Chapter 9 Preventing Application Attacks

Rapidity is the essence of war: take advantage of the enemy’s unreadiness, make your way by unexpected routes, and attack unguarded spots.

—Sun Tzu in The Art of War

Attackers use a variety of methods to bypass web application input validation and access control mechanisms. The recipes in this chapter show you the most common attack methods and outline various countermeasures for each one. Each recipe includes reference material taken from the Mitre Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.

Recipe 9-1: Blocking Non-ASCII Characters

This recipe shows you how to determine when attackers attempt to submit non-ASCII characters.

Ingredients

OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_20_protocol_violations.conf
ModSecurity
- ARGS variable
- ARGS_NAMES variable
- REQUEST_HEADERS variable
- @validateByteRange operator

CAPEC-52: Embedding NULL Bytes

An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when they encounter the null byte(s).

http://capec.mitre.org/data/definitions/52.html

Sample Attacks

The following attacks were captured from web server honeypot sensors:

209.235.136.112 - - [15/Apr/2012:16:55:36 +0900] "GET /index.php?option=com_ganalytics&controller=../opt/lampp/logs/ ...

Get Web Application Defender's Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Web Application Defender's Cookbook by Ryan C. Barnett, Jeremiah Grossman

Chapter 9

Preventing Application Attacks

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly