Reversing Engineering a Web Application - For Fun, Behavior & WAF Detection

Presented at AppSec USA 2014, Sept. 19, 2014, 10:30 a.m. (45 minutes)

Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing and we started research on a new approach to mitigate the problem. Initially reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led to us creating a way to detect attackers based on whitelist protection in combination with behavior analysis. Integrating traffic analysis with log correlation, resulting in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, their results and how we have maintained WAF (Web Application Firewall), using very low CPU processes and high detection rates. Detailed Outline: - Current method of detection (We'll show how WAF operates today, allowing us to emphasize our unique approach) - Reverse engineering a CMS application (In this step we'll show how we reverse engineered a CMS Application to understand its fragility and common attack vectors) - Setting up honeypots (We'll share our work with honeypots which gathered data in real time during massive attacks on popular CMS applications) - Identifying behavior (analyzing data to understand points to be considered when creating counter measures and evaluating the best approach to each type of attack type) - Creating countermeasures (using behaviour information, CMS vulnerabilities and attack methods spreading in the wild, we'll show how we created better signatures specific to each CMS based on the knowledge acquired during research on each one of them) - Live analysis (merging everything together and seeing the tool operate live, well-tuned, blocking specific attacks, with improving low false-positive rate in an effective and efficient manner)


  • Rodrigo Montoro - Security Researcher
    Rodrigo "Sp0oKeR" Montoro has 15 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently he is Security Researcher/ SOC. Prior to joining Clavis he worked as a Senior Security administrator at Sucuri, and was a researcher at Spiderlabs where he focused on IDS/IPS Signatures, Modsecurity rules, and new detection researches. Rodrigo is the author of two patented technologies involving discovery of malicious digital documents and analyzing malicious HTTP traffic. He is also a coordinator and Snort evangelist for the Brazilian Snort Community. Rodrigo has spoken at a number of open source and security conferences including OWASP AppSec, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE (Boston and Seattle), ZonCon (Amazon Internal Conference), BSides (Las Vegas and São Paulo), and Black Hat (Brazil).


Similar Presentations: