Conference: International Conference on Electronics, Computer and Computation

Towards a Framework of Configuring and Evaluating ModSecurity WAF on Tomcat and Apache Web Servers


Abstract

Open-source software has slowly infiltrated the enterprise space because the products tend to be cheaper, more flexible, and more secure in comparison to proprietary products. However, open-source software incurs the cost of beavering to acquire professionals to customize the product to meet expectations, support fixes, and extend the product to a wide range of capabilities. ModSecurity is an open-source web application firewall (WAF) developed explicitly for Apache, and technically only listens to HTTP port 80. This study utilized the agility and flexibility of open-source software to design a framework for configuring the Apache module ModSecurity WAF to communicate with a Tomcat server (which runs explicitly on HTTP port 8080). Furthermore, using a suitable penetration testing methodology, this study investigates and compares the effectiveness of ModSecurity WAF in both Apache and Tomcat environments. ModSecurity WAF limitations were also investigated. In addition to providing a framework for configuring ModSecurity on a Tomcat server, this study provides an understanding of web application vulnerabilities, the techniques used to exploit them, and the mitigation mechanisms to address them.