WebGoat is a deliberately insecure J2EE web application maintained by OWASP and designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. The lessons in WebGoat 5.2 cover over 30 different types of attacks on the WebGoat application.

The purpose of this project is to create custom ModSecurity rule sets that, in addition to the Core Rule Set, protect the WebGoat 5.2 Standard Release from as many of its vulnerabilities as possible (the goal is 90%) without changing a single line of source code. The same lessons are available at: https://www.owasp.org/index.php/OWASP_Securing_WebGoat_using_ModSecurity_Project.
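As an added illustration of the kind of WebGoat-scoped custom rule the project describes (this fragment is not the project's own rule set and not part of the ModSecurity Core Rules): a minimal ModSecurity 2.x configuration that enables request-body inspection and full audit logging for flagged transactions, then chains a custom SQL injection check onto requests destined for WebGoat. The /WebGoat context path, the rule id 900100, the audit log path and the regular expression are all assumptions chosen for this example.

```apache
# Added example, not from the OWASP project. Assumes WebGoat is deployed under
# the /WebGoat context path and that the Core Rule Set is included elsewhere.

SecRuleEngine On

# Parse POST bodies so that parameters sent via POST are visible to rules;
# without this the attacks described above would be inspected as GET-only traffic.
SecRequestBodyAccess On
SecRequestBodyLimit 131072

# Record the full transaction (request headers and body, response headers)
# for transactions that were blocked or answered with a 5xx / non-404 4xx status.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log   # assumed path

# Custom (non-core) rule scoped to WebGoat only. The first rule matches the
# application path and carries the disruptive action; the chained rule only
# fires if the first did, so other applications behind the same proxy are
# unaffected. The pattern (SQL comments, "or x=x" tautologies, UNION SELECT)
# is illustrative and would need tuning against WebGoat's legitimate traffic.
SecRule REQUEST_URI "@beginsWith /WebGoat/" \
    "id:900100,phase:2,t:none,deny,status:403,log,\
    msg:'Custom WebGoat rule: SQL injection pattern in request parameter',chain"
    SecRule ARGS "@rx (?i)(?:--|/\*|\bor\b\s+'?\w+'?\s*=\s*'?\w+|\bunion\b\s+select\b)" \
        "t:none,t:urlDecodeUni,t:compressWhitespace"
```

Blocked requests appear in the audit log with all parts listed in SecAuditLogParts, which is what lets the request body of a POST-based attack be reviewed after the fact.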