This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Appendix D: Additional important stuff"

From OWASP
Jump to: navigation, search
(Fixes/enhancements: add fix #1)
Line 16: Line 16:
  
 
This section contains fixes and/or enhancements to the rulesets (time permitting).
 
This section contains fixes and/or enhancements to the rulesets (time permitting).
 +
 +
# Fix for 'rulefile_10_improper-error-handling.conf' (13 Dec 2008):
 +
 +
Their wasn't enough filtering so this rule was being invoked in other situations where it shouldn't have been. Change the first line below and add the 2nd one immediately after like this:
 +
 +
<pre>
 +
  SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
 +
  SecRule &ARGS:Username "@eq 0" "t:none,pass,skip:1"
 +
</pre>

Revision as of 10:58, 14 December 2008

This Appendix will get updated when necessary and major updates will be noted in the News section of the main project page at https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project

This wiki in a Word doc

This zipped Word doc (3.1 meg) is a snapshot of the wiki on 28 November 2008 and might be easier to reference than navigating around on the wiki.

File:OWASP ModSecurity Securing WebGoat wiki 28Nov2008.zip

Other material

This zip file (1.4 meg) is a short version and long version of ppt prezos that I gave at the OWASP EU Summit in Portugal on November 3-7, 2008. If somebody can figure out how to stop stupid Powerpoint from automatically inserting the damned bullets, please email me at stephencraig_dot_evans_at_gmail_dot_com or subscribe to the project mailing list at https://lists.owasp.org/mailman/listinfo/owasp-webgoat-using-modsecurity and post a message there.

File:OWASP EU Summit 2008 ModSec on WebGoat.zip

Fixes/enhancements

This section contains fixes and/or enhancements to the rulesets (time permitting).

  1. Fix for 'rulefile_10_improper-error-handling.conf' (13 Dec 2008):

Their wasn't enough filtering so this rule was being invoked in other situations where it shouldn't have been. Change the first line below and add the 2nd one immediately after like this:

  SecRule ARGS:menu "!@eq 1100" "t:none,pass,skip:2"
  SecRule &ARGS:Username "@eq 0" "t:none,pass,skip:1"