Posted by Tyler Muth on June 2, 2008
mod_security is an Apache module designed as a sort of web application firewall. It’s most useful for preventing SQL Injection and Cross Site Scripting (or XSS). If you are a web developer and could not immediately describe both of those concepts to a colleague, stop reading this and go read more about both concepts. In fact, Oracle Server Technologies has a great, free, online course that covers SQL Injection here. These classes of vulnerabilities have become quite popular and are the vectors to many of the latest security breaches. If you’re using APEX, there are a lot of built-in features and default settings that prevent you from coding these vulnerabilities into your applications, but you should really know the threat so you understand the risk of say, turning off the character escaping in APEX reports or of using a concatenated string in a query instead of a bind variable.
I played around with mod_security about a year ago, but since it required compiling an unsupported module into Oracle HTTP Server, I didn’t invest much time in it. I recently installed the 11g Oracle HTTP Server (OHS 10.1.3.3.0) based on Apache 2.0 and noticed that it shipped with mod_security, so I thought this would be a good time to bring it up with the community. The only downside is that the version shipping with OHS is mod_security 1.8.4. This version came out in 2004 and I can’t even find the documentation for it anymore (even via archive.org). So, I used the mod_security 1.9 doc to put together some examples of what you can do. You can also compile mod_security in with previous versions of OHS (make sure you set the PERL5LIB environment variable or it will fail, use the setup instructions from this article on compiling mod_php). I have not tried to remove the old version of mod_security from OHS and compile in a new one… sticking to the supported stuff or now. Also, I have been told that they will be updating the version of mod_security that ships with OHS in future versions.
I decided to demonstrate this on Windows since most of my examples are Linux based. I added the following line to ORACLE_HOME\ohs\conf\httpd.conf:
This file and the rules file can be downloaded here.
Below are a few VERY simple rules to give you an idea of what mod_security does. The rules I included are a little more complex, but hopefully more complete.
SecFilter "delete[[:space:]]+from" SecFilter "insert[[:space:]]+into" SecFilter "select.+from" SecFilter "<[[:space:]]*script"
mod_security will inspect both POST and GET requests before handing the requests off to other modules such as mod_plsql, so these database centric attacks never actually reach the database. It offers many advanced features as well, including the ability to scan uploaded files with anti-virus software before they get past mod_security (documented here). You can control whether or not it returns an error page, or simply logs the event and continues. You can even filter output, say Oracle errors if you’re concerned about an Oracle error exposing details about your schema structure.
In my opinion, mod_security is no substitute for awareness, secure coding practices, and code review. My question to the community is do you think it adds significant value? Do want to read more about it if I were to include it in a more formal publication? Are there changes you would make to my example rules?