Virtual Patching Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

The goal with this cheat Sheet is to present a concise virtual patching framework that organizations can follow to maximize the timely implementation of mitigation protections.

= Definition: Virtual Patching =

A security policy enforcement layer which prevents the exploitation of a known vulnerability.

The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.

= Why Not Just Fix the Code? =

From a purely technical perspective, the number one remediation strategy would be for an organization to correct the identified vulnerability within the source code of the web application. This concept is universally agreed upon by both web application security experts and system owners. Unfortunately, in real world business situations, there arise many scenarios where updating the source code of a web application is not easy such as:
 * Lack of resources (Devs are already allocated to other projects)
 * 3rd Party Software
 * Outsourced App Dev which would require a new contract

The important point is this - Code level fixes and Virtual Patching are NOT mutually exclusive. They are processes that are executed by different team (OWASP Builders/Devs vs. OWASP Defenders/OpSec) and can be run in tandem.

= Value of Virtual Patching = The two main goals of Virtual Patching are:
 * Time-to-Fix - Fixing application source code takes time. The main purpose of a virtual patch is to implement a mitigation for the identified vulnerability as soon as possible.  The urgency of this response may be different: for example if the vulnerability was identified in-house through code reviews or penetration testing vs. finding a vulnerability as part of live incident response.


 * Attack Surface Reduction - Focus on minimizing the attack vector. In some cases, such as missing positive security input validation, it is possible to achieve 100% attack surface reduction.  In other cases, such with missing output encoding for XSS flaws, you may only be able to limit the exposures.  Keep in mind - 50% reduction in 10 minutes is better than 100% reduction in 48 hrs.

= Virtual Patching Tools = Notice that the definition above did not list any specific tool as there are a number of different options that may be used for virtual patching efforts sucha as:
 * Intermediary devices such as a WAF or IPS
 * Web server plugin such as ModSecurity
 * Application layer filter such as ESAPI WAF

For example purposes, we will show virtual patching examples using the open source ModSecurity WAF tool.

= A Virtual Patching Methodology = Virtual Patching, like most other security processes, is not something that should be approached haphazardly. Instead, a consistent, repeatable process should be followed that will provide the best chances of success. The following virtual patching workflow mimics the industry accepted practice for conducting IT Incident Response and consists of the following phases:
 * Preparation
 * Identification
 * Analysis
 * Virtual Patch Creation
 * Implementation/Testing
 * Recovery/Follow T Up.

Preparation Phase
The importance of properly utilizing the preparation phase with regards to virtual patching cannot be overstated. The idea is that you need to do a number of things to setup the virtual patching processes and framework prior to actually having to deal with an identified vulnerability, or worse yet, react to a live web application intrusion. The point is that during a live compromise is not the ideal time to be proposing installation of a web application firewall and the concept of a virtual patch. Tension is high during real incidents and time is of the essence, so lay the foundation of virtual patching when the waters are calm and get everything in place and ready to go when an incident does occur.

Here are a few critical items that should be addressed during the preparation phase:
 * Ensure that you are signed up for on all vendor alert mail-lists for commercial software that you are using. This will ensure that you will be notified in the event that the vendor releases vulnerability information and patching data.
 * Virtual Patching Pre-Authorization – Virtual Patches need to be implemented quickly so the normal governance processes and authorizations steps for standard software patches need to be expedited. Since virtual patches are not actually modifying source code, they do not require the same amount of regression testing as normal software patches.  I have found that categorizing virtual patches in the same group as Anti-Virus updates or Network IDS signatures helps to speed up the authorization process and minimize extended testing phases.
 * Deploy ModSecurity In Advance - As time is critical during incident response, it would be a poor time to have to get approvals to install new software. You can install ModSecurity in embedded mode on your Apache servers, or an Apache reverse proxy server.  The advantage with this deployment is that you can create fixes for non-Apache back-end servers.  Even if you do not use ModSecurity under normal circumstances, it is best to have it “on deck” ready to be enabled if need be.
 * Increase Audit Logged – The standard Common Log Format (CLF) utilized by most web servers does not provide adequate data for conducting proper incident response. You need to have access to the following HTTP data:
 * Request URI (including QUERY_STRING)
 * Full Request Headers (including Cookies)
 * Full Request Body (POST payload)
 * Full Response Headers
 * Full Response Body

Identification Phase
The Identification Phase occurs when an organization becomes aware of a vulnerability within their web application. There are generally two different methods of identifying vulnerabilities: Proactive and Reactive.

Proactive Identification
This occurs when an organization takes it upon themselves to assess their web security posture and conducts the following tasks: These tasks are extremely important for custom coded web applications as there would be external entity that has the same application code.
 * Vulnerability assessment (internal or external) and penetration tests
 * Source code reviews

Reactive Identification
There are three main reactive methods for identifying vulnerabilities:
 * Vendor contact (e.g. pre-warning) - Occurs when a vendor discloses a vulnerability for commercial web application software that you are using. Example is Microsoft's Active Protections Program (MAPP) - http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
 * Public disclosure - Public vulnerability disclosure for commercial/open source web application software that you are using. The threat level for public disclosure is increased as more people know about the vulnerability.
 * Security incident – This is the most urgent situation as the attack is active. In these situations, remediation must be immediate.

Analysis Phase
Here are the recommended steps to start the analysis phase:


 * 1) Enter the vulnerability information into a bug tracking system for tracking purposes and metrics.  Recommend you use ticketing systems you already use such as Jira or you may use a specialized tool such as ThreadFix - https://code.google.com/p/threadfix/.
 * 2) Verify the name of the vulnerability - This means that you need to have the proper CVE name/number identified by the vulnerability announcement, vulnerability scan, etc…
 * 3) Designate the impact level - It is always important to understand the level of criticality involved with a web vulnerability.  Information leakages may not be treated in the same manner as an SQL Injection issue.
 * 4) Specify which versions of software are impacted - You need to identify what versions of software are listed so that you can determine if the version(s) you have installed are affected.
 * 5) List what configuration is required to trigger the problem - Some vulnerabilities may only manifest themselves under certain configuration settings.
 * 6) List Proof of Concept (PoS) exploit code or payloads used during attacks/testing - Many vulnerability announcements have accompanying exploit code that shows how to demonstrate the vulnerability.  If this data is available, make sure to download it for analysis.  This will be useful later on when both developing and testing the virtual patch.

Virtual Patch Creation Phase
The process of creating an accurate virtual patch is bound by two main tenants:


 * 1) No false positives - means do not ever block legitimate traffic under any circumstances.
 * 2) No false negatives - means do not ever miss attacks, even when the attacker intentionally tries to evade detection.

Positive Security (Whitelist) Virtual Patches (Recommended Solution)
Positive security model (whitelist) is a comprehensive security mechanism that provides an independent input validation envelope to an application. The model specifies the characteristics of valid input (character set, length, etc…) and denies anything that does not conform. By defining rules for every parameter in every page in the application the application is protected by an additional security envelop independent from its code.

Negative Security (Blacklist) Virtual Patches
A negative security model (blacklist) is based on a set of rules that detect specific known attacks rather than allow only valid traffic.

Which Method is Better for Virtual Patching – Positive or Negative Security?
A virtual patch may employ either a positive or negative security model. Which one you decide to use depends on the situation and a few different considerations. For example, negative security rules can usually be implemented more quickly, however the possible evasions are more likely.

Positive security rules, only the other hand, provides better protection however it is often a manual process and thus is not scalable and difficult to maintain for large/dynamic sites. While manual positive security rules for an entire site may not be feasible, a positive security model can be selectively employed when a vulnerability alert identifies a specific location with a problem.

Beware of Exploit-Specific Virtual Patches
You want to resist the urge to take the easy road and quickly create an exploit-specific virtual patch. For instance, if an authorized penetration test identified an XSS vulnerability on a page and used the following attack payload in the report:

 alert('XSS Test') 

It would not be wise to implement a virtual patch that simply blocks that exact payload. While it may provide some immediate protection, its long term value is significantly decreased.

Implementation/Testing Phase
In order to accurately test out the newly created virtual patches, it may be necessary to use an application other than a web browser. Some useful tools are: •	Command line web clients such as Curl and Wget. •	Local Proxy Servers such as WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) and Burp Proxy (http://www.portswigger.net/suite/). •	ModSecurity AuditViewer (http://www.jwall.org/web/audit/viewer.jsp) – which allows you to load a ModSecurity audit log file, manipulate it and then re-inject the data back into any web server. These tools will allow you to manipulate the request data in any way desired. ModSecurity’s Debug Log File In order to verify exactly how your new rule is working, you should review the ModSecurity SecDebugLog file data. The Debug log provides extensive details on the rule processing order and in many cases is the only true way to verify that the rule is working exactly as you expected. You will most likely need to increase the SecDebugLogLevel directive setting to get enough detail to validate the patch processing. You can selectively increase the logging based on source IP address so that you don’t impact performance on the entire web server. Below is an excerpt of the debug log data during rule processing (some data deleted for readibility):

Recipe: Invoking rule 82211d8. Executing operator !rx with param "^(POST)$" against REQUEST_METHOD. Target value: POST Operator completed in 17 usec. Rule returned 0. No match, not chained -> mode NEXT_RULE. Recipe: Invoking rule 82214b0. Rule returned 0. No match, not chained -> mode NEXT_RULE. Recipe: Invoking rule 82360d0. Executing operator !rx with param "^(\w{0,32})$" against ARGS:username. Target value: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Operator completed in 13 usec. Rule returned 1. Match, intercepted -> returning. Access denied with code 501 (phase 2). Match of "rx ^(\w{0,32})$" against "ARGS:username" required. [id "1"] [msg "Postparameter username failed validity check. Value domain: Username."] [severity "ERROR"]

Recovery/Follow-Up Phase
Although you may need to expedite the implementation of virtual patches, you should still track them in your normal Patch Management processes. This means that you should create proper change request tickets, etc… so that their existence and functionality is documented. You should also have periodic re-assessments to verify if/when you can remove previous virtual patches if the web application code has been updated with the real source code fix. I have found that many people opt to keep virtual patches in place due to better identification/logging vs. application or db capabilities.

= References =

https://www.owasp.org/index.php/Virtual_Patching_Best_Practices

= Authors and Primary Editors =

ryan.barnett[at]owasp.org