mod_security

cnbird 2012-02-16 09:50:41 · 568 views
There are two main evasion issues to be concerned with for any WAF -

1) Evasion of the engine/parsing itself
These are usually impedance mismatches between the WAF and underlying app.  There were some issues in the past with handling null bytes and multi-part filenames identified by Stefan Esser
http://www.suspekt.org/downloads/RSS09-WebApplicationFirewallBypassesAndPHPExploits.pdf

There was a similar recent one found by my SpiderLabs colleague Andrew Wilson where clients can specify random/invalid content-types and ModSecurity would not inspect it but the app would handle it normally. This was fixed in recent OWASP CRS updates.
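The Content-Type gap described above is easiest to see as two parsers disagreeing about the same bytes. The following is an added illustration, not code from the original post, from ModSecurity or from the OWASP CRS: it models a WAF that only parses request bodies whose Content-Type it recognises next to a permissive back end that treats any body as form parameters, then finds the requests where the attack string reaches the app uninspected. The request samples, the single illustrative rule and the `inspect_unknown` switch are all constructed assumptions; in ModSecurity terms the switch stands in for either rejecting Content-Types outside an allow-list or forcing the raw body into inspection.

```python
"""Toy model of a WAF/application impedance mismatch on Content-Type.

Added example, not from the original post or from any real WAF. Requests,
parsing behaviour and the detection rule are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

# One illustrative negative-security rule: a classic SQLi fragment in any
# parameter value. This is a constructed example rule, not a CRS rule.
SQLI_RE = re.compile(r"(?i)\bunion\b[\s\S]+\bselect\b")

# Body types the modelled WAF knows how to turn into parameters.
WAF_KNOWN_TYPES = {"application/x-www-form-urlencoded"}


def app_parse_body(content_type, body):
    """Models a permissive back end that parses any body as form-encoded
    parameters no matter what Content-Type the client declared."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def waf_parse_body(content_type, body, inspect_unknown=False):
    """Models the WAF's body handling.

    By default only recognised Content-Types are parsed, so anything else
    yields no parameters and no rule ever runs against it. With
    inspect_unknown=True the WAF parses unknown bodies the same way the
    app does, closing the gap (assumed fix; analogous to forcing the raw
    body into inspection).
    """
    ctype = content_type.split(";")[0].strip().lower()
    if ctype in WAF_KNOWN_TYPES or inspect_unknown:
        return app_parse_body(ctype, body)
    return {}


def waf_blocks(content_type, body, inspect_unknown=False):
    """True if the WAF's rule fires on what the WAF itself parsed."""
    params = waf_parse_body(content_type, body, inspect_unknown)
    return any(SQLI_RE.search(v) for v in params.values())


def app_sees_payload(content_type, body):
    """True if the same rule would fire on what the app parsed."""
    params = app_parse_body(content_type, body)
    return any(SQLI_RE.search(v) for v in params.values())


def find_gaps(requests, inspect_unknown=False):
    """Return requests the app would treat as carrying the payload while the
    WAF never inspected them: the impedance mismatch."""
    return [
        (ct, body)
        for ct, body in requests
        if app_sees_payload(ct, body) and not waf_blocks(ct, body, inspect_unknown)
    ]


# Constructed sample requests as (Content-Type header, raw body).
SAMPLE_REQUESTS = [
    ("application/x-www-form-urlencoded", "id=1"),
    ("application/x-www-form-urlencoded", "id=1 UNION SELECT 1,2"),
    ("text/plain", "id=1 UNION SELECT 1,2"),                    # unexpected type
    ("application/x-not-a-type", "id=1' UNION SELECT a FROM t"),  # invalid type
]

if __name__ == "__main__":
    for ct, body in find_gaps(SAMPLE_REQUESTS):
        print(f"uninspected by WAF, parsed by app: {ct!r} {body!r}")
    print("gaps after fix:", find_gaps(SAMPLE_REQUESTS, inspect_unknown=True))
```

Run as-is, the model reports the two requests with unrecognised Content-Types as gaps and none once unknown bodies are inspected; the same harness shape (feed identical bytes to both parsers, diff the outcomes) is the practical way to regression-test a WAF deployment for this class of mismatch.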

2) Evasion of the rules
There are always issues with negative security rules. You can test out evasions here -
http://www.modsecurity.org/demo/crs-demo.html

We had an SQL Injection Challenge last summer which included evasions for the ModSecurity OWASP CRS -
http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Hope this info helps.
