In this hands-on workshop you will attack a vulnerable web application while defending your own web service behind a Fastly WAF. Attendees will leave understanding how common web application attacks are exploited as well as defended against. They will use WAF logging and analytics via Sumo Logic to detect attacks in real time. For mitigation you will use a preview version of our newly built WAF rule management UI. We will close the workshop with a deep dive on how our security team analyzed and mitigated some of this summer's major vulnerabilities.
Altitude San Francisco 2018: WAF Workshop
1. presents
Welcome to the
WAF Workshop
Jose Nazario | Security Research Director
Enrique Hernandez | SOC Manager
Rex Belli | SOC Engineer
2. A brief intro to the Fastly
WAF
Introduction Chaotic
Capture the
Flag
In some CTFs we attack,
in others we defend. In
chaotic ones you do both!
Recent
Vulnerabilities
Review
A walkthrough of recent
vulnerabilities released at
Black Hat this year
WAF Workshop
22. Rules
1. Juice shop host needs to be always available
2. Only juice shops are in scope (not the Fastly API or
other teams' services)
3. No DDoS/DoS
4. No IP Blacklisting
5. Cannot switch all rules to blocking mode blindly
23. Scoring
1. Lowest score wins
2. Attackers increase score by grabbing flags
3. Defenders decrease score by patching vulnerabilities
4. Points will be removed for mitigating Velites attacks
5. Velites triggers a random flag within each tier at a given time:
a. Tier 1 - 15 mins
b. Tier 2 - 30 mins
c. Tier 3 - 45 mins
d. Tier 4 - 1 hour
e. Tier 5 - 1 hour and 15 mins
31. WAF Workshop
We received cooperation from the researchers in these cases, which
enables us to study and mitigate these risks ahead of public disclosure.
We at Fastly greatly appreciate the back and forth with these
independent researchers.
Many Thanks to the Researchers
32. Practical Web Cache Poisoning, BHUSA 2018, James Kettle
What we learned
Zend (PHP) supports the X-Rewrite-URL and X-Forwarded-URL headers
They control the backend response much as X-Forwarded-Host does
Tons of stuff - like Drupal - inherits from Zend
Confusion between the caching layer and the application layer
Most difficult aspect to mitigate
Can't apply a blanket VCL unset - unintended consequences possible
The exploit author developed a Burp Suite extension at BHUSA to probe for new headers; the list is endless
What you can take away
Understand your dependencies
Unset unexpected headers
Cache on expected headers
WAF Workshop
Cache Poisoning via XFU/XRU
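As an added illustration (not code from the workshop, and not Fastly's VCL), the following Python models the two takeaways on this slide: drop the rewrite headers named above unless a service explicitly needs one, and key the cache only on the headers you actually vary on. The header list comes from the slide; the per-service allow list, the cache-key layout and the sample requests are assumptions constructed for this example.

```python
import hashlib
from typing import Dict, Iterable, Set

# Request headers named on this slide that an application layer may honour for
# URL rewriting while a cache in front of it ignores them. Constructed list for
# this example; extend it per service once you know your dependencies.
UNKEYED_REWRITE_HEADERS: Set[str] = {
    "x-forwarded-host",
    "x-forwarded-url",
    "x-rewrite-url",
}


def sanitize_request_headers(headers: Dict[str, str],
                             allow_overrides: Iterable[str] = ()) -> Dict[str, str]:
    """Drop the known rewrite headers unless this service explicitly allows them.

    The per-service allow list is what avoids the blanket unset the slide warns
    about: a service that legitimately relies on X-Forwarded-Host keeps it.
    """
    allowed = {h.lower() for h in allow_overrides}
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in UNKEYED_REWRITE_HEADERS or name.lower() in allowed
    }


def unkeyed_inputs(headers: Dict[str, str],
                   vary: Iterable[str] = ("accept-encoding",)) -> Set[str]:
    """Headers that could change the backend response but are not in the cache key.

    A non-empty result on a cacheable request is the condition to log or alert
    on: the cache would store a response shaped by input it never keyed on.
    """
    keyed = {h.lower() for h in vary}
    present = {h.lower() for h in headers if h.lower() in UNKEYED_REWRITE_HEADERS}
    return present - keyed


def cache_key(method: str, host: str, path: str, headers: Dict[str, str],
              vary: Iterable[str] = ("accept-encoding",)) -> str:
    """Cache key built from the request line plus only the headers we vary on."""
    lowered = {k.lower(): v for k, v in headers.items()}
    parts = [method.upper(), host.lower(), path]
    for name in sorted(h.lower() for h in vary):
        parts.append(f"{name}={lowered.get(name, '')}")
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    # Constructed requests: one carries a rewrite header, one does not.
    poisoned = {"Host": "shop.example", "X-Forwarded-URL": "/attacker-chosen",
                "Accept-Encoding": "gzip"}
    clean = {"Host": "shop.example", "Accept-Encoding": "gzip"}
    # Same key for both: this is the cache/application layer confusion.
    print(cache_key("GET", "shop.example", "/", poisoned) ==
          cache_key("GET", "shop.example", "/", clean))
    print(unkeyed_inputs(poisoned))
    print(sanitize_request_headers(poisoned))
```

The point of `unkeyed_inputs` is detection rather than blocking: a request that carries one of these headers toward a cacheable path is worth a log line even on services where you cannot unset it.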
33. Edge Side Include Injection, BHUSA 2018, Louis Dion Marcil
What we learned
ESI comments get stripped away, revealing the underlying script code
This lets the attacker bypass XSS, SQLi and similar checks
Most difficult aspect to mitigate
ESI is complicated: <esi:comment /> for example, or <!-- esi -->, as well as arbitrary ESI field names.
What you can take away
Mostly affects Apache Traffic Server and Oracle WebLogic
New WAF rules to block ESI
Minimal exposure at Fastly - ESI not enabled by default
We did find (and fix) an ESI bug, however
WAF Workshop
ESI Injection
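An added example (not code from the workshop or from Fastly) showing why a WAF rule that only looks for a <script> tag misses the ESI payload quoted later in these notes, and the two defensive responses the slide names: block ESI syntax outright, and normalize the input the way an ESI processor would before running the XSS check. The regexes approximate ESI handling and are assumptions for this example; the payload is the one from the slide notes.

```python
import re

# Payload from the workshop notes: an ESI comment splits the word "script", so
# a naive <script> check misses it; once an ESI processor strips the comment
# the browser receives a plain <script> tag.
ESI_PAYLOAD = ('<scr<esi:comment text="the goal of the comment is just to break '
               'the script tag"/>ipt>alert(/Chrome%20XSS%20filter%20bypass/);</script>')

# Approximations of ESI syntax, constructed for this example: self-closing tags
# (<esi:comment .../>), paired tags (<esi:vars>...</esi:vars>) and the
# <!--esi ... --> comment form whose body the processor keeps.
_ESI_SELF_CLOSING = re.compile(r"<esi:\w+[^>]*/>", re.I | re.S)
_ESI_PAIRED = re.compile(r"<esi:(\w+)[^>]*>(.*?)</esi:\1\s*>", re.I | re.S)
_ESI_COMMENT = re.compile(r"<!--\s*esi\b(.*?)-->", re.I | re.S)
_ESI_ANY = re.compile(r"<esi:|<!--\s*esi\b", re.I)

# Deliberately simple XSS signature, standing in for a real ruleset.
_SCRIPT_TAG = re.compile(r"<script\b", re.I)


def contains_esi(s: str) -> bool:
    """True if any ESI marker appears; the slide's 'block ESI' rule."""
    return bool(_ESI_ANY.search(s))


def strip_esi(s: str) -> str:
    """Approximate what an ESI processor emits: drop tags, keep inner text."""
    s = _ESI_SELF_CLOSING.sub("", s)
    s = _ESI_PAIRED.sub(r"\2", s)
    s = _ESI_COMMENT.sub(r"\1", s)
    return s


def naive_xss_check(s: str) -> bool:
    """Signature match on the raw input only: what the ESI trick bypasses."""
    return bool(_SCRIPT_TAG.search(s))


def verdict(s: str) -> str:
    """Block on ESI syntax itself, otherwise run the XSS rule on normalized input."""
    if contains_esi(s):
        return "block:esi"
    if naive_xss_check(strip_esi(s)):
        return "block:xss"
    return "allow"


if __name__ == "__main__":
    print(naive_xss_check(ESI_PAYLOAD))   # raw check misses it
    print(strip_esi(ESI_PAYLOAD))         # plain <script> tag after stripping
    print(verdict(ESI_PAYLOAD))
```

Normalizing before matching is the general lesson: any transformation a downstream component applies (ESI processing here, but also decoding or path canonicalization) has to be applied by the inspection point too, or the two layers disagree about what the request says.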
34. CVE-5390
What we learned
Long-standing bug, exacerbated in Linux 4.9 with the larger receive queue
Slow send rate by attacker, long (O(N)) reassembly time by server - denial of service
Instrumented kernels (via kprobes) to look for high rate of receive queue pruning
Most difficult aspect to mitigate
Rolling kernels and preserving cache hit rate
Tuning kernel receive buffers depends on a lot of factors
Dropping fragments not always possible
What you can take away
Hard to clean up on the wire, requires kernel change - config or new kernel
WAF Workshop
SegmentSmack
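The slide says the team instrumented kernels with kprobes to watch for a high rate of receive-queue pruning. As an added example (not the workshop's or Fastly's tooling), the Python below approximates that signal from userland by diffing the TcpExt pruning counters in two samples of /proc/net/netstat. The counter names (PruneCalled, RcvPruned, OfoPruned, TCPRcvCollapsed) are the ones the kernel exposes there; the two snapshots, the interval and the alert threshold are constructed for this example and would be replaced by a baseline measured on your own hosts.

```python
from typing import Dict

# Two constructed snapshots of /proc/net/netstat taken INTERVAL_S apart. Real
# files carry many more counters; only those used here are shown, and the
# values are invented to show a pruning burst between the two samples.
INTERVAL_S = 10
SNAPSHOT_T0 = """\
TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed
TcpExt: 0 120 4 3 10
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SNAPSHOT_T1 = """\
TcpExt: SyncookiesSent PruneCalled RcvPruned OfoPruned TCPRcvCollapsed
TcpExt: 0 9120 4004 3003 1010
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""

# Counters that move when the kernel collapses or prunes a socket's receive queue.
PRUNE_COUNTERS = ("PruneCalled", "RcvPruned", "OfoPruned", "TCPRcvCollapsed")


def parse_netstat(text: str) -> Dict[str, Dict[str, int]]:
    """Parse /proc/net/netstat: each section is a header line followed by a value line."""
    lines = [line for line in text.splitlines() if line.strip()]
    sections: Dict[str, Dict[str, int]] = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        _, nums = values.split(":", 1)
        sections[proto.strip()] = dict(zip(names.split(), (int(n) for n in nums.split())))
    return sections


def prune_rates(t0: str, t1: str, interval_s: float) -> Dict[str, float]:
    """Per-second delta of the pruning counters between two snapshots."""
    before = parse_netstat(t0)["TcpExt"]
    after = parse_netstat(t1)["TcpExt"]
    return {c: (after.get(c, 0) - before.get(c, 0)) / interval_s for c in PRUNE_COUNTERS}


def is_prune_storm(rates: Dict[str, float], threshold_per_s: float = 100.0) -> bool:
    """Flag when receive-queue pruning runs far above the host's normal rate.

    The default threshold is a placeholder; derive the real one from a quiet
    period on the same hardware and kernel before alerting on it.
    """
    return rates["PruneCalled"] >= threshold_per_s


if __name__ == "__main__":
    rates = prune_rates(SNAPSHOT_T0, SNAPSHOT_T1, INTERVAL_S)
    print(rates)
    print("prune storm" if is_prune_storm(rates) else "normal")
```

In production the two snapshots would be read from /proc/net/netstat on a timer; the parser and rate logic stay the same. This does not replace the kernel fix the slide calls for, it only gives you a cheap signal that a host is spending its time in reassembly.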
35. Lost and Found Certificates, Defcon 26, Ian Foster & Dylan Ayrey
What we learned
Difference in how TLS certificates and domain names are renewed
Transfer of ownership of a domain name to a new party without expiry of the TLS certificate can lead to
loss of security properties
Most difficult aspect to mitigate
Shared certificates in CDN, cloud - lots of risk: get yourself on a shared cert with a high-value
domain name and get it revoked, destroying the cert for everyone sharing it with you
What you can take away
We rate the risk as minimal
No easy answer; operational safety relies on the status quo of not revoking immediately on domain
transfer
Invest in a certificate you wholly own for maximum safety
WAF Workshop
BygoneSSL - Certificate
Revocation
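An added example (not the talk's or Fastly's code) of the check a new domain owner would run against Certificate Transparency data after a transfer: which certificates were issued to the previous owner and are still valid, and which of those are shared with other names, so that revoking one would also hit unrelated tenants. The record shape, the .test names, the placeholder fingerprints and the dates are all constructed for this example; real input would come from a CT log query.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass
class CertRecord:
    """The fields this check needs from a CT log entry (constructed shape)."""
    fingerprint: str
    not_before: datetime
    not_after: datetime
    sans: List[str]


def san_covers(san: str, domain: str) -> bool:
    """Exact match, or a wildcard SAN covering exactly one extra label."""
    san, domain = san.lower(), domain.lower()
    if san == domain:
        return True
    return (san.startswith("*.") and domain.endswith(san[1:])
            and domain.count(".") == san.count("."))


def belongs_to(san: str, domain: str) -> bool:
    """True when the SAN is the domain, a subdomain of it, or a wildcard under it."""
    name, domain = san.lower(), domain.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def bygone_certs(records: List[CertRecord], domain: str,
                 transfer_at: datetime) -> List[CertRecord]:
    """Certificates issued before the transfer that remain valid after it."""
    return [r for r in records
            if any(san_covers(s, domain) for s in r.sans)
            and r.not_before < transfer_at < r.not_after]


def other_tenants(record: CertRecord, domain: str) -> List[str]:
    """Names on the same certificate outside this domain: revocation would affect them too."""
    return [s for s in record.sans if not belongs_to(s, domain)]


# Constructed records: invented fingerprints, .test names and dates.
TRANSFER_AT = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    CertRecord("cert-a-placeholder",
               datetime(2017, 9, 1, tzinfo=timezone.utc),
               datetime(2019, 9, 1, tzinfo=timezone.utc),
               ["example-shop.test", "*.example-shop.test"]),
    CertRecord("cert-b-placeholder",
               datetime(2018, 3, 1, tzinfo=timezone.utc),
               datetime(2019, 3, 1, tzinfo=timezone.utc),
               ["cdn-tenant-a.test", "example-shop.test", "cdn-tenant-b.test"]),
    CertRecord("cert-c-placeholder",
               datetime(2016, 1, 1, tzinfo=timezone.utc),
               datetime(2018, 1, 1, tzinfo=timezone.utc),
               ["example-shop.test"]),
]


if __name__ == "__main__":
    for rec in bygone_certs(SAMPLE_RECORDS, "example-shop.test", TRANSFER_AT):
        shared = other_tenants(rec, "example-shop.test")
        print(rec.fingerprint, "valid until", rec.not_after.date(),
              "shared with" if shared else "not shared", shared)
```

The shared-certificate case is the one the slide flags as hardest: a cert you wholly own can be revoked on transfer without collateral damage, while a shared CDN cert cannot.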
Editor's Notes
Why should you care: most data breaches stem from or start with a web attack as the initial vector
15min
Talk about how Fastly approaches security
Talk about how Fastly approaches security
Features of Fastly WAF and what is it
Emphasis on speed ..
Near real-time visibility
PCI Compliance
Fastly’s WAF provides global protection without any significant performance impact because it’s fully integrated into our Varnish-based edge cloud platform. Using a set of pre-built rules, we only run WAF detection logic on requests that cannot be served from cache, saving valuable milliseconds in detecting attacks aimed at the origin server. Integration with our edge cloud platform also ensures support for IPv6 and HTTP/2.
Fastly’s cloud-based WAF consumes third-party rules from the OWASP Core Ruleset, commercial sources, and open source, in addition to Fastly-generated rules. Customers are protected from key application-layer attacks, such as injection attacks and malicious inputs, cross site scripting, data exfiltration, HTTP protocol violations, and other OWASP Top 10 threats. Fastly WAF rules are instantly configurable so you can respond to threats as they arise.
Built on our powerful edge cloud platform, Fastly’s WAF gives you access to 100% of your security events and notifications within seconds from the edge. You can quickly identify potential application layer threats and make instant configuration changes to your WAF rules from within our service. Real-time log streaming also gives you immediate visibility into attack mitigation efforts.
How it mitigates attacks and its limitations (no response checking); you can use snippets to fill those gaps
You will be using the Sumo UI today
Shout out
10min
Reverse CTF
Each team given a vulnerable website and a WAF to protect it
Teams will be able to attack other teams
Tier 6 will be ignored
Green is untriggered challenges - for which you will receive no points
Red is triggered challenges - for which you will receive positive points
Blue is mitigated challenges - for which you will receive negative points
Tools that will be used (js/scoreboard, sumologic, rule management UI)
Sumo Logic has the Fastly integration pre-installed
Form Teams in this slide
1h
Where we go to Juice Shop, launch attacks, then go to Sumo Logic to analyze, then go to the Rule UI and activate a rule.
10 min
15min
<scr<esi:comment text="the goal of the comment is just to break the script tag"/>ipt>alert(/Chrome%20XSS%20filter%20bypass/);</script>
<script>alert(/Chrome%20XSS%20filter%20bypass/);</script>
Code syntax highlighting isn’t natively supported by Google Slides. To apply syntax highlighting to your text box do the following steps in Chrome:
Go to https://tohtml.com
Paste your code snippet in the box
Press the ‘highlight’ button
Paste the highlighted code in the text boxes on the slide
If your text isn't legible against your background (such as in this case), there's a second layer of type layered directly underneath to create a small outline.
Photo is under the MIT license.