Friday, December 4, 2020

Web Security Techniques Using Apache .htaccess

.htaccess Code to Block SQL Injection Attacks in QUERY_STRING

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START
#QUERY_STRING contains everything in the URL after the "?", e.g. mydomain.com/test.php?test=test
#Excluded the keywords "like", "version", "update", "insert", and "set" because they are common words and have caused false positives
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} cast [NC,OR]
RewriteCond %{QUERY_STRING} declare [NC,OR]
RewriteCond %{QUERY_STRING} drop [NC,OR]
RewriteCond %{QUERY_STRING} md5 [NC,OR]
RewriteCond %{QUERY_STRING} benchmark [NC,OR]
RewriteCond %{QUERY_STRING} table [NC,OR]
RewriteCond %{QUERY_STRING} column [NC,OR]
RewriteCond %{QUERY_STRING} distinct [NC,OR]
RewriteCond %{QUERY_STRING} substr [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} hex [NC,OR]
RewriteCond %{QUERY_STRING} truncate [NC,OR]
RewriteCond %{QUERY_STRING} convert [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} passthru [NC,OR]
RewriteCond %{QUERY_STRING} system [NC,OR]
RewriteCond %{QUERY_STRING} popen [NC,OR]
RewriteCond %{QUERY_STRING} proc [NC,OR]
RewriteCond %{QUERY_STRING} load [NC,OR]
RewriteCond %{QUERY_STRING} between [NC,OR]
RewriteCond %{QUERY_STRING} null [NC,OR]
RewriteCond %{QUERY_STRING} delay [NC,OR]
RewriteCond %{QUERY_STRING} char [NC,OR]
RewriteCond %{QUERY_STRING} sleep [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} unhex [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END
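The keywords above are unanchored substrings, so before deploying the block it helps to check which ordinary query strings would also land on the honeypot. The following is an added example, not part of the original post: a small Python emulation of how mod_rewrite combines these conditions (conditions are ANDed, and a run linked by [OR] counts as one group). The function names and sample query strings are constructed for illustration, and only regex patterns are handled.

```python
import re

# Constructed sample: a few of the page's keyword conditions, same syntax and flags.
RULES = """\
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} table [NC,OR]
RewriteCond %{QUERY_STRING} load [NC,OR]
RewriteCond %{QUERY_STRING} char [NC]
"""

COND = re.compile(r"RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")

def parse(text):
    """Parse QUERY_STRING conditions into (negated, regex, or_next) tuples."""
    conds = []
    for line in text.splitlines():
        m = COND.match(line.strip())
        if not m:
            continue  # comments, RewriteRule lines, conditions on other variables
        pattern = m.group(1)
        flags = {f.strip().upper() for f in (m.group(2) or "").split(",")}
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        regex = re.compile(pattern, re.I if "NC" in flags else 0)
        conds.append((negated, regex, "OR" in flags))
    return conds

def matched_by(conds, query):
    """Return the keywords that make the rule fire for `query`, or None if it does not fire."""
    hits, group_ok, group_hits = [], False, []
    for negated, regex, or_next in conds:
        ok = bool(regex.search(query)) != negated
        group_ok = group_ok or ok
        if ok and not negated:
            group_hits.append(regex.pattern)
        if not or_next:                  # this condition closes an [OR] group
            if not group_ok:
                return None              # one ANDed group failed: rule does not fire
            hits += group_hits
            group_ok, group_hits = False, []
    return hits
```

Run against benign traffic from your own access log, `matched_by` names the keyword responsible for each hit, which is the list to review when deciding what else to exclude.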


Hackers have adapted their methods to disguise or obfuscate SQL Injection and Code Injection commands from web application firewalls using character encoding. The code below uses the same framework as above but tests for character encoding in the QUERY_STRING input variable, and suspicious traffic is sent to the honeypot.

##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START
#QUERY_STRING contains everything in the URL after the "?", e.g. mydomain.com/test.php?test=test
#Excluded "%20", "%2F", "%26", "%3A", "%3D" due to use in site URL variables
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} %00 [OR]
RewriteCond %{QUERY_STRING} %0A [NC,OR]
RewriteCond %{QUERY_STRING} %0D [NC,OR]
RewriteCond %{QUERY_STRING} %21 [OR]
RewriteCond %{QUERY_STRING} %22 [OR]
RewriteCond %{QUERY_STRING} %23 [OR]
RewriteCond %{QUERY_STRING} %24 [OR]
RewriteCond %{QUERY_STRING} %25 [OR]
RewriteCond %{QUERY_STRING} %27 [OR]
RewriteCond %{QUERY_STRING} %28 [OR]
RewriteCond %{QUERY_STRING} %29 [OR]
RewriteCond %{QUERY_STRING} %40 [OR]
RewriteCond %{QUERY_STRING} %60 [OR]
RewriteCond %{QUERY_STRING} %2A [NC,OR]
RewriteCond %{QUERY_STRING} %2B [NC,OR]
RewriteCond %{QUERY_STRING} %2C [NC,OR]
RewriteCond %{QUERY_STRING} %2D [NC,OR]
RewriteCond %{QUERY_STRING} %3B [NC,OR]
RewriteCond %{QUERY_STRING} %3C [NC,OR]
RewriteCond %{QUERY_STRING} %3E [NC,OR]
RewriteCond %{QUERY_STRING} %5B [NC,OR]
RewriteCond %{QUERY_STRING} %5C [NC,OR]
RewriteCond %{QUERY_STRING} %5D [NC,OR]
RewriteCond %{QUERY_STRING} %5E [NC,OR]
RewriteCond %{QUERY_STRING} %5F [NC,OR]
RewriteCond %{QUERY_STRING} %7B [NC,OR]
RewriteCond %{QUERY_STRING} %7C [NC,OR]
RewriteCond %{QUERY_STRING} %7D [NC,OR]
RewriteCond %{QUERY_STRING} %7E [NC,OR]
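#A CondPattern that starts with ">" or "<" is a string comparison, not a regex, so the literal characters are wrapped in a character class
RewriteCond %{QUERY_STRING} [>] [OR]
RewriteCond %{QUERY_STRING} [<] [OR]
RewriteCond %{QUERY_STRING} ;
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END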

To block Code Injection attempts we will scan the QUERY_STRING variable for common programmatic commands that are not used in standard written English. Unless your website is focused on programming, it would be highly suspicious to see these strings in a normal webform submission. The code below uses the same framework as the previous two code snippets but tests for programmatic commands in the QUERY_STRING input variable, and suspicious traffic is sent to the honeypot.

##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- START
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{QUERY_STRING} sanitize [NC,OR]
RewriteCond %{QUERY_STRING} eval [NC,OR]
RewriteCond %{QUERY_STRING} base64 [NC,OR]
RewriteCond %{QUERY_STRING} echo [NC,OR]
RewriteCond %{QUERY_STRING} @set [NC,OR]
RewriteCond %{QUERY_STRING} @ini [NC,OR]
RewriteCond %{QUERY_STRING} dirname [NC,OR]
RewriteCond %{QUERY_STRING} decode [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- END
