
Apache Web Server Forum

    
SQL Injection bypasses ModeSec rule
afridy
msg:4578471
5:28 am on May 28, 2013 (gmt 0)

Hello,

I installed the OWASP ruleset last week on our VPS. One of my friends tested a website we host and told me that our server is still vulnerable. He issued the following SQL statement and it simply worked.

a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

The OWASP rule was in action and showed a 406.

a'/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()/**/from/**/information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+-

The rule failed. The SQL statement executed successfully.

Can anybody help me with this?

 

Dideved
msg:4578486
6:48 am on May 28, 2013 (gmt 0)

I took a look at the OWASP ModSecurity SQL injection rules. It appears that it looks for and blocks suspicious strings. But this seems ineffective for two reasons:

1) Not every suspicious string is an attack. What if we were on a forum discussing SQL? The ModSecurity rules may very well end up blocking legitimate content. Even a simple phrase such as "select group having order" could be considered suspicious by those rules.

And 2) we can't possibly think up each and every combination of suspicious strings, and if you know what's considered suspicious, then it's super easy to beat.

All things considered, this seems like flimsy protection that will generate an awful lot of false positives. I wouldn't use it. It's the responsibility of your application to escape or bind any user provided content. Escaping or binding is the only way to achieve foolproof protection with zero false positives.
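The escape-or-bind point above, as an added example that is not part of the thread: it feeds the two payloads afridy quoted into a string-concatenated query and into a bound-parameter query against a constructed in-memory SQLite table, and also runs them past a naive `union\s+select` signature of the kind Dideved describes. SQLite is assumed as a stand-in for the original MySQL server, so the MySQL-only `/*!...*/` comments are plain comments to it and the concatenated query fails to parse rather than listing tables; the error still shows the input was interpreted as SQL rather than as a product name.

```python
import re
import sqlite3

# Both payloads are quoted verbatim from afridy's post above.
PAYLOAD_PLAIN = ("a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles "
                 "WhErE tablE_scHemA=dAtabase()-- -")
PAYLOAD_OBFUSCATED = ("a'/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()"
                      "/**/from/**/information_schema.tables/**/WheRe/**/"
                      "tablE_SchEma=daTabase()--+-")

# A deliberately naive string signature; the obfuscated payload never
# contains "union" followed by whitespace and "select".
NAIVE_SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)


def signature_flags(term: str) -> bool:
    """True when the naive pattern would block this input."""
    return NAIVE_SIGNATURE.search(term) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory SQLite database standing in for the hosted site's data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'apple'), (2, 'pear');
    """)
    return conn


def search_concat(conn: sqlite3.Connection, term: str):
    """Vulnerable: the input is spliced into the statement text, so any SQL
    syntax inside it becomes part of the statement. Returns ('rows', rows) or
    ('error', message); an error here still means the input was parsed as SQL."""
    sql = f"SELECT id, name FROM products WHERE name = '{term}'"
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_bound(conn: sqlite3.Connection, term: str):
    """Safe: the input is a bound parameter and is only ever compared as a
    literal value, whatever characters or comments it contains."""
    rows = conn.execute("SELECT id, name FROM products WHERE name = ?", (term,)).fetchall()
    return ("rows", rows)


if __name__ == "__main__":
    db = make_db()
    for label, term in [("plain", PAYLOAD_PLAIN), ("obfuscated", PAYLOAD_OBFUSCATED)]:
        print(label, "flagged:", signature_flags(term))
        print("  concat:", search_concat(db, term))
        print("  bound: ", search_bound(db, term))
```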

afridy
msg:4578488
7:15 am on May 28, 2013 (gmt 0)

Thanks Dideved,
Yes understood.
