OWASP Top 10 2010

OWASP just released the latest Top 10 Web Application Security Risks for 2010. And here is the list :

• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

Book Review : ModSecurity 2.5

In my previous post, I wrote about ModSecurity book that will be published by Packt Publishing. In November 24, 2009, I received the book in PDF format.

The book is titled “ModSecurity 2.5:Securing your Apache installation and web applications” and authored by Magnus Mischel. It contains nine chapters and covers the topic from the installation to deployment of ModSecurity.

Continue reading →

ModSecurity 2.5.11

ModSecurity version 2.5.11 has been released.

Here are several changes in this release according to the CHANGES file included in the tarball.

• Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
• Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
• Cleanup persistence database locking code.
• Added warning during configure if libcurl is found linked against gnutls for SSL.  The openssl lib is recommended as gnutls has proven to cause issues with mutexes and may crash.
• Cleanup some mlogc (over)logging.
• Do not log output filter errors in the error log.
• Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response.  Patch originally submitted by Ivan Ristic.

I’ve also updated my RPM spec file (for OpenSUSE 11.x).