Web Application Fortification with ModSecurity over IIS : HTTrack Website Copier

Excessive recursion is the number one problem plaguing modern web applications and API’s. I always use the analogy of the bank where the client continues to go to the teller and try credentials in order to have his card authenticated. One of the elements I like to utilise is the module that Mads did in 2007!

 http://madskristensen.net/post/Block-DoS-attacks-easily-in-ASPNET

What 2007!, yes 2007! works wonders for customers who refuse to add Modsecurity or SNORT IDS or to have any appliances. Then whether on classic webforms / mvc / API’s we integrate this module and I can tweak it to allow only enough traffic that can mimic a human user.

ModSecurity over IIS is excellent when dealing with excessive recursion. I have seen it stop the OWASP ZAP Zed Attack Proxy in its tracks, stop Brutus from cycling its usual credential attacks, SQLMap from trying to pull databases from vulnerable SQLi sites. One element where it allowed the traffic to go through was with the HTTrack Website Copier.

What is the HTTrack Website Copier. From their site:

HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.

I first utilised this when our product Manager was going to a remote part of Africa where the internet was to be scarce. I downloaded the utility and presto I had a nice offline rendition of the site.

Then it dawned on my, isn’t this a nice reconnaissance tool for sites that perhaps do not have alot of forensics and could allow us to download alot of elements and then we can do some analysis offline.

Evidently not all can be pulled and observing something live is better but we dont register hits on things that are local.

Notice that ModSecurity and IIS allow me to fire excessive recursions against the site. I had to add custom rules in order to halt the attack. 

Most likely no one is testing against it!

Happy defending!