Hi everyone,

First of all thanks to the OWASP CRS team for the quality of the security tools you provide to the public!

I have been implementing ModSecurity 2.7.7 with the OWASP Core Rule Set 2.2.9, specifically trying to make them play nice with a basic install of Drupal (but my question should be relevant to most database-driven apps).
While all is going pretty well, I have been running into a lot of false positives with SQL injection rules when trying to add or edit content containing basic HTML formatting (e.g. "<p>o" is an SQL tautology!), which is, of course, to be expected.
However, I was wondering: for a basic website where only authenticated users can post content on specific URLs like "/node/add" or "/node/1152/edit", is it an "acceptable" compromise to completely disable SQL injection rules for the free-form textareas on those URLs?
I ask because I was thinking to myself that, while things like XSS protection are vital for users prone to copy-pasting a lot of "dirty" content, SQL injection rules do little to stop an authenticated attacker.

Could somebody who's more experienced than I am chip in?

Thanks!

Ramy Darwish
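A narrower alternative to disabling the SQL injection rules on those URLs is to keep the rules active and only remove the free-form textarea argument from their targets, and only for POSTs to the node add/edit paths. The rule below is an added example, not from the original post or from the CRS project; it assumes the Drupal 7 body field name `body[und][0][value]`, that the CRS 2.2.9 SQLi rules carry the tag `OWASP_CRS/WEB_ATTACK/SQL_INJECTION` (check the installed rule file), and that rule ids from 1000001 are unused in this installation.

```apache
# Added example (not from the original post or the CRS project).
# Assumptions: Drupal 7 field name body[und][0][value]; CRS 2.2.9 SQLi rules
# tagged OWASP_CRS/WEB_ATTACK/SQL_INJECTION; id 1000001 is free.
# Place this in a file that is included BEFORE the CRS rule files, since the
# ctl: exclusion must run before the phase 2 SQLi rules it modifies.

# Only on /node/add and /node/<nid>/edit ...
SecRule REQUEST_FILENAME "@rx ^/node/(add|[0-9]+/edit)$" \
    "id:1000001,phase:1,t:none,nolog,pass,chain"
    # ... and only for form submissions (GETs to these paths carry no body text).
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:body[und][0][value]"
```

Every other parameter on the same request (title, path alias, hidden form fields) stays covered by the SQLi rules, and the exclusion does not apply to other URLs at all; if a single rule is the noisy one, `ctl:ruleRemoveTargetById=<RULE_ID>;ARGS:body[und][0][value]` with the id taken from the audit log is narrower still.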



_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set