[Owasp-Malaysia] How to test mod_security

David Fetter david at fetter.org
Sun Sep 5 11:19:43 EDT 2010


On Sun, Sep 05, 2010 at 04:00:26PM +0800, ApOgEE wrote:
> Salam,
> 
> On Sun, Sep 5, 2010 at 2:29 PM, Muzamir Mokhtar <muzamir at pahang.gov.my>wrote:
> 
> > Salam,
> >
> > I have setup mod_security in my httpd.

If I were you, I would not trust anything with this name.  Security is
a tricky and complicated issue, and pretty much by definition, it is
not a software component you can just install.

> > sanitize your input to prevent SQL injection

Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's
a large mistake.  You are going to screw yourself over if you imagine
that any level of "sanitizing inputs" will actually protect you from
attackers.  The vast majority of SQL injection attacks come from
one single serious strategic mistake on the defender's part, namely
taking untrusted input and creating executable code out of it by
string concatenation.

You'd fire any programmer that attempted such a thing with Java,
Python, PHP, or Perl code, and you should be firing people who attempt
it with SQL code.

You're going to have to put in standards and enforce them, slipping
ship dates as needed, or you might as well just not have standards of
any kind and hand your site over to whomever wants it.

> http://www.owasp.org/index.php/Guide_to_SQL_Injection

That guide is at best misleading, and at worst an actual attack.  If I
were an attacker, I'd *love* for people to imagine that if they just
picked some magical tool--probably one I had a hand in making--that
they'd just be safe.

I'll be editing this for reality as soon as I get permission :)

Cheers,
David.
-- 
David Fetter <david at fetter.org> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: david.fetter at gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
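Worked illustration of the point made in the reply above, added here as an example and not part of the original message: building SQL by concatenating untrusted input stays exploitable even after a typical "sanitize the input" step, while a parameterized query sends the value as data. It uses Python's sqlite3 with a constructed in-memory table and a hypothetical quote-escaping `sanitize` helper (both assumptions, not from the thread).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not from the original message)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin');
        INSERT INTO users VALUES (2, 'bob', 'user');
        """
    )
    return conn


def sanitize(value: str) -> str:
    """Hypothetical 'sanitize your input' step: escape single quotes.

    This only helps when the value lands inside a quoted string literal.
    """
    return value.replace("'", "''")


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Untrusted input turned into executable SQL by string concatenation.

    The value is placed in a numeric position, so no quote character is
    needed to change the statement's meaning; the sanitizer is irrelevant.
    """
    sql = "SELECT name FROM users WHERE id = " + sanitize(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the driver binds the value as data, never as code.

    A value that is not a valid id simply matches nothing.
    """
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]
```

Running `lookup_concat` with the input `1 OR 1=1` returns every user, while `lookup_param` with the same input returns an empty list; the difference is structural, not a matter of which characters were escaped.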

