Simple Web Application Firewall
Null Byte has posted a very simple web application “firewall” built from nothing but .htaccess mod_rewrite rules. It can mitigate some basic web application attacks, such as XSS and command injection, by filtering requests on patterns in the query string, and it also blocks some of the more dangerous HTTP verbs. While it is definitely no substitute for secure coding practices, and will not protect against more advanced (or unknown) attacks, it may help protect against the typical “low hanging fruit” vulnerabilities.
As these rules run at the web server level, they are completely language and application agnostic. The same simple rules can therefore protect a variety of web applications, whatever they are written in, from a variety of exploits now and in the future.
It also filters requests based on the user agent, blocking scripting languages, fuzzers, and common scanners. Although this is an effective way to cut down on malicious traffic generated by automated scanners, bots, and less skilled attackers, it is important to remember that it can easily be circumvented. User agent headers are trivial to spoof; most scripts and tools can be configured to send a header that makes the request appear to come from a Mozilla-compatible browser.
One note on filtering by HTTP verb: if you are using an application with a REST interface, you will probably want to allow the “DELETE” method, as it is used in REST API calls. It is not typically used when accessing a REST application through a browser, since most browsers do not natively support the “PUT” or “DELETE” verbs from HTML forms. Frameworks such as Ruby on Rails work around this limitation by sending a “POST” request with a hidden field containing the actual HTTP verb.
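To make the three kinds of filtering described above concrete, here is an added example of a minimal .htaccess rule set in the same spirit. It is written for this post and is not the Null Byte rule set; it assumes Apache with mod_rewrite enabled and `AllowOverride FileInfo` (or `All`) for the directory, and the pattern lists are illustrative starting points rather than a complete signature set.

```apache
# Added example (not the Null Byte rules): a tiny mod_rewrite "firewall".
# Assumes mod_rewrite is loaded and .htaccess overrides are permitted.
RewriteEngine On

# 1. Block HTTP methods a browser-driven site never needs.
#    If this directory serves a REST API that is called with PUT/DELETE
#    directly, remove those two from the list (see the note above).
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|CONNECT|PUT|DELETE)$ [NC]
RewriteRule .* - [F]

# 2. Block query strings carrying obvious XSS or command-injection markers.
#    %{QUERY_STRING} is matched *undecoded*, so both the raw and the
#    percent-encoded forms of each character have to be listed.
RewriteCond %{QUERY_STRING} (<|%3C)[^>]*script[^>]*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (;|%3B|\||%7C)\s*(cat|ls|id|wget|curl|nc)(\s|%20|$) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2F|%2E%2E%2F) [NC]
RewriteRule .* - [F]

# 3. Drop well-known scanner and scripting user agents. This only removes
#    noise from unmodified tools; the header is trivially changed, so it
#    is not a security boundary.
RewriteCond %{HTTP_USER_AGENT} (nikto|sqlmap|nmap|w3af|libwww-perl|python-urllib|python-requests) [NC]
RewriteRule .* - [F]
```

Each group ends with `RewriteRule .* - [F]`, which returns 403 Forbidden and stops processing for any request that satisfied the preceding conditions; conditions inside a group are chained with `[OR]`, while the last one (without `[OR]`) closes the group. Because the query string is compared before URL decoding, a rule that lists only `<script>` but not `%3Cscript%3E` is easy to miss, which is one reason rules like these are a supplement to, not a replacement for, fixing the application itself.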