Developer

Reputation: 6350

Match request data in Apache Httpd.conf

I want to match request parameters in httpd.conf. If the request has malicious data, I want to return a 404 HTTP status code to the client. Request data should have numbers, words and the & and = signs. If there is anything apart from this in the request, we don't have to process the request further.

How can we do this in Apache 2.2?

Invalid URL:

http://ip/index.html?daa=1; rm /tmp/f;mkfifo /tmp/f;cat /tmp/f%7C/bin/sh -i %26

Valid URL:

http://ip/index.html?daa=1&data=1

After adding:

<Directory "folder/scripts">
    RewriteEngine On
    RewriteCond %{QUERY_STRING} !^[a-zA-Z0-9&=?\-]*$
    RewriteRule . test.html [R=404,L]
</Directory>

It is not redirecting to my test.html page.

Upvotes: 0

Views: 303

Answers (2)

revo

Reputation: 48731

If you are trying to filter query strings only, you could add this on top of your rules:

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} !^[a-zA-Z0-9&=@?]*$
RewriteRule . /index.php [R=404,L]

Note: You only have to put the allowed characters in the character class.

Upvotes: 1

anubhava

Reputation: 785286

You can use this rule as your top rule to block all requests with characters you don't want to allow:

RewriteEngine On

RewriteCond %{THE_REQUEST} [A-Z]{3,}\s/+\S*[^/\w?&=.@-]\S*\sHTTP [NC]
RewriteRule ^ - [B,F]

Upvotes: 0
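
Added example, not part of the original question or answers: a small Python harness that runs the three patterns from this page against constructed query strings, so the differences between the allowlists can be checked before a rule goes into httpd.conf. Python's `re` stands in for Apache's regex engine here, and the helper name `verdicts`, the path `/index.html` and the sample strings are assumptions.

```python
import re

# Patterns copied from the page; re.ASCII keeps \w to [A-Za-z0-9_].
QUESTION_QS = re.compile(r'^[a-zA-Z0-9&=?\-]*$')        # question, %{QUERY_STRING}
REVO_QS = re.compile(r'^[a-zA-Z0-9&=@?]*$')             # revo, %{QUERY_STRING}
ANUBHAVA_REQ = re.compile(r'[A-Z]{3,}\s/+\S*[^/\w?&=.@-]\S*\sHTTP',
                          re.IGNORECASE | re.ASCII)     # anubhava, %{THE_REQUEST} [NC]


def verdicts(query_string, path="/index.html"):
    """Return which of the three rules would block the request (hypothetical helper)."""
    target = f"{path}?{query_string}" if query_string else path
    request_line = f"GET {target} HTTP/1.1"
    return {
        # "!pattern" in RewriteCond: the rule fires when the allowlist does NOT match.
        "question": QUESTION_QS.search(query_string) is None,
        "revo": REVO_QS.search(query_string) is None,
        # No "!" here: the rule fires when a disallowed character IS found.
        "anubhava": ANUBHAVA_REQ.search(request_line) is not None,
    }


# Constructed samples, written percent-encoded as a client would send them.
SAMPLES = [
    "daa=1&data=1",          # the page's valid query string
    "daa=1;%20rm%20/tmp/f",  # start of the page's invalid query string
    "",                      # no query string at all
    "mail=a@example",        # "@" is only in revo's and anubhava's classes
    "id=a-b",                # "-" is only in the question's and anubhava's classes
    "q=a%20b",               # "%" is in none of the classes
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:28} {verdicts(qs)}")
```

Because `%` is in none of the three character classes, any percent-encoded value is rejected by all of them, including harmless ones such as an encoded space.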
