Mod重写查询参数验证和阻止也请求url阻止 [英] Mod rewrite query parameter validation and blocking also request url blocking
问题描述
在我的网站上,只允许使用少量查询查询参数,但是,某些扫描器或黑客试图使用我的php应用程序不支持的唯一参数访问url,我可以通过验证$_GET
来阻止它们进入php应用程序级别参数,但是服务器正在加载,因此如果参数无效,我想显示403
On my site, only few query query parameters are allowed but, some scanners or hackers trying to access url with unique parameters which my php application doesn't support, I can block them in php application level, by validating $_GET
parameters, but my server is getting loaded, so I want to show 403 if parameters are not valid
查询参数可以任意顺序
到目前为止,我尝试的方法如下
So far what I tried is as follows
# IF there is query string
RewriteCond %{QUERY_STRING} ^.+$
# Then parameters can be only query|debug|lang
# block any extra parameter
RewriteCond %{QUERY_STRING} !(^|$)(query|debug|lang)=[^&]+(&|$) [NC]
RewriteRule ^(.*)$ - [F,L]
但是这里的问题是
http://example.com/search?query=test&debug=on&lang=en&foo=bar
即使黑客通过了foo=bar
,它也要通过,我想显示404,在到达php应用程序之前进行严格的参数检查.
its passing even if hacker pass foo=bar
, I want to show 404, strict parameter checking before reaching php application.
这里是:重写测试器
它没有显示404
带有查询参数的有效网址示例
Example of Valid url with query parameter
http://example.com/search?query=test&debug=on&lang=en
带有查询参数的无效网址的示例
Example of INVALID url with query parameter
(检查是否有除允许的一个查询参数之外的其他查询参数???)
(Check Is there any query parameter other than allowed one ??? )
http://example.com/search?query=test&debug=on&lang=en&foo=bar
http://example.com/search?a=1
http://example.com/search?a=2
http://example.com/search?query=test&a=1
我可以在php中做同样的事情,但是我想在到达我的php应用程序之前阻止请求.
Same I can do in php, But I want to block request before reaching my php application.
$allowed = array('query', 'lang', 'debug');
foreach($_GET as $key => $value)
{
if(!in_array($key, $allowed))
{
http_response_code(403)
die('Forbidden');
}
}
也在我的网站上,请求uri允许的字符为[A-Za-z0-9_-]
Also on my website, request uri allowed chars are [A-Za-z0-9_-]
如果请求uri包含多余的内容,我该如何阻止
How can I block if request uri containing anything extra
也想知道,
- 是否可以重写以检查POST变量?
- 我看到许多可疑的代理人串起我该如何阻止他们
- 我还在引荐网址黑客中看到试图注入xss和sqlinjection字符串的方法,如何阻止它们.
推荐答案
您可以使用以下规则替换现有规则:
You may replace your existing rule with this rule:
# Then parameters can be only query|debug|lang
# block any extra parameter
RewriteCond %{QUERY_STRING} ^(?!(?:query|debug|lang)=[^&]+(?:&(?:query|debug|lang)=[^&]+)*$). [NC]
RewriteRule ^ - [F]
如果URL中存在除query|debug|lang
以外的任何查询参数,则此规则将返回403
.
This rule will return 403
if any query parameter other than query|debug|lang
is present in URL.
此处(?!...)
是否定超前断言,如果查询字符串会失败除了给定的参数外,什么都没有.
Here (?!...)
is a negative lookahead assertion that will fail if query string has anything except given parameters.
RegEx详细信息:
-
^
:开始 -
(?!
:否定超前开始-
(?:query|debug|lang)=[^&]+
:匹配3个允许的查询参数之一及其值 -
(?:
:启动非捕获组-
&
:匹配&
-
(?:query|debug|lang)=[^&]+
:匹配3个允许的查询参数之一及其值
^
: Start(?!
: Start of negative lookahead(?:query|debug|lang)=[^&]+
: Match one of the 3 allowed query parameter and it's value(?:
: Start non-capture group&
: Match a&
(?:query|debug|lang)=[^&]+
: Match one of the 3 allowed query parameter and it's value
简单地说,当查询字符串具有除3个允许参数之外的任何查询参数时,否定超前断言断言失败.
In simple words negative lookahead asserts failure when query string has any query parameter other than the 3 allowed parameters.
这篇关于Mod重写查询参数验证和阻止也请求url阻止的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
-
-