BCM
Posted: 6/21/2011 8:00:34 AM EDT
A project at work has me testing ModSecurity.  I have it running on Apache 2.2.19 without problems, but not being much of a hacker (at all) I have no idea what some of the exploits I can test would be.

Software I'll be trying to compromise would be later versions of Wordpress, Joomla, Drupal, OpenCart, OsCommerce, Zencart, ModX, Concrete5, Magento, Gallery2, ZenPhoto, and others.

Popular components, plugins, extensions, modules, etc. with known vulnerabilities would be helpful also.

I have WordpressExploits.com and the rest of the *Exploits.com sites at my disposal, but they simply tell me what it was, not how to perform it myself.
Link Posted: 6/21/2011 8:57:28 AM EDT
[#1]
I'm by no means some kind of security expert, but if there are documented exploits, wouldn't you just write code to exploit them?  
Link Posted: 6/21/2011 9:06:26 AM EDT
[#3]
Link Posted: 6/21/2011 9:09:06 AM EDT
[#4]
Quoted:

mod-security is decent, but you will also want to learn how to make good .htaccess files to stop invalid client IDs, proxies, etc.

There are entire eBooks on the topic, and many pentest (Penetration Testing) forums/hacking forums that you can learn from.

Never do a Pen Test on a system you do not have complete rights to, or full permission from the person with complete rights. Jail is getting more popular due to recent events.

And I would avoid pentesting a production machine.
Link Posted: 6/21/2011 9:23:33 AM EDT
[#5]
Penetration testing is happening on an isolated machine, not one in a production state. No worries there. Thanks for the comments so far. I am learning SQL injection, which a basic instance of mod_security seems to protect against. It seems to stop globals too, although since PHP 5 globals are disabled by default.
Link Posted: 6/21/2011 4:37:13 PM EDT
[#6]
Link Posted: 6/21/2011 6:29:29 PM EDT
[#7]
You could always put it outside the firewall, then post the IP on 4chan and label it the most secure server in the world