Avoid Cross-site scripting with mod_rewrite


Postby judas » Fri Jul 28, 2006 1:22 am

Hi to everyone,

I'm trying to deny typing JavaScript into the address bar in order to avoid XSS injection.

Everyone tells me to recode all the servlets, packages, etc. to prevent these attacks, but I would like to prevent it with Apache directives.

The only directive I have found to prevent XSS is RewriteRule. I'm trying to rewrite all the URLs containing the character '<' and redirect them to an error page, but I haven't made it work.

I'm not used to writing mod_rewrite directives, so I don't really know if my problem is my RewriteRule syntax or if the problem is that I can't prevent these attacks with Apache.

I show you my code:

RewriteRule ^<* /error.htm

Has anyone prevented this kind of attack with mod_rewrite? If not, does anyone know another way to prevent them with Apache?

Thanks in advance
judas
 
Posts: 5
Joined: Fri Jul 28, 2006 1:10 am

Postby richardk » Fri Jul 28, 2006 6:07 am

Everyone tells me to recode all the servlets, packages, etc. to prevent these attacks

You should listen to them.

How about this (untested; I get a forbidden error whenever there's a < or a >):
Options +FollowSymLinks

RewriteEngine On

RewriteRule < /error.htm [R=301,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby judas » Fri Jul 28, 2006 12:17 pm

Hi Richard,

Thanks for your help.

I agree with you about recoding the whole application, I'm sure that's the best way of preventing XSS attacks, but this is not my application. I'm always afraid to modify code owned by other corporations...

In addition, there are some calls in the code to internal Oracle packages, so I don't have source code for them... That's the reason why I'm trying to do it with Apache directives.

Anyway, I will try your code sample, and I will keep you posted on the results.

Thank you so much.
judas
 
Posts: 5
Joined: Fri Jul 28, 2006 1:10 am

Postby judas » Wed Aug 02, 2006 2:11 am

Hi,

I have tested that code and it didn't work. On Oracle Portal, there are two configuration files in which anyone can write Apache policies: httpd.conf (the standard Apache file) and plsql.conf (the Oracle configuration file). I have tested this code in both files and the XSS injection is still working.

Anyway, it seems that RewriteRule can do this work, any URL with the "<" character can be redirected to an error page, but I can't understand the Rewrite syntax. In all related documents I have found the meaning of all the mod_rewrite directives, but no notes about how to write patterns... I think that's my problem, the pattern is not written well. Can anyone tell me, or point me to any document explaining, how the pattern has to be written?

Thanks
judas
 
Posts: 5
Joined: Fri Jul 28, 2006 1:10 am

Postby richardk » Wed Aug 02, 2006 2:36 am

I have tested this code on both files and the XSS injection is still working.

Try putting it in the <Directory> block for your document root.

Can anyone tell me, or point me to any document explaining, how the pattern has to be written?

http://www.regular-expressions.info/
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby judas » Tue Aug 08, 2006 8:19 am

Hi Richard,

I'm back...

I tested the code in the <Directory> block as you told me and the result was the same...

Maybe my problem is the position of the character in the URL I use to test. I suspect that Apache doesn't look at any character after the '?' symbol. If I am right, it seems to be a big problem... mod_plsql has configuration parameters to reject certain URLs (exclusion_list), but that didn't work either, and it seems that the problem is the same: the script injection is done in the parameter section, after the '?' symbol. My test URL is something like this:

http://myoracleserver/pls/mydad/package ... parameter=<script>alter('Hello')</script>

Here I have my security hole, always in the parameter section of the URL.

What do you think about this? Am I right or am I wrong?

Thanks for the tutorial link, I'm beginning to understand regular expressions.

Regards
judas
 
Posts: 5
Joined: Fri Jul 28, 2006 1:10 am

Postby richardk » Tue Aug 08, 2006 8:36 am

I suspect that Apache doesn't look at any character after the '?' symbol.

If you want to test the query string as well you can use this:
Options +FollowSymLinks

RewriteEngine On

# Test the URI
RewriteRule < /error.htm [R=301,L]

# Test the query string
RewriteCond %{QUERY_STRING} <
RewriteRule .* /error.htm [R=301,L]

If you don't want to test the URI, you can remove the first RewriteRule.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
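To see why the first rule missed the payload and why the RewriteCond on %{QUERY_STRING} catches it, here is an added Python simulation; it is not part of the thread and not Apache code. It splits a request URL the way httpd does, applies the `<` pattern to the percent-decoded path (what a RewriteRule pattern is matched against) and to the raw query string (what %{QUERY_STRING} holds), and adds a decoded-query check to make visible that a RewriteCond on the raw query string does not see a percent-encoded `<`. The host example.invalid and the sample URLs are constructed.

```python
"""Simulate how the thread's mod_rewrite rules see a request URL.

Apache keeps the URL path and the query string apart.  A RewriteRule pattern
is matched against the (percent-decoded) path only, which is why the first rule
never fired on input placed after '?'.  A RewriteCond on %{QUERY_STRING} is
matched against the raw, still-encoded query string.
"""
import re
from urllib.parse import urlsplit, unquote

ERROR_PAGE = "/error.htm"          # redirect target used in the thread's rules
ANGLE_BRACKET = re.compile(r"<")   # the pattern used in both of the thread's rules


def rule_matches_path(url: str) -> bool:
    """RewriteRule < ... : the pattern is tested against the decoded URL path."""
    return ANGLE_BRACKET.search(unquote(urlsplit(url).path)) is not None


def cond_matches_query(url: str) -> bool:
    """RewriteCond %{QUERY_STRING} < : tested against the raw query string."""
    return ANGLE_BRACKET.search(urlsplit(url).query) is not None


def thread_config_redirects(url: str):
    """Outcome of the thread's final config (both rules): redirect target or None."""
    if rule_matches_path(url) or cond_matches_query(url):
        return ERROR_PAGE
    return None


def decoded_query_matches(url: str) -> bool:
    """Stricter defender check: decode the query string before matching, so a
    percent-encoded '<' (%3C) is also caught.  mod_rewrite does not decode
    %{QUERY_STRING} for you; this function exists to show the gap."""
    return ANGLE_BRACKET.search(unquote(urlsplit(url).query)) is not None


# Constructed sample requests (not taken from the thread); example.invalid is a
# reserved placeholder host.
SAMPLES = {
    "angle in path":          "http://example.invalid/pls/dad/<b>/proc",
    "angle in query":         "http://example.invalid/pls/dad/proc?parameter=<b>hi</b>",
    "encoded angle in query": "http://example.invalid/pls/dad/proc?parameter=%3Cb%3Ehi",
    "clean":                  "http://example.invalid/pls/dad/proc?parameter=hello",
}


def report(url: str) -> dict:
    """Summarise which checks fire for one URL."""
    return {
        "rewrite_rule_fires": rule_matches_path(url),
        "query_cond_fires": cond_matches_query(url),
        "final_config_redirect": thread_config_redirects(url),
        "decoded_query_has_angle": decoded_query_matches(url),
    }


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:24} {report(url)}")
```

The simulation reproduces the matching, not mod_rewrite itself, so use it to reason about rule placement and decoding, not as a substitute for testing the real config. The "encoded angle in query" row is the reason richardk's first reply still stands: a pattern filter in front of an application is a stopgap, and output encoding in the servlets and packages is the fix.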

Postby judas » Fri Aug 11, 2006 12:04 am

Hi Richard,

Finally... it works!!!

Thank you so much for your help.

That was the problem, the '?' symbol. I didn't know about the QUERY_STRING condition.

So, finally this post is closed, I think.

Regards
judas
 
Posts: 5
Joined: Fri Jul 28, 2006 1:10 am

