
Re: [WEB SECURITY] method to bypass mod_security




On Tue, Nov 3, 2009 at 5:46 AM, Dmitry Evteev <devteev@ptsecurity.com> wrote:

> A new method to bypass mod_security and conduct SQL Injection was
> discovered. You can view the materials at:
>
>
> http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html
>
>
>
In your example tests, you are using an older version of ModSecurity (2.5.9)
which also uses an older version of the Core Rule Set (CRS).  I suggest you
test this with the new v2 CRS rules -
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

In these newer rules - we have implemented some comment evasion detection
rules that stand on their own rather than only being used in rule data
transformations.  I just tested the example attack payloads you listed on
your site and they are all detected.


-- 
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/




Brought to you by http://www.webappsec.org