Prevent XSS and SQL Injection
Today I was toying with Apache and made a .htaccess for all of you that blocks the most common XSS and SQL injection vectors in the request URI. It inspects the request URI and rewrites any matching request to a logging script, which e-mails the webmaster the offender's details and what the request looked like when this user was trying to mess around with some scripts. I don't think you should use the e-mail part; just log it to a database instead. But hey, that's up to you I guess. Don't test my intelligence, it's not on this server. The patterns are case insensitive and match anywhere in the URI and in every variable. They check both the plain character and its URL-encoded form. Do not expect this to fix everything on your server; it is only an extra, somewhat clever, freebie.
Ok, so what does it do…
XSS:
http://www.somesite.com/,;<>'`
http://www.somesite.com/file.php?var=">abc<
http://www.somesite.com/file.php?var=<script>abc
http://www.somesite.com/file.php?var=javascript:abc
SQL:
http://www.somesite.com/file.php?var=; sqlfunction abc
http://www.somesite.com/file.php?var=' sqlfunction abc
http://www.somesite.com/file.php?var=" sqlfunction abc
.htaccess
Options +FollowSymLinks
RewriteEngine On
# Never re-process the logger itself: the rewrites below keep the original
# query string, so without this guard log.php would match its own rules again
RewriteRule ^log\.php$ - [L]
# Quote (plain or %-encoded) followed later by an angle bracket
RewriteCond %{QUERY_STRING} ("|%22|'|%27).*(>|%3E|<|%3C) [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# <script ... > with either bracket possibly encoded
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# javascript: pseudo-URLs (the example above has no ';' after it, so none is required here)
RewriteCond %{QUERY_STRING} javascript: [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# Quote or statement separator followed by an SQL keyword
# (note: short words like or/and/if also match inside ordinary words)
RewriteCond %{QUERY_STRING} (;|'|%27|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# Metacharacters anywhere in the path itself (not the query string)
RewriteRule (,|;|<|>|'|`) /log.php [NC,L]
log.php
<?php
// Everything below comes straight from the request, so it is attacker-controlled text
$r = $_SERVER['REQUEST_URI'] ?? '';
$q = $_SERVER['QUERY_STRING'] ?? '';
$i = $_SERVER['REMOTE_ADDR'] ?? '';
$u = $_SERVER['HTTP_USER_AGENT'] ?? '';
$mess = $r . ' | ' . $q . ' | ' . $i . ' | ' . $u;
// As said above, you probably want to write this to a database instead of mailing every hit
mail("admin@site.com", "bad request", $mess, "From: bot@site.com");
http_response_code(403);
echo "Ugly!";
?>
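To see which of the .htaccess rules above a given URL would trip, and where the keyword rule over-matches, here is an added re-implementation of the patterns in Python (not the post's own code). It assumes these simple regexes behave identically under Apache's PCRE and Python's `re`, and uses constructed sample URLs: the post's own examples plus two benign look-alikes.

```python
import re
from urllib.parse import urlsplit

# Re-implementation of the .htaccess conditions above; Apache's [NC] is re.IGNORECASE.
# Assumption: the patterns match the same way under Apache's PCRE and Python's re.
QUERY_RULES = [
    # quote (plain or %-encoded) followed somewhere later by an angle bracket
    ("quote-then-angle", r'''("|%22|'|%27).*(>|%3E|<|%3C)'''),
    # <script ... > with either bracket possibly encoded
    ("script-tag", r'''(<|%3C).*script.*(>|%3E)'''),
    # javascript: pseudo-URL
    ("javascript-uri", r'''javascript:'''),
    # quote or ';' followed by an SQL keyword; "or"/"and"/"if" also match inside words
    ("sql-keyword", r'''(;|'|%27|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)'''),
]
# the last RewriteRule looks at the path, not the query string
PATH_RULE = ("path-metachar", r"[,;<>'`]")


def classify(url):
    """Return the names of the rules the URL would trip, in .htaccess order."""
    parts = urlsplit(url)  # query stays raw (undecoded), like Apache's %{QUERY_STRING}
    hits = [name for name, pat in QUERY_RULES
            if re.search(pat, parts.query, re.IGNORECASE)]
    if re.search(PATH_RULE[1], parts.path, re.IGNORECASE):
        hits.append(PATH_RULE[0])
    return hits


if __name__ == "__main__":
    # constructed sample requests: the post's examples plus two benign look-alikes
    samples = [
        "http://www.somesite.com/,;<>'`",
        'http://www.somesite.com/file.php?var=">abc<',
        "http://www.somesite.com/file.php?var=<script>abc",
        "http://www.somesite.com/file.php?var=javascript:abc",
        "http://www.somesite.com/file.php?var=%27%20union%20select%20abc",
        "http://www.somesite.com/file.php?name=o%27brien%20store",  # false positive: 'or' in 'store'
        "http://www.somesite.com/file.php?q=select+store",          # keyword but no quote: passes
    ]
    for u in samples:
        print(f"{u:66} -> {classify(u) or 'pass'}")
```

The `o'brien store` case shows why the keyword rule needs care before going live: any quote in legitimate input followed by an ordinary word containing `or`, `and` or `if` gets logged as an attack.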
Filed under: b3st pract1c3s, codemonkey, exploit, security