Showing 46 results for: 2008

Fixing Both Missing HTTPOnly and Secure Cookie Flags

In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish the same thing but for...

Helping Protect Cookies with HTTPOnly Flag

If you are unfamiliar with what the HTTPOnly cookie flag is or why your web apps should use it, please refer to the following resources - Mitigating Cross-site Scripting With HTTP-only Cookies - http://msdn.microsoft.com/en-us/library/ms533046.aspx OWASP HTTPOnly Overview - http://www.owasp.org/index.php/HTTPOnly The...

Securing WebGoat using ModSecurity

This year, the OWASP's Summer of Code event contains one project that's of particular interest to me (and possibly to you, considering that you're following this blog): Securing WebGoat Using ModSecurity. If you've even seen WebGoat (a learning sandbox that...

ModSecurity's Source Code Repository Is Now Open

I spent the last week importing ModSecurity's source code repository into subversion at Source Forge. I am proud to announce that a read-only version of ModSecurity's subversion repository is now publicly available. In addition to this, Atlassian has graciously given...

ModSecurity at ApacheCon US 2008

In a few weeks' time I will present my favourite talk, Web Intrusion Detection with ModSecurity, at the ApacheCon US 2008 in New Orleans: Intrusion detection is a well-known network security technique--it introduces monitoring and correlation devices to networks, enabling...

ModProfiler: Leading ModSecurity Towards Positive Security

Several years ago, a few more than I'd like to admit, I realised our chances for writing completely secure web applications are extremely slim; virtually non-existent. We can certainly try—and many are making heroic efforts—but nothing good can come out...

Best Practices: Use of Web Application Firewalls

Back in May, at AppSec OWASP in Ghent, I listened to Alexander Meisel (who was presenting on behalf of OWASP Germany) talk about best practices for web application firewall deployment. The interesting talk was backed by a larger document, which...

ModSecurity Issue Tracker Now Available

I am happy to announce that we've just launched a public issue tracking facility for ModSecurity. It's available at https://www.modsecurity.org/tracker/. We've selected JIRA for this purpose, not only because it is the best issue tracking product out there, but also...

ModSecurity 2.5.6 and Mlogc

The ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log data to a console or Breach Security appliance. The final packaged release of ModSecurity 2.5.6 did not contain the mlogc source as it should have. This means that...

Transformation Caching Unstable, Fixed, But Deprecated

We have just released ModSecurity 2.5.6 to address several issues with transformation caching: the subsystem is unstable, can crash your server, and is even susceptible to evasion in certain circumstances. Although the issues have all been fixed in 2.5.6...

ModSecurity In Solaris

Although Solaris has been supported as a platform for ModSecurity since the very beginning, it has now become part of Sun's Cool Stack: Cool Stack is a collection of some of the most commonly used open source applications optimized for...

Three ModSecurity Rule Language Annoyances

There are three aspects of the ModSecurity Rule Language we are not very happy with. One comes from a wrong design decision (my own), with a further two from constraints of working within the framework of Apache. All three break the...

Enough With Default Allow Revision 2

A revised version (but still a draft) of the Enough With Default Allow in Web Applications! paper is now available for download. (My previous post on this topic is here.) The major changes in this version include: Decided to use...

Enough with Default Allow in Web Applications!

The title of this blog post is also the title of a research paper we are currently working on. Although the paper is still in draft form, we've decided to circulate it widely (download here) because we believe a public...

Web Application Firewall Use Cases Update

My list of web application firewall use cases continues to evolve. I've decided to shuffle things somewhat: I am going to remove the "Network building blocks" use case because that is really a feature of reverse proxies. If a WAF...

XSS Defense HOWTO

We all agree that cross-site scripting is a serious problem, but what continues to amaze me is the lack of good documentation on the subject. It is easy to find instructions on how to execute attacks against applications vulnerable to XSS,...

ModSecurity In HP-UX Internet Express

We receive questions about ModSecurity running on HP-UX from time to time, but since we don't have access to the platform there is very little we can do to help. Fortunately, most questions fall into the "Does it run?" category....

ModSecurity Licensing Exception Draft Is Ready

As you may know, ModSecurity is licensed under GPL version 2. This licence has served us reasonably well, but there's been one problem that has been following us for a long time. I chose to use the GPLv2 for ModSecurity,...