Web Application Security¶

Overview¶

Web application security focuses on protecting web services from attacks that exploit vulnerabilities in the application layer. Common attack vectors include SQL injection (manipulating database queries), Cross-Site Scripting (XSS, injecting malicious scripts), directory traversal (accessing files outside the web root), and command injection.

Web Application Firewalls (WAFs) like ModSecurity provide a rule-based defense layer that inspects HTTP requests and blocks suspicious patterns before they reach the application. While application developers bear primary responsibility for secure code, system administrators provide defense in depth through WAF configuration, proper file permissions, and secure server configuration.

How It Works¶

Defence in Depth¶

Web application security follows the principle of defence in depth — multiple layers of protection so that no single failure compromises the system:

Network firewall (firewalld) — controls which ports and protocols are reachable (Layers 3–4)
Web Application Firewall (WAF) — inspects HTTP request content for malicious patterns (Layer 7)
Application code — input validation, parameterised queries, output encoding
OS-level controls — SELinux, file permissions, dedicated service accounts

System administrators are responsible for layers 1, 2, and 4. Even if application code has vulnerabilities, these layers can prevent or limit exploitation.

Common Attack Vectors¶

SQL Injection: Attackers insert SQL statements into input fields (e.g. login forms, URL parameters) to manipulate database queries. A vulnerable query like SELECT * FROM users WHERE name = '$input' can be exploited with input like ' OR 1=1 -- to bypass authentication or dump data.
Cross-Site Scripting (XSS): Malicious JavaScript is injected into web pages viewed by other users. Stored XSS persists in the database; reflected XSS is embedded in URLs. Both can steal session cookies or redirect users.
Directory Traversal: Requests containing ../ sequences attempt to access files outside the web root, such as http://example.com/../../../../etc/passwd. Properly configured web servers and WAF rules block these patterns.
Command Injection: If a web application passes user input to a shell command without sanitisation, attackers can execute arbitrary system commands.

Web Application Firewalls (WAFs)¶

A WAF sits between web traffic and the web server, analysing HTTP requests and responses to identify and block malicious patterns. Unlike network firewalls that rely on IP addresses and ports, WAFs examine the actual content of web requests — URLs, query parameters, headers, and request bodies.

ModSecurity is an open-source WAF that integrates with Apache as a module. It uses a rule-based engine to inspect every HTTP request:

# Default action: deny and log with HTTP 406
SecDefaultAction "phase:2,deny,log,status:406"

# Block requests containing 'etc/passwd' in the URI
SecRule REQUEST_URI "etc/passwd" "id:'500001'"

# Block directory traversal attempts
SecRule REQUEST_URI "\.\./" "id:'500002'"

# Block script injection in arguments
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"

When a request matches a rule, ModSecurity blocks it and returns an error (e.g. 406 Not Acceptable) instead of forwarding it to the application. The blocked request is logged for review.

OWASP Core Rule Set (CRS) provides a comprehensive, community-maintained set of ModSecurity rules covering the most common attack patterns. In production, you would use the CRS rather than writing custom rules, since it is impractical to account for every attack vector yourself.

Forensic Logging¶

Standard Apache access logs record basic information: client IP, timestamp, request path, and response code. For security investigations, this is often insufficient.

mod_log_forensic provides detailed request logging including:

Complete HTTP headers (User-Agent, cookies, Accept types, etc.)
Unique request identifiers for correlating across log files
Pre-request (+) and post-request (-) entries

+YDvAdxfNz6bRQrk@IWUKUQAAAMA|GET / HTTP/1.1|Host:localhost|User-Agent:Mozilla/5.0 ...
-YDvAdxfNz6bRQrk@IWUKUQAAAMA

A pre-request entry without a matching post-request entry indicates a request that never completed — useful for identifying client disconnections or server crashes.

Forensic logging generates significantly larger log files than standard logging, so it is typically enabled selectively during investigations rather than permanently.

Secure Server Configuration¶

Beyond WAFs, system administrators harden web servers through:

File permissions: Web content owned by apache user, with restrictive permissions. The web server should not be able to write to its own document root unless explicitly required.
SELinux contexts: Setting httpd_sys_rw_content_t only on directories that genuinely need write access (e.g. WordPress upload directories).
Disabling unnecessary modules: Each loaded Apache module increases the attack surface. Only enable modules that are actively used.
Separate log files per virtual host: Isolating logs makes it easier to identify which site is being targeted.
Running behind a reverse proxy: The application itself is not directly exposed to the internet; Apache handles TLS termination, logging, and WAF filtering.

Key Terminology¶

WAF (Web Application Firewall): A security layer that inspects HTTP traffic and blocks requests matching known attack patterns.
ModSecurity: An open-source WAF engine that integrates with Apache, Nginx, and IIS. Uses configurable rules to filter malicious requests.
OWASP: The Open Web Application Security Project — a non-profit producing tools, documentation, and standards for web application security (including the CRS and the OWASP Top 10).
OWASP Core Rule Set (CRS): A community-maintained collection of ModSecurity rules providing broad protection against common web attacks.
SQL Injection: An attack that inserts malicious SQL into application queries via user input.
XSS (Cross-Site Scripting): An attack that injects malicious scripts into web pages viewed by other users.
Directory Traversal: An attack using ../ sequences to access files outside the intended web root.
Forensic Logging: Detailed HTTP request logging (via mod_log_forensic) that captures complete headers and unique request identifiers.
Virtual Patching: Using WAF rules to block exploitation of a known vulnerability before the application code is fixed.

Why It Matters¶

Defence in depth: Application developers make mistakes. WAF rules and proper server configuration provide a safety net that catches attacks even when application code is vulnerable.
Compliance: Many security standards (PCI-DSS, SOC 2) require WAF protection for web-facing applications.
Incident response: Forensic logs provide the detailed evidence needed to understand what happened during a security incident — standard logs often lack the header detail required for investigation.
Reducing attack surface: Disabling unused modules, enforcing file permissions, and running services under dedicated accounts all reduce the number of ways an attacker can exploit the system.

Common Pitfalls¶

WAF blocking legitimate traffic: Overly aggressive rules can block normal application behaviour. For example, a CMS that allows users to edit HTML content may trigger XSS rules. Always test WAF rules against real application traffic and create targeted exceptions where needed.
Relying solely on the WAF: A WAF is a layer of defence, not a substitute for secure application code. SQL injection should be fixed with parameterised queries, not just blocked by rules.
Leaving ModSecurity in DetectionOnly mode: After installation, ModSecurity defaults to detection mode (logging only, not blocking). Switch to enforcement mode (SecRuleEngine On) for actual protection.
Not monitoring WAF logs: ModSecurity logs blocked requests, but someone needs to review them. Unmonitored logs provide no value.
Permissive file ownership: WordPress directories owned by apache with write access everywhere allow a compromised plugin to modify any file. Only grant write access where strictly needed (uploads, cache).