There are two main evasion issues to be concerned with for any WAF - 1) Evasion of the engine/parsing itself These are usually impedance mispatches between the WAF and underlying app. There were some issues in the past with handling null bytes and multi-part filenames identified by Stefan Esser http://www.suspekt.org/downloads/RSS09-WebApplicationFirewallBypassesAndPHPExploits.pdf There was a similar recent one found by my SpiderLabs colleague Andrew Wilson where clients can specify random/invalid content-types and ModSecurity would not inspect it but the app would handle it normally. This was fixed in recent OWASP CRS updates. 2) Evasion of the rules There are always issues with negative security rules. You can test out evasions here - http://www.modsecurity.org/demo/crs-demo.html We had an SQL Injection Challenge last summer which included evasions for the ModSecurity OWASP CRS - http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html Hope this info helps.
mod_security
2012-02-16
1123
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《
阿里云开发者社区用户服务协议》和
《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写
侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介:
There are two main evasion issues to be concerned with for any WAF -1) Evasion of the engine/...
目录
相关文章
|
5月前
from pymdownx import superfences No module named ‘pymdownx‘
from pymdownx import superfences No module named ‘pymdownx‘
50
0
0
ModuleNotFoundError: No module named ‘mmdet.version‘
ModuleNotFoundError: No module named ‘mmdet.version‘
1185
0
0
|
5月前
Py3 ModuleNotFoundError: No module named ‘Crypto‘;ModuleNotFoundError: No module named Cryptodome‘
Py3 ModuleNotFoundError: No module named ‘Crypto‘;ModuleNotFoundError: No module named Cryptodome‘
42
0
0
|
Python
|
Python
成功解决ModuleNotFoundError: No module named engine
成功解决ModuleNotFoundError: No module named engine
421
0
0
ModuleNotFoundError: No module named ‘werkzeug.contrib‘ 解决方法
No module named ‘werkzeug.contrib‘
934
0
0
|
关系型数据库
MySQL
Python
三十九、ModuleNotFoundError: No module named ‘MySQLdb‘(已解决)
三十九、ModuleNotFoundError: No module named ‘MySQLdb‘(已解决)
425
0
0
|
C++
Python
import _polyiou ModuleNotFoundError: No module named ‘_polyiou‘
import _polyiou ModuleNotFoundError: No module named ‘_polyiou‘
418
0
0
|
Java
应用服务中间件
Maven
解决“Dynamic Web Module 3.0 requires Java 1.6 or newer.”错误
解决“Dynamic Web Module 3.0 requires Java 1.6 or newer.”错误
197
0
0
热门文章
最新文章
1
Mac安装并使用telnet命令操作
2
OSS回源的几种方式和应用场景
3
[剑指offer] 孩子们的游戏(圆圈中最后剩下的数)
4
网络安全系列之二十二 Windows用户账号加固
5
我理解的一个程序员如何学习前端开发
6
《社交网站界面设计(原书第2版)》——1.9 为设备之间的空间进行设计
7
《Microduino实战》——1.2 为什么要开源
8
.Net函数Math.Round你会用吗?
9
麻省理工大学新发明:暗黑WiFi透视技术
10
2014秋C++第19周 补充代码 哈希法的存储与查找
1
R语言关联规则模型(Apriori算法)挖掘杂货店的交易数据与交互可视化
26
2
R语言近似贝叶斯计算MCMC(ABC-MCMC)轨迹图和边缘图可视化
22
3
r语言中对LASSO回归,Ridge岭回归和弹性网络Elastic Net模型实现-4
31
4
Sentieon | 每周文献-Multi-omics-第四十一期
27
5
数据分享|R语言广义线性模型GLM:线性最小二乘、对数变换、泊松、二项式逻辑回归分析冰淇淋销售时间序列数据和模拟-2
17
6
数据分享|R语言广义线性模型GLM:线性最小二乘、对数变换、泊松、二项式逻辑回归分析冰淇淋销售时间序列数据和模拟-1
24
7
基于RT-Thread摄像头车牌图像采集系统
23
8
R语言极值理论:希尔HILL统计量尾部指数参数估计可视化
17
9
【视频】R语言中的分布滞后非线性模型(DLNM)与发病率,死亡率和空气污染示例
25
10
sql语句创建数据库
19