[Owasp-Malaysia] How to test mod_security

Native19 native19 at gmail.com
Tue Sep 7 01:42:52 EDT 2010


Hi all,

Was going through the mail list and came across this topic,

 I agree with David on some of the parts but i have some comments:

> > I have setup mod_security in my httpd.

David >>If I were you, I would not trust anything with this name.  Security
is
a tricky and complicated issue, and pretty much by definition, it is
not a software component you can just install.

Although it is not a complete solution to the SQL injection, it can be
useful in providing a 1st layer defense in deterring the attacker from
further testing with injection tools which might consume bandwidth and
server resources. This component does help reducing attack to maybe about
30% or less, but it is nevertheless important..why you might ask because
lets say there is a 0day that targets a module(injection wise) in your
application that is not designed by you, the component could probably thwart
the attacks till you apply the proper fixes.

> > sanitize your input to prevent SQL injection

David >> Despite its appearance in an xkcd comic (http://xkcd.com/327/),
that's
a large mistake.  You are going to screw yourself over if you imagine
that any level of "sanitizing inputs" will actually protect you from
attackers.  The vast majority of SQL injection attacks come from
one single serious strategic mistake on the defender's part, namely
taking untrusted input and creating executable code out of it by
string concatenation.

I agree with this because sanitizing is the "cheapo or for the time being"
solution and may not prove to be the best solution, it is always better to
apply proper standard during the development stage itself.

> http://www.owasp.org/index.php/Guide_to_SQL_Injection

David >>That guide is at best misleading, and at worst an actual attack.  If
I
were an attacker, I'd *love* for people to imagine that if they just
picked some magical tool--probably one I had a hand in making--that
they'd just be safe.

David >>I'll be editing this for reality as soon as I get permission :)

The guide is meant for starters on SQL injection showing the basic manual
methods on how a proper SQL injection can be performed, this then can be put
into any other method the attacker wishes too.. such as the one David
suggested above so its not that bad actually :) especially for kiddies like
me :) hehe... The content could be improved tho on the "Avoiding" part with
better explanation i guess. I hjope David can amend it soon :)

Regards
Ray
Another Security Kiddie sharing my 2 cents...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20100907/302509aa/attachment.html 


More information about the Owasp-Malaysia mailing list