well, i was not url_encoding the string before trying on the server. It worked.
On 10/27/10 9:21 AM, "robert mena" <email@example.com> wrote:> I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
> Is there a way to test with standard attack vectors to see if mod_security is
> blocking the attemps for (example), sql injection?
> OR 1=1 but no message is logged in /var/log/httpd/error-logWhat rule set are you using? When I test your payload against our public
OWASP Core Rule Set (CRS) Demo is triggers SQL Injection alerts -