How do you protect against injections in your web application and how do you keep track of what attackers are trying to break in?
Security is a hard problem, especially when you are only running but not writing an application. The infamous comic “This is fine” is often the best description we have for this scenario. But it doesn’t have to be. This talks shows how to protect against injections and also how to monitor them.
This talk combines two of the OWASP top ten security risks:
- Injections (A1:2017): We are using a simple application exploitable by injection and will then secure it with the Web Application Firewall (WAF) ModSecurity.
- Insufficient Logging & Monitoring (A10:2017): We are logging and monitoring both the secured and the unsecured application with the open source Elastic Stack.
To make it more interactive, the audience has to do the injections, which we are then live monitoring and mitigating with ModSecurity.
Demo: Try out the example code of the talk or just look at the configuration of ModSecurity and logging.
PS: This is highly insecure and bad code — don’t use it for anything except demoing the security problem.