OWASP ruleset vs XSS/SQL Injection

afridy · May 24, 2013, 1:43pm

Hello,

i have enabled OWASP modesecurty in our WHM Server.
then i tested the functionality with a website hosted in our server using the following sql statemnt.

a' union sElEcT 1,2,table_nAme fRom informAtion_schemA.tAbles WhErE tablE_scHemA=dAtabase()-- -

406 Not acceptable - mean rule in action.

a'/**//*!unIoN*//**//*!SelEct*//**/1,/*!table_name*/,database()/**/from/**/information_schema.tables/**/WheRe/**/tablE_SchEma=daTabase()--+-

successflly got in - rule set failed.

What could be wrong :mad::mad:

afridy · May 28, 2013, 8:23pm

any body pls!

Mittineague · May 28, 2013, 11:10pm

I’m guessing this is with MySQL?

If nobody comes by with OWASP modsecurity knowledge soon we could try moving the thread to the database forum.

afridy · May 29, 2013, 4:55am

yes mitti, will try like that then.

Mittineague · June 2, 2013, 11:41pm

Moved to the database forum, Hopefully someone can help you put together a rule.