Hi all

I read this:
modsecurity-nginx module, master, sha1: 3de175)

Knowing that sha1 is broken and considered weak, some bad guy could
potentially replace the genuine package with a corrupt one.

Has this issue been considered at the Modsecurity management level?

Kind regards,

Jean-Raymond Ferrer
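An added example, not from either message in this thread: a small POSIX shell check a packager can run before building. It refuses to accept an abbreviated commit prefix such as "3de175" as a pin, compares the checkout's HEAD against a full 40-character commit id, and compares a downloaded archive against a SHA-256 digest taken from a trusted source. The file contents, digests and repository path used in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pin what you build
# against a full git commit id and pin a downloaded archive against a
# SHA-256 digest, instead of relying on a short commit prefix alone.
set -eu

# Portable SHA-256 hex digest (coreutils sha256sum or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file sha256=$actual"
        return 0
    fi
    echo "FAIL $file expected=$expected actual=$actual" >&2
    return 1
}

# verify_commit REPO_DIR EXPECTED_FULL_SHA -> 0 if HEAD is exactly that
# commit. A full 40-hex id is required; a 6- or 7-character prefix is a
# label for humans, not an integrity pin.
verify_commit() {
    repo=$1
    expected=$2
    case $expected in
        *[!0-9a-f]*)
            echo "FAIL commit id must be lowercase hex: '$expected'" >&2
            return 1 ;;
    esac
    if [ ${#expected} -ne 40 ]; then
        echo "FAIL refusing abbreviated id '$expected'; pin the full 40-char id" >&2
        return 1
    fi
    if [ ! -d "$repo" ]; then
        echo "FAIL no repository at $repo" >&2
        return 1
    fi
    actual=$(git -C "$repo" rev-parse --verify HEAD)
    if [ "$actual" != "$expected" ]; then
        echo "FAIL HEAD of $repo is $actual, expected $expected" >&2
        return 1
    fi
    echo "OK   $repo at $actual"
}

# Demonstration on constructed data (runs offline).
demo=$(mktemp)
printf 'abc' > "$demo"   # constructed archive contents
# SHA-256("abc"), a well-known test vector.
verify_sha256 "$demo" \
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" || true
# An abbreviated id is rejected before git is even consulted.
verify_commit "${1:-/path/to/checkout}" "3de175" || true
rm -f "$demo"
```

Usage: `sh pin-check.sh /path/to/modsecurity-nginx` runs the demonstration against that checkout; in a real build script call `verify_commit` with the full id recorded from `git rev-parse HEAD` on a trusted machine and `verify_sha256` with the digest published alongside the release archive.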

On Sun, 16 Apr 2017 at 21:27, Ervin Hegedus <airw...@gmail.com> wrote:

> Hi all,
>
> I'm new to Modsecurity. A few days ago I created a few
> packages for my Debian (8) systems from GitHub repos:
> - libmodsecurity 3.0, v3/master, sha1: b58f713
> - nginx 1.6.2 (patched the official Debian package with
>   modsecurity-nginx module, master, sha1: 3de175)
> - owasp-modsecurity-crs 3.0, v3.0/master, sha1: d1692b
>
> I'm using Nginx as a frontend proxy for my Apache web servers,
> which run in containers (LXC). The patched nginx and the other
> components work as well. I could run a few basic checks and
> demonstrate the advantages of a WAF to my colleagues. But
> there were only two basic attacks I could show them: XSS and
> SQL injection.
>
> My 2 cents question is: how can I demonstrate other features? I
> mean, it could show session fixation: I put a simple PHP
> script in the webroot and loaded the page in a browser. I found the
> PHPSESSID cookie, and then I tried to load the page in another
> browser (on another host) - but nothing happened...
> the page loaded as well with the hijacked session.
>
> What did I miss, or how can I show this feature?
>
> In general, how can I show all the features of Modsecurity
> and OWASP CRS?
>
>
> Thank you,
>
>
> Ervin
>
>
> --
> I ♥ UTF-8
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set