When testing for the correct behavior of the OWASP ModSecurity Core Rule Set, a popular Web Application Firewall rule set, I needed to send empty Acccept- and User-Agent headers. This is relatively simple on the command line with curl: $> curl –header “User-Agent;” https://example.com Pulling this off with libcurl (pycurl in my case), was way […]
Let’s consider Dave Wichers and the OWASP Top 10 project resists all the pressure and the 2017 edition of OWASP Top 10 will include the new A7 “Insufficient Attack Protection”. Lately the discussion has turned more constructive so maybe that prospect is not all that unrealistic. But honestly, I can not tell if A7 will […]
You can go exploited for long periods of time, yet continue to do business in a state of ignorance, as Swiss Ruag did for years. But with Distributed Denial of Service attacks the case is entirely different. Your service comes to a halt within minutes and panic breaks out. You will notice, your boss will […]
Damiano Esposito of ZHAW and I run a little test project where we want to measure the effectiveness of the OWASP ModSecurity Core Rule Set 3.0 (CRS3) under attack by several security scanners. The testing is only about to start, but I would like to document the setup of the ModSecurity server a bit to […]
The flight back from San Francisco to Europe was rather tedious. I used the time to write a summary of the third day of the Usenix Enigma 2017 conference to complete the previous coverages of day 1 and day 2. Matt Jones from WhatsApp was the first to talk on the third and final day […]