Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy

Automated Virtual Patching using OWASP Zed Attack Proxy


The SpiderLabs Research Team has added an example script to the OWASP ModSecurity Core Rule Set (CRS) Project archive that will help users to quickly implement virtual patches for vulnerabilities identified by an open source web vulnerability scanning tool. The example script ( is located in the /util directory of the CRS archive in SVN and will auto-convert XML data from the OWASP Zed Attack Proxy (ZAP) vulnerabiltiy scannint tool into custom ModSecurity rules.

Thanks goes out to Psiinon for fixing who fixed the ticket I created which adds in the vulnerable parameter name to the XML report data.

While this example script can only currently process ZAP XML report data, the script could be adapted to process other DAST tools by updating the XML::Smart variables to handle different schemas. The script will parse the XML data from ZAP reports and will auto-create ModSecurity rules for the following attack/vulnerability categories:

  • SQL Injection
  • Cross-site Scripting
  • Remote File Inclusion
  • Local File Inclusion
  • HTTP Response Splitting

Example SQL Injection Vulnerability

Here is an example SQL Injection vulnerablity in the Acunetix AcuForum ASP Site as found by ZAP:

Here is how ZAP reports it:

If we export the report data to XML format, here is how this vulnerabilitly looks:

<alert>SQL Injection</alert>
<riskdesc>High (Suspicious)</riskdesc>
<desc>SQL injection is possible. User parameters submitted will be formulated into a SQL query for database processing. If the query is built by simple 'string concatenation', it is possible to modify the meaning of the query by carefully crafting the parameters. Depending on the access right and type of database used, tampered query can be used to retrieve sensitive information from the database or execute arbitrary code. MS SQL and PostGreSQL, which supports multiple statements, may be exploited if the database access right is more powerful.
This can occur in URL query strings, POST paramters or even cookies. Currently check on cookie is not supported by Paros. You should check SQL injection manually as well as some blind SQL injection areas cannot be discovered by this check.
<solution>Do not trust client side input even if there is client side validation. In general, If the input string is numeric, type check it.
If the application used JDBC, use PreparedStatement or CallableStatement with parameters passed by '?'
If the application used ASP, use ADO Command Objects with strong type checking and parameterized query.
If stored procedure or bind variables can be used, use it for parameter passing into query. Do not just concatenate string into query in the stored procedure!
Do not create dynamic SQL query by simple string concatentation.
Use minimum database user privilege for the application. This does not eliminate SQL injection but minimize its damage. Eg if the application require reading one table only, grant such access to the application. Avoid using 'sa' or 'db-owner'.

<reference>The OWASP guide at
For Oracle database, refer to


The XML data highlighted can be parsed by the scripts to create a ModSecurity rule based on the injection point (URL + Parameter name) and vulnerability category.

Virtual Patching Challenges

The true value of levaraging vulnerability scanner data is confirmation of a known attack vector location or injection point for a specific attack category (such as SQL Injection). Now that you know where a vulnerability exists, the question is how do you want to protect against it? Ideally, you should use a positive security model which will only allow the data types and lengths that you want. If that is not possible, then you can use a negative security approach and deny things that you consider bad. In the case of using DAST data, it becomes tricky if you want to use attack payloads used during the test. The reason is that oftentimes the payloads used during testing are inference-based and geared towards identify a vulnerability vs. actual malicious payloads used by attackers. Vulnerability scanning is used to identify if a vulnerability exists, not to identify all of the possible exploitation variations.

So how can we identify attacks attempting to exploit these vulnerable resources?

Integrating Virtual Patches with the OWASP ModSecurity CRS

The ModSecurity Core Rule Set uses the concept of "generic attack payload detection" where it has many different methods of identifying malicious payloads where ever they may exist. It does not, however, know if this is a known vulnerable injection point. The result is that there is a higher degree of false positives. When we uuse both the CRS generic detection along with the known attack injection point intelligence from the vulnerability scanner XML output, the user can have an increased confidence in blocking. Running the Virtual Patching Scripts To run the scripts, simply specify which XML file to use as input:

$ ./

-f: path to ZAP xml report file

./ -f ./zap_report.xml

$ ./ -f ./zap-acuforum.xml
Vulnerability[10] - Type: SQL Injection Fingerprinting
Found a SQL Injection Fingerprinting vulnerability.
URL is well-formed
Continuing Rule Generation
Current vulnerable Param(s): tfSearch
Vulnerability[11] - Type: SQL Injection
Found a SQL Injection vulnerability.
URL is well-formed
Continuing Rule Generation
Current vulnerable Param(s): tfSearch
SQL Injection (uricontent and param) rule successfully generated and saved in ./modsecurity_crs_48_virtual_patches.conf.
Vulnerability[12] - Type: Cross Site Scripting
Found a Cross Site Scripting vulnerability.
Validating URL:;
URL is well-formed
Continuing Rule Generation
Current vulnerable Param(s): tfSearch
Cross Site Scripting (uricontent and param) rule successfully generated and saved in ./modsecurity_crs_48_virtual_patches.conf.

************ END OF SCRIPT RESULTS *****************
Number of Vulnerabilities Processed: 17
Number of ModSecurity rules generated: 2
Number of Unsupported vulns skipped: 14
Number of bad URLs (rules not gen): 0

To activate the virtual patching file (./modsecurity_crs_48_virtual_patches.conf),
copy it into the CRS "base_rules" directory and then create
a symlink to it in the "activated_rules" directory.

As you can see, there were both Cross-site Scripting and SQL Injection vulns found within the ZAP report. Let's now take a look at an example ModSecurity rule created based on the vuln data:

# OWASP ZAP Virtual Patch Details:
# ID: 111
# Type: SQL Injection
# Vulnerable URL: Search.asp
# Vulnerable Parameter: tfSearch
SecRule REQUEST_FILENAME "Search.asp" "chain,phase:2,t:none,block,msg:'Virtual Patch for SQL Injection',id:'111',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{matched_var_name}',severity:'2'"
SecRule &TX:'/SQL_INJECTION.*ARGS:tfSearch/' "@gt 0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}"

As you can see, the first SecRule is checking the request line data to make sure that it matches the vulnerable resource. We then run a 2nd chained rule that, instead of looking separately for the existence of the parameter name and a regex match, it simply inspects previously matched TX variable meta-data. In this case, if a previous CRS rules had already identified an SQL Injection attack payload in the "ARGS:tfSearcht" parameter location, then the rule matches.

Virtual Patching Workshop at OWASP AppSecDC

If you would like to participate in a hands-on virtual patching workshop, you can sign up for the OWASP AppSecDC event. I will be leading this 2-day training session (April 2nd - 3rd, 2012) where we will not only discuss virtual patching theory but also have numerous hands-on labs where you can try to virtually patch many of the OWASP WebGoat vulnerabilties.

Latest SpiderLabs Blogs

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More