Salam, Thanks in advance for all the advice and suggestions.
David Fetter :
- Thanks David. I agree with your suggestion to sanitize. Actually I always scan for any vulnerabilities in all the web applications (public and intranet).
- Yes, I do strongly advise sanitizing user input in the programming architecture and not just depending on this.
- However, I do enable this mod_security for first-level protection on the server side before they get into the coding.

Adnan :
- Yes, I have tried your suggestion with multiple vulnerable requests.
- Yes, I have already seen the 403 error in the audit_log.
- So in future I just need to tune the score to make it more secure, though not 100%. It's like tuning the SpamAssassin score, it makes my eyes pop.
- Captcha will be one of the main standards that I will ask the development team to follow whenever they develop a system with user input from the public.
- Which part of Pahang are you from? I'm from Temerloh.

Hanif UM :
- Here, even at F44 grade there's no difference. It's not the standard setup like at federal level, where you do specific work. At state level we have to self-develop all our ICT skills.
- Besides, I'm the type who likes to know things before my subordinates do... hehe... otherwise they'd pull a fast one on me.

ApOgEE :
- Thanks for the advice, will make sanitization in the apps the priority and not this mod_security.
- Before this I tried using GreenSQL to protect against SQL injection on certain servers, I don't remember which version. I told them before installing it not to depend on it totally, because other flaws like XSS would still be vulnerable.
- However, they just relied on GreenSQL... then I just uninstalled it and told them GreenSQL had an error... hahaha... then they started to find code to sanitize it.
--
Muzamir bin Mokhtar,
Pegawai Teknologi Maklumat (F44)
Unit Operasi
Bahagian Teknologi Maklumat
Pej SUK Pahang
TEL : 095129424/425
FAX : 095163490
http://muzzoshah.blogspot.com
http://muzzotechspot.blogspot.com

----- Message from [email protected] ---------
Date: Sun, 5 Sep 2010 08:19:43 -0700
From: David Fetter <[email protected]>
Subject: Re: [Owasp-Malaysia] How to test mod_security
To: [email protected]

> On Sun, Sep 05, 2010 at 04:00:26PM +0800, ApOgEE wrote:
>> Salam,
>>
>> On Sun, Sep 5, 2010 at 2:29 PM, Muzamir Mokhtar
>> <[email protected]> wrote:
>>
>> > Salam,
>> >
>> > I have setup mod_security in my httpd.
>
> If I were you, I would not trust anything with this name. Security is
> a tricky and complicated issue, and pretty much by definition, it is
> not a software component you can just install.
>
>> > sanitize your input to prevent SQL injection
>
> Despite its appearance in an xkcd comic (http://xkcd.com/327/), that's
> a large mistake. You are going to screw yourself over if you imagine
> that any level of "sanitizing inputs" will actually protect you from
> attackers. The vast majority of SQL injection attacks come from
> one single serious strategic mistake on the defender's part, namely
> taking untrusted input and creating executable code out of it by
> string concatenation.
>
> You'd fire any programmer that attempted such a thing with Java,
> Python, PHP, or Perl code, and you should be firing people who attempt
> it with SQL code.
>
> You're going to have to put in standards and enforce them, slipping
> ship dates as needed, or you might as well just not have standards of
> any kind and hand your site over to whomever wants it.
>
>> http://www.owasp.org/index.php/Guide_to_SQL_Injection
>
> That guide is at best misleading, and at worst an actual attack. If I
> were an attacker, I'd *love* for people to imagine that if they just
> picked some magical tool--probably one I had a hand in making--that
> they'd just be safe.
>
> I'll be editing this for reality as soon as I get permission :)
>
> Cheers,
> David.
> --
> David Fetter <[email protected]> http://fetter.org/
> Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
> Skype: davidfetter XMPP: [email protected]
> iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics
>
> Remember to vote!
> Consider donating to Postgres: http://www.postgresql.org/about/donate
> _______________________________________________
> Owasp-Malaysia mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
>
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420

----- End message from [email protected] -----
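The string-concatenation mistake David's quoted reply describes, shown beside the parameterized form, as an added example that is not code from anyone in this thread; it uses Python's built-in sqlite3 module with a constructed two-row users table, and the hostile password value is the textbook single-quote case, included only to show why one form needs no sanitizing at all:

```python
import sqlite3

# Constructed sample rows; not taken from the thread.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory users table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """The mistake David names: untrusted text is pasted into the SQL itself."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Parameterized query: the driver sends input as data, never as SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both forms against a valid login and a quote-bearing password."""
    conn = make_db()
    valid = ("alice", "s3cret")
    # One stray quote changes the meaning of the concatenated query;
    # the parameterized query treats the same string as a plain value.
    hostile = ("alice", "' OR '1'='1")
    return {
        "concat_valid": login_concat(conn, *valid),
        "concat_hostile": login_concat(conn, *hostile),
        "param_valid": login_param(conn, *valid),
        "param_hostile": login_param(conn, *hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With concatenation the hostile password matches every row, while the parameterized query matches none; this is the distinction mod_security can only approximate from outside the application.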

