1 Jul 04:08
Re: How to save value of a query string parameter then use it in Phase 4?
From: Stephen Craig Evans <stephencraig.evans <at> gmail.com>
Subject: Re: How to save value of a query string parameter then use it in Phase 4?
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-07-01 02:08:05 GMT
Hi Christian,

> Stephen, I think this mailing list would profit, if you would
> comment a bit on your project. How are you getting along?

I'm doing an OWASP Summer of Code project which is using ModSecurity (2.5) to mitigate as many of the vulnerabilities as possible in WebGoat (5.2). Being overloaded by my day job caused me to get a very late start, but I've been working furiously on the project and aim to reach 50% by the end of next week (Fri July 11). For those interested, check at that date from here:

https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project

for project progress and details (there is nothing posted now).

To reach the 50% milestone, I'm aiming to mitigate 50% of the vulnerabilities (which means preventing the WebGoat lessons from being solved) that are the low-hanging fruit. Both ModSecurity & WebGoat were new to me, so it's taken a while to get up to speed on those, learn a cool ruleset-making tool called Remo (!), and install all of that and install/configure other bits such as Apache and Tomcat (on Kubuntu 7.10).

For the 2nd half:
- deploy ModSecurity as a reverse proxy (now I'm using it in embedded mode)
- mitigate as many of the rest of the vulnerabilities as possible; I'm looking forward to the juicy stuff like business logic flaws and hopefully some Lua programming

To give credit (or blame) where credit (or blame) is due: Dinis Cruz helped me a lot in adjusting my original proposal to come up with this project. Thanks to you and the guys at Breach (Ivan, Ryan, Ofer, Brian) for your support by volunteering to be the project reviewers.

Cheers,
Stephen

On Tue, Jul 1, 2008 at 3:31 AM, Christian Folini <christian.folini <at> time-machine.ch> wrote:
> On Mon, Jun 30, 2008 at 09:58:07PM +0800, Stephen Craig Evans wrote:
>> Hi,
>>
>> Ryan, you are correct but in this case I have to set this value at the
>> beginning of phase 2, then I'll be accessing it throughout numerous
>> more *.conf files and in both Phases 2 & 4.
>
> In fact I had the same thing in mind as Ryan, but then I thought
> you must have your reasons for reading and saving in phase two.
>
>> I guess I should call it a night. I typed in "setvar:tx:menu" instead
>> of "setvar:tx.menu" and that cost me over an hour of debugging ;-(
>
> :) good to see, these kinds of things do not happen to me alone.
>
> Stephen, I think this mailing list would profit, if you would
> comment a bit on your project. How are you getting along?
>
> cheers,
>
> Christian
>
> --
> Communications without intelligence is noise;
> Intelligence without communications is irrelevant.
> --- Gen. Alfred M. Gray, USMC
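Rule fragment added here as an illustration of the phase 2 to phase 4 hand-off the subject line asks about; it is not Stephen's project ruleset and does not come from the thread. A query-string parameter is checked and saved into the TX collection in phase 2, then read again in phase 4 once the response body is available. The parameter name "menu" is taken from the thread; the rule ids, the numeric whitelist and the "Congratulations" response check are assumptions chosen for the example (ModSecurity 2.x syntax in an Apache configuration).

```apache
# Added example, not from the mailing-list thread or the WebGoat project.
# Phase 4 rules can only see RESPONSE_BODY if body access is on and the
# MIME type is buffered.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain

# Phase 2: ARGS is complete here. Whitelist ?menu=<digits> and copy the
# value into the transaction collection. The key must be written as
# collection.variable ("tx.menu"); the colon form from the thread
# ("setvar:tx:menu") is not that syntax and the later rules never see
# the value.
# (assumed id range 900100+; ids are arbitrary for this example)
SecRule ARGS_GET:menu "^[0-9]{1,6}$" \
    "phase:2,id:900100,t:none,pass,nolog,setvar:tx.menu=%{MATCHED_VAR}"

# Phase 2: a menu parameter was supplied but did not pass the whitelist
# above, so tx.menu is unset. Hypothetical policy: refuse the request.
SecRule &ARGS_GET:menu "@eq 1" \
    "phase:2,id:900101,t:none,chain,deny,status:403,log,msg:'menu parameter rejected'"
    SecRule &TX:menu "@eq 0"

# Phase 4: TX lives for the whole transaction, so tx.menu is still here
# (including from rules in other *.conf files). Hypothetical use: block
# the response for menu=1 if it carries a lesson-solved marker; the
# marker string is an assumption for the example.
SecRule TX:menu "@streq 1" \
    "phase:4,id:900102,t:none,chain,deny,status:403,log,msg:'assumed lesson-solved text in response for menu 1'"
    SecRule RESPONSE_BODY "@contains Congratulations" "t:none"
```

A quick check while writing rules like these: raise SecDebugLogLevel to 9 and grep the debug log for "Set variable" after the phase 2 rule fires; if the line shows a name other than "tx.menu", the setvar key is mistyped and the phase 4 rule will compare against an empty value.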