Hi Paul,

I'm using it quite a bit in my OWASP Summer of Code project; here's the Wiki:

Section 4 has a part on using Lua script; check out "Sublesson 4.2: Forgot Password" at the bottom of the page if you are further interested:
http://www.owasp.org/index.php/OWASP_ModSecurity_Securing_WebGoat_Section_4_Mitigating_the_WebGoat_Lessons

I implement a rudimentary but configurable account lockout mechanism using Lua persistence.

Combined with content injection that uses JavaScript (prepend & append to the response body), almost anything can be done because I have available to me one programming language on the front end and one on the back end.

I see its biggest value in virtual patching especially when the results of a pentest come in, the discovered vulnerabilities need to be mitigated, and the application cannot be touched. A human will find business logic flaws (whereas a vulnerability scanner never will) and the combo of Lua script & js content injection allows for flexibility in mitigating them (automation cannot help here). Whether it's practical or not in the real world is not my concern at this point in time; my goal is to fix the vulnerabilities in WebGoat and I'm using the functionality that is at my disposal.


On Thu, Jul 31, 2008 at 5:48 AM, Paul Greenwood <Paul.Greenwood@ultradent.com> wrote:

How is Lua used in mod_security?

mod-security-users mailing list
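As an added illustration of the kind of Lua-based account lockout the reply above describes (this is example code written for this page, not the WebGoat project's script or anything from the original post), here is a two-part ModSecurity 2.x setup: a phase 2 Lua script that refuses logins for a locked account, and a phase 4 Lua script that counts failed attempts from the response body and starts the lock once a threshold is reached. The persistence comes from a USER collection keyed on the submitted user name. The Apache wiring is shown in the header comment; the paths, rule ids, the /login URI, the failure marker text, the thresholds and the use of m.getvar/m.setvar/m.log from the ModSecurity Lua API are all assumptions for the example.

```lua
-- Added example, not from the original post. Assumed Apache/ModSecurity wiring:
--
--   SecDataDir /var/cache/modsecurity
--   SecResponseBodyAccess On
--   # key a persistent collection on the submitted user name (assumed form field)
--   SecRule REQUEST_URI "@streq /login" \
--       "phase:2,id:1001,pass,nolog,initcol:user=%{ARGS.username}"
--   # before the application sees the request: refuse locked accounts
--   SecRuleScript /etc/modsecurity/lockout_check.lua "phase:2,id:1002,deny,status:403,log"
--   # after the response is built: count failures seen in the response body
--   SecRuleScript /etc/modsecurity/lockout_count.lua "phase:4,id:1003,pass,nolog"
--
-- Both scripts are listed in this one file for readability; deploy each function
-- below as the main() of the file named in its comment.

-- Tunables (assumed values; this is what makes the lockout "configurable")
local LOGIN_URI      = "/login"
local MAX_FAILURES   = 5       -- failed attempts tolerated before locking
local LOCK_SECONDS   = 600     -- how long the account stays locked
local FAILURE_MARKER = "Invalid username or password"   -- assumed app failure text

-- m.getvar returns nil for an unset variable; treat that as zero
local function getnum(name)
    return tonumber(m.getvar(name)) or 0
end

-- lockout_check.lua, phase 2: block the request while the account is locked.
-- Returning a string tells ModSecurity the rule matched (so the deny action
-- fires); returning nil means no match.
function check_lock()
    if m.getvar("REQUEST_URI") ~= LOGIN_URI then return nil end
    local user = m.getvar("ARGS.username")
    if user == nil or user == "" then return nil end

    local locked_until = getnum("USER.locked_until")
    local now = os.time()
    if locked_until > now then
        m.log(1, "lockout: refusing login for '" .. user .. "' for another "
                 .. (locked_until - now) .. "s")
        return "account locked"
    end
    return nil
end

-- lockout_count.lua, phase 4: if the application's response carries the failure
-- text, bump the per-user counter; on a successful login clear it.
function count_failure()
    if m.getvar("REQUEST_URI") ~= LOGIN_URI then return nil end
    local user = m.getvar("ARGS.username")
    if user == nil or user == "" then return nil end

    local body = m.getvar("RESPONSE_BODY") or ""
    -- plain (non-pattern) find of the marker in the response body
    if not string.find(body, FAILURE_MARKER, 1, true) then
        m.setvar("USER.failed_logins", "0")   -- success: reset the counter
        return nil
    end

    local failures = getnum("USER.failed_logins") + 1
    m.setvar("USER.failed_logins", tostring(failures))
    if failures >= MAX_FAILURES then
        m.setvar("USER.locked_until", tostring(os.time() + LOCK_SECONDS))
        m.setvar("USER.failed_logins", "0")
        m.log(1, "lockout: '" .. user .. "' locked for " .. LOCK_SECONDS .. "s after "
                 .. failures .. " failures")
    end
    return nil   -- the phase 4 script only records; blocking happens in phase 2
end

-- Entry point for lockout_check.lua; lockout_count.lua's main() calls
-- count_failure() instead.
function main()
    return check_lock()
end
```

Two things a practitioner would check before relying on this: the failure marker must match exactly what the application returns on a bad login (otherwise every response looks like a success and the counter never grows), and SecDataDir must be writable by the web server user, since that is where the USER collection is persisted between requests.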