Development and Management of Web Application Firewall rules.

Learn more


ModSecurity - Development and Management of Web Application Firewall rules is a dedicated training which helps you understand the basics and deploy later complex web application firewall rules and hardened configuration against modern flaws in your web application infrastructure. During hands-on labs we will cover in detail every important aspect and functionality of ModSecurity vs current attacker’s techniques, vulnerabilities and server misconfigurations.

Various examples such as Command Execution, SSRF, SQL Injection or Cross Site Scripting are just a few of the most commonly used bugs. There are dozens of types of susceptibility. The most dangerous, however, are the so-called hybrid-attacks which are chained attacks consisting of misconfiguration or vulnerabilities in many different layers - and we want to focus on that!

Within the labs we will examine features that lie in the open design of ModSecurity project: configuration, rule syntax, logs, tuning and troubleshooting. In addition to that, we will build our own dedicated rules and create virtual patches.

There are also abs from other areas of application (in)security: web-based honeypots in central Reverse Proxy architecture, secure HTTP headers, Appsensor approach, Content Security Policy, HMAC, SRI, upload security, Tomcat / PHP / DB hardening and many more. The whole web application security material is preserved in a “protection vs. attack” model.


  • Hardened Apache/Nginx configuration:
    • Modules in use, path / HTTP method restrictions and file system security.
    • Secure HTTPS - how to achieve and verify a A+ status?
    • Mutual and authenticated SSL between reverse proxy and backend servers
    • Kerberos and LDAP for your web-based Single Sign On setup
    • Security headers: Content Security Policy, Cross Origin Resource Sharing /
      Same Origin Policy, X-Frame-Options, X-Content-Type-Options,
      X-XSS-Protection, Fetch API, Service Workers, SRI, Per-page sub-origins,
      HSTS, HPKP, PFS.
    • Cookies: Secure, Httponly, Domain, Path, Same_site, Clear Site Data
      Feature Policy, First-party cookies
    • HTTP header anomalies and full HTTP auditing.
    • LUA support for Apache/Nginx.
    • ModSecurity syntax, scoring, collections and logs.
    • Deep dive into OWASP CRS and tuning.
    • Sensor approach - OWASP Appsensor within ModSecurity.
    • ModSecurity rules against server misconfigurations, vulnerabilities and attacks:
      • *Injections
      • Null bytes
      • Path/directory traversal
      • LFI/RFI->Command Execution
      • Cross Site Scripting (XSS) vs CSP
      • Cross Site Request Forgery (CSRF)
      • Server Side Request Forgery (SSRF)
      • HTTP Parameter Pollution (HPP)
      • Open Redirect
      • Insecure Direct Object Reference vs HMAC
      • Forceful Browsing vs HMAC
      • CSWSH - Cross Site Websocket Hijacking
      • Session Security
      • Brute force
      • Slow DOS
      • GEO restrictions
      • Central Error handling
      • Leakage detection
      • Secure file upload
      • Secure log out / forgot password form
      • Web honeypots
      • Bot/scan protection
      • AV protection
      • PHP and Tomcat Security
      • MySQL / PGSQL Hardening vs data exfiltration
      • Tools in use:
        • Sqlmap, sqlninja
        • Xsser
        • Dominator
        • XXEinjector
        • Skipfish
        • ZAP / Burp
        • Wafdetect
        • Joomscan, wpscan, drupwn
        • Dirbuster, dirb
        • Nikto
        • JSDetox
        • Brakeman
        • Browser plugins and others
      • Central logging and hunting with ELK.
      • Commercial & cloud WAF.

Time Duration

2 days (9:00am - 5:00pm)

Who should attend

  • IT Consultants and Solution Integrators
  • Web Server Administrators and Hosting Providers
  • Web Application Firewall Experts
  • Linux Experts and System Engineers
  • Network Security Engineers
  • Penetration Testers
  • IT Consultants
  • SOC members

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in Cyber Security and Open Source Security Solutions market. He went through the full path of the infosec carrier positions: from OSS researcher, Linux administrator and system developer, Solution Engineer, DevOps and CI, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to become finally an IT Security Architect / SOC Security Analyst with deep non-vendor focus on Network Security attack and detection. He’s got deep knowledge about finding blind spots and security gaps in corporate environments. Perfectly understands technology and business values from delivering structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON, Black Hat US, OWASP Appsec US, FloCon US, Hack In The Box DBX/AMS, Infosec in the City SG, Nanosec Asia, Confidence PL, PLNOG, Open Source Day PL, Red Hat Roadshow. Member of OWASP Poland Chapter.

Holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. Constantly tries to figure out “what da **ck” the AI/ML Network Security vendors try to sell. In free time he likes to break into “IoT world” just for fun.

Still learning hard every single day.


If interested in dedicated, closed training for your Linux / WAF team let us know. We love delivering on-site training sessions!