Global AppSec Dublin 2023

We are fighting a 2023 problem by using early 2000s technology. The web has evolved. Some people even talk about web 3.0, bringing blockchain technology into our daily internet navigation. Therefore, the threats have evolved, SQL injection isn’t as common as it used to be, and attackers are now looking for more complex vulnerabilities that could provide faster and bigger profits. New technologies also come with new architecture and deployment requirements, so the final question becomes, how can we protect our applications without risking false positives or decreasing performance? OWASP Coraza’s goal is to solve these questions by providing a modern approach to Open-Source WAF using Golang. Coraza provides a modular, fast, developer-friendly, and efficient set of WAF capabilities that can be easily integrated into any program, it also provides connectors for Web Servers, API Gateways, HTTP frameworks, and more. Coraza is 100% compatible with OWASP Core Ruleset and extends ModSecurity capabilities to the 2020s internet.This is the first public talk of OWASP Coraza WAF. We are currently a lab project in OWASP, soon Flagship. Coraza is also used by many fortune 500 companies around the world, in the top 10 of the ranking.Topics:WAF in the early 2000s1990s World Wide WebAppShield WAFReverse/Transparent ProxyModSecurityRich Content Applications (Ajax)OWASP TOP 10Core RulesetBlocking Models Web 2.0New web FrameworksWebsockets: Transmitted data is not standard. How can we protect it?GraphQL: New language, new vulnerabilities Next Generation WAFs Libmodsecurity:From Apache to everything (mostly Nginx)New architecture Connectors WAF deployment TCP Dump: We can read decrypted traffic, but we cannot terminate a sessionEBPF: We can read encrypted traffic, but we cannot terminate a sessionOpen Tracing: We can read traffic, but we cannot terminate a sessionGRPC and OPA: Can be evaluated inline to terminate a sessionEdge Termination: Request session termination from another endpoint2023 ChallengesWe are not only looking for SQL InjectionEscalate and terminate without latencyRule-less protection0 False PositivesCompliance or protection?Compete against CDN WAFBlock the user, not the IPOWASP CorazaIntroduction to CorazaHigh-Level Architecture Deployment OptionsExtended Web/API capabilitiesExtensibilityRoadmapConclusionsCoraza Links:https://www.coraza.io/https://github.com/corazawaf/corazahttps://owasp.org/www-project-coraza-web-application-firewall/

Dates

Author

Conferences

Tags

OWASP Coraza: The way to WAF in 2023

tldr - powered by Generative AI