mod-security-developers

[Mod-security-developers] LibModsecurity

[Fakhri Z. <d0l...@ya...>]

Hello,

i'm having a hard time in finding the function call that actually detect injection payload (e.g <script>alert(1)</script>). The payload does not necessarily need to exactly like the one i provided in the brackets. 

Based on the code flow
(https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/examples/simple_example_using_c/test.c) , the code basically just initiate the rules to the modsecurity instance and also try to initiate remote rules and i don't find any function call that actually does the payload detection, is it already implemented? maybe i missed somewhere. 
Thanks.

Re: [Mod-security-developers] LibModsecurity

[Felipe C. <FC...@tr...>]

Hi Fakhri,

The complete documentation can be found embedded in the classes source, for instance:
https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/src/transaction.cc#L226-L248

Depending on your editor, this information may be available as a tooltip (or similar), while you coding.

Also, you can use other implementation of the library as a guide to your development. In library
git repository you will be able to find the benchmark utility and the regression test utility:
 - https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/test/benchmark/benchmark.cc
 - https://github.com/SpiderLabs/ModSecurity/blob/libmodsecurity/test/regression/regression.cc

Another implementation available is the pcap one:
 - https://github.com/SpiderLabs/ModSecurity-pcap/blob/master/pcap.cc


Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>





On 2/22/16, 8:41 AM, "Fakhri Zulkifli" <d0l...@ya...<mailto:d0l...@ya...>> wrote:

Hello,

i'm having a hard time in finding the function call that actually detect injection payload (e.g <script>alert(1)</script>). The payload does not necessarily need to exactly like the one i provided in the brackets.

Based on the code flow
(http://scanmail.trustwave.com/?c=4062&d=r_TK1jviw3jweOIGGWeJS_6JQ1rHQ8KwyJOzHmvrnw&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fblob%2flibmodsecurity%2fexamples%2fsimple%5fexample%5fusing%5fc%2ftest%2ec) , the code basically just initiate the rules to the modsecurity instance and also try to initiate remote rules and i don't find any function call that actually does the payload detection, is it already implemented? maybe i missed somewhere.
Thanks.

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://scanmail.trustwave.com/?c=4062&d=r_TK1jviw3jweOIGGWeJS_6JQ1rHQ8KwyJOxTDzqmw&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2fclk%3fid%3d272487151%26iu%3d%2f4140
_______________________________________________
mod-security-developers mailing list
mod...@li...<mailto:mod...@li...>
http://scanmail.trustwave.com/?c=4062&d=r_TK1jviw3jweOIGGWeJS_6JQ1rHQ8KwyMazQD7tnA&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php


________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.