
PandoraBox 28.08.2008 03:18

[.htaccess] XSS Filter
 
I started with this a month ago, and I made it into a little project for myself. I deleted a few blog items, as they were getting too confusing. So this post describes filtering out anything malicious while keeping HTML, in two steps. I'm still working on this project, so I update it regularly. My goal is to make it as hard as possible to insert malicious code while still allowing basic HTML and inline CSS.

JavaScript function to replace pieces of code.
Код:

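/**
 * Replacement rules applied by Strip(), in order. Each entry is
 * [pattern, replacement]. Every pattern carries the g flag so that all
 * occurrences are handled, not only the first one.
 *
 * This is the author's deny-list with each pattern written as a valid
 * regular-expression literal (the characters \ ? ( ) / [ . are escaped
 * where they are meant literally). It removes the tokens listed here and
 * nothing else; it is not an allow-list HTML sanitizer, and the result is
 * still assigned to innerHTML, so treat it as one layer rather than the
 * only control when the input is untrusted.
 */
const STRIP_RULES = [
  [/\r\n|\r|\n/g, "<br />"],                 // line breaks to <br /> (CRLF counts once)
  [/<\?php/gi, " "],                         // php open tag, before the bare <? rule
  [/<\?/g, " "],                             // php short open tag
  [/\?>/g, " "],                             // php close tag
  [/<%/g, " "],                              // asp open tag
  [/%>/g, " "],                              // asp close tag
  [/%00/g, " "],                             // url-encoded NUL
  [/\0/g, " "],                              // raw NUL character
  [/&#/g, " "],                              // numeric entities (a bare # stays usable in inline CSS)
  [/&lt/gi, " "],                            // &lt entity
  [/\('/g, " "],                             // (' sequence
  [/'\)/g, " "],                             // ') sequence
  [/\/\*/g, " "],                            // start of a /* comment
  [/!\[CDATA/gi, " "],                       // CDATA section opener
  [/javascript/gi, " "],                     // javascript keyword
  [/<\/script>/gi, " "],                     // script close tag
  [/<script>/gi, " "],                       // bare script open tag
  [/<script/gi, " "],                        // script open tag with attributes
  [/\bon\w+\s*=/gi, " "],                    // on... event-handler attributes
  [/\beval\s*\(/gi, " "],                    // eval(
  [/fromCharCode/gi, " "],                   // fromCharCode
  [/getElementBy\w*/gi, " "],                // getElementBy* calls
  [/!--/g, " "],                             // SSI / comment opener
  [/<!/g, " "],                              // markup declarations
  [/<(meta|base|style|ilayer|iframe|frame|embed|link|import)/gi, " "], // element opens (prefix match, so <frameset is caught too)
  [/(vbscript|data|base64|expression|urn)\s*[(*):]/gi, " "],           // URI schemes and CSS expression(
  [/(binding|moz-binding|behavior)\s*[(*):]/gi, " "],                  // CSS bindings / behaviors
  [/(window|document|style)\.(location|cookie|images|frames)/gi, " "], // DOM property access
];

/**
 * Scrub `input` with STRIP_RULES and write the result into the element
 * with id "output" as HTML.
 *
 * @param {string} input - user-supplied text that may contain HTML.
 * @returns {string} the scrubbed text that was assigned to innerHTML.
 */
function Strip(input) {
  const text = STRIP_RULES.reduce(
    (acc, [pattern, replacement]) => acc.replace(pattern, replacement),
    String(input),
  );
  document.getElementById('output').innerHTML = text;
  return text;
}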

.htaccess blocking URI XSS & SQL injection.
Код:

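# Deny-list request filter: a request whose query string or path matches one
# of the patterns below is internally rewritten to log.php, which records and
# rejects it. A pattern list like this is a tripwire, not a replacement for
# escaping output and parameterising queries in the application; expect both
# bypasses and false positives (the (or|and|if) alternative fires on ordinary
# words such as "and" following any quote character).
Options +FollowSymLinks
RewriteEngine On

# Do not match the logger itself: the substitution keeps the original query
# string, so without this guard the conditions can match again on the
# internal redirect to log.php and the request loops until Apache gives up.
RewriteCond %{REQUEST_URI} !log\.php$
# quoted value followed by an angle bracket, raw or url-encoded
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC,OR]
# <script ...> in the query string
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# javascript: followed by a statement separator
RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC,OR]
# SQL keywords after a quote or statement separator
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
# [L]: stop processing once the request has been handed to the logger
RewriteRule ^(.*)$ log.php [NC,L]

# punctuation in the request path itself (this pattern never matches log.php)
RewriteRule (,|;|<|>|'|`) /log.php [NC,L]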

logging URI attacks: log.php
Код:

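<?php
// log.php: target of the .htaccess rewrite for requests that matched the
// deny-list. Records the request and rejects it.
//
// Every $_SERVER value read here comes from the client (REQUEST_URI and
// QUERY_STRING are the request line, HTTP_USER_AGENT is a request header),
// so it is treated as untrusted text: CR/LF are replaced so that one request
// cannot forge extra lines in the log or in the mail body. REQUEST_URI
// already contains the query string; QUERY_STRING is kept for readability.

/**
 * Return one $_SERVER field as a single line of text, or '-' when the
 * client did not send it (avoids an undefined-index notice for a missing
 * User-Agent header).
 */
function request_field($name) {
    $value = isset($_SERVER[$name]) ? $_SERVER[$name] : '-';
    return str_replace(array("\r", "\n"), ' ', $value);
}

$mess = request_field('REQUEST_URI') . ' | ' . request_field('QUERY_STRING')
      . ' | ' . request_field('REMOTE_ADDR') . ' | ' . request_field('HTTP_USER_AGENT');

// Write to the server error log as well as mailing: mail() can fail
// silently, and one message per matching request lets a client flood the
// admin mailbox, so the log file is the durable record.
error_log('bad request: ' . $mess);
mail("admin@site.com", "bad request", $mess, "from:bot@site.com");

// Reject rather than answer 200; the status line must go out before any body.
header('HTTP/1.1 403 Forbidden');
echo "Ugly!";
?>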


[Raz0r] 29.08.2008 16:09

Here is a good tool by Gareth Heyes called Hackvertor: _http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
It is designed to test web apps using various vectors, including XSS, SQL injection, fuzzing and many others. You can generate the vectors and post the data to your script, so you'll be able to check whether your filters can be bypassed.

