Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
.htaccess simple web app firewall
Posted by: adam
Date: April 29, 2008 04:20PM

Hi all,

Apologies if someone has already posted about this but I wondered what your thoughts were:

http://www.0x000000.com/?i=558

Something you would recommend implementing on wordpress/joomla etc. (or just every site) type sites?

Adam

Re: .htaccess simple web app firewall
Posted by: tx
Date: April 29, 2008 05:56PM

I don't consider it a substitution for some of the more robust WAFs available; however, when I have a client's site that needs some quick defenses put up (esp. where there are budget concerns), Ronald's htaccess rules have been of invaluable assistance.

-tx @ lowtech-labs.org

Re: .htaccess simple web app firewall
Date: April 30, 2008 02:15PM

The .htaccess example Ronald has provided is a good starting point for those who are unsure of exactly what needs to be done in order to implement a more secure environment for their content, but as tx said, "I don't consider it a substitution for some of the more robust WAFs available", and it is still no excuse for insecure coding and programming (neither are web application firewalls). As Ronald also points out, the rules have been optimized for performance, because the file is parsed for every single object requested (the page and all subsequent images, embeddable content, et cetera), which means the larger the .htaccess, the longer the delay on requests. There also may be some scenarios where some of these rules are not ideal, depending on how the website has been developed.
Quote

RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
This pattern will match <, >, ', encoded line-feeds, encoded carriage returns, encoded apostrophes, encoded less-than characters, encoded greater-than characters, and encoded null bytes. While it is highly doubtful that anyone would want their visitors or users placing null bytes in requests, if there are any client- or server-side scripts that encode any of the other characters in a GET request, the server will issue the 302 redirection. Again, however, this is really a matter of how the website was programmed, what was used (self-created versus content management system), and who created it.
If you're not too worried about the performance impact, then by all means take the example and build upon it in a way that fits what you are trying to achieve. My .htaccess file is almost 400 KB, but that's because I have created hundreds of custom rulesets to catch malicious activity (both human and automated) in addition to denying access to thousands of IP ranges that seem to harbor nothing but bots, scrapers, and SPAM (this is in addition to my web application firewall, however). You should look into mod_security if you're running Apache.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: .htaccess simple web app firewall
Posted by: Matt Presson
Date: April 30, 2008 04:23PM

@Awesome AnDrEw:

Would you mind posting your .htaccess so that others may learn from it as well? Ronald's is pretty robust, but the more examples the better and the more ideas people can glean as to how to mitigate attack vectors.

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

Re: .htaccess simple web app firewall
Posted by: rcbarnett
Date: April 30, 2008 04:40PM

The biggest attack vector that this is missing is argument data passed in POST payloads. Mod_Rewrite does not have a variable for this data, so it would only catch attacks passed in QUERY_STRINGS. So, if you have an app (such as Joomla, WordPress, etc...) that accepts POSTs, then this defense will not work.

Use ModSecurity - www.modsecurity.org - it is free and it allows for much better control over security rules and logging.

Re: .htaccess simple web app firewall
Posted by: Gareth Heyes
Date: April 30, 2008 04:41PM

I've used and improved Ronald's excellent rules. I consider them a layer of defense, so I don't use it as an excuse not to filter my code.

Big thanks to Ronald for sharing his excellent knowledge!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 24, 2009 03:54PM

So I know this is an old thread, but I was trying to deploy this on my server, and to test it I made a little PHP script that's open to XSS and tried to send it a few XSS payloads, all of which worked. So the "app firewall" isn't working right? Any ideas?

Re: .htaccess simple web app firewall
Posted by: wireghoul
Date: February 24, 2009 09:10PM

Turn on rewrite log and check it?
The script/url/querystring will have to match one of the rules for it to work. Your regex foo should be of use here.

[www.justanotherhacker.com]

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 25, 2009 02:17PM

thanx for the reply
Well, I'm trying to send <I>hello, which matches this rule:
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
right? And it works fine; by fine I mean it renders my <I> tag and nothing in the log.

Re: .htaccess simple web app firewall
Posted by: thornmaker
Date: February 25, 2009 03:17PM

^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.*

I haven't tested it yet (so take this all with a grain of salt), but this regex should match strings starting with a forward slash char, i.e. /, followed by any one of the following: , ; : < > "> "< / \..\ followed by any single character repeated 0 to 9999 times, followed by any character repeated 0 to infinity times. Note that the | character is a meta-character in the regular expression syntax which means "or".

<|> will definitely not match, but any of the following should match this regex...

/,
/,,,,
/;
/<
/"<
/<
/<oeiwjfaoiwejfoaiwefjo
/;
/;aoweijfaowiefj

btw, the .{0,9999}.* at the end of the regex seems useless to me, but maybe I'm overlooking something. I suggest you read up some on regular expression syntax. http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html says that the RewriteCond syntax is mostly the same as Perl's regex syntax. See http://www.regular-expressions.info/ for general regex info.

Re: .htaccess simple web app firewall
Posted by: backbone
Date: February 26, 2009 02:49AM

@Anarchy Angel:

try this rule: (<|>|\\|\|)+



and using a tool while working with regex might be useful...

---
blog [-] microblog

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 26, 2009 11:21AM

Nope, still no love. Here's the full .htaccess file:

Options +FollowSymLinks
RewriteEngine On
ServerSignature Off

# Every condition below carries [OR], so the single RewriteRule at the end
# fires when ANY one of them matches.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# REQUEST_URI is the decoded path, so an encoded %3C is matched here as a literal <
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
# This condition fires on any query string containing a dot followed by a letter
# or digit (e.g. price=1.5), not only on file names
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

# RewriteLog is only valid in the server config or a <VirtualHost>; inside a
# .htaccess file Apache rejects it ("not allowed here") and the directory
# answers with a 500. Set it in httpd.conf instead, together with a log level:
# RewriteLog "/var/log/rewrite.log"
# RewriteLogLevel 3

# Matching requests are rewritten to index.php. None of the conditions above
# can see a POST body, so payloads sent in the body are never inspected.
RewriteRule ^(.*)$ index.php

<I>hello and <script>alert('hello')</script> still get rendered. I haven't tried any SQLi on it yet.

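To make the posted ruleset concrete, here is an added Python harness (not part of this thread, Ronald's rules or mod_rewrite itself) that transcribes a subset of the RewriteCond lines above as regular expressions and runs constructed sample requests through them. It shows which component each condition inspects, why the encoded and unencoded forms of a payload both trip the QUERY_STRING rules, the false positives Awesome AnDrEw described (a legitimate apostrophe or a decimal number in the query string), and rcbarnett's point that the same payload in a POST body is never seen. The function names, the sample requests and the user-agent string are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Subset of the RewriteCond lines from the .htaccess posted above, transcribed
# as (server variable, pattern) pairs. Every condition in that file carries
# [OR], so the rule fires when ANY pattern matches; [NC] becomes re.IGNORECASE.
# Python's re dialect agrees with mod_rewrite's PCRE for these alternations.
# THE_REQUEST, HTTP_REFERER and HTTP_COOKIE are left out for brevity.
RULES = [
    ("REQUEST_METHOD", r"^(HEAD|TRACE|DELETE|TRACK)"),
    ("REQUEST_URI", r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.*'),
    ("HTTP_USER_AGENT", r"^$"),
    ("HTTP_USER_AGENT", r"^.*(libwww-perl|curl|wget|python|nikto|scan).*"),
    ("QUERY_STRING", r"^.*(localhost|loopback|127\.0\.0\.1).*"),
    ("QUERY_STRING", r"^.*\.[A-Za-z0-9].*"),
    ("QUERY_STRING", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*"),
]
COMPILED = [(var, pat, re.compile(pat, re.IGNORECASE)) for var, pat in RULES]


def server_vars(method, target, user_agent="Mozilla/5.0 (constructed)", body=""):
    """Model the mod_rewrite server variables for one request (assumed helper).

    REQUEST_URI is the URL-decoded path (so %3C shows up as a literal '<'),
    QUERY_STRING is kept raw, and the request body is accepted only to make
    rcbarnett's point explicit: mod_rewrite has no variable for it, so it
    never reaches any RewriteCond and is deliberately discarded here.
    """
    parts = urlsplit(target)
    return {
        "REQUEST_METHOD": method,
        "REQUEST_URI": unquote(parts.path),
        "QUERY_STRING": parts.query,
        "HTTP_USER_AGENT": user_agent,
    }


def matches(env):
    """Return the (variable, pattern) pairs that fire for this request.

    mod_rewrite applies an unanchored regex search, hence re.search rather
    than re.match; the patterns themselves carry ^ where the ruleset wants it.
    """
    return [(var, pat) for var, pat, rx in COMPILED if rx.search(env[var])]


def is_blocked(env):
    """True when any condition matched, i.e. the final RewriteRule would fire."""
    return bool(matches(env))


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("GET", "/page.php?var=<script>hi</script>", ""),
        ("GET", "/page.php?var=%3Cscript%3Ehi%3C/script%3E", ""),
        ("GET", "/%3Cfoo", ""),                    # decoded before REQUEST_URI is matched
        ("GET", "/,", ""),                         # thornmaker's REQUEST_URI example
        ("GET", "/page.php?name=O'Reilly", ""),    # legitimate apostrophe: false positive
        ("GET", "/page.php?price=1.5", ""),        # dot + digit in the query: false positive
        ("POST", "/page.php", "var=<script>hi</script>"),  # same payload, invisible in the body
        ("GET", "/page.php", ""),
    ]
    for method, target, body in samples:
        env = server_vars(method, target, body=body)
        hits = matches(env)
        print(f"{method:4} {target:42} body={body!r:26} "
              f"{'BLOCKED' if hits else 'passed':7} {[v for v, _ in hits]}")
```

Running the script prints one verdict per sample: both forms of the script tag, the decoded path, the leading comma, the apostrophe and the decimal number are blocked, while the POST request carrying the identical payload and the plain GET pass untouched.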
Re: .htaccess simple web app firewall
Posted by: Gareth Heyes
Date: February 26, 2009 11:23AM

Shared hosting?

Try RewriteBase

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 26, 2009 11:53AM

Nothing. I'm using this on an Ubuntu 8.04 LAMP with another "teh main one" site. I know mod_rewrite is installed and enabled, but I just can't seem to work the magic right.

Re: .htaccess simple web app firewall
Posted by: Gareth Heyes
Date: February 26, 2009 12:16PM

How are you passing the vectors?

like page.php?<script>alert(1)</script>

Some error messages would be nice

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 26, 2009 12:52PM

page.php?var=<script>hi</script>

no errors

Re: .htaccess simple web app firewall
Posted by: Gareth Heyes
Date: February 26, 2009 02:27PM

Search for AllowOverride in your httpd.conf and check it's set to "All"

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 26, 2009 03:47PM

OK lol, that seemed to have been an issue, thanx y0, but I'm not done just yet. I now get a 500 internal server error when I go to a dir with my .htaccess file in it, which tells me mod_rewrite isn't running. But this line is in my httpd.conf file:
LoadModule rewrite_module lib/apache/mod_rewrite.so
Now when I run find for mod_rewrite.so or .c I get nothing,
so maybe I don't have it installed? Crazy it would be in the conf file if I don't even have the mod on my box.

Re: .htaccess simple web app firewall
Posted by: backbone
Date: February 26, 2009 04:54PM

Check whether the file exists...

Also, I would recommend that you whitelist user agents instead of blacklisting... a list of user agents (bots/spiders/robots) can be found here...

---
blog [-] microblog

Re: .htaccess simple web app firewall
Posted by: Gareth Heyes
Date: February 27, 2009 05:25AM

@Anarchy Angel

I think you'll need to recompile Apache with mod_rewrite enabled or install this:

http://www.apachefriends.org/en/xampp-linux.html

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: February 27, 2009 11:11AM

tybvm

Re: .htaccess simple web app firewall
Posted by: rvdh
Date: February 27, 2009 08:08PM

thornmaker Wrote:

Quote

This regex should match strings starting with a forward slash char, i.e. /,

The REQUEST_URI registers at the scope of " / ". That's why it starts right there.

Quote

<|> will definitely not match

Yes it will. This is based upon the REQUEST_URI which is passed UNENCODED, rather than urlencoded as in the query string.

Quote

btw, the .{0,9999}.* at the end of the regex seems useless to me, but maybe I'm overlooking something.

This isn't useless, it's there for a reason. The maximum chars in the REQUEST_URI is set to 9999 (which is the maximum the mod_rewrite regex registers.) Now, there are plenty of attacks that use overlong request URIs for either denial of service attacks as well as canonicalization issues. Most of them are old attacks, but in some cases, like Tomcat or on a Mac, it still can happen. On a Mac, for example, overlong request URIs like:
.:.:.:.:.:.:.:.:
can be problematic, as well as in various other situations. Since it's never going to be legitimate, it's there to block, not to detect.

Re: .htaccess simple web app firewall
Posted by: rvdh
Date: February 27, 2009 08:21PM

@Anarchy Angel

Please put it into your httpd.conf if you have access to it; .htaccess is rather slow since Apache needs to parse the .htaccess every time, whereas httpd.conf is loaded once on booting.

Re: .htaccess simple web app firewall
Posted by: Anarchy Angel
Date: March 01, 2009 01:27AM

will do tyvm rvdh
