Tyler Muth’s Blog

Technology with a focus on Oracle, Application Express and Linux

mod_security

Posted by Tyler Muth on June 2, 2008

mod_security is an Apache module that works as a web application firewall. It is most useful for catching common SQL Injection and Cross Site Scripting (XSS) payloads before they reach your application. If you are a web developer and could not immediately describe both of those concepts to a colleague, stop reading this and go read more about both of them. In fact, Oracle Server Technologies has a great, free, online course that covers SQL Injection here. These classes of vulnerabilities have become quite popular and are the vectors for many of the latest security breaches. If you’re using APEX, there are a lot of built-in features and default settings that keep you from coding these vulnerabilities into your applications, but you should really know the threat so you understand the risk of, say, turning off the character escaping in APEX reports or of using a concatenated string in a query instead of a bind variable.

I played around with mod_security about a year ago, but since it required compiling an unsupported module into Oracle HTTP Server, I didn’t invest much time in it. I recently installed the 11g Oracle HTTP Server (OHS 10.1.3.3.0) based on Apache 2.0 and noticed that it shipped with mod_security, so I thought this would be a good time to bring it up with the community. The only downside is that the version shipping with OHS is mod_security 1.8.4. This version came out in 2004 and I can’t even find the documentation for it anymore (even via archive.org). So, I used the mod_security 1.9 doc to put together some examples of what you can do. You can also compile mod_security in with previous versions of OHS (make sure you set the PERL5LIB environment variable or it will fail; use the setup instructions from this article on compiling mod_php). I have not tried to remove the old version of mod_security from OHS and compile in a new one; I’m sticking to the supported stuff for now. Also, I have been told that they will be updating the version of mod_security that ships with OHS in future versions.

Configuration

I decided to demonstrate this on Windows since most of my examples are Linux based. I added the following line to ORACLE_HOME\ohs\conf\httpd.conf:

Include "C:\oracle\http_home\ohs\conf\mod_security.conf"

This file and the rules file can be downloaded here.

Below are a few VERY simple rules to give you an idea of what mod_security does. The rules I included are a little more complex, but hopefully more complete.

SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "<[[:space:]]*script"

mod_security inspects requests before handing them off to other modules such as mod_plsql, so a request that matches one of these database-centric rules is rejected before it ever reaches the database. Two caveats for the 1.x series: the engine has to be switched on with SecFilterEngine On, and POST bodies are only inspected when SecFilterScanPOST is also On (otherwise only the request line and headers are checked). Rules as broad as select.+from will also match legitimate input, so run new rules in log-only mode first and review the log before switching them to deny. It offers many advanced features as well, including the ability to scan uploaded files with anti-virus software before they get past mod_security (documented here). You can control whether it returns an error page or simply logs the event and continues. You can even filter output, say Oracle errors, if you’re concerned about an ORA- error message exposing details about your schema structure.
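To make the pieces above concrete, here is an added example of a complete mod_security 1.x configuration file built around the four rules listed earlier. It is not the mod_security.conf from the original post (that download is gone) and not anything shipped with OHS; the directive names and the ARGS|!ARG_name exclusion syntax are taken from the mod_security 1.9 reference, so check each one against the manual for the exact version you have. The log file names, the /pls/forum/post_message location and the p_body parameter name are assumptions that stand in for your own procedure and form field.

```apache
# Added example of a mod_security 1.x configuration (not the original post's
# file). Directive names follow the 1.9 reference; verify against your version.
<IfModule mod_security.c>
    # Nothing below takes effect unless the engine is on.
    SecFilterEngine On

    # Request bodies are not inspected by default in 1.x; without this, a
    # SQL injection payload in a POSTed form field passes straight to mod_plsql.
    SecFilterScanPOST On

    # Normalise the request before the regexes run, so %73elect and friends
    # are compared in decoded form, and reject malformed encodings outright.
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off
    SecFilterForceByteRange 1 255

    # Action for any filter that does not name its own.
    # Use "pass,log" while tuning, then switch to deny once the log is clean.
    SecFilterDefaultAction "deny,log,status:403"

    # Audit log: full request details for matched requests only (assumed paths,
    # relative to ServerRoot).
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecFilterDebugLog logs/modsec_debug.log
    SecFilterDebugLevel 0

    # The four illustrative rules from the post, applied to the whole request.
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilter "<[[:space:]]*script"

    # A narrower rule: look only at query-string and form arguments, and
    # override the default action so this one logs without blocking.
    SecFilterSelective ARGS "union[[:space:]]+select" "pass,log"

    # Output filtering (Apache 2 builds only): catch "ORA-nnnnn" error text
    # before it leaves the server and replace the page with a 500.
    SecFilterScanOutput On
    SecFilterOutputMimeTypes "(null) text/html text/plain"
    SecFilterSelective OUTPUT "ORA-[0-9]{5}" "deny,log,status:500"

    # Exception for one page that legitimately accepts SQL text in a form
    # field (the forum case raised in the comments). The path is assumed and
    # stands for whatever mod_plsql procedure serves that page.
    <Location /pls/forum/post_message>
        # Drop the inherited filters, then re-add only the checks that still
        # make sense for free-text SQL: the XSS rule on everything, and the
        # SQL rules on every argument except the message body
        # (p_body is an assumed parameter name).
        SecFilterInheritance Off
        SecFilter "<[[:space:]]*script"
        SecFilterSelective "ARGS|!ARG_p_body" "delete[[:space:]]+from"
        SecFilterSelective "ARGS|!ARG_p_body" "insert[[:space:]]+into"
        SecFilterSelective "ARGS|!ARG_p_body" "select.+from"
    </Location>
</IfModule>
```

Two things worth knowing when applying this to APEX: every APEX page is served from the same URL (the f procedure of the DAD, with the page number in the p argument), so a Location block cannot single out one APEX page and the argument-level exclusion is the part that carries over. And the SecFilter/SecFilterSelective syntax is specific to the 1.x series; mod_security 2.x replaced it with SecRule, so these lines will not load in a newer module.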

In my opinion, mod_security is no substitute for awareness, secure coding practices, and code review. My question to the community is: do you think it adds significant value? Do you want to read more about it if I were to include it in a more formal publication? Are there changes you would make to my example rules?

7 Responses to “mod_security”

  1. Scott said

    In my opinion, mod_security is no substitute for awareness, secure coding practices, and code review.

    Agreed 100%, but that doesn’t mean that it should be avoided. Security is not an event; it is an ongoing process which requires multiple disciplines to implement. If I could use mod_security to prevent one type of attack, then it would definitely be worth it!

    I always advise clients to use a corresponding APEX validation for every JavaScript validation. My hope is that the APEX validation will simply never execute, as the JavaScript will take care of things. However, if something does go wrong – either intentionally or accidentally – the APEX validation will act as a safety net. I see mod_security in a similar light – do everything right everywhere else, and you’ll be OK, but you will also have a safety net in the case something did fail.

    – Scott –

  2. Gary said

    Surely the catchcry of “defense in depth” means that multiple layers of security should be used together simply on the assumption that there can be a failure in any one layer.

  3. […] at run-time – adding a rule to disable said action from happening. here’s a nice article on it. mod_security Tyler Muth’s Blog The closing paragraph sums it up. Vb is pretty dang secure out of the box. There are currently no […]

  4. Bob said

    So, when running mod_security on a bulletin board site for SQL help, how would you allow users to post messages with SQL queries in them?

  5. Tyler Muth said

    Bob,

    Great question. The best way I can think of to do that is to add an exception in mod_security for the page(s) used to post questions. Then focus on the code behind that page to make sure that it uses bind variables for its DML. mod_security can still protect the rest of the site, and you only need to worry about one or two pages.

    You might also escape some of the characters in the SQL they submit with HTML codes. For example, replace equals, semi-colon, and single-quotes with their HTML escape codes. This will allow them to display correctly on the page, but should render most SQL Injection attacks harmless. You would want to do this before the user’s SQL gets inserted into your database.

  6. Doug Gault said

    Tyler,

    The mod_security.conf file that you had hosted on drop.io has been lost after drop.io got bought out by Facebook.

    Can you post the contents of the file so that people (like me) who come here for reference can see it?

  7. David John said

    While speaking of Modsec, what do you think about this one? http://waf.comodo.com
