Msg#: 4578469 posted 5:28 am on May 28, 2013 (gmt 0)
I have installed the OWASP ruleset last week into our VPS. One of my friends tested a website we have hosted and told me that our server is still vulnerable. He issued the following SQL statement and it simply worked.
a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -
Msg#: 4578469 posted 6:48 am on May 28, 2013 (gmt 0)
I took a look at the OWASP ModSecurity SQL injection rules. It appears that it looks for and blocks suspicious strings. But this seems ineffective for two reasons:
1) Not every suspicious string is an attack. What if we were on a forum discussing SQL? The ModSecurity rules may very well end up blocking legitimate content. Even a simple phrase such as "select group having order" could be considered suspicious by those rules.
And 2) we can't possibly think up each and every combination of suspicious strings, and if you know what's considered suspicious, then it's super easy to beat.
All things considered, this seems like flimsy protection that will generate an awful lot of false positives. I wouldn't use it. It's the responsibility of your application to escape or bind any user provided content. Escaping or binding is the only way to achieve foolproof protection with zero false positives.
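The two points made above (a keyword blocklist cannot distinguish data from SQL, while binding makes the distinction at the driver level) can be seen side by side in a small script. This is an added example written for this thread, not code from either poster; it assumes Python's built-in sqlite3 module, an in-memory database, and a constructed `posts` table. The payload string is the one quoted earlier in the thread; the "forum post" is the phrase from the second reply. The unsafe function shows the input being spliced into the statement's grammar, and the bound version shows the same text handled purely as a value.

```python
import sqlite3

# Constructed inputs: the first is the statement quoted in the thread, the
# second is the harmless phrase the reply says a keyword filter would block.
PAYLOAD = ("a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles "
           "WhErE tablE_scHemA=dAtabase()-- -")
FORUM_POST = "select group having order"


def make_db():
    """Constructed sample schema: one table of forum posts (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("INSERT INTO posts (author, body) VALUES ('alice', 'hello')")
    conn.commit()
    return conn


def build_unsafe_sql(author):
    """String concatenation: the user's text becomes part of the SQL grammar."""
    return "SELECT id, author, body FROM posts WHERE author = '" + author + "'"


def unsafe_lookup(conn, author):
    """Runs the concatenated statement.

    Returns (rows, None) on success or (None, error_text) when the injected
    text has changed the statement's structure. With the thread's payload the
    engine now sees a UNION against a table that does not exist here, so the
    lookup fails instead of returning the author's posts.
    """
    try:
        return conn.execute(build_unsafe_sql(author)).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def safe_lookup(conn, author):
    """Parameter binding: the driver sends the value separately from the SQL.

    Whatever the value contains, it can only ever be compared against the
    author column; it cannot add a UNION, a comment, or a second statement.
    """
    return conn.execute(
        "SELECT id, author, body FROM posts WHERE author = ?", (author,)
    ).fetchall()


def safe_insert(conn, author, body):
    """Stores a post with binding and returns the body as read back.

    SQL keywords in the body are stored verbatim, so legitimate discussion of
    SQL is not rejected, and an injection attempt is stored as inert text.
    """
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    conn.commit()
    return conn.execute("SELECT body FROM posts WHERE author = ?", (author,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe SQL text :", build_unsafe_sql(PAYLOAD))
    print("unsafe result   :", unsafe_lookup(db, PAYLOAD))
    print("bound result    :", safe_lookup(db, PAYLOAD))
    print("bound post body :", safe_insert(db, "bob", FORUM_POST))
```

The same pattern is what PDO prepared statements or `mysqli` `bind_param` give a PHP application: the statement text reaches the database with placeholders, and the values travel separately, so no string in the request can rewrite the query. Binding does not cover table or column names or ORDER BY terms supplied by the user; those still need an allowlist in the application.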