<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sooraj</title>
    <description>The latest articles on DEV Community by Sooraj (@soorajvn07).</description>
    <link>https://dev.to/soorajvn07</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F390671%2F8a493490-62b1-45a5-9585-76c754c92704.jpg</url>
      <title>DEV Community: Sooraj</title>
      <link>https://dev.to/soorajvn07</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/soorajvn07"/>
    <language>en</language>
    <item>
      <title>What is ModSecurity? Installation Guide for Apache on Ubuntu</title>
      <dc:creator>Sooraj</dc:creator>
      <pubDate>Mon, 28 Feb 2022 09:43:29 +0000</pubDate>
      <link>https://dev.to/soorajvn07/what-is-modsecurity-installation-guide-for-apache-on-ubuntu-3899</link>
      <guid>https://dev.to/soorajvn07/what-is-modsecurity-installation-guide-for-apache-on-ubuntu-3899</guid>
      <description>&lt;p&gt;ModSecurity (also known as ModSec) is an open-source web application firewall (WAF). It is implemented to protect sites and applications against many common attacks, including XSS, code injection, etc.&lt;/p&gt;

&lt;p&gt;70% of all attacks are carried out through the application level of the web. Thus, implementing a WAF would be helpful for organizations in ensuring system security.&lt;/p&gt;

&lt;p&gt;It establishes an extra security layer that increases the protection level of web servers and detects and prevents attacks before they reach web application programs.&lt;/p&gt;

&lt;p&gt;Initially, ModSecurity was a module for Apache web servers, and with time, it grew to a full-fledged web application firewall with support for different platforms, including Apache, Nginx, and IIS.&lt;/p&gt;

&lt;p&gt;It works on the application layer (the 7th layer in the OSI model).&lt;/p&gt;

&lt;p&gt;It examines the incoming requests, compares them to patterns described in the rules in the ruleset, and takes actions on the requests based on the results of the tests. If the check succeeds, the HTTP request is passed to the website to retrieve the content. If not, pre-defined actions are performed.&lt;/p&gt;

&lt;p&gt;It has a flexible rule engine to perform simple and complex operations and comes with a Core Rule Set (CRS).&lt;/p&gt;

&lt;p&gt;The most popular of these is the OWASP ModSecurity Core Rule Set, which is updated regularly and can block a wide range of generic attacks, including OWASP’s top-ten list of critical vulnerabilities.&lt;br&gt;
&lt;a href="https://beaglesecurity.com/blog/article/modsecurity-apache-installation-guide.html"&gt;Click here to learn more about ModSecurity installation Guide for Apache on Ubuntu&lt;/a&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>devops</category>
      <category>github</category>
      <category>security</category>
    </item>
    <item>
      <title>How To Improve Web Application Security?</title>
      <dc:creator>Sooraj</dc:creator>
      <pubDate>Tue, 15 Jun 2021 14:44:06 +0000</pubDate>
      <link>https://dev.to/soorajvn07/how-to-improve-web-application-security-28gm</link>
      <guid>https://dev.to/soorajvn07/how-to-improve-web-application-security-28gm</guid>
      <description>&lt;p&gt;Web applications play a key role in determining the success of a business. Many companies solely depend on web applications for their business, offering a SaaS product for other customers and also building web apps for internal use.&lt;/p&gt;

&lt;p&gt;Yet it’s a fact that many companies don’t know how to keep track of their web application security and improve it.&lt;/p&gt;

&lt;p&gt;Content management systems (CMS) like WordPress and Joomla, along with website builders, have made it easy for everyone to create a website. Most website owners forget that the attack surface of internet-facing web applications is much wider and that they need adequate security.&lt;/p&gt;

&lt;p&gt;Whenever a customer or visitor is on your website you have to make sure that their data is safe.&lt;/p&gt;

&lt;p&gt;If you fail to keep your customers’ data safe, you could be at the receiving end of a cyber attack which can lead to huge business loss and it can also get you sued. You have to keep in mind that no methods can guarantee your web application will be safe from attackers forever.&lt;/p&gt;

&lt;p&gt;In this article, we’ll be looking into certain best practices that will help you improve web application security and prevent being an easy target for cyber attackers.&lt;/p&gt;

&lt;h2&gt;Choose A Secure Host&lt;/h2&gt;

&lt;p&gt;Even if your website has top-of-the-line security, it won’t do you any good if you are not using a secure host.&lt;/p&gt;

&lt;p&gt;Do some research and choose a hosting company which has a good reputation and does not have many downtime issues. It is also recommended to check whether they meet your other unique requirements depending on your business needs.&lt;/p&gt;

&lt;p&gt;Some of the key points to consider while choosing a hosting server are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Does the web host offer Secure File Transfer Protocol (SFTP)?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Is FTP use by unknown users disabled?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Does it use a rootkit scanner?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Does it offer file backup to a remote server?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;How well do they keep up to date on security upgrades?&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Do they provide technical support whenever necessary?&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Know Your Web Applications And Prioritize Them&lt;/h2&gt;

&lt;p&gt;It’s quite surprising that most organizations are still unaware of how many web applications they have or where they are hosted.&lt;/p&gt;

&lt;p&gt;It is important to have a list of web applications, including your organization’s and other third-party applications, and to prioritize them according to the amount of damage that could be done if something goes wrong.&lt;/p&gt;

&lt;h2&gt;Secure Your Login Pages Using SSL (HTTPS) Encryption&lt;/h2&gt;

&lt;p&gt;To keep your website safe, you need a URL with SSL (or even better TLS) encryption enabled.&lt;/p&gt;

&lt;p&gt;HTTPS encrypts data sent from your browser to the web server and prevents a 3rd party from reading it while in transit. So, even if an attacker tries to intercept the data (manipulator-in-the-middle attacks), it will be useless.&lt;/p&gt;

&lt;p&gt;If your website doesn’t have a valid SSL certificate, it is often flagged by most of the popular browsers as insecure. Browsers warn users not to send any personal, payment or password information in such cases.&lt;/p&gt;

&lt;h2&gt;Always Sanitize And Validate User Input&lt;/h2&gt;

&lt;p&gt;Never trust any user input. This is a very common security mistake found on many websites.&lt;/p&gt;

&lt;p&gt;If user input is not properly sanitized and validated, your website has a high risk of being targeted by attacks like XSS, SQL injection and other types of injection attacks. Sanitizing user input may include the elimination of unwanted characters by removing, replacing, encoding, or escaping the characters.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;script&amp;gt;alert("XSS");&amp;lt;/script&amp;gt;

HTML-encoded: &amp;amp;lt;script&amp;amp;gt;alert(&amp;amp;quot;XSS&amp;amp;quot;);&amp;amp;lt;/script&amp;amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Validation is the process of ensuring that the user input data falls within the expected characters. You can create a whitelist or a blacklist to achieve this. In whitelisting, only the approved characters will be allowed and the rest of the characters will be rejected.&lt;/p&gt;

&lt;p&gt;For example, if your website has a field for accepting phone numbers, you could whitelist numbers from 0 to 9. If the user tries to input any other character it won’t be accepted. On the contrary, in blacklisting, the list of defined characters will not be accepted as a valid input.&lt;/p&gt;

&lt;p&gt;If possible, use whitelisting rather than blacklisting. When using a blacklist, you have to consider all the possible invalid options and if you miss something, you could expose your web application to hackers. This is why it’s much better to simply whitelist what is valid.&lt;/p&gt;

&lt;h2&gt;Have A Good Password Policy&lt;/h2&gt;

&lt;p&gt;Whenever web application security is discussed, good password policies are always part of it.&lt;/p&gt;

&lt;p&gt;Most companies nowadays have standard password policies to improve their online security. Even with these password policies, there are so many websites, databases, and programs that an admin or website owner has to keep password-protected.&lt;/p&gt;

&lt;p&gt;As a result, a lot of people end up using the same password in almost all places in order to remember their login information. But it’s a significant security mistake.&lt;/p&gt;

&lt;p&gt;Nowadays, attackers use automated brute-forcing software to check whether sites are vulnerable. To protect against brute force, always use unique and complex passwords containing uppercase and lowercase letters, numbers and special characters.&lt;/p&gt;

&lt;p&gt;Use hard-to-guess passwords and try not to use any personal information as passwords. If you try to keep a password in your memory, it is almost always an easy one. So, it is recommended to use a password manager for storing your passwords.&lt;/p&gt;

&lt;p&gt;Also, if two-factor authentication (2FA) is available, always opt in to it. Besides the password, this will add an extra layer of security for your accounts.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;For the detailed version with more best practices to improve web application security, check out this &lt;a href="https://beaglesecurity.com/blog/article/how-to-improve-web-application-security.html"&gt;blog&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>webdev</category>
    </item>
    <item>
      <title>17 Year Old Critical RCE Vulnerability in Microsoft DNS Server</title>
      <dc:creator>Sooraj</dc:creator>
      <pubDate>Tue, 21 Jul 2020 15:20:41 +0000</pubDate>
      <link>https://dev.to/soorajvn07/17-year-old-critical-rce-vulnerability-in-microsoft-dns-server-ii3</link>
      <guid>https://dev.to/soorajvn07/17-year-old-critical-rce-vulnerability-in-microsoft-dns-server-ii3</guid>
      <description>&lt;p&gt;A critical Remote Code Execution (RCE) vulnerability CVE-2020-1350 dubbed SIGRed has been found in Microsoft Windows Domain Name System (DNS) servers. &lt;/p&gt;

&lt;p&gt;This vulnerability is classified as a ‘wormable’ vulnerability which means a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another even without user interaction.&lt;/p&gt;

&lt;p&gt;It has a CVSS base score of 10, which is the highest possible risk score. The affected versions include Windows Server versions from 2003 to 2019.&lt;/p&gt;

&lt;p&gt;This vulnerability has been in the Microsoft code for more than 17 years. This means it’s likely that other attackers may have found and taken advantage of the issue.&lt;/p&gt;

&lt;p&gt;But according to Microsoft, this vulnerability is not currently known to be used in active attacks. Microsoft ranks this vulnerability as “exploitation more likely,” and urges customers to apply Windows updates to address this vulnerability as soon as possible.&lt;/p&gt;

&lt;p&gt;This issue results from a flaw in Microsoft’s DNS server role implementation. It does not affect non-Microsoft DNS servers. The vulnerability exists because of how the Windows DNS server parses an incoming DNS query, as well as how forwarded DNS queries are handled.&lt;/p&gt;

&lt;p&gt;The flaw itself is an integer-overflow bug. It can trigger a heap-based buffer overflow attack tied to the DNS module named dns.exe, which is responsible for answering DNS queries on Windows Servers.&lt;/p&gt;

&lt;h3&gt;&lt;strong&gt;Impact of SIGRed: Microsoft DNS Server RCE Vulnerability&lt;/strong&gt;&lt;/h3&gt;

&lt;p&gt;When triggered by a malicious DNS query, the flaw causes a heap-based buffer overflow, enabling an attacker to take control of the server. This makes it possible for an attacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials, etc.&lt;br&gt;
As the service runs with elevated privileges, if compromised, an attacker is also granted Domain Administrator rights. In some scenarios, this vulnerability can be triggered remotely through browser sessions.&lt;/p&gt;
&lt;h3&gt;&lt;strong&gt;How to Prevent SIGRed: Microsoft DNS Server RCE Vulnerability&lt;/strong&gt;&lt;/h3&gt;

&lt;p&gt;Microsoft has released a patch to update the DNS server to the latest version. If applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server.&lt;/p&gt;

&lt;p&gt;In order to work around this vulnerability, make the following registry change to restrict the size of the largest inbound TCP-based DNS response packet allowed:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight"&gt;&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Value: TcpReceivePacketSize
Data:  0xFF00
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;



&lt;p&gt;The default (also maximum) value is 0xFFFF.&lt;br&gt;
Restart the DNS service for the change to take effect.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Originally published on the Beagle Security Blog:&lt;/em&gt; &lt;a href="https://beaglesecurity.com/blog/article/sigred-microsoft-dns-server.html"&gt;https://beaglesecurity.com/blog/article/sigred-microsoft-dns-server.html&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>webdev</category>
      <category>developer</category>
    </item>
  </channel>
</rss>
