I wonder if here people are collectively referring to "WAF" as Apache, modsecurity and modproxy, where it's actually the latter that allowed metainstance calls outbound?
Hi guys, did you have a chance to contact @briankrebs about this? I also don't see how modsecurity could have an SSRF vulnerability. Much more likely the Apache server had it.
New conversation
I don't know if misconfiguring modsecurity is sufficient, but I know for sure that with the power of Apache and other modules it's no problem at all. I've seen super complex configs before.
Sure thing. But @briankrebs puts #ModSecurity in the center and I can't see how. There is some piece of the puzzle missing.
End of conversation

New conversation
Any update on this? Really interested to clear up the specifics of the SSRF and how it relates to mod_security.
No, unfortunately not.
End of conversation

New conversation
I was wondering the same thing too. I hope to hear more details from @briankrebs or Capital One.
Krebs uses the term “WAF” like an element of infrastructure (e.g. “the WAF was given too many permissions”), so I suspect capone had a tier of machines functioning as a WAF (perhaps a proxy layer) and those were pwned. Smells like a conflation of the overloaded term WAF & modsec.
XXE to steal AWS metadata is possible, but not sure how you'd do an SSRF for the same on this platform.
I think SSRF should be avoided "by design"; probably mod_security is not the best place to filter out these requests. Maybe in some reverse_proxy module, but as usual you cannot rely only on countermeasures.