
PreventSQLi = yes,441 not working

Akash Talole
16 March 2016, 11:46
PreventSQLi = yes,441 custom response code is not working; it gives the error "Syntax error in hiawatha.conf".
Hugo Leisink
16 March 2016, 14:45
Did you place it in a VirtualHost{} section?
Akash Talole
16 March 2016, 15:40
Yes.
Hugo Leisink
17 March 2016, 07:35
I think you must have made a typo somewhere. Can you show me your complete configuration?
Akash Talole
17 March 2016, 10:03
VirtualHost {
RequiredBinding = Bind_443
Hostname = www.hostname.com
WebsiteRoot = /var/tmp
ReverseProxy ^/.* https://127.0.0.1:4433/ 95 keep-alive
TLScertFile = /usr/local/etc/hiawatha/hostname.pem
PreventSQLi = yes, 441
PreventXSS = yes
#PreventCSRF = yes
AccessLogfile = /usr/local/var/log/hiawatha/hostname.access.log
ErrorLogfile = /usr/local/var/log/hiawatha/hostname.error.log
}
Akash Talole
17 March 2016, 10:04
And it gives an error at PreventSQLi = yes, 441
Hugo Leisink
17 March 2016, 10:05
What Hiawatha version are you using? If not the latest, try that one first.
Akash Talole
17 March 2016, 10:09
Hiawatha v10.0, cache, IPv6, Monitor, reverse proxy, TLS v2.2.0, Tomahawk, URL toolkit, XSLT
Hugo Leisink
17 March 2016, 10:12
Upgrade to v10.1 to make this work.
Akash Talole
17 March 2016, 10:12
Thanks.
Akash Talole
17 March 2016, 10:23
In the new version it gives an error for SSLcertFile in the Binding section as well as the VirtualHost section:
Binding {
BindingId = Bind_54434
Port = 54434
SSLcertFile = /usr/local/etc/hiawatha/serverkey.pem
MaxKeepAlive = 100
MaxRequestSize = 100000
MaxUploadSize = 550
}
Hugo Leisink
17 March 2016, 10:25
Yes, all 'SSL' terms have been replaced with 'TLS' many versions ago. Since that release, I removed support for the SSL term. So, you should now use TLScertFile instead.

Please, read the changelog of every new release. It contains messages like this.
Akash Talole
17 March 2016, 10:33
XSS is not detected in this version when I set PreventXSS = yes
Hugo Leisink
18 March 2016, 10:27
What URL did you use to test this?
Akash Talole
18 March 2016, 12:14
https://127.0.0.1/dvwa/vulnerabilities/xss_r/?name=%3CIMG+SRC%3D%23+onmouseover%3D%22alert%28%27xxs%27%29%22%3E#
Hugo Leisink
19 March 2016, 11:34
What is the issue? The characters ", <, > and ' in the URL will be replaced with an underscore. This makes any HTML tag harmless. How is this not working for you?
This topic has been closed.
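
The replacement described in the last reply, applied to the test URL from the thread. This is an added example and not Hiawatha's own code; it models the stated behaviour only, and it assumes the percent-encoded forms of the four characters are treated the same as the literal ones. The function names are hypothetical.

```python
from string import hexdigits
from urllib.parse import parse_qs, urlsplit

# The four characters the reply says are replaced with an underscore.
NEUTRALIZED = {'"', "<", ">", "'"}

# Test URL exactly as posted in the thread.
TEST_URL = ("https://127.0.0.1/dvwa/vulnerabilities/xss_r/"
            "?name=%3CIMG+SRC%3D%23+onmouseover%3D%22alert%28%27xxs%27%29%22%3E#")


def neutralize_query(query: str) -> str:
    """Replace ", <, > and ' with '_', whether literal or percent-encoded.

    Assumption: encoded and literal forms are handled alike. All other
    characters and escapes pass through unchanged.
    """
    out = []
    i = 0
    while i < len(query):
        ch = query[i]
        pair = query[i + 1:i + 3]
        if ch == "%" and len(pair) == 2 and all(c in hexdigits for c in pair):
            # A valid %XX escape: neutralize it only if it decodes to one
            # of the four characters, otherwise keep the escape as it is.
            out.append("_" if chr(int(pair, 16)) in NEUTRALIZED else "%" + pair)
            i += 3
        else:
            out.append("_" if ch in NEUTRALIZED else ch)
            i += 1
    return "".join(out)


def value_seen_by_app(url: str, param: str) -> str:
    """Decoded parameter value the backend would read after neutralization."""
    query = neutralize_query(urlsplit(url).query)
    return parse_qs(query)[param][0]


if __name__ == "__main__":
    print(neutralize_query(urlsplit(TEST_URL).query))
    print(value_seen_by_app(TEST_URL, "name"))
```

The request is rewritten rather than rejected, so a test that expects a block response or a log entry will report "not detected" even though the reflected value no longer contains tag or attribute delimiters.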