ModSecurity - Development and Management of Web Application Firewall rules is a dedicated training which helps you understand the basics and deploy later complex web application firewall rules and hardened configuration against modern flaws in your web application infrastructure. During hands-on labs we will cover in detail every important aspect and functionality of ModSecurity vs current attacker’s techniques, vulnerabilities and server misconfigurations.
Various examples such as Command Execution, SSRF, SQL Injection or Cross Site Scripting are just a few of the most commonly used bugs. There are dozens of types of susceptibility. The most dangerous, however, are the so-called hybrid-attacks which are chained attacks consisting of misconfiguration or vulnerabilities in many different layers - and we want to focus on that!
Within the labs we will examine features that lie in the open design of ModSecurity project: configuration, rule syntax, logs, tuning and troubleshooting. In addition to that, we will build our own dedicated rules and create virtual patches.
There are also abs from other areas of application (in)security: web-based honeypots in central Reverse Proxy architecture, secure HTTP headers, Appsensor approach, Content Security Policy, HMAC, SRI, upload security, Tomcat / PHP / DB hardening and many more. The whole web application security material is preserved in a “protection vs. attack” model.
- Hardened Apache/Nginx configuration:
- Modules in use, path / HTTP method restrictions and file system security.
- Secure HTTPS - how to achieve and verify a A+ status?
- Mutual and authenticated SSL between reverse proxy and backend servers
- Kerberos and LDAP for your web-based Single Sign On setup
- Security headers: Content Security Policy, Cross Origin Resource Sharing /
Same Origin Policy, X-Frame-Options, X-Content-Type-Options,
X-XSS-Protection, Fetch API, Service Workers, SRI, Per-page sub-origins,
HSTS, HPKP, PFS.
- Cookies: Secure, Httponly, Domain, Path, Same_site, Clear Site Data
Feature Policy, First-party cookies
- HTTP header anomalies and full HTTP auditing.
- LUA support for Apache/Nginx.
- ModSecurity syntax, scoring, collections and logs.
- Deep dive into OWASP CRS and tuning.
- Sensor approach - OWASP Appsensor within ModSecurity.
- ModSecurity rules against server misconfigurations, vulnerabilities and attacks:
- Null bytes
- Path/directory traversal
- LFI/RFI->Command Execution
- Cross Site Scripting (XSS) vs CSP
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- HTTP Parameter Pollution (HPP)
- Open Redirect
- Insecure Direct Object Reference vs HMAC
- Forceful Browsing vs HMAC
- CSWSH - Cross Site Websocket Hijacking
- Session Security
- Brute force
- Slow DOS
- GEO restrictions
- Central Error handling
- Leakage detection
- Secure file upload
- Secure log out / forgot password form
- Web honeypots
- Bot/scan protection
- AV protection
- PHP and Tomcat Security
- MySQL / PGSQL Hardening vs data exfiltration
- Tools in use:
- Sqlmap, sqlninja
- ZAP / Burp
- Joomscan, wpscan, drupwn
- Dirbuster, dirb
- Browser plugins and others
- Central logging and hunting with ELK.
- Commercial & cloud WAF.
2 days (9:00am - 5:00pm)
Who should attend
- IT Consultants and Solution Integrators
- Web Server Administrators and Hosting Providers
- Web Application Firewall Experts
- Linux Experts and System Engineers
- Network Security Engineers
- Penetration Testers
- IT Consultants
- SOC members
TRAINER: Leszek Miś
Leszek Miś is the Founder of Defensive Security, Principal Trainer & IT Security Architect. Recently he was a VP, Head of Cyber Security in Collective Sense - a Machine Learning Network Security Startup from the U.S. where he was responsible for product security research, strategy, business analysis & technical feature implementation and recommendation. He has over 13 years of experience in the IT security market supporting the world’s largest customers in terms of exfiltration simulations and penetration tests, infrastructure hardening and general Open Source and IT Security consultancy services. In addition, he has 11 years of experience in teaching and transferring a deep technical knowledge and his own experience. He has trained 600+ students with the highest rank. He is an IT Security Architect with offensive love and a recognized expert in the enterprise OSS market.
If interested in dedicated, closed training for your Linux / WAF team let us know. We love delivering on-site training sessions!