purewaf

Dec
02
Virtual Patching Session Fixation
Written By Josh Zlatin

    On a recent engagement we gained unrestricted administrative access to a certain proprietary web application by exploiting a Session Fixation flaw. According to the WASC Threat Classification v2, Session Fixation is an attack technique that forces a user's session ID to an explicit value.

0 Comments
| 596 Hits
Read More
ModSecurity, purewaf
Nov
16
Speeding Up Lua Script Execution in ModSecurity
Written By Josh Zlatin

    Often when implementing customised ModSecurity solutions we need to extend the built-in functionality via Lua scripting. One of the disadvantages to this approach is the added latency penalty paid for not using the native rules language. When web site performance is critical for business continuity, every additional millesecond counts. The current trunk code fixes a long-standing limitation where ModSecurity needed to create a new VM for each request, which added latency every time a Lua script was executed.

0 Comments
| 1,246 Hits
Read More
Lua, ModSecurity, purewaf, security
May
06
Increasing ModSecurity Collection Size Limits
Written By Josh Zlatin

    One of the more useful features of ModSecurity is it's persistant storage capabilities. ModSecurity uses the SDBM library, which comes with the Apache Portable Runtime (APR). When using ModSecurity collections for anything beyond trivial use, you may quickly hit the arbitrary SDBM library limit of 1008 bytes. That limit is on the combined size of both the key and record length. When you hit the SDMB size limit, you get the following cryptic error message:

0 Comments
| 1,630 Hits
Read More
ModSecurity, purewaf

Most Popular List

Skype 0day vulnerabilitiy d...
06/05/2011 | Written By Gordon Maddern | 44,265 Hits
About a month ago I was chatting on skype to a colleague about a payload for...
Building dependable enterpr...
28/06/2011 | Written By Sandeep Nain | 6,716 Hits
Coming from a family of civil engineers, I always knew that it is a rigorous...
PHP/Java Floating Point DoS...
17/02/2011 | Written By Josh Zlatin | 5,999 Hits
Recently a floating point DoS vulnerability surfaced in both PHP and Java. Th...
Remove Lost iPhone Backup P...
15/10/2011 | Written By Ty Miller | 4,317 Hits
Lets say that at some point you decided to adhere to security best practices...

Most Recent Posts List

Introduction to Hash DoS At...
03/01/2012 | Written By Josh Zlatin | 1,349 Hits
Someone asked me about the Hash DoS attack recently disclosed at CCC, so...
Virtual Patching Session Fi...
02/12/2011 | Written By Josh Zlatin | 596 Hits
On a recent engagement we gained unrestricted administrative access to...
Speeding Up Lua Script Exec...
16/11/2011 | Written By Josh Zlatin | 1,246 Hits
Often when implementing customised ModSecurity solutions we need to...
Remove Lost iPhone Backup P...
15/10/2011 | Written By Ty Miller | 4,317 Hits
Lets say that at some point you decided to adhere to security best practices...