Thread: [mod-security-users] How can I test to see if mod_security is catching/blocking attempts?
From: robert m. <rob...@gm...> - 2010-10-27 13:21:55
Hi,

Is there a way to test with standard attack vectors to see if mod_security is blocking the attempts for (example), sql injection?

I've enabled and tried with www.mysite.com/?u=1 OR 1=1 but no message is logged in /var/log/httpd/error-log

From: Ryan B. <RBa...@tr...> - 2010-10-27 13:45:22
On 10/27/10 9:21 AM, "robert mena" <rob...@gm...> wrote:
> Hi,
>
> Is there a way to test with standard attack vectors to see if mod_security is
> blocking the attempts for (example), sql injection?
>
> I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
> OR 1=1 but no message is logged in /var/log/httpd/error-log

What rule set are you using? When I test your payload against our public OWASP Core Rule Set (CRS) Demo it triggers SQL Injection alerts - http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1

-Ryan

From: robert m. <rob...@gm...> - 2010-10-27 13:50:57
I've downloaded and used the rules from OWASP

modsecurity_35_bad_robots.data
modsecurity_50_outbound.data
modsecurity_crs_48_local_exceptions.conf
modsecurity_35_scanners.data
modsecurity_50_outbound_malware.data
modsecurity_crs_49_inbound_blocking.conf
modsecurity_40_generic_attacks.data
modsecurity_crs_41_phpids_converter.conf
modsecurity_crs_50_outbound.conf
modsecurity_41_sql_injection_attacks.data
modsecurity_crs_41_phpids_filters.conf
modsecurity_crs_59_outbound_blocking.conf
modsecurity_42_comment_spam.data
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_60_correlation.conf
modsecurity_46_et_sql_injection.data
modsecurity_crs_41_xss_attacks.conf
modsecurity_46_et_web_rules.data
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_40_generic_attacks.conf

I've configured SecDefaultAction "phase:2,drop,log"

On Wed, Oct 27, 2010 at 9:45 AM, Ryan Barnett <RBa...@tr...> wrote:
> On 10/27/10 9:21 AM, "robert mena" <rob...@gm...> wrote:
>
> > Hi,
> >
> > Is there a way to test with standard attack vectors to see if mod_security is
> > blocking the attempts for (example), sql injection?
> >
> > I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
> > OR 1=1 but no message is logged in /var/log/httpd/error-log
>
> What rule set are you using? When I test your payload against our public
> OWASP Core Rule Set (CRS) Demo it triggers SQL Injection alerts -
> http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1
>
> -Ryan

From: Ryan B. <RBa...@tr...> - 2010-10-27 13:53:49
On 10/27/10 9:50 AM, "robert mena" <rob...@gm...> wrote:
> I've downloaded and used the rules from OWASP
>
> modsecurity_35_bad_robots.data modsecurity_50_outbound.data
> modsecurity_crs_48_local_exceptions.conf
> modsecurity_35_scanners.data
> modsecurity_50_outbound_malware.data
> modsecurity_crs_49_inbound_blocking.conf
> modsecurity_40_generic_attacks.data
> modsecurity_crs_41_phpids_converter.conf
> modsecurity_crs_50_outbound.conf
> modsecurity_41_sql_injection_attacks.data
> modsecurity_crs_41_phpids_filters.conf
> modsecurity_crs_59_outbound_blocking.conf
> modsecurity_42_comment_spam.data
> modsecurity_crs_41_sql_injection_attacks.conf
> modsecurity_crs_60_correlation.conf
> modsecurity_46_et_sql_injection.data modsecurity_crs_41_xss_attacks.conf
>
> modsecurity_46_et_web_rules.data
> modsecurity_crs_47_common_exceptions.conf
> modsecurity_crs_20_protocol_violations.conf
> modsecurity_crs_30_http_policy.conf
> modsecurity_crs_42_tight_security.conf
> modsecurity_crs_21_protocol_anomalies.conf
> modsecurity_crs_35_bad_robots.conf modsecurity_crs_45_trojans.conf
> modsecurity_crs_23_request_limits.conf
> modsecurity_crs_40_generic_attacks.conf
>
> I've configured SecDefaultAction "phase:2,drop,log"

Have you reviewed the modsec_debug.log file?

-Ryan

> On Wed, Oct 27, 2010 at 9:45 AM, Ryan Barnett <RBa...@tr...> wrote:
>> On 10/27/10 9:21 AM, "robert mena" <rob...@gm...> wrote:
>>
>>> Hi,
>>>
>>> Is there a way to test with standard attack vectors to see if mod_security is
>>> blocking the attempts for (example), sql injection?
>>>
>>> I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
>>> OR 1=1 but no message is logged in /var/log/httpd/error-log
>>
>> What rule set are you using? When I test your payload against our public
>> OWASP Core Rule Set (CRS) Demo it triggers SQL Injection alerts -
>> http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1
>>
>> -Ryan

From: robert m. <rob...@gm...> - 2010-10-27 14:59:55
Well, I was not url_encoding the string before trying on the server. It worked.

Unfortunately I found an error message

Rule execution error - PCRE limits exceeded (-8): (null).

Searching in Google I found very old messages (back to 2004?) and some new (in ASL forum) but no conclusive answer of how to solve it and why it was triggered.

When those errors happen what occurs with the request? Is it allowed or dropped?

On Wed, Oct 27, 2010 at 9:45 AM, Ryan Barnett <RBa...@tr...> wrote:
> On 10/27/10 9:21 AM, "robert mena" <rob...@gm...> wrote:
>
> > Hi,
> >
> > Is there a way to test with standard attack vectors to see if mod_security is
> > blocking the attempts for (example), sql injection?
> >
> > I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
> > OR 1=1 but no message is logged in /var/log/httpd/error-log
>
> What rule set are you using? When I test your payload against our public
> OWASP Core Rule Set (CRS) Demo it triggers SQL Injection alerts -
> http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1
>
> -Ryan

From: Ryan B. <RBa...@tr...> - 2010-10-27 15:20:34
On 10/27/10 10:59 AM, "robert mena" <rob...@gm...> wrote:
> Well, I was not url_encoding the string before trying on the server. It
> worked.
>
> Unfortunately I found an error message
>
> Rule execution error - PCRE limits exceeded (-8): (null).
>
> Searching in Google I found very old messages (back to 2004?) and some new (in
> ASL forum) but no conclusive answer of how to solve it and why it was
> triggered.
>
> When those errors happen what occurs with the request? Is it allowed or
> dropped?

Please refer to this recent thread - http://article.gmane.org/gmane.comp.apache.mod-security.user/7864

> On Wed, Oct 27, 2010 at 9:45 AM, Ryan Barnett <RBa...@tr...> wrote:
>> On 10/27/10 9:21 AM, "robert mena" <rob...@gm...> wrote:
>>
>>> Hi,
>>>
>>> Is there a way to test with standard attack vectors to see if mod_security is
>>> blocking the attempts for (example), sql injection?
>>>
>>> I've enabled and tried with www.mysite.com/?u=1 <http://www.mysite.com/?u=1>
>>> OR 1=1 but no message is logged in /var/log/httpd/error-log
>>
>> What rule set are you using? When I test your payload against our public
>> OWASP Core Rule Set (CRS) Demo it triggers SQL Injection alerts -
>> http://www.modsecurity.org/demo/phpids?test=1+OR+1%3D1
>>
>> -Ryan

From: Jamuse <ja...@gm...> - 2010-10-27 13:50:11
On Wed, Oct 27, 2010 at 3:21 PM, robert mena <rob...@gm...> wrote:
> Hi,
> Is there a way to test with standard attack vectors to see if mod_security
> is blocking the attempts for (example), sql injection?
> I've enabled and tried with www.mysite.com/?u=1 OR 1=1 but no message is
> logged in /var/log/httpd/error-log

Hi Robert,

Assuming you're running the CRS, you can use a simple XSS request:

http://www.example.com/?<script>alert(1)</script>

Verify your request shows up in the ModSec debug log (set via the SecDebugLog directive). You may want to increase the SecDebugLogLevel setting for more verbose debugging information.

You may also want to verify that the SecDefaultAction is set to drop / deny and that the CRS is included properly.

--
- Josh