[.htaccess] XSS Filter

I started with this a month ago, and I made it into a little project for myself. I deleted a few blog items, as they were getting too confusing. So this post talks about filtering out anything malicious while keeping HTML, in two steps. I'm still working on this project, so I update it regularly. My goal is to make it as hard as possible to insert malicious code but still allow basic HTML and inline CSS.

JavaScript function to replace pieces of code.

Code:
function Strip(input) {
  var text = input;
  text = text.replace(/\n/g, "<br />");            // new line to br
  text = text.replace(/\r/g, "<br />");            // return to br
  text = text.replace(/<\?/gi, " ");               // php open tag
  text = text.replace(/\?>/gi, " ");               // php close tag
  text = text.replace(/<\?php/gi, " ");            // php
  text = text.replace(/<%/gi, " ");                // asp open tag
  text = text.replace(/%>/gi, " ");                // asp close tag
  text = text.replace(/%00/g, " ");                // url-encoded null removal
  text = text.replace(/\u0000/g, " ");             // unicode null removal
  text = text.replace(/&#/g, " ");                 // &# removal (numeric entities; # alone allowed for inline CSS)
  text = text.replace(/</g, " ");                  // < removal (note: this strips every '<', tags included)
  text = text.replace(/\('/g, " ");                // (' removal
  text = text.replace(/'\)/g, " ");                // ') removal
  text = text.replace(/\/\*/g, " ");               // comment openers used for script obfuscation
  text = text.replace(/!\[CDATA/gi, " ");          // CDATA sections used for script obfuscation
  text = text.replace(/javascript/gi, " ");        // script instance
  text = text.replace(/<script>/gi, " ");          // script instance
  text = text.replace(/<\/script>/gi, " ");        // script instance
  text = text.replace(/<script/gim, " ");          // script instance
  text = text.replace(/on(.*)\B[(.*)="]/gi, " ");      // event handlers (on...=")
  text = text.replace(/on(.*)\B[(.*)=(.*)]/gi, " ");   // event handlers (on...=...)
  text = text.replace(/eval\((.*)\)/gi, " ");      // eval(...) calls
  text = text.replace(/fromCharCode/gi, " ");      // String.fromCharCode
  text = text.replace(/getElementBy(.*)/gi, " ");  // getElementBy*
  text = text.replace(/!--/gi, " ");               // SSI / HTML comments
  text = text.replace(/<!/gi, " ");                // html
  text = text.replace(/<meta/gi, " ");             // html
  text = text.replace(/<base/gi, " ");             // html
  text = text.replace(/<style/gi, " ");            // html
  text = text.replace(/<ilayer/gi, " ");           // html
  text = text.replace(/<iframe/gi, " ");           // html
  text = text.replace(/<frame/gi, " ");            // html
  text = text.replace(/<embed/gi, " ");            // html
  text = text.replace(/<link/gi, " ");             // html
  text = text.replace(/<import/gi, " ");           // html
  // dangerous URI schemes and CSS expressions
  text = text.replace(/(vbscript(.*)\b[(*):]|data(.*)\b[(*):]|base64(.*)\b[(*):]|expression(.*)\b[(*):]|urn(.*)\b[(*):])/gi, " ");
  // CSS bindings / behaviors
  text = text.replace(/(binding(.*)\b[(*):]|moz-binding(.*)\b[(*):]|behavior(.*)\b[(*):])/gi, " ");
  // DOM property access
  text = text.replace(/(window|document|style)\.(location|cookie|images|frames)/gi, " ");
  document.getElementById('output').innerHTML = text;
  return text;
}

.htaccess blocking URI XSS & SQL injection.

Code:
Options +FollowSymLinks
RewriteEngine On

# double quote followed by an angle bracket (plain or URL-encoded)
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
# <script ... >
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
# javascript: URIs
RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
# quote or semicolon followed by an SQL keyword
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
# suspicious characters in the URL path itself (no RewriteCond, so the query string is not checked here)
RewriteRule (,|;|<|>|'|`) /log.php [NC]
# the original query string is carried over to log.php, which is what log.php logs

logging URI attacks: log.php

Code:
<?php
$r = $_SERVER['REQUEST_URI'];
$q = $_SERVER['QUERY_STRING'];
$i = $_SERVER['REMOTE_ADDR'];
$u = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';  // may be absent
$mess = $r . ' | ' . $q . ' | ' . $i . ' | ' . $u;
mail("admin@site.com", "bad request", $mess, "from:bot@site.com");
echo "Ugly!";
?>
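The filter in the post deletes strings it recognises as bad. The usual alternative is to parse the markup and keep only what is explicitly allowed. Below is an allow-list sanitizer added here as an example; it is not the original poster's code, and the tag, attribute and CSS property lists are assumptions picked for the demo. It is plain string handling, so it runs in Node as well as in a browser, which matters: a filter that only runs in the visitor's browser is skipped by anyone who submits the form data directly, so the same check has to run on the server.

```javascript
// Added example, not the original poster's code: an allow-list HTML sanitizer.
// Rather than deleting known-bad substrings, it tokenizes tags and keeps only
// the tags, attributes and CSS properties listed below (assumed lists for the
// demo); everything else is dropped (tags) or escaped as text.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'span', 'a']);
const ALLOWED_ATTRS = { a: ['href', 'style'], span: ['style'], p: ['style'] };
const ALLOWED_CSS = new Set(['color', 'background-color', 'font-weight', 'font-style', 'text-decoration']);
const CSS_VALUE = /^[#a-z0-9 ,.%()-]+$/i;          // colour names, hex, rgb(): no quotes, slashes or colons
const CSS_BLOCK = /(url|expression|behavior|binding)\s*\(/i;

// Tags are recognised only in this simple form; a literal '>' inside an
// attribute value ends the tag early and whatever is left is escaped as text.
const TAG_RE = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([a-z][a-z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

// Escape text and attribute values; existing entities are re-escaped too
// (so "&amp;" in the input becomes "&amp;amp;").
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allowed properties with simple values; url(), expression() etc. are rejected.
function sanitizeStyle(value) {
  const kept = [];
  for (const decl of value.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    if (ALLOWED_CSS.has(prop) && CSS_VALUE.test(val) && !CSS_BLOCK.test(val)) kept.push(prop + ':' + val);
  }
  return kept.join(';');
}

// Allow http(s), absolute-path and fragment links only. The scheme is checked
// on a copy with whitespace and control characters removed, so "jav\tascript:"
// or "ja\u0000vascript:" cannot slip past the check.
function sanitizeHref(value) {
  const cleaned = value.replace(/[\u0000-\u001f]/g, '').trim();
  const probe = cleaned.replace(/\s/g, '').toLowerCase();
  return /^(https?:\/\/|\/|#)/.test(probe) ? cleaned : '';
}

function cleanAttributes(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  let out = '';
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    if (!allowed.includes(name)) continue;      // onclick, src, ... are simply never emitted
    const clean = name === 'style' ? sanitizeStyle(value) : sanitizeHref(value);
    if (clean) out += ' ' + name + '="' + escapeText(clean) + '"';
  }
  return out;
}

function sanitizeHtml(input) {
  let out = '';
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));   // text between tags is always escaped
    last = TAG_RE.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;            // <script>, <img>, <iframe>, ...: the tag is dropped,
                                                      // its inner text stays as (escaped) plain text
    if (m[1] === '/') out += '</' + name + '>';
    else if (name === 'br') out += '<br />';
    else out += '<' + name + cleanAttributes(name, m[3]) + '>';
  }
  return out + escapeText(input.slice(last));
}

// Constructed test inputs for the demo (not real submissions).
const SAMPLES = [
  '<b onclick="alert(1)">bold</b>',
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">x</a>',
  '<a href="jav\tascript:alert(1)">x</a>',
  '<a href="http://example.com/">ok</a>',
  '<span style="color:red; background-image:url(javascript:alert(1))">s</span>',
  '<img src=x onerror=alert(1)>',
  '1 < 2 && 3 > 2',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', JSON.stringify(sanitizeHtml(s)));
```

Anything not on the lists never reaches the output, so new tags, attributes or encodings do not need a new regex; the cost is that the allowed set has to be chosen deliberately for the markup the site actually wants to accept.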
Here is a good tool by Gareth Heyes called Hackvertor: _http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php It is designed to test web apps using various vectors including XSS, SQL, fuzzing and a lot of others. You can generate the vectors and post the data to your script, so you'll check if it is possible to bypass your filters.
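One way to do the kind of check this reply suggests without touching the server: the QUERY_STRING conditions and the path rule from the first post, ported to JavaScript regexes and run over a few constructed query strings. Apache evaluates the originals with PCRE, but these patterns use only literals, alternation and `.*`, which behave the same in JavaScript. This is an added example, not either poster's code; the rule names and the sample queries are made up for the demo.

```javascript
// Added example, not either poster's code: the four RewriteCond patterns on
// %{QUERY_STRING} and the path RewriteRule from the first post, as JS regexes,
// so test vectors can be checked offline before they are sent at the site.
const QUERY_RULES = [
  { name: 'quote-then-angle', re: /("|%22).*(>|%3E|<|%3C).*/i },
  { name: 'script-tag',       re: /(<|%3C).*script.*(>|%3E)/i },
  { name: 'javascript-uri',   re: /(javascript:).*(;).*/i },
  { name: 'sql-keyword',      re: /(;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*/i },
];
// The last RewriteRule has no RewriteCond, so Apache matches it against the
// URL path; in a per-directory .htaccess the query string is not part of that.
const PATH_RULE = /(,|;|<|>|'|`)/;

// Names of the rules that would send this query string to log.php.
function matchedRules(queryString) {
  return QUERY_RULES.filter(r => r.re.test(queryString)).map(r => r.name);
}

// Whether the path-only rule would fire for this request path.
function pathRuleMatches(path) {
  return PATH_RULE.test(path);
}

// Constructed test inputs, not captured traffic.
const SAMPLE_QUERIES = [
  "id=1' union select 1,2--",             // quote then keyword: sql-keyword
  'q=%3Cscript%3Ealert(1)%3C/script%3E',   // URL-encoded tags: script-tag
  "q=O'Brien&sort=name",                   // benign apostrophe, but the "or" in "sort" completes sql-keyword
  'id=1 union select 1,2',                 // no quote or ';' before the keyword: no rule matches
  'page=search&size=20',                   // benign: no rule matches
];

for (const q of SAMPLE_QUERIES) console.log(q, '=>', matchedRules(q));
console.log("/O'Reilly/index.html =>", pathRuleMatches("/O'Reilly/index.html"));
```

Two things the run makes visible: the keywords `or`, `and` and `if` carry no word boundaries, so any quote followed somewhere later by those letters (as in `sort`) is logged as an attack, and the SQL rule only fires when a quote or semicolon precedes the keyword, so a query that omits both is not matched by any of the conditions.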