[Owasp-Malaysia] How to test mod_security

Muzamir Mokhtar muzamir at pahang.gov.my
Tue Sep 7 01:08:39 EDT 2010


Thanks in advance for all the advice and suggestions.

David Fetter :
- Thanks David. I agree with your suggestion to sanitize. Actually I do
always scan all the web applications (public and intranet) for
vulnerabilities.
- Yes, I do strongly advise sanitizing user input in the programming
architecture and not just depending on this.
- However, I do enable mod_security as first-level protection on the
server side before they get into the coding.

Adnan :
- Yes, I have tried your suggestion with multiple vulnerable requests.
- Yes, I have already seen the 403 error in the audit_log.
- So in future I just need to tune the score to make it more secure,
but not 100%. It's like tuning the SpamAssassin score; it makes my
eyes pop.
- Captcha will be one of the main standards I will ask the development
team to apply whenever they develop a system with user input from the
public.
- Which part of Pahang are you from? I'm from Temerloh.

Hanif UM :
- Here, even being an F44 makes no difference. It's not standard like
at the federal level where you do specific work. At the state level you
have to self-develop all the ICT skills.
- Besides, I'm the type who likes to know things before my subordinates
do... hehe... otherwise they will fool me.

ApOgEE :
- Thanks for the advice; I will make sanitization in the apps the
priority and not this mod_security.
- Before this I tried using GreenSQL to protect against SQL injection on
certain servers, I don't remember which version. I told them before
installing it not to depend on it totally, because other flaws like
XSS would still be vulnerable.
- However, they just relied on GreenSQL, so I uninstalled it and told
them GreenSQL had an error... hahaha... then they started looking for
code to sanitize it.

Muzamir bin Mokhtar,
Information Technology Officer (F44)
Operations Unit
Information Technology Division
Pej SUK Pahang (Pahang State Secretary's Office)
TEL : 095129424/425
FAX : 095163490
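On the 403 entries in the audit_log and the score tuning mentioned in the reply to Adnan: the script below is an added example, not code from this thread and not ModSecurity's own tooling. It parses a small serial-format audit log (the sample, its client addresses, rule ids and messages are constructed for this example and modelled on the 2.x log layout, not copied from a real ruleset) and summarises which rules fired, which clients got a 403, and the highest anomaly score behind a block. Running this over a day's audit_log is the kind of view you need before raising or lowering the score threshold: a rule that fires on legitimate input (here, a name containing an apostrophe) but stays under the threshold is a tuning candidate, not an attack.

```python
import re
from collections import Counter

# Constructed ModSecurity-style serial audit log. Two transactions:
# one blocked with 403 after the anomaly score crossed the threshold,
# one allowed through (200) although a warning-level rule matched.
SAMPLE_AUDIT_LOG = """\
--0a1b2c3d-A--
[07/Sep/2010:01:08:39 +0800] TFxyz@abc 192.0.2.10 52345 10.0.0.5 80
--0a1b2c3d-B--
GET /search.php?q=example HTTP/1.1
Host: intranet.example
--0a1b2c3d-F--
HTTP/1.1 403 Forbidden
--0a1b2c3d-H--
Message: Warning. Pattern match "(?i:pattern)" at ARGS:q. [id "900101"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "900999"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15, SQLi=15, XSS=0)"]
--0a1b2c3d-Z--
--0a1b2c3e-A--
[07/Sep/2010:01:09:02 +0800] TFxyz@abd 198.51.100.7 41000 10.0.0.5 80
--0a1b2c3e-B--
GET /profile.php?name=O'Brien HTTP/1.1
Host: intranet.example
--0a1b2c3e-F--
HTTP/1.1 200 OK
--0a1b2c3e-H--
Message: Warning. Pattern match "'" at ARGS:name. [id "900102"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "WARNING"]
--0a1b2c3e-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # part boundary, e.g. --0a1b2c3d-A--
RULE_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
SCORE_RE = re.compile(r"Total Score: (\d+)")


def parse_audit_log(text):
    """Split the serial log into transactions: client IP from part A,
    response status from part F, and every 'Message:' line from part H."""
    entries = []
    current = None
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            boundary, section = m.groups()
            if section == "A":
                current = {"id": boundary, "client": None, "status": None, "messages": []}
                entries.append(current)
            continue
        if current is None:
            continue
        if section == "A" and line.startswith("["):
            # "[timestamp] unique_id client_ip client_port server_ip server_port"
            fields = line.split("] ", 1)[1].split()
            current["client"] = fields[1]
        elif section == "F" and line.startswith("HTTP/"):
            current["status"] = int(line.split()[1])
        elif section == "H" and line.startswith("Message:"):
            rule = RULE_RE.search(line)
            msg = MSG_RE.search(line)
            score = SCORE_RE.search(line)
            current["messages"].append({
                "rule_id": rule.group(1) if rule else None,
                "msg": msg.group(1) if msg else "",
                "total_score": int(score.group(1)) if score else None,
            })
    return entries


def summarize(entries):
    """Counts a practitioner wants before touching the score threshold."""
    blocked = [e for e in entries if e["status"] == 403]
    rule_hits = Counter(m["rule_id"] for e in entries for m in e["messages"] if m["rule_id"])
    scores = [m["total_score"] for e in blocked for m in e["messages"]
              if m["total_score"] is not None]
    return {
        "total": len(entries),
        "blocked": len(blocked),
        "blocked_clients": sorted({e["client"] for e in blocked}),
        "rule_hits": dict(rule_hits),
        "max_blocked_score": max(scores) if scores else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{key}: {value}")
```

The summary is deliberately per rule id rather than per message text, because the rule id is what you exclude or re-score in the configuration; the message text is only there to explain the hit to a human.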

----- Message from david at fetter.org ---------
     Date: Sun, 5 Sep 2010 08:19:43 -0700
     From: David Fetter <david at fetter.org>
  Subject: Re: [Owasp-Malaysia] How to test mod_security
       To: owasp-malaysia at lists.owasp.org

> On Sun, Sep 05, 2010 at 04:00:26PM +0800, ApOgEE wrote:
>> Salam,
>> On Sun, Sep 5, 2010 at 2:29 PM, Muzamir Mokhtar
>> <muzamir at pahang.gov.my> wrote:
>> > Salam,
>> >
>> > I have setup mod_security in my httpd.
> If I were you, I would not trust anything with this name.  Security is
> a tricky and complicated issue, and pretty much by definition, it is
> not a software component you can just install.
>> > sanitize your input to prevent SQL injection
> Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's
> a large mistake.  You are going to screw yourself over if you imagine
> that any level of "sanitizing inputs" will actually protect you from
> attackers.  The vast majority of SQL injection attacks come from
> one single serious strategic mistake on the defender's part, namely
> taking untrusted input and creating executable code out of it by
> string concatenation.
> You'd fire any programmer that attempted such a thing with Java,
> Python, PHP, or Perl code, and you should be firing people who attempt
> it with SQL code.
> You're going to have to put in standards and enforce them, slipping
> ship dates as needed, or you might as well just not have standards of
> any kind and hand your site over to whomever wants it.
>> http://www.owasp.org/index.php/Guide_to_SQL_Injection
> That guide is at best misleading, and at worst an actual attack.  If I
> were an attacker, I'd *love* for people to imagine that if they just
> picked some magical tool--probably one I had a hand in making--that
> they'd just be safe.
> I'll be editing this for reality as soon as I get permission :)
> Cheers,
> David.
> --
> David Fetter <david at fetter.org> http://fetter.org/
> Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
> Skype: davidfetter      XMPP: david.fetter at gmail.com
> iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate
> _______________________________________________
> Owasp-Malaysia mailing list
> Owasp-Malaysia at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
> --
> This message has been scanned for viruses and dangerous content by  
> MySpamGuard State Government of Pahang, Malaysia and is believed to  
> be clean.
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

----- End message from david at fetter.org -----
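David's point in the quoted message is that the mistake is building executable SQL out of untrusted input by string concatenation, not a failure to "sanitize" it. The example below is added here and is not part of the thread or of any project mentioned in it; it uses Python's standard sqlite3 module against a constructed in-memory users table. The concatenating function returns every row for a crafted value and throws a syntax error on a perfectly legitimate name with an apostrophe; the bound-parameter version treats both as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("o'brien", "staff")])
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """The strategic mistake: untrusted input is concatenated into the SQL
    text, so the database parses it as part of the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Bound parameter: the statement shape is fixed, the value is sent
    separately and can never change the meaning of the WHERE clause."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsafe_fails_on_apostrophe(conn, username):
    """Concatenation also breaks on honest input containing a quote."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # the xkcd-style value the thread is about
    print(find_user_safe(db, "alice"))       # one row
    print(find_user_safe(db, crafted))       # no rows: the quote is just data
    print(find_user_unsafe(db, crafted))     # every row: the value rewrote the WHERE clause
    print(find_user_safe(db, "o'brien"))     # one row
    print(unsafe_fails_on_apostrophe(db, "o'brien"))  # True: concatenation broke the SQL
```

The same contrast holds for any driver that supports placeholders (psycopg2, JDBC PreparedStatement, PDO); the placeholder syntax differs, the rule does not. Escaping or filtering the value is a fallback for the rare case where a parameter cannot be bound (an identifier, an ORDER BY column), and there the safe pattern is an allow-list of known names, not a cleaned-up string.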

This e-mail and the attachment is from State Government of Pahang,  
Malaysia. It is intended solely for the person to whom they are  
addressed and may be confidential and privileged. If you are not the  
intended recipient, you are notified that disclosing, distributing,  
copying or taking any action in reliance of the content of this  
information is strictly prohibited. Please notify the sender  
immediately if you have received this e-mail and delete it from your  
system. The recipient should check the e-mail and any attachment for  
the presence of viruses that could be transmitted via e-mail. Email  
transmission cannot be guaranteed to be secure or error free as  
information could be intercepted, corrupted, lost, destroyed,  
incomplete or contain viruses. State Government of Pahang, Malaysia  
accepts no liability for any errors or omissions in the contents of  
this message which arises as a result of e-mail transmission.  
Opinions, conclusions and other information in this e-mail that does  
not relate to the official business of State Government of Pahang,  
Malaysia shall be understood as neither given nor endorsed by State  
Government of Pahang, Malaysia.

