On Mon, Feb 17, 2014 at 02:43:57AM +0100, Ramy Darwish wrote:
> I have been implementing modsecurity 2.7.7 with the OWASP Core Rule
> Set 2.2.9, specifically trying to make them play nice with a basic
> install of Drupal (but my question should be relevant to most
> database-driven apps).
>
> While all is going pretty well, I have been running into a lot of
> False Positives with SQL injection rules when trying to add or edit
> content containing basic html formatting (e.g. "<p>o" is an
> SQL Tautology!), which is, of course, to be expected.
>
> However, I was wondering: For a basic website where only
> authenticated users can post content on specific URLs like
> "/node/add" or "/node/1152/edit", is it an "acceptable" compromise
> to completely disable SQL injection rules for the free-form
> textareas, on those URLs?

Hi Ramy,

From my perspective the question comes down to trust. If you completely trust the users with administrative rights and are not concerned with CSRF attacks you can safely disable those rules. Another approach is to disable those rules based on a source IP or secret token in the user-agent string.

- Josh

> I ask because I was thinking to myself that, while things like XSS
> protection are vital for users prone to copy-pasting a lot of
> "dirty" content, SQL injection rules do little to stop an
> authenticated attacker.
>
> Could somebody who's more experienced than I am chip in?
>
> Thanks!
>
> Ramy Darwish
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
Josh Amishav-Zlatin
CTO | Wafsec
The WAF is free, your time isn't
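A concrete form of the URL-scoped exclusion Josh describes, as an added example that is not from either poster's message: a rule that removes only the free-form textarea from the CRS SQL-injection rules, only on the edit paths Ramy names, and only when the request carries a logged-in session. It assumes Drupal 7 field names (body[und][0][value] and body[und][0][summary]), Drupal's SESS<hash>/SSESS<hash> cookie names, clean URLs, a constructed rule id 1000100, and the CRS 2.2.9 tag OWASP_CRS/WEB_ATTACK/SQL_INJECTION; adjust these to the site.

```apache
# Added example, not from the thread. Assumptions: Drupal 7 field names,
# Drupal session cookie names, clean URLs, rule id 1000100 (constructed),
# CRS 2.2.9 tag name. Load this file BEFORE the CRS rule files (ctl actions
# only affect rules evaluated after this rule runs), e.g. as
# modsecurity_crs_15_custom.conf.

# Condition 1: only the authenticated content-editing paths
# (/node/add, /node/add/<type>, /node/<nid>/edit). REQUEST_FILENAME
# excludes the query string, so ?q=... tricks do not widen the match.
SecRule REQUEST_FILENAME "@rx ^/node/(?:add(?:/[a-z_-]+)?|\d+/edit)$" \
    "phase:1,id:1000100,t:none,pass,nolog,chain"

    # Condition 2: at least one Drupal session cookie is present, so
    # anonymous requests to these paths keep full SQLi coverage.
    SecRule &REQUEST_COOKIES:/^S?SESS[0-9a-f]+$/ "@ge 1" "t:none,chain"

        # Condition 3: the node forms submit with POST; GETs to the same
        # paths are left fully inspected. Only when all three hold are the
        # two body fields removed from the SQL-injection rule family.
        SecRule REQUEST_METHOD "@streq POST" \
            "t:none,\
            ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:body[und][0][value],\
            ctl:ruleRemoveTargetByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS:body[und][0][summary]"
```

Because only the named targets are removed from the SQLi-tagged rules, the XSS and other CRS rule families still inspect those fields, and the SQLi rules still inspect every other parameter on the request.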