purewaf

May
19
Speeding Up Lua Script Execution in ModSecurity
Written By Josh Zlatin

    Often when implementing customised ModSecurity solutions we need to extend the built-in functionality via Lua scripting. One of the disadvantages to this approach is the added latency penalty paid for not using the native rules language. When web site performance is critical for business continuity, every additional millesecond counts. The current trunk code fixes a long-standing limitation where ModSecurity needed to create a new VM for each request, which added latency every time a Lua script was executed.

0 Comments
| 3,190 Hits
Read More
Lua, ModSecurity, purewaf, security
Dec
02
Virtual Patching Session Fixation
Written By Josh Zlatin

    On a recent engagement we gained unrestricted administrative access to a certain proprietary web application by exploiting a Session Fixation flaw. According to the WASC Threat Classification v2, Session Fixation is an attack technique that forces a user's session ID to an explicit value.

0 Comments
| 2,330 Hits
Read More
ModSecurity, purewaf
May
06
Increasing ModSecurity Collection Size Limits
Written By Josh Zlatin

    One of the more useful features of ModSecurity is it's persistant storage capabilities. ModSecurity uses the SDBM library, which comes with the Apache Portable Runtime (APR). When using ModSecurity collections for anything beyond trivial use, you may quickly hit the arbitrary SDBM library limit of 1008 bytes. That limit is on the combined size of both the key and record length. When you hit the SDMB size limit, you get the following cryptic error message:

0 Comments
| 3,417 Hits
Read More
ModSecurity, purewaf

Most Popular List

Skype 0day vulnerabilitiy d...
06/05/2011 | Written By Gordon Maddern | 62,079 Hits
About a month ago I was chatting on skype to a colleague about a payload for...
Remove Lost iPhone Backup P...
15/10/2011 | Written By Ty Miller | 17,495 Hits
Lets say that at some point you decided to adhere to security best practices...
Building dependable enterpr...
28/06/2011 | Written By Sandeep Nain | 15,436 Hits
Coming from a family of civil engineers, I always knew that it is a rigorous...
Skype Bug Full Disclosure
24/05/2011 | Written By Gordon Maddern | 8,474 Hits
Skype has patched and released the fix for the Skype bug we found so we can d...

Most Recent Posts List

Speeding Up Lua Script Exec...
19/05/2013 | Written By Josh Zlatin | 3,190 Hits
Often when implementing customised ModSecurity solutions we need to...
Ethical Hacking Unveiled
07/05/2013 | Written By Richard Brown | 313 Hits
The term ‘ethical hacker’ is often misrepresented as the keywords...
Fight PCI trolls by trollin...
05/04/2013 | Written By Gordon Maddern | 462 Hits
I recently had to go in to bat for a client who was told by their PCI auditor...
Hacking in the Year 2030
04/03/2013 | Written By Ty Miller | 2,268 Hits
  If you are anything like me, when you hear "Hacking in the Year 2...