Thursday, May 13, 2010

The ZeroDayScan scanner and Apache's mod_security

Hello,

Today, while digging into the security scanner's logs, I found a strange response returned from one of the servers. We got a "406 Not Acceptable" response saying that "An appropriate representation of the requested resource /xxx/yyyyyy.php could not be found on this server."

After some research, it turned out that this error originated from the mod_security Apache module. This is a great tool, and indeed it gives you a good layer of protection.

Regarding the web security scan performed by ZeroDayScan: we recommend that webmasters disable mod_security for the duration of the ZeroDayScan website assessment, because the goal of the scan is to identify security bugs in your website scripts. If mod_security is active, our assessment attacks never reach your scripts: they are blocked at the mod_security level, so the scan ends up testing the firewall rather than your code.

In addition, there are ways to obfuscate web attacks, for example SQL injection attacks, so that mod_security does not detect them. We do not want to obfuscate our assessment attacks, because we would have to do so differently for every web application firewall. As a result, the number of attack signatures would grow significantly, and with it the time a scan takes.


So how do you disable mod_security?

It is very easy to do. Just add the following lines to your .htaccess file:

# Turn off mod_security (1.x) filtering; the IfModule guard avoids a
# 500 error from an unknown directive if the module is not loaded.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
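The directives above belong to mod_security 1.x. As an added example that is not part of the original post, the following shows the equivalent for ModSecurity 2.x, where the engine switch is SecRuleEngine and most directives must live in the virtual host configuration rather than in .htaccess. It also shows the narrower setting a practitioner would usually prefer: instead of switching the firewall off for every visitor, disable rule processing only for requests coming from the scanner's source range. The address range 203.0.113.0/24 and the rule id are placeholders chosen for this example; the assumption is that the scanner's source addresses are known and the rule is removed again once the assessment is finished.

```apache
# Added example (not from the original post): ModSecurity 2.x equivalent
# of the .htaccess snippet above, placed in the virtual host configuration.
<IfModule security2_module>
    # Site-wide equivalent of "SecFilterEngine Off" (the weak setting):
    # every client bypasses the rules for as long as this line is active.
    # SecRuleEngine Off

    # Narrower alternative: keep the engine on for everyone, but skip rule
    # processing for requests from the scanner's source range only.
    # 203.0.113.0/24 is a placeholder (documentation range); replace it with
    # the scanner's real addresses and remove the rule after the scan.
    SecRuleEngine On
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.0/24" \
        "id:1000001,phase:1,nolog,allow,ctl:ruleEngine=Off"
</IfModule>
```

With the scoped rule in place, the scanner's requests reach your scripts unfiltered while ordinary visitors stay protected, and the audit log continues to record what the rules would otherwise have blocked for everyone else. Reload Apache after editing the configuration, and confirm in the error log that requests from the scanner no longer produce the 406 responses described above.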



Best regards,
The ZeroDayScan team
