OWASP Top 10 2010

OWASP just released the latest Top 10 Web Application Security Risks for 2010. Here is the list:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Book Review: ModSecurity 2.5

ModSecurity 2.5

In my previous post, I wrote about the ModSecurity book that will be published by Packt Publishing. On November 24, 2009, I received the book in PDF format.

The book is titled “ModSecurity 2.5: Securing your Apache installation and web applications” and is authored by Magnus Mischel. It contains nine chapters and covers the topic from the installation to the deployment of ModSecurity.


ModSecurity 2.5.11

ModSecurity version 2.5.11 has been released.

Here are several changes in this release, according to the CHANGES file included in the tarball:

  • Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
  • Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
  • Cleanup persistence database locking code.
  • Added warning during configure if libcurl is found linked against gnutls for SSL.  The openssl lib is recommended as gnutls has proven to cause issues with mutexes and may crash.
  • Cleanup some mlogc (over)logging.
  • Do not log output filter errors in the error log.
  • Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response.  Patch originally submitted by Ivan Ristic.
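As an added illustration of what the new MULTIPART_INVALID_QUOTING flag is about (this is not ModSecurity's own parser), the following Python function applies the same idea to a single Content-Disposition part header: it parses the parameters using the RFC 2045 token/quoted-string rules and reports whether any quoting broke those rules. The sample header values in the docstring are constructed.

```python
# Added illustration, not ModSecurity's own code: parse a multipart part's
# Content-Disposition value with RFC 2045 token / quoted-string rules and
# flag quoting that breaks them (cf. MULTIPART_INVALID_QUOTING above).
def parse_content_disposition(value):
    """Return (disposition_type, params, invalid_quoting); invalid_quoting is
    True for an unterminated quote, text after a closing quote, or a '"'
    inside an unquoted token, e.g. 'form-data; name="f"; filename="a"b.txt'."""
    invalid, params, n, i = False, {}, len(value), 0
    while i < n and value[i] != ';': i += 1   # type runs to the first ';'
    disposition = value[:i].strip().lower()
    while i < n:
        i += 1                                # step over ';'
        j = i
        while j < n and value[j] not in '=;': j += 1
        name = value[i:j].strip().lower()
        if j >= n or value[j] == ';':         # parameter without a value
            i = j
            continue
        i = j + 1
        while i < n and value[i] in ' \t': i += 1
        if i < n and value[i] == '"':         # quoted-string, \x is a quoted-pair
            i, buf, closed = i + 1, [], False
            while i < n and not closed:
                c = value[i]
                if c == '\\' and i + 1 < n:   # \" or \\ keeps the escaped char
                    buf.append(value[i + 1])
                    i += 2
                elif c == '"':
                    closed, i = True, i + 1
                else:
                    buf.append(c)
                    i += 1
            if not closed:                    # ran off the end inside quotes
                invalid = True
            while i < n and value[i] in ' \t': i += 1
            if i < n and value[i] != ';':     # e.g. "a"b.txt: junk after the quote
                invalid = True
                while i < n and value[i] != ';': i += 1
            val = ''.join(buf)
        else:                                 # bare token runs to the next ';'
            j = i
            while j < n and value[j] != ';': j += 1
            val = value[i:j].strip()
            if '"' in val:                    # a quote inside a bare token
                invalid = True
            i = j
        if name:
            params[name] = val
    return disposition, params, invalid
```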

I’ve also updated my RPM spec file (for OpenSUSE 11.x).

Detecting Web Application Firewalls

At OWASP AppSec Europe 2009 in Poland, Sandro Gauci and Wendel G. Henrique gave a presentation titled “The Truth About Web Application Firewalls: What the vendors do not want you to know”.

In the presentation they mention that Web Application Firewalls (WAFs):

  • can be detected, because they leave several signs
  • can be bypassed by changing the attack in order to avoid rules


Upgrade Your ModSecurity

I just noticed that ModSecurity 2.5.8 and 2.5.9 have been released on the same day (March 11, 2009).

Later on I found out that version 2.5.8 fixes the following security issues:

  • Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
  • Removed an invalid “Internal error: Issuing “%s” for unspecified error.” message that was logged when denying with nolog/noauditlog set and

while 2.5.9 superseded it to fix a major security issue:

  • Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by “Internet Security Auditors” (isecauditors.com).

So if you are using ModSecurity version <= 2.5.8, please upgrade your ModSecurity to version 2.5.9.

Oh BTW, if you are going to compile ModSecurity yourself, you may need to add the --with-apr= option to the configure script, like the following:

./configure [your_other_options]