[Owasp-Malaysia] How to test mod_security
Adnan bin Mohd Shukor
adnan.shukor at gmail.com
Sun Sep 5 10:28:56 EDT 2010
On 05/09/2010, Muzamir Mokhtar <muzamir at pahang.gov.my> wrote:
> I have set up mod_security in my httpd.
> I have used rules from OWASP.
> I have enabled the rules and use the default ruleset.
> I have enabled the audit log.
> Question:
> 1) How do I know my mod_security is working properly?
Try a basic attack:
If your installation succeeded, you will get a 403 error :)
> 2) Is there any additional modification I need to do in order to block
> the vulnerable attack such as SQL injection, XSS, spam comment and
As you mentioned, the rules from OWASP have been used :) so there is no
need to modify anything for SQL injection, RFI, remote command injection, XSS.
But for spam comments, just put in a CAPTCHA, that should look good :)
P.S.: I'm from Pahang too! :P
> Please do advise me on this.
> Muzamir bin Mokhtar,
> Information Technology Officer (F44)
> Operations Unit
> Information Technology Division
> Pahang State Secretary's Office (Pej SUK Pahang)
> TEL : 095129424/425
> FAX : 095163490
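An added example, not part of the original thread: one way to confirm from the audit log mentioned above that a test request was actually blocked with a 403, rather than only matched and logged (as happens when `SecRuleEngine` is set to `DetectionOnly`). The log text is a constructed sample in the ModSecurity 2.x serial audit-log layout; the transaction IDs, rule id 999999 and messages are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread): two transactions in serial audit-log
# layout. Transaction IDs, rule id 999999 and the rule message are placeholders.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[05/Sep/2010:22:10:01 +0800] TXID-BLOCKED-0001 127.0.0.1 51000 127.0.0.1 80
--1a2b3c4d-B--
GET /index.php?q=PROBE HTTP/1.1
--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). [id "999999"] [msg "constructed sample rule"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--
--5e6f7a8b-A--
[05/Sep/2010:22:10:05 +0800] TXID-DETECT-0002 127.0.0.1 51001 127.0.0.1 80
--5e6f7a8b-B--
GET /index.php?q=PROBE HTTP/1.1
--5e6f7a8b-F--
HTTP/1.1 200 OK
--5e6f7a8b-H--
Message: Warning. [id "999999"] [msg "constructed sample rule"]
--5e6f7a8b-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def parse_audit_log(text):
    """Split a serial audit log into transactions (dict: section letter -> lines)."""
    txs, section = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section = m.group(2)
            if section == "A":          # section A opens a new transaction
                txs.append({})
            if txs:
                txs[-1][section] = []
        elif txs and section:
            txs[-1][section].append(line)
    return txs

def summarize(tx):
    """Return (status, intercepted, rule_ids) for one parsed transaction."""
    status_line = next((l for l in tx.get("F", []) if l.startswith("HTTP/")), "")
    status = int(status_line.split()[1]) if status_line else None
    trailer = "\n".join(tx.get("H", []))   # section H holds rule messages and the action
    return status, "Action: Intercepted" in trailer, re.findall(r'\[id "(\d+)"\]', trailer)
```

A working blocking setup shows the first pattern (403 plus `Action: Intercepted`); the second pattern means the rule matched but the request was still served.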