Let me fix that for you! (room 3)

Kirk Jackson

Security Researcher @ RedShield

11:30 AM 9 September, 2017

Writing secure applications is hard, and vulnerabilities are often found only after your application has been released to production. But what happens if you are not able to fix those vulnerabilities quickly? What if you don't have the source code? Wouldn't it be great if there were some other way to secure your website?

In this talk we describe the approach we use to shield customers' websites when all other avenues have failed and urgency demands a fix as soon as possible. This process of virtual patching works well in the real world, and gives application owners confidence that all of their known vulnerabilities are mitigated and their applications are as secure as they can be.

This talk demonstrates the process of virtual patching using a suite of open source tooling that you can take back to your company and use straight away, such as ModSecurity and node.js. Our approach differs from that of typical WAF vendors: we patch only the exact, known vulnerabilities discovered in a penetration test, which avoids false positives and the risk of affecting legitimate users.

We will show how ModSecurity works, including patching some OWASP Top 10 vulnerabilities using ModSecurity rules. We will then discuss how to fix more complex business logic flaws by writing JavaScript code running in node.js. This allows you to rewrite traffic to and from your website, track the state of users, sessions and requests, and fix complex issues that cannot be addressed with a WAF on its own.

Prior knowledge: This talk assumes an understanding of the HTTP protocol and the common OWASP Top 10 vulnerabilities. Some experience reading JavaScript would be useful; however, the examples presented will be explained in a way that makes sense to non-coders.