WAF Virtual Patching Workshop: Securing WebGoat with ModSecurity

Ryan C. Barnett & Brian Rectanus, Breach Security

Register Now // july 24 - 27

USA 2010 Weekend Training Session //July 24-25

USA 2010 Weekday Training Session //July 26-27


Identification of web application vulnerabilities is only half the battle with remediation efforts as the other. Let's face the facts, there are many real world business scenarios where it is not possible to update web application code in either a timely manner or at all. This is where the tactical use-case of implementing a web application firewall to address identified issues proves its worth.

This workshop is intended to provide an overview of the recommended practices for utilizing a web application firewall for virtual patching. After discussing the framework to use, we will then present a very interesting OWASP Summer of Code Project where the challenge was to attempt to mitigate as many of the OWASP WebGoat vulnerabilities as possible using the open source ModSecurity web application firewall. During the workshop, we will discuss both WebGoat and ModSecurity and provide in-depth walk-throughs of the complex fixes. Examples will include addressing not only attacks but the underlying vulnerabilities, using data persistence for multiple-step processes, content injection and even examples of the new LUA programming language API. The goal of this workshop is to both highlight cutting edge mitigation options using a web application firewall and to show how it can effectively be used by security consultants who traditionally could only offer source code fixes.

Virtual Patching:

Introduction - Virtual Patching Theory

  • What is it?
  • Source Code/Patching Challenges
  • Value

OWASP SoC Project

  • Securing WebGoat with ModSecurity
  • Lab setup (Install WebGoat/ModSecurity VM)
  • Project Solution Examples
  • Cross-Site Scripting
  • Negative Security
  • Positive Security
  • AppDefect Identification
  • HTTPOnly Cookies
  • Cross-Site Request Forgery
  • Unique Token Implementation via Content-Injection
  • Session Management Flaws
  • Session Hijacking/Fixation
  • Deny Invalid Sessions
  • Hidden Parameter Tampering
  • Lua
  • Business Logic Flaws
  • Conclusion / Questions

Teaching Methods:

Lecture, hands-on labs and group discussions.

Who Should Attend:

Security Consultants, IDS/IPS/WAF admins


Students should be familiar with HTTP, Linux, Regular Expressions

What to bring:

Students should bring a laptop computer that can run Vmware image (will be provided in class). OS should have Java installed in order to run OWASP WebGoat locally.

what you will get:

1 hard-copy coursebook, CD with VM image, WebGoat.


Ryan C. Barnett is the Director of Application Security Research at Breach Security. He is also a Faculty Member for the SANS Institute, OWASP ModSecurity Core Rule Set Project Leader and a Member of the Web Application Security Consortium where he leads the Distributed Open Proxy Honeypot Project. Mr. Barnett has also authored a web security book for Addison/Wesley Publishing entitled "Preventing Web Attacks with Apache."

Brian Rectanus is the Lead ModSecurity Developer and a Project member for both the OWASP ModSecurity Core Rule Set and WASC Distributed Open Proxy Honeypot Project. Brian is also a developer for the Open Information Security Foundation (OISF) on the Suricata IDS Project.

Super Early:
Ends Apr 1

Ends May 15

Ends Jun 15

Ends Jul 23