| Wednesday April 23rd 2014


Prevent XSS and SQL Injection


Today I was toying with Apache and made a .htaccess for all of you that blocks the most commonly used XSS and SQL injection vectors in the request URI. It inspects the request URI and routes the offending request to a log script, which e-mails the webmaster with the visitor's details and what this user was trying to pull off with their scripts. I don't think you should use the e-mail part; just log it to a database. But hey, that's up to you I guess. Don't test my intelligence, it's not on this server. The patterns are case insensitive and match anywhere in the URI and in every variable. Each character is checked both as the literal character and in its URL-encoded form. Don't expect this to fix everything on your server; it is only an extra clever freebie.

Ok, so what does it do…

XSS:

http://www.somesite.com/,;<>'`

http://www.somesite.com/file.php?var=">abc<

http://www.somesite.com/file.php?var=<script>abc

http://www.somesite.com/file.php?var=javascript:abc

SQL:

http://www.somesite.com/file.php?var=; sqlfunction abc

http://www.somesite.com/file.php?var=' sqlfunction abc

http://www.somesite.com/file.php?var=" sqlfunction abc

.htaccess

Options +FollowSymLinks
RewriteEngine On

# %{QUERY_STRING} is matched raw (not URL-decoded), so every character is listed
# both literally and as %XX. [NC] = case-insensitive, [L] = stop after a match.

# quote followed by an angle bracket: ">abc<
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# <script ... >
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# javascript: scheme anywhere in the query string (no trailing ; required)
RewriteCond %{QUERY_STRING} javascript: [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# separator or quote (also %3B / %27) followed by an SQL keyword
RewriteCond %{QUERY_STRING} (;|%3B|'|%27|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC,L]
# separators and quotes in the path itself; RewriteRule never sees the query string
RewriteRule (,|;|<|>|'|`) /log.php [NC,L]

log.php

<?php
// Reached through the rewrite rules above for every request that matched a
// blocked pattern. REQUEST_URI still holds the original client URI.
$r = $_SERVER['REQUEST_URI'];
$q = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
$i = $_SERVER['REMOTE_ADDR'];
$u = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''; // header may be absent
$mess = $r . ' | ' . $q . ' | ' . $i . ' | ' . $u;
// Request data goes into the body only; the header argument stays fixed.
mail("admin@site.com", "bad request", $mess, "From: bot@site.com");
echo "Ugly!";
?>
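To see what the rules above actually catch (and what they catch by mistake) before deploying them, here is an added Python harness that is not part of the original post: it applies the same regexes the way mod_rewrite does, case-insensitively against the raw percent-encoded query string, with the last rule applied to the path only. The %27/%3B alternatives, the rule names and the sample requests are my own additions.

```python
import re

# Added example (not from the post): replay the .htaccess rules in Python to
# see which requests they would divert to log.php. mod_rewrite tests
# %{QUERY_STRING} raw (still percent-encoded) and [NC] makes it case-insensitive,
# so the literal and the %XX form of each character must both be listed.
# The %27 / %3B alternatives are an addition to the post's SQL rule.
QUERY_RULES = {
    "quote-then-angle": r'("|%22).*(>|%3E|<|%3C).*',
    "script-tag":       r"(<|%3C).*script.*(>|%3E)",
    "javascript-uri":   r"javascript:",
    "sql-keyword":      r"""(;|%3B|'|%27|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*""",
}
# The final RewriteRule is applied to the path only; it never sees the query.
PATH_RULE = r"(,|;|<|>|'|`)"


def classify(request_uri):
    """Return the names of the rules that would rewrite this REQUEST_URI to log.php."""
    path, _, query = request_uri.partition("?")
    hits = [name for name, pattern in QUERY_RULES.items()
            if re.search(pattern, query, re.IGNORECASE)]
    if re.search(PATH_RULE, path):
        hits.append("path-chars")
    return hits


# Constructed sample requests: the vectors from the post, one encoded variant,
# and two ordinary requests. The apostrophe-plus-"and" search is legitimate
# traffic that the keyword rule flags anyway, which is the false-positive
# cost of matching short words like "or", "and" and "if".
SAMPLES = [
    "/,;<>'`",
    "/file.php?var=%22%3Eabc%3C",
    "/file.php?var=<script>abc",
    "/file.php?var=javascript:abc",
    "/file.php?var=%27+union+select+abc",
    "/search.php?q=don't+stop+and+go",
    "/page.php?id=42&sort=name",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        hits = classify(uri)
        print(f"{uri:40} -> {', '.join(hits) or 'allowed'}")
```

Run it after every change to the rule set; a benign request turning up in the output is your signal to narrow a pattern before real users hit it.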

Reader Feedback

5 Responses to “Prevent XSS and SQL Injection”

  1. David says:

    Great post, was looking for something exactly like this to block XSS and also notify by email.

  2. Mark says:

    I delight in, lead to I found exactly what I used to be having a look for. You have ended my four day long hunt! God Bless you man. Have a great day. Bye

  3. Don says:

    I have been browsing online more than 3 hours lately, but I by no means found any interesting article like yours. It is lovely worth enough for me. In my view, if all website owners and bloggers made just right content as you did, the web will probably be much more helpful than ever before.

  4. Fenwick says:

    I’m no longer sure the place you are getting your information, however good topic. I must spend some time studying much more or working out more. Thanks for wonderful information I used to be looking for this info for my mission.

  5. Jake C says:

    Thank you for another wonderful post. Where else may anybody get that type of info in such an ideal manner of writing? I’ve a presentation subsequent week, and I am at the look for such information.
