Design of a self-learning Web Application Firewall

Vincent Cox
This master's thesis covers the research into and development of a self-learning Web Application Firewall. The end result includes a graphical user interface that lets even IT staff with limited security knowledge configure extensive protection for websites and web applications. The self-learning component provides protection that is better and tailored to the protected application than the standard OWASP Top Ten firewall rules.

Executing Root Commands in Web Applications While Maintaining Security Best Practices



University or university college
"Master of Science in de Industriële wetenschappen" (Master of Science in Industrial Sciences), specialization ICT
Year of publication
2016
Supervisor(s)
Gustaaf Vermeulen
Keywords
vincentcox_be