Advanced Topic of the Week: Preventing Malicious PDF File Uploads
Many reports have indicated that malicious PDFs that exploit flaws in Adobe's Acrobat Reader are ...
Read More
Advanced Topic of the Week: XSS Defense via Content Injection
Introduction In last week's post on Identifying Improper Output Handling, we showed a method to use ...
Read MoreAdvanced Topic of the Week: Identifying Improper Output Handling (XSS Flaws)
A Topic Presents Itself
Read MoreAdvanced Topic of the Week: Validating SessionIDs
This week's topic discusses how to validate application SessionIDs submitted by clients.
Read MoreWASC WHID Bi-Annual Report for 2010
The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web ...
Read MoreAdvanced Topic of the Week: Real-time Blacklist Lookups
This week's feature is the effective use of Real-time Blacklist lookups (@rbl).
Read MoreAdvanced Topic of the Week: Transformation Functions
This week's feature is the effective use of Transformation functions.
Read MoreOWASP ModSecurity CRS Project Promoted to Release Quality
I am excited to announce that the OWASP ModSecurity Core Rule Set (CRS) has completed its official ...
Read MoreOWASP ModSecurity Core Rule Set (CRS) v2.0.8 Released
Greetings everyone, I wanted to announce the availability of the OWASP ModSecurity CRS v2.0.8. ...
Read MoreAdvanced Topic of the Week: Validating Byte Ranges
We are starting a new blog post series here on the ModSecurity site called "Advanced Feature of the ...
Read MoreWhat's up @ ModSecurity?
Since Black Hat and DEFCON we have been busying building teams and aligning objectives over here at ...
Read MoreImpedance Mismatch and Base64
There was a recent blog article stating that ModSecurity can be bypassed by adding invalid ...
Read MoreOWASP AppSec DC Update
I presented on the OWASP ModSecurity Core Rule Set (CRS) Project yesterday here at the AppSec DC ...
Read MoreModSecurity Training at Blackhat USA 2009
Just a quick note to let everyone know that a 2-day ModSecurity training class was added to the ...
Read MoreModSecurity Vulnerabilities Fixed
ModSecurity versions 2.5.8 and 2.5.9 have been released to fix two vulnerabilities which could be ...
Read MoreFixing Both Missing HTTPOnly and Secure Cookie Flags
In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify ...
Read MoreHelping Protect Cookies with HTTPOnly Flag
If you are unfamiliar with what the HTTPOnly cookie flag is or why your web apps should use it, ...
Read MoreSecuring WebGoat using ModSecurity
This year, the OWASP's Summer of Code event contains one project that's of particular interest to ...
Read MoreModSecurity's Source Code Repository Is Now Open
I spent the last week importing ModSecurity's source code repository into subversion at Source ...
Read MoreModSecurity at ApacheCon US 2008
In a few weeks' time I will present my favourite talk, Web Intrusion Detection with ModSecurity, at ...
Read MoreModProfiler Presentation at OWASP AppSec Israel 2008
I will be giving the updated version of our ModProfiler presentation this Sunday (14th) at the ...
Read MoreModProfiler: Leading ModSecurity Towards Positive Security
Several years ago, a few more than I'd like to admit, I realised our chances for writing completely ...
Read MoreModSecurity Issue Tracker Now Available
I am happy to announce that we've just launched a public issue tracking facility for ModSecurity. ...
Read MoreMicrosoft and Oracle Helping 'Time-to-Fix' Problems
Before I talk to the title of this post, I have to provide a little back story. I have had an ...
Read MoreModSecurity 2.5.6 and Mlogc
The ModSecurity Log Collector (mlogc) is used to send ModSecurity audit log data to a console or ...
Read MoreTransformation Caching Unstable, Fixed, But Deprecated
We have just released ModSecurity 2.5.6 to address several issues with transformation caching: the ...
Read MoreModSecurity In Solaris
Although Solaris has been supported as a platform for ModSecurity since the very beginning, it has ...
Read More