Virtual Patching Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

The goal with this cheat Sheet is to present a concise virtual patching framework that organizations can follow to maximize the timely implementation of mitigation protections.

= Definition: Virtual Patching =

A security policy enforcement layer which prevents the exploitation of a known vulnerability.

The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.

= Why Not Just Fix the Code? =

From a purely technical perspective, the number one remediation strategy would be for an organization to correct the identified vulnerability within the source code of the web application. This concept is universally agreed upon by both web application security experts and system owners. Unfortunately, in real world business situations, there arise many scenarios where updating the source code of a web application is not easy such as:
 * Lack of resources (Devs are already allocated to other projects)
 * 3rd Party Software
 * Outsourced App Dev which would require a new contract

The important point is this - Code level fixes and Virtual Patching are NOT mutually exclusive. They are processes that are executed by different team (OWASP Builders/Devs vs. OWASP Defenders/OpSec) and can be run in tandem.

= Value of Virtual Patching = The two main goals of Virtual Patching are:
 * Time-to-Fix - Fixing application source code takes time. The main purpose of a virtual patch is to implement a mitigation for the identified vulnerability as soon as possible.  The urgency of this response may be different: for example if the vulnerability was identified in-house through code reviews or penetration testing vs. finding a vulnerability as part of live incident response.


 * Attack Surface Reduction - Focus on minimizing the attack vector. In some cases, such as missing positive security input validation, it is possible to achieve 100% attack surface reduction.  In other cases, such with missing output encoding for XSS flaws, you may only be able to limit the exposures.  Keep in mind - 50% reduction in 10 minutes is better than 100% reduction in 48 hrs.

= Virtual Patching Tools = Notice that the definition above did not list any specific tool as there are a number of different options that may be used for virtual patching efforts sucha as:
 * Intermediary devices such as a WAF or IPS
 * Web server plugin such as ModSecurity
 * Application layer filter such as ESAPI WAF

For example purposes, we will show virtual patching examples using the open source ModSecurity WAF tool.

= A Virtual Patching Methodology = Virtual Patching, like most other security processes, is not something that should be approached haphazardly. Instead, a consistent, repeatable process should be followed that will provide the best chances of success. The following virtual patching workflow mimics the industry accepted practice for conducting IT Incident Response and consists of the following phases:
 * Preparation
 * Identification
 * Analysis
 * Virtual Patch Creation
 * Implementation/Testing
 * Recovery/Follow T Up.

Preparation Phase
The importance of properly utilizing the preparation phase with regards to virtual patching cannot be overstated. The idea is that you need to do a number of things to setup the virtual patching processes and framework prior to actually having to deal with an identified vulnerability, or worse yet, react to a live web application intrusion. The point is that during a live compromise is not the ideal time to be proposing installation of a web application firewall and the concept of a virtual patch. Tension is high during real incidents and time is of the essence, so lay the foundation of virtual patching when the waters are calm and get everything in place and ready to go when an incident does occur.

Here are a few critical items that should be addressed during the preparation phase:
 * Ensure that you are signed up for on all vendor alert mail-lists for commercial software that you are using. This will ensure that you will be notified in the event that the vendor releases vulnerability information and patching data.
 * Virtual Patching Pre-Authorization – Virtual Patches need to be implemented quickly so the normal governance processes and authorizations steps for standard software patches need to be expedited. Since virtual patches are not actually modifying source code, they do not require the same amount of regression testing as normal software patches.  I have found that categorizing virtual patches in the same group as Anti-Virus updates or Network IDS signatures helps to speed up the authorization process and minimize extended testing phases.
 * Deploy ModSecurity In Advance - As time is critical during incident response, it would be a poor time to have to get approvals to install new software. You can install ModSecurity in embedded mode on your Apache servers, or an Apache reverse proxy server.  The advantage with this deployment is that you can create fixes for non-Apache back-end servers.  Even if you do not use ModSecurity under normal circumstances, it is best to have it “on deck” ready to be enabled if need be.
 * Increase Audit Logged – The standard Common Log Format (CLF) utilized by most web servers does not provide adequate data for conducting proper incident response. You need to have access to the following HTTP data:
 * Request URI (including QUERY_STRING)
 * Full Request Headers (including Cookies)
 * Full Request Body (POST payload)
 * Full Response Headers
 * Full Response Body

Identification Phase
The Identification Phase occurs when an organization becomes aware of a vulnerability within their web application. There are generally two different methods of identifying vulnerabilities: Proactive and Reactive.

Proactive Identification
This occurs when an organization takes it upon themselves to assess their web security posture and conducts the following tasks: These tasks are extremely important for custom coded web applications as there would be external entity that has the same application code.
 * Vulnerability assessment (internal or external) and penetration tests
 * Source code reviews

Reactive Identification
There are three main reactive methods for identifying vulnerabilities:
 * Vendor contact (e.g. pre-warning) - Occurs when a vendor discloses a vulnerability for commercial web application software that you are using. Example is Microsoft's Active Protections Program (MAPP) - http://www.microsoft.com/security/msrc/collaboration/mapp.aspx
 * Public disclosure - Public vulnerability disclosure for commercial/open source web application software that you are using. The threat level for public disclosure is increased as more people know about the vulnerability.
 * Security incident – This is the most urgent situation as the attack is active. In these situations, remediation must be immediate.

Example Public Vulnerability
Let's take the following SQL Injection vulnerability as our example for the remainder of the article - http://www.osvdb.org/show/osvdb/88856

88856 : WordPress Shopping Cart Plugin for WordPress /wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php reqID Parameter SQL Injection

''Description: WordPress Shopping Cart Plugin for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php script not properly sanitizing user-supplied input to the 'reqID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.''

Analysis Phase
Here are the recommended steps to start the analysis phase:


 * 1) Determine if the attack type category is suitable for virtual patching - virtual patching is ideally suited for injection-type flaws but may not provide an adequate level of attack surface reduction for other types such as authorization or access control flaws.
 * 2) Enter the vulnerability information into a bug tracking system for tracking purposes and metrics.  Recommend you use ticketing systems you already use such as Jira or you may use a specialized tool such as ThreadFix - https://code.google.com/p/threadfix/.
 * 3) Verify the name of the vulnerability - This means that you need to have the proper CVE name/number identified by the vulnerability announcement, vulnerability scan, etc…
 * 4) Designate the impact level - It is always important to understand the level of criticality involved with a web vulnerability.  Information leakages may not be treated in the same manner as an SQL Injection issue.
 * 5) Specify which versions of software are impacted - You need to identify what versions of software are listed so that you can determine if the version(s) you have installed are affected.
 * 6) List what configuration is required to trigger the problem - Some vulnerabilities may only manifest themselves under certain configuration settings.
 * 7) List Proof of Concept (PoS) exploit code or payloads used during attacks/testing - Many vulnerability announcements have accompanying exploit code that shows how to demonstrate the vulnerability.  If this data is available, make sure to download it for analysis.  This will be useful later on when both developing and testing the virtual patch.

Virtual Patch Creation Phase
The process of creating an accurate virtual patch is bound by two main tenants:


 * 1) No false positives - means do not ever block legitimate traffic under any circumstances.
 * 2) No false negatives - means do not ever miss attacks, even when the attacker intentionally tries to evade detection.

Positive Security (Whitelist) Virtual Patches (Recommended Solution)
Positive security model (whitelist) is a comprehensive security mechanism that provides an independent input validation envelope to an application. The model specifies the characteristics of valid input (character set, length, etc…) and denies anything that does not conform. By defining rules for every parameter in every page in the application the application is protected by an additional security envelop independent from its code.

Example Whitelist ModSecurity Virtual Patch
In order to create a whitelist virtual patch, you must be able to verify what the normal, expected input values are. If you have implemented proper audit logging as part of the Preparation Phase, then you should be able to review audit logs to identify the format of expected input types. In this case, the "reqID" parameter is supposed to only hold integer characters so we can use this virtual patch: SecRule REQUEST_URI "@contains /wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php" "chain,id:1,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'Input Validation Error for \'reqID\' parameter.',logdata:'%{args.reqid}'" SecRule ARGS:reqID "!@rx ^[0-9]+$"

This virtual patch will inspect the reqID parameter value on the specified page and prevent any characters other than integers as input.

Negative Security (Blacklist) Virtual Patches
A negative security model (blacklist) is based on a set of rules that detect specific known attacks rather than allow only valid traffic.

Example Blacklist ModSecurity Virtual Patch
Here is the example PoC code that was supplied by the public advisory - http://packetstormsecurity.com/files/119217/WordPress-Shopping-Cart-8.1.14-Shell-Upload-SQL-Injection.html: http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1

Looking at the payload, we can see that the attacker is inserting a single quote character and then adding additional SQL query logic to the end. Based on this data, we could disallow the single quote character like this: SecRule REQUEST_URI "@contains /wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php" "chain,id:1,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'Input Validation Error for \'reqID\' parameter.',logdata:'%{args.reqid}'" SecRule ARGS:reqID "@pm '"

Which Method is Better for Virtual Patching – Positive or Negative Security?
A virtual patch may employ either a positive or negative security model. Which one you decide to use depends on the situation and a few different considerations. For example, negative security rules can usually be implemented more quickly, however the possible evasions are more likely.

Positive security rules, only the other hand, provides better protection however it is often a manual process and thus is not scalable and difficult to maintain for large/dynamic sites. While manual positive security rules for an entire site may not be feasible, a positive security model can be selectively employed when a vulnerability alert identifies a specific location with a problem.

Beware of Exploit-Specific Virtual Patches
You want to resist the urge to take the easy road and quickly create an exploit-specific virtual patch. For instance, if an authorized penetration test identified an XSS vulnerability on a page and used the following attack payload in the report:

 alert('XSS Test') 

It would not be wise to implement a virtual patch that simply blocks that exact payload. While it may provide some immediate protection, its long term value is significantly decreased.

Implementation/Testing Phase
In order to accurately test out the newly created virtual patches, it may be necessary to use an application other than a web browser. Some useful tools are:

Testing Steps

 * Implement virtual patches initially in a "Log Only" configuration to ensure that you do not block any normal user traffic.
 * Use any of the following tools to manually test out the patch:
 * Web browser
 * Command line web clients such as Curl and Wget.
 * Local Proxy Servers such as OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project).
 * ModSecurity AuditViewer (http://www.jwall.org/web/audit/viewer.jsp) – which allows you to load a ModSecurity audit log file, manipulate it and then re-inject the data back into any web server.
 * If the vulnerability was identified by a specific tool or assessment team - request a retest.
 * If retesting fails due to evasions, then you must go back to the Analysis phase to identify how to better fix the issue.

Recovery/Follow-Up Phase
Although you may need to expedite the implementation of virtual patches, you should still track them in your normal Patch Management processes. This means that you should create proper change request tickets, etc… so that their existence and functionality is documented. You should also have periodic re-assessments to verify if/when you can remove previous virtual patches if the web application code has been updated with the real source code fix. I have found that many people opt to keep virtual patches in place due to better identification/logging vs. application or db capabilities.

= References =
 * OWASP Virtual Patching Best Practices
 * OWASP Securing WebGoat with ModSecurity

= Authors and Primary Editors =

ryan.barnett[at]owasp.org