Chapter 9

Preventing Application Attacks

Rapidity is the essence of war: take advantage of the enemy’s unreadiness, make your way by unexpected routes, and attack unguarded spots.

—Sun Tzu in The Art of War

Attackers use a variety of methods to bypass web application input validation and access control mechanisms. The recipes in this chapter show you the most common attack methods and outline countermeasures for each one. Each recipe includes reference material taken from the MITRE Common Attack Pattern Enumeration and Classification (CAPEC) project: http://capec.mitre.org/.

Recipe 9-1: Blocking Non-ASCII Characters
This recipe shows you how to determine when attackers attempt to submit non-ASCII characters.
Ingredients
  • OWASP ModSecurity Core Rule Set (CRS)
    • modsecurity_crs_20_protocol_violations.conf
  • ModSecurity
    • ARGS variable
    • ARGS_NAMES variable
    • REQUEST_HEADERS variable
    • @validateByteRange operator
CAPEC-52: Embedding NULL Bytes
An attacker embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when they encounter the null byte(s).
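To make the byte-range check concrete, here is an added example in Python; it is not code from the book, from ModSecurity or from the CRS. It reimplements the semantics of the @validateByteRange operator over the equivalents of the ARGS, ARGS_NAMES and REQUEST_HEADERS collections, applying one URL-decoding pass to the query string first (what a t:urlDecodeUni transformation would give the operator). Two range specs are shown: "1-255", which rejects only the NUL byte (the CAPEC-52 case), and "32-126", which allows printable ASCII only. The function names, the choice of which spec to apply, and the sample requests are all constructed for this example.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# Range specs in @validateByteRange syntax (comma-separated values or lo-hi
# ranges). Which spec is applied to which variable is a policy choice made for
# this example, not something the book fixes.
NUL_ONLY = "1-255"          # reject only 0x00 (CAPEC-52 null-byte embedding)
PRINTABLE_ASCII = "32-126"  # also reject raw UTF-8, control chars, CR/LF


def parse_byte_ranges(spec: str) -> frozenset[int]:
    """Expand "1-255" or "10,13,32-126" into the set of permitted byte values."""
    allowed = set()
    for part in spec.split(","):
        lo_text, _, hi_text = part.strip().partition("-")
        lo = int(lo_text)
        hi = int(hi_text) if hi_text else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad byte range {part!r}")
        allowed.update(range(lo, hi + 1))
    return frozenset(allowed)


def offending_bytes(value: bytes, allowed: frozenset[int]) -> list[int]:
    """Sorted, deduplicated byte values in `value` that fall outside `allowed`."""
    return sorted({b for b in value if b not in allowed})


def decode_query(query: str) -> list[tuple[bytes, bytes]]:
    """One URL-decoding pass over the query string, returning raw (name, value)
    byte pairs so that %00 becomes 0x00 and %C3%A9 stays two bytes.
    Exactly one pass is made: a double-encoded %2500 decodes to the literal
    text "%00", which is ordinary ASCII and is therefore not flagged here."""
    pairs = []
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_to_bytes(name.replace("+", " ")),
                      unquote_to_bytes(value.replace("+", " "))))
    return pairs


def check_request(request_line: str, headers: dict[str, str],
                  spec: str = NUL_ONLY) -> list[str]:
    """Return one finding per variable holding an out-of-range byte, e.g.
    'ARGS:file: 0x00'. An empty list means the request passes the check."""
    allowed = parse_byte_ranges(spec)
    findings: list[str] = []

    def inspect(variable: str, data: bytes) -> None:
        bad = offending_bytes(data, allowed)
        if bad:
            findings.append(f"{variable}: " + " ".join(f"0x{b:02x}" for b in bad))

    _method, target, _version = request_line.split(" ", 2)
    for name, value in decode_query(urlsplit(target).query):
        label = name.decode("latin-1")  # never fails, keeps the raw bytes visible
        inspect(f"ARGS_NAMES:{label}", name)
        inspect(f"ARGS:{label}", value)
    for header, value in headers.items():
        # Header values are modelled as UTF-8 text for this example.
        inspect(f"REQUEST_HEADERS:{header}", value.encode("utf-8"))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET /index.php?file=../../etc/passwd%00.jpg HTTP/1.1", {}),   # NUL truncation
    ("GET /search?q=caf%C3%A9 HTTP/1.1", {}),                        # raw UTF-8
    ("GET / HTTP/1.1", {"User-Agent": "Mozilla/5.0\x00"}),           # NUL in header
    ("GET /?%00name=x HTTP/1.1", {}),                                # NUL in arg name
    ("GET /?f=%2500 HTTP/1.1", {}),                                  # double-encoded
    ("GET /index.php?option=com_content HTTP/1.1", {"Host": "www"}), # clean
]


def scan_samples(spec: str = NUL_ONLY) -> list[list[str]]:
    """Run check_request over SAMPLES with the given spec, one result per sample."""
    return [check_request(line, hdrs, spec) for line, hdrs in SAMPLES]


if __name__ == "__main__":
    for spec in (NUL_ONLY, PRINTABLE_ASCII):
        print(f"--- @validateByteRange {spec}")
        for (line, _), result in zip(SAMPLES, scan_samples(spec)):
            print(f"{line!r:60} -> {result or 'ok'}")
```

Running the block prints the verdict for each sample under both specs: with "1-255" only the three requests carrying a NUL are flagged, and the UTF-8 value passes; with "32-126" the UTF-8 bytes 0xc3 0xa9 are flagged as well. The double-encoded "%2500" passes in both cases, which is the caveat to keep in mind whenever the operator is applied after a single decoding pass.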
Sample Attacks
The following attacks were captured from web server honeypot sensors:
209.235.136.112 - - [15/Apr/2012:16:55:36 +0900] "GET /index.php?option=com_ganalytics&controller=../opt/lampp/logs/ ...
