Application Security

Security Software as a Risk

Combined Session
Thursday, May 15, 2014 15:30—16:30
Location: AMMERSEE I

Successfully attacking an IT system requires exploitable vulnerabilities, and software always contains them. Since networking and security components such as firewalls, encryption, and intrusion detection and protection systems are to some extent software themselves, security infrastructure should be seen as a threat in itself. This has been shown by multi-level systematic security tests on a wide range of security products. A comprehensive security test process minimises the need for patching after security products are delivered.

In this talk, Prof. Dr. Pohl will walk through the case of the Web Application Firewall (WAF) ModSecurity, showing that even security software can contain vulnerabilities that attackers might exploit, and is therefore itself open to attack.

WAFs operate with black and white lists and filter the HTTP traffic between servers and clients. Their advantage over regular firewalls is that a WAF does not filter at the lower network layers but at the application layer (layer 7 in the OSI model). Conventional firewalls generally operate at layer 3 (network layer) or layer 4 (transport layer), which lets them filter incoming requests by IP address or port. A WAF, on the other hand, also examines the content of the incoming packet and is thus able to defend against attacks such as SQL injection and cross-site scripting, which conventional firewalls do not recognise. Web application firewalls examine only HTTP packets and therefore serve to prevent the exploitation of vulnerabilities in web applications in particular. For this purpose they rely on defined rules built from regular expressions, which block malicious HTTP requests using the black-and-white listing method.

Because the WAF ModSecurity itself contained a denial-of-service vulnerability, simple HTTP requests with XML content were enough, for example, to put the web server out of operation.
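To make the layer-7 filtering described above concrete, and to show where the filter's own robustness matters, here is a small whitelist-plus-blacklist request inspector. It is an added example written for this page, not ModSecurity's code or rules: the rule patterns, the body-size cap and the XML pre-check are assumed values chosen for illustration, and the sample requests are constructed. The XML guard only illustrates bounding the work a filter does before parsing; it is not a description of the ModSecurity defect discussed in the talk, which the page does not detail.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_plus, urlsplit, parse_qsl


@dataclass
class Request:
    method: str
    target: str      # request-target from the request line, e.g. "/search?q=shoes"
    headers: dict
    body: bytes = b""


@dataclass
class Decision:
    allowed: bool
    reason: str


# Whitelist: properties a request must have before any content inspection.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")

# Blacklist: regular expressions applied to URL-decoded request content (layer 7).
# Each rule carries an id so a blocked request can be traced to the rule that fired.
# Patterns are deliberately simple and linear-time; they are illustrative, not complete.
BLACKLIST = [
    ("sqli-union", re.compile(r"(?i)\bunion\b[\s/*]+(all[\s/*]+)?\bselect\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+['\d]+\s*=\s*['\d]+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(?:error|load|click)\s*=")),
]

# Guards for the filter itself: a WAF must not be exhaustible by the traffic it
# inspects. Both limits are assumed values for this example.
MAX_BODY_BYTES = 64 * 1024
XML_DECLARATION = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _decoded_fields(req: Request) -> List[str]:
    """Collect every piece of request content the rules should see, URL-decoded."""
    split = urlsplit(req.target)
    fields = [unquote_plus(split.path)]
    for key, value in parse_qsl(split.query, keep_blank_values=True):
        fields.extend([key, value])
    if req.body:
        fields.append(unquote_plus(req.body.decode("utf-8", errors="replace")))
    return fields


def inspect(req: Request) -> Decision:
    # 1. Whitelist: method and path shape.
    if req.method not in ALLOWED_METHODS:
        return Decision(False, f"method {req.method} not in whitelist")
    if not ALLOWED_PATH.match(urlsplit(req.target).path):
        return Decision(False, "path not in whitelist")
    # 2. Resource guards, evaluated before any decoding or parsing of the body.
    if len(req.body) > MAX_BODY_BYTES:
        return Decision(False, f"body exceeds {MAX_BODY_BYTES} bytes")
    content_type = req.headers.get("Content-Type", "")
    if content_type.startswith(("text/xml", "application/xml")):
        # Cheap linear scan: refuse XML that declares a DTD or entities so the
        # (more expensive) parsing stage never sees entity-expansion input.
        if XML_DECLARATION.search(req.body):
            return Decision(False, "XML body declares DOCTYPE/ENTITY")
    # 3. Blacklist: regular expressions over decoded content.
    fields = _decoded_fields(req)
    for rule_id, pattern in BLACKLIST:
        for value in fields:
            if pattern.search(value):
                return Decision(False, f"blacklist rule {rule_id} matched")
    return Decision(True, "clean")


# Constructed sample requests for this example (not traffic from the talk).
SAMPLE_REQUESTS = [
    Request("GET", "/search?q=shoes", {}),
    Request("GET", "/search?q=1%27%20OR%20%271%27%3D%271", {}),
    Request("POST", "/comment", {"Content-Type": "application/x-www-form-urlencoded"},
            b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("POST", "/api/upload", {"Content-Type": "text/xml"}, b"<a>" * 100000),
    Request("POST", "/api/upload", {"Content-Type": "text/xml"},
            b'<?xml version="1.0"?><!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'),
    Request("DELETE", "/search", {}),
]


def run_samples():
    """Return (method, target, reason) for each sample so results can be checked."""
    return [(r.method, r.target, inspect(r).reason) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, target, reason in run_samples():
        print(f"{method:6} {target[:40]:40} -> {reason}")
```

The order of the checks is the point: whitelist first, then the guards that bound how much work the filter does on a body, and only then the regular-expression blacklist over decoded content. A filter that decoded or parsed the body before checking its size would expose exactly the kind of self-inflicted denial of service the talk warns about.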

This shows that security software can be a double-edged sword. On the one hand, firewalls raise the security level by filtering traffic and thus protect servers, computers and web applications from attacks; on the other hand, they must themselves be free of vulnerabilities, otherwise the firewall itself can be attacked. In addition, security software must always be patched promptly and configured correctly if the security level is to be raised to meet the relevant threat.

To ensure that security software never becomes a conduit for threats, it should be examined for vulnerabilities as part of a multi-level, systematic security test process comprising Threat Modelling, Static Source Code Analysis, Penetration Testing and Dynamic Analysis (Fuzzing). Only in this way can it be guaranteed that security software is really secure.

Prof. Dr. Hartmut Pohl
softScheck GmbH
Hartmut Pohl is Professor for Information Security at Bonn University, and CEO/Founder of softScheck, a Security Consulting Firm.