ModSecurity

Last updated
ModSecurity
Original author(s) Ivan Ristić
Developer(s) Trustwave SpiderLabs
Initial releaseNovember 2002;21 years ago (2002-11)
Stable release
3.0.8 [1]   OOjs UI icon edit-ltr-progressive.svg / 7 September 2022;16 months ago (7 September 2022)
Repository
Written in C++ (3.x), C (2.x)
Available in English
License Apache License 2.0
Website modsecurity.org   OOjs UI icon edit-ltr-progressive.svg

ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, [2] [3] Microsoft IIS and Nginx. [4] It is free software released under the Apache license 2.0.

Contents

The platform provides a rule configuration language known as 'SecRules' for real-time monitoring, logging, and filtering of Hypertext Transfer Protocol communications based on user-defined rules.

Although not its only configuration, ModSecurity is most commonly deployed to provide protections against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS). [5] This is an open-source set of rules written in ModSecurity's SecRules language. The project is part of OWASP, the Open Web Application Security Project. Several other rule sets are also available.

To detect threats, the ModSecurity engine is deployed embedded within the webserver or as a proxy server in front of a web application. This allows the engine to scan incoming and outgoing HTTP communications to the endpoint. Dependent on the rule configuration the engine will decide how communications should be handled which includes the capability to pass, drop, redirect, return a given status code, execute a script, and more.

History

ModSecurity was first developed by Ivan Ristić, who wrote the module with the end goal of monitoring application traffic on the Apache HTTP Server. The first version was released in November 2002 which supported Apache HTTP Server 1.3.x. Starting in 2004 Ivan created Thinking Stone to continue work on the project full-time. While working on the version 2.0 rewrite Thinking Stone was bought by Breach Security, an American-Israeli security company, in September 2006. Ivan stayed on continuing the development of version 2.0 which was subsequently released in October 2006 at the OWASP AppSec conference in Seattle.

Ristić and Breach Security released another major rewrite, version 2.5, with major syntactic changes in February 2008. In December 2008 Ivan left Breach to found SSL Labs. Shortly after Ivan's departure from Breach Security, Trustwave Holdings acquired Breach in June 2010 and relicensed ModSecurity under the Apache license. Development continued and the new license allowed easier integration of ModSecurity into other products. As a result of this there was steady adoption of ModSecurity by various commercial products. The license change also precipitated easier porting of the software. Hence, Microsoft contributed an IIS port in August 2012 and the port for Nginx was released at Black Hat Briefings in 2012.

2017 saw the second edition of the handbook released, [6] written by Christian Folini and Ivan Ristić. It covers ModSecurity up to version 2.9.2.

Being originally an Apache module, porting ModSecurity to other platforms was time-consuming and had high maintenance costs. As a result of this, a complete rewrite was started in December 2015. This new iteration, libmodsecurity, changes the underlying architecture, separating ModSecurity into a standalone engine that communicates with the web server via an API. This modular architecture-based WAF, which was announced for public use in January 2018, [7] became libmodsecurity (ModSecurity version 3.0) and has supported connectors for Nginx and Apache.

In 2021, Trustwave Holdings, announce the End-of-Sale (EOS) of Trustwave support for ModSecurity effective August 1, 2021 and the End-of-Life (EOL) of support effective July 1, 2024. The maintenance of the ModSecurity code is given to the open-source community. [8]

Related Research Articles

<span class="mw-page-title-main">Apache HTTP Server</span> Open-source web server software

The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. It is developed and maintained by a community of developers under the auspices of the Apache Software Foundation.

In web applications, a rewrite engine is a software component that performs rewriting on URLs, modifying their appearance. This modification is called URL rewriting. It is a way of implementing URL mapping or routing within a web application. The engine is typically a component of a web server or web application framework. Rewritten URLs are used to provide shorter and more relevant-looking links to web pages. The technique adds a layer of abstraction between the files used to generate a web page and the URL that is presented to the outside world.

URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

<span class="mw-page-title-main">WebGUI</span> Open-source content management system

WebGUI is an open-source content management system written in Perl and released under the GNU General Public License.

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the application layer of the OSI model, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

The Web Server Gateway Interface is a simple calling convention for web servers to forward requests to web applications or frameworks written in the Python programming language. The current version of WSGI, version 1.0.1, is specified in Python Enhancement Proposal (PEP) 3333.

<span class="mw-page-title-main">Catalyst (software)</span>

Catalyst is an open source web application framework written in Perl, that closely follows the model–view–controller (MVC) architecture, and supports a number of experimental web patterns. It is written using Moose, a modern object system for Perl. Its design is heavily inspired by frameworks such as Ruby on Rails, Maypole, and Spring.

Web server software allows computers to act as web servers. The first web servers supported only static files, such as HTML, but now they commonly allow embedding of server side applications.

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. AJP is a highly trusted protocol and should never be exposed to untrusted clients, which could use it to gain access to sensitive information or execute code on the application server.

<span class="mw-page-title-main">HTTP 403</span> HTTP status code indicating that access is forbidden to a resource

HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it, if it was correct.

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. A large fraction of web servers use Nginx, often as a load balancer.

<span class="mw-page-title-main">HTTP 301</span> HTTP response status code

HTTP 301 is the HTTP response status code for 301 Moved Permanently. It is used for permanent redirecting, meaning that links or records returning this response should be updated. The new URL should be provided in the Location field, included with the response. The 301 redirect is considered a best practice for upgrading users from HTTP to HTTPS.

mod_openpgp was an Apache server module authored by Arturo 'Buanzo' Busleiman. The module implemented access authorization to servers, virtual hosts, or directories when incoming requests' HTTP OpenPGP signatures are valid and known by the local keyring. The module also allowed for the signing and encryption of HTTP requests, providing increased data integrity and confidentiality. The now defunct Enigform Mozilla Firefox extension implemented the client-side requirements of mod_openpgp.

<span class="mw-page-title-main">Web server directory index</span> Index page of a websites directory

When an HTTP client requests a URL that points to a directory structure instead of an actual web page within the directory structure, the web server will generally serve a default page, which is often referred to as a main or "index" page.

<span class="mw-page-title-main">Slowloris (computer security)</span> Software for executing a denial-of-service attack

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

<span class="mw-page-title-main">WebSocket</span> Computer network protocol

WebSocket is a computer communications protocol, providing simultaneous two-way communication channels over a single Transmission Control Protocol (TCP) connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011. The current specification allowing web applications to use this protocol is known as WebSockets. It is a living standard maintained by the WHATWG and a successor to The WebSocket API from the W3C.

FastCGI is a binary protocol for interfacing interactive programs with a web server. It is a variation on the earlier Common Gateway Interface (CGI). FastCGI's main aim is to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time.

HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google. HTTP/2 was developed by the HTTP Working Group of the Internet Engineering Task Force (IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The HTTP/2 specification was published as RFC 7540 on May 14, 2015.

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. They also introduce a performance degradation and are easily bypassed by attackers so their deployment is not recommended.

Google PageSpeed is a family of tools by Google Inc, designed to help a website's performance optimizations. It was introduced at Developer Conference in 2010. There are four main components of PageSpeed family tools: PageSpeed Module, consisting of mod PageSpeed for the Apache HTTP Server and ngx PageSpeed for the Nginx, PageSpeed Insights, PageSpeed Service, and PageSpeed Chrome DevTools extension. All of these components are built to identify the faults in a website's compliance with Google's Web Performance Best Practices, and automate the optimization process.

References

  1. Error: Unable to display the reference properly. See the documentation for details.
  2. "How to secure your Apache 2 server in four steps". Techrepublic.com. 18 November 2016. Retrieved 7 January 2018.
  3. Shah, Shreeraj. "Securing Web Services with mod_security - O'Reilly Media". Onlamp.com. Archived from the original on 7 January 2018. Retrieved 7 January 2018.
  4. Lardinois, Frederic (23 August 2016). "NGINX Plus's latest release puts the focus on security". Techcrunch.com. Retrieved 7 January 2018.
  5. "OWASP ModSecurity Core Rule Set – The 1st Line of Defense Against Web Application Attacks". Coreruleset.org. Retrieved 7 January 2018.
  6. ModSecurity Handbook . Retrieved 7 January 2018.{{cite book}}: |website= ignored (help)
  7. "ModSecurity Version 3.0 Announcement". www.trustwave.com. Retrieved 12 September 2019.
  8. "End of Sale and Trustwave Support for ModSecurity Web Application Firewall". trustwave.com. Retrieved 14 October 2021.