[Owasp-Malaysia] How to test mod_security
Muzamir Mokhtar
muzamir at pahang.gov.my
Tue Sep 7 01:08:39 EDT 2010
Salam,
Thanks in advance for all the advice and suggestions.
David Fetter:
- Thanks David. I agree with your suggestion to sanitize. Actually I
always scan all the web applications (public and intranet) for any
vulnerabilities.
- Yes, I do strongly advise sanitizing user input in the programming
architecture and not just depending on this.
- However, I do enable mod_security for first-level protection on the
server side before requests get into the code.
Adnan:
- Yes, I have tried your suggestion with multiple vulnerable requests.
- Yes, I have already seen the 403 errors in the audit_log.
- So in future I just need to tune the score to make it more secure,
though not 100%. It is like tuning the SpamAssassin score; it makes my
eyes pop.
- Captcha will be one of the main standards that I will ask the
development team to implement whenever they develop a system with user
input from the public.
- Which part of Pahang are you from? I am from Temerloh.
Hanif UM:
- Over here, even at F44 grade there is no difference. It is not like
the federal standard where you do specific work. At state level we have
to self-develop every ICT skill.
- Besides, I am the type who likes to know more than my subordinates
first...hehe..otherwise they would pull a fast one on me..
ApOgEE:
- Thanks for the advice; I will make sanitization in the apps the
priority and not mod_security.
- Before this I tried using GreenSQL to protect against SQL injection on
certain servers, I do not remember which version. I told them before
installing it not to depend on this totally, because other flaws like
XSS would still be vulnerable.
- However, they just relied on GreenSQL..then I just uninstalled it and
told them GreenSQL had an error...hahaha..then they started looking for
code to sanitize it..
--
Muzamir bin Mokhtar,
Information Technology Officer (F44)
Operations Unit
Information Technology Division
Pahang State Secretary's Office (Pej SUK Pahang)
TEL : 095129424/425
FAX : 095163490
http://muzzoshah.blogspot.com
http://muzzotechspot.blogspot.com
----- Message from david at fetter.org ---------
Date: Sun, 5 Sep 2010 08:19:43 -0700
From: David Fetter <david at fetter.org>
Subject: Re: [Owasp-Malaysia] How to test mod_security
To: owasp-malaysia at lists.owasp.org
> On Sun, Sep 05, 2010 at 04:00:26PM +0800, ApOgEE wrote:
>> Salam,
>>
>> On Sun, Sep 5, 2010 at 2:29 PM, Muzamir Mokhtar
>> <muzamir at pahang.gov.my>wrote:
>>
>> > Salam,
>> >
>> > I have setup mod_security in my httpd.
>
> If I were you, I would not trust anything with this name. Security is
> a tricky and complicated issue, and pretty much by definition, it is
> not a software component you can just install.
>
>> > sanitize your input to prevent SQL injection
>
> Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's
> a large mistake. You are going to screw yourself over if you imagine
> that any level of "sanitizing inputs" will actually protect you from
> attackers. The vast majority of SQL injection attacks come from
> one single serious strategic mistake on the defender's part, namely
> taking untrusted input and creating executable code out of it by
> string concatenation.
>
> You'd fire any programmer that attempted such a thing with Java,
> Python, PHP, or Perl code, and you should be firing people who attempt
> it with SQL code.
>
> You're going to have to put in standards and enforce them, slipping
> ship dates as needed, or you might as well just not have standards of
> any kind and hand your site over to whoever wants it.
>
>> http://www.owasp.org/index.php/Guide_to_SQL_Injection
>
> That guide is at best misleading, and at worst an actual attack. If I
> were an attacker, I'd *love* for people to imagine that if they just
> picked some magical tool--probably one I had a hand in making--that
> they'd just be safe.
>
> I'll be editing this for reality as soon as I get permission :)
>
> Cheers,
> David.
> --
> David Fetter <david at fetter.org> http://fetter.org/
> Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
> Skype: davidfetter XMPP: david.fetter at gmail.com
> iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics
>
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate
----- End message from david at fetter.org -----
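The point David makes above, as an added example that is not part of the original thread: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. Both a tautology input and a legitimate name containing an apostrophe show that the concatenated version hands the input to the SQL parser as code, while the parameterized version keeps it as data; a filter such as mod_security or GreenSQL in front of the application does not change which of the two the code is.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the thread).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_concat(conn, name):
    """The mistake David describes: untrusted input is spliced into the
    statement text, so the database parser sees it as SQL, not as a value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    """Bound parameter: the statement is fixed, the value travels separately,
    and no quoting or 'sanitizing' is needed for it to stay data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def concat_rejects(conn, name):
    """True if the concatenated query fails to parse for this input, which is
    how an ordinary name such as O'Brien turns into a bug report."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"   # constructed input; the classic xkcd-style case
    print(lookup_concat(conn, tautology))   # ['alice', 'bob']: the input rewrote the query
    print(lookup_param(conn, tautology))    # []: no user literally has that name
    print(concat_rejects(conn, "O'Brien"))  # True: a real apostrophe breaks the SQL
    print(lookup_param(conn, "O'Brien"))    # []: handled as a plain string
```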