[Owasp-Malaysia] How to test mod_security
david at fetter.org
Sun Sep 5 11:19:43 EDT 2010
On Sun, Sep 05, 2010 at 04:00:26PM +0800, ApOgEE wrote:
> On Sun, Sep 5, 2010 at 2:29 PM, Muzamir Mokhtar <muzamir at pahang.gov.my> wrote:
> > Salam,
> > I have setup mod_security in my httpd.
If I were you, I would not trust anything with this name. Security is
a tricky and complicated issue, and pretty much by definition, it is
not a software component you can just install.
> > sanitize your input to prevent SQL injection
Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's
a large mistake. You are going to screw yourself over if you imagine
that any level of "sanitizing inputs" will actually protect you from
attackers. The vast majority of SQL injection attacks come from
one single serious strategic mistake on the defender's part, namely
taking untrusted input and creating executable code out of it by
You'd fire any programmer that attempted such a thing with Java,
Python, PHP, or Perl code, and you should be firing people who attempt
it with SQL code.
You're going to have to put in standards and enforce them, slipping
ship dates as needed, or you might as well just not have standards of
any kind and hand your site over to whomever wants it.
That guide is at best misleading, and at worst an actual attack. If I
were an attacker, I'd *love* for people to imagine that if they just
picked some magical tool--probably one I had a hand in making--that
they'd just be safe.
I'll be editing this for reality as soon as I get permission :)
David Fetter <david at fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter at gmail.com
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
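The distinction the reply draws, between "sanitizing" untrusted input and never turning it into code in the first place, is easiest to see side by side. The following is an added example, not code from the original thread or from any project it mentions; it uses an in-memory SQLite database with a constructed `users` table, a hypothetical `naive_sanitize` helper standing in for the kind of character-stripping filter the reply warns against, and two lookup functions that differ only in whether the input is concatenated into the SQL text or passed as a bound parameter.

```python
import sqlite3


def make_db():
    """Build a small constructed in-memory database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def naive_sanitize(value):
    """Hypothetical blacklist-style filter: strips a few 'dangerous' characters.

    This is the approach the reply calls a large mistake: it only removes the
    characters its author happened to think of, and leaves the quote character
    that actually terminates the string literal untouched.
    """
    return value.replace(";", "").replace("--", "")


def find_user_concat(conn, name):
    """The strategic mistake: untrusted input becomes part of the executable SQL."""
    sql = "SELECT name FROM users WHERE name = '" + naive_sanitize(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    """The fix: the SQL text is fixed; the input travels as data via a bound parameter."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    # An ordinary lookup behaves the same either way.
    print(find_user_concat(db, "alice"), find_user_param(db, "alice"))
    # An input that closes the string literal changes the query's logic when
    # concatenated, but is simply a name that matches nobody when bound.
    odd_name = "' OR '1'='1"
    print(find_user_concat(db, odd_name))  # every row: the WHERE clause was rewritten
    print(find_user_param(db, odd_name))   # no rows: the database compared a literal string
```

Note that bound parameters only cover values. Table and column names cannot be parameterized in SQL, so any identifier that derives from user input still needs to be checked against a fixed allow-list before it is placed into the query text; that, rather than general-purpose input filtering, is the narrow place where validation genuinely belongs.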