Cross Site Scripting Rewrites
Hi, trying to continue this thread: http://www.helicontech.com/forum/12759- ... ponse.html
I have this URL
Code:
/scripts/?"><script>alert('s%20truts_sa_surl_xss%20plugin')</script>
or
/scripts/?"><script>alert('s truts_sa_surl_xss plugin')</script>
and these rules:
Code:
RewriteEngine on
RewriteBase /
RewriteCond METHOD (GET|HEAD|POST)
RewriteRule (.*)%00(.*) $1$2 [NC]
RewriteRule [^?]*\?.*[0-9;\t\s%()<>](?:select|delete|declare|script|set|cast|exec|char|nvarchar)[0-9;\t\s%()<>].* / [NC]
RewriteRule [^?]*\?.*(?:\<script\>|\<\/script\>).* / [NC]
RewriteRule (.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*) / [NC]
...
The log basically ignores everything after the ?, but on my site the whole URL gets returned and parsed.
Code:
(2) init rewrite engine with requested uri /scripts/?%22%3E%3Cscript%3Ealert('s%20truts_sa_surl_xss%20plugin')%3C/script%3E
(1) Htaccess process request C:\Program Files\Helicon\ISAPI_Rewrite3\httpd.conf
(1) Htaccess process request c:\users\rodrigo\documents\website\.htaccess
(3) applying pattern '(.*)%00(.*)' to uri 'scripts/'
(3) applying pattern '[^?]*\?.*[0-9;\t\s%()<>](?:select|delete|declare|script|set|cast|exec|char|nvarchar)[0-9;\t\s%()<>].*' to uri 'scripts/'
(3) applying pattern '[^?]*\?.*(?:\<script\>|\<\/script\>).*' to uri 'scripts/'
(3) applying pattern '(.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*)' to uri 'scripts/'
...
I would like to know what extra steps I have to take to parse the whole URL and rewrite it accordingly; at this point I'm stumped.
Thanks
- HeliconAndrew
Re: Cross Site Scripting Rewrites
Hello,
The reason this happens is that the /script part is located in the query string, not in the rule itself. According to the syntax, you need to perform the check in a condition, not in the rule, as in the following:
Code:
RewriteCond %{QUERY_STRING} (?:\<script\>|\<\/script\>).* [NC]
RewriteRule .* / [NC,L]
Regards
Andrew
Re: Cross Site Scripting Rewrites
Awesome,
Ended up using
Code:
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E).* [NC]
RewriteCond %{QUERY_STRING} (<|%3c)(script|%73%63%72%69%70%74)(>|%3e).* [NC]
RewriteRule (.*) http://www.site.com/$1? [R=301,L]
so it redirects without the query string if found offending.
Thanks a lot
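Added example, not part of the thread and not Helicon's code: a Python model of the matching shown in the log, where the rule patterns see only the path (scripts/) and the conditions see the query string. It assumes Python's re reads these patterns the way the rewrite engine does and that consecutive conditions are ANDed; it checks both the percent-encoded query string from the log and the literal one from the post, because the thread does not say which form %{QUERY_STRING} holds. The function names and the benign URI are constructed.

```python
import re

# RewriteRule patterns from the first post (all used with [NC]).
RULE_PATTERNS = [
    r"(.*)%00(.*)",
    r"[^?]*\?.*[0-9;\t\s%()<>](?:select|delete|declare|script|set|cast|exec|char|nvarchar)[0-9;\t\s%()<>].*",
    r"[^?]*\?.*(?:\<script\>|\<\/script\>).*",
    r"(.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*)",
]
# RewriteCond %{QUERY_STRING} patterns: the reply's, then the final post's pair.
REPLY_CONDS = [r"(?:\<script\>|\<\/script\>).*"]
FINAL_CONDS = [
    r"(<|%3C)([^s]*s)+cript.*(>|%3E).*",
    r"(<|%3c)(script|%73%63%72%69%70%74)(>|%3e).*",
]

# Request as logged (percent-encoded), as typed in the post, and a constructed benign one.
ENCODED = "/scripts/?%22%3E%3Cscript%3Ealert('s%20truts_sa_surl_xss%20plugin')%3C/script%3E"
LITERAL = "/scripts/?\"><script>alert('s%20truts_sa_surl_xss%20plugin')</script>"
BENIGN = "/scripts/?page=2&sort=name"


def split_request(uri):
    """Split the URI the way the log shows it: path without leading '/', query apart."""
    path, _, query = uri.partition("?")
    return path.lstrip("/"), query


def rule_matches(uri):
    """True if any original RewriteRule pattern matches what the rule is given (the path)."""
    path, _ = split_request(uri)
    return any(re.search(p, path, re.I) for p in RULE_PATTERNS)


def conds_match(conds, uri):
    """True if every condition matches the query string (conditions are ANDed)."""
    _, query = split_request(uri)
    return all(re.search(p, query, re.I) for p in conds)


def summarize(uri):
    """Collect what each rule set decides for one request URI."""
    return {"rule_input": split_request(uri)[0], "old_rules": rule_matches(uri),
            "reply_cond": conds_match(REPLY_CONDS, uri),
            "final_conds": conds_match(FINAL_CONDS, uri)}


if __name__ == "__main__":
    for name, uri in (("encoded", ENCODED), ("literal", LITERAL), ("benign", BENIGN)):
        print(name, summarize(uri))
```

The original rules report no match for either form because the text they are matched against is only scripts/, while the conditions decide on the query string itself.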