Silviu

.htaccess file to help prevent SQL injection attempts


I use the text below in a .htaccess file to help prevent the SQL injection attacks that seem to crop up from time to time.

This will look for common attack methods and redirect them to a page called hack.cfm, which I will commonly just leave as a blank page while recording the type of attack.


RewriteEngine On

Options +FollowSymLinks
ServerSignature Off

# Never re-check the landing page itself; without this guard the rule at the
# bottom rewrites hack.cfm to hack.cfm again and the request ends in a loop.
RewriteCond %{REQUEST_URI} !/hack\.cfm$

# Unwanted HTTP methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
# CR/LF, raw or percent-encoded, anywhere in the request line
RewriteCond %{THE_REQUEST} ^.*(\r|\n|%0A|%0D).* [NC,OR]

# Quotes, angle brackets and CR/LF in the Referer and Cookie headers.
# The original groups ended in "|)" - an empty alternative that matches every
# request - so that trailing "|" has been removed from each group below.
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E).* [NC,OR]
# Odd characters, a double slash or a Windows-style "\..\" at the start of the path
RewriteCond %{REQUEST_URI} ^/(,|;|<|>|">|"<|/|\\\.\.\\).* [NC,OR]

# User agents: empty, generic HTTP libraries, crawlers and scanners
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E).* [NC,OR]

# Query string: a quote, bracket, semicolon or CR/LF followed by an SQL
# keyword; references to the local host; or quote/bracket characters at all.
# mod_rewrite tests the raw, still percent-encoded query string here.
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E).* [NC]

# Internally rewrite any matching request to the logging page; [L] stops
# further rules from running in this pass.
RewriteRule ^(.*)$ hack.cfm [L]

source

Edited by Silviu
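The following is an added example and not part of Silviu's post: it re-implements the three %{QUERY_STRING} conditions from the .htaccess above in Python (Apache's [NC] flag corresponds to re.IGNORECASE, and mod_rewrite matches the query string as sent, still percent-encoded) and runs them over a few constructed query strings, once with the conditions exactly as posted and once with the trailing empty alternative ("|)") removed from each group. The sample query strings and the helper names are assumptions made for the demonstration.

```python
"""Offline check of the %{QUERY_STRING} RewriteCond lines from the posted .htaccess."""
import re
from urllib.parse import unquote

# The three QUERY_STRING conditions exactly as posted.  Each character group
# ends in "|)", an empty alternative, so the group also matches the empty string.
POSTED_RULES = [
    r"^.*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
    r"^.*(localhost|loopback|127\.0\.0\.1).*",
    r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|).*",
]

# The same conditions with the stray empty alternative removed.
FIXED_RULES = [
    r"^.*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
    r"^.*(localhost|loopback|127\.0\.0\.1).*",
    r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E).*",
]


def would_redirect(query_string: str, rules) -> bool:
    """True if any condition matches, i.e. the request would be sent to hack.cfm.

    The query string is tested as it appears on the wire (not URL-decoded),
    which is what mod_rewrite sees in %{QUERY_STRING}.
    """
    return any(re.search(rule, query_string, re.IGNORECASE) for rule in rules)


# Constructed sample query strings (assumptions, not captured traffic).
SAMPLES = {
    "benign": "page=2&sort=name",
    # a legitimate search for "what's new": the apostrophe is %27
    "apostrophe_search": "q=what%27s%20new",
    "quoted": "id=1'%20OR%20'1'='1",
    # numeric context: no quote is needed, so none of the listed characters appear
    "numeric_union": "id=1%20UNION%20SELECT%201,2,3",
}


def evaluate(rules) -> dict:
    """Map each sample name to whether the given rule set would redirect it."""
    return {name: would_redirect(qs, rules) for name, qs in SAMPLES.items()}


def decoded_by_application(query_string: str) -> str:
    """What the application receives after URL decoding, regardless of the filter."""
    return unquote(query_string)


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(label, evaluate(rules))
    print("application sees:", decoded_by_application(SAMPLES["numeric_union"]))
```

As posted, the last condition matches every request, so every visitor lands on hack.cfm. With the empty alternative removed, a harmless search containing an apostrophe is still redirected, while a numeric injection that needs no quote at all is not matched by any of the three lines.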

STUPID. You do not prevent SQL injection from .htaccess.

This garbage:

RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

CANNOT be called filtering!

Besides the fact that it prevents nothing and only slightly hinders the attacker, it can also cause serious functionality problems.

SQL injection, like any other kind of security problem on the web-application side, is filtered in the web application!


Quoting the reply above ("STUPID. You do not prevent SQL injection from .htaccess." [...]):

Exactly, why does everyone look for workarounds and silly scripts instead of fixing the problem at the root? It doesn't take more than 2 lines of code.


Quoting the reply above ("STUPID. You do not prevent SQL injection from .htaccess." [...]):

Totally agree.

My opinion is that drastic methods of this kind, such as redirecting, are completely inadvisable because they get in the way of the whole application.

The most that should be done when a possible SQL syntax is detected is a simple email and/or adding a row in the db, but nothing more.

Security has always gotten in the way of usability, but dear developers, we too have to draw a line somewhere. It is one thing to spend a few seconds filling in a captcha (for example), but quite another to redirect the visitor over a single word.

---------------

On the other hand, if you want a DRASTIC measure you can filter absolutely ALL variables that can come from the user. That is: $_GET, $_POST, $_COOKIE, $_SERVER (only some elements), and the headers (in case you play with them too much).

If you really want to have a few variables unfiltered by this drastic measure, build yourself a mini-framework so you can have total control over the application without too much hassle.

There are many solutions, but there is a limit that gets crossed: it is unacceptable to redirect or ban the visitor's IP just for a POSSIBLE SQL syntax.

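As an added example of the point made in the replies above (this is not code from the thread), here is the same kind of quote-free numeric payload that the .htaccess query-string conditions do not match, handled first by a query built from the raw parameter and then by a parameterized one, on a constructed in-memory SQLite database. The table and column names, the sample rows and the payload are assumptions made for the demonstration.

```python
"""String-built query vs. parameterized query for a product lookup by id."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public products table and a users table
    that the product lookup must never expose.  All rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "keyboard"), (2, "mouse")])
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (1, "admin", "hash-constructed"))
    return conn


def product_name_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """Deliberately vulnerable: the raw parameter becomes part of the SQL text,
    so whatever the client sends is parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def product_name_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Parameterized: the SQL text is fixed and the value is bound separately,
    so it is compared as a value and can never become a keyword or a second
    query.  A non-numeric value simply matches no integer id."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


# The same quote-free payload that slips past the .htaccess query-string
# conditions, already URL-decoded the way the application receives it.
PAYLOAD = "1 UNION SELECT password_hash FROM users"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", product_name_vulnerable(conn, PAYLOAD))
    print("safe:      ", product_name_safe(conn, PAYLOAD))
    print("safe, id 2:", product_name_safe(conn, "2"))
```

The string-built query returns the admin password hash next to the product name; the parameterized one returns nothing for the payload and still works for an ordinary id. Validating that the id is an integer before the query is a useful extra check, but it is the placeholder, not the regex in .htaccess, that removes the injection.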