Hi Manuel, thanks for your reply.
I've seen DVWA, but I didn't find any "testing" functions. Looks like it proposes some coding ideas to avoid the listed attacks, but that isn't a testing tool. (Or I just missed something... :))

Thanks again,

a.

On Sun, Apr 16, 2017 at 09:54:22PM +0200, Manuel Spartan wrote:
> Hi Ervin,
>
> The lfi, rfi are always nice, cookie stealing with xss, csrf, rce, those
> can be tested with a dvwa or similar webapps and having the low security
> setting in dvwa you can show how easy it is to exploit and that modsec with
> crs will block most of the malicious requests.
>
> Regards,
> Manuel
>
> On Apr 16, 2017 14:27, "Ervin Hegedus" <[email protected]> wrote:
>
> > Hi all,
> >
> > I'm new to ModSecurity. A few days ago I created a few
> > packages for my Debian (8) systems from Github repos:
> > - libmodsecurity 3.0, v3/master, sha1: b58f713
> > - nginx 1.6.2 (patched the official Debian package with the
> >   modsecurity-nginx module, master, sha1: 3de175)
> > - owasp-modsecurity-crs 3.0, v3.0/master, sha1: d1692b
> >
> > I'm using Nginx as a frontend proxy for my Apache webservers,
> > which run in containers (LXC). The patched nginx and the other
> > components work as well. I could run a few basic checks, and I
> > could demonstrate the advantages of the WAF to my colleagues. But
> > there were only two basic attacks that I could show them: XSS and
> > SQL injection.
> >
> > My 2 cents question is: how can I demonstrate other features? I
> > mean, it could show session fixation: I put a simple PHP
> > script in a webroot and load the page in a browser. I found the
> > PHPSESSID cookie, and then I tried to load the page in another
> > browser (on another host) - but nothing happened...
> > the page loaded just fine with the hijacked session.
> >
> > What did I miss, or how can I show this feature?
> >
> > In general, how can I show all the features of ModSecurity
> > and OWASP CRS?
> >
> > Thank you,
> >
> > Ervin
> >
> > --
> > I ♥ UTF-8
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > [email protected]
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
>
--
I ♥ UTF-8
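One practical way to show colleagues what ModSecurity and CRS actually did with a request, as the thread above asks, is to read the rule matches back out of the log. The following Python example is added here and is not code from the thread or from the ModSecurity project: it parses the bracketed `[key "value"]` fields that libmodsecurity writes to the nginx error log, groups them per transaction (`unique_id`) and reports which requests were blocked (a 403 from the CRS blocking-evaluation rule 949110) and which were only logged. The log lines are constructed samples in that format, not captured output; the file paths are assumptions, the rule ids are real CRS 3.0 ids.

```python
import re

# Constructed sample lines in the libmodsecurity / nginx-connector error-log style.
# Paths are assumptions; rule ids 941100, 942100 and 949110 are real CRS 3.0 ids.
SAMPLE_LOG = """\
2017/04/16 21:10:01 [error] 100#100: *7 [client 10.0.0.5] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/modsec/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "60"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [tag "application-multi"] [tag "attack-xss"] [hostname "127.0.0.1"] [uri "/search.php"] [unique_id "AAA111"]
2017/04/16 21:10:01 [error] 100#100: *7 [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [tag "application-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/search.php"] [unique_id "AAA111"]
2017/04/16 21:12:44 [error] 100#100: *9 [client 10.0.0.6] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/modsec/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [tag "attack-sqli"] [hostname "127.0.0.1"] [uri "/login.php"] [unique_id "BBB222"]
"""

# One bracketed field: [key "value"]; the value may contain escaped quotes.
PAIR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+)')


def parse_line(line):
    """Return the bracketed fields of one log line as a dict.
    CRS emits several [tag "..."] per match, so tags are collected in a list."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if key == "tag":
            fields.setdefault("tag", []).append(value)
        else:
            fields[key] = value
    m = DENIED_RE.search(line)
    fields["denied_code"] = int(m.group(1)) if m else None
    return fields


def summarize(log_text):
    """Group matches by transaction (unique_id): URI, matched rules, and the
    HTTP code ModSecurity denied with (None when the request was only logged)."""
    tx = {}
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        f = parse_line(line)
        uid = f.get("unique_id")
        if uid is None:
            continue
        entry = tx.setdefault(uid, {"uri": f.get("uri"), "rules": [], "blocked": None})
        if "id" in f:
            entry["rules"].append((f["id"], f.get("msg", "")))
        if f["denied_code"] is not None:
            entry["blocked"] = f["denied_code"]
    return tx


if __name__ == "__main__":
    for uid, e in summarize(SAMPLE_LOG).items():
        status = f"BLOCKED ({e['blocked']})" if e["blocked"] else "logged only"
        print(f"{uid} {e['uri']}: {status}")
        for rule_id, msg in e["rules"]:
            print(f"    rule {rule_id}: {msg}")
```

Run it against the real nginx error log instead of `SAMPLE_LOG` to see, per request, which CRS rules matched and whether the anomaly score reached the blocking threshold; a request that is "logged only" is the sign that the engine is in DetectionOnly mode or the score stayed below the threshold.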
