Mod rewrite query parameter validation and blocking, also request URL blocking


Question

On my site, only a few query parameters are allowed, but some scanners or hackers are trying to access URLs with unique parameters which my PHP application doesn't support. I can block them at the PHP application level by validating the $_GET parameters, but my server is getting loaded, so I want to show 403 if the parameters are not valid.

The query parameters can be in any order.

So far, what I have tried is as follows:

# IF there is query string
RewriteCond %{QUERY_STRING} ^.+$

# Then parameters can be only query|debug|lang
# block any extra parameter
RewriteCond %{QUERY_STRING} !(^|$)(query|debug|lang)=[^&]+(&|$) [NC]

RewriteRule ^(.*)$ - [F,L]

But the problem here is that

http://example.com/search?query=test&debug=on&lang=en&foo=bar

is passing even if the hacker passes foo=bar. I want to show 404, with strict parameter checking before reaching the PHP application.

Here it is: rewrite tester

It does not show 404.

Example of a valid URL with query parameters

http://example.com/search?query=test&debug=on&lang=en

Examples of INVALID URLs with query parameters

(Check: is there any query parameter other than the allowed ones???)

http://example.com/search?query=test&debug=on&lang=en&foo=bar
http://example.com/search?a=1
http://example.com/search?a=2
http://example.com/search?query=test&a=1

I can do the same in PHP, but I want to block the request before it reaches my PHP application.

<?php
// Only these query parameter names are accepted by the application.
$allowed = array('query', 'lang', 'debug');
foreach ($_GET as $key => $value) {
    if (!in_array($key, $allowed)) {
        // Any unknown parameter name ends the request with 403.
        http_response_code(403);
        die('Forbidden');
    }
}

Also, on my website the allowed characters in the request URI are [A-Za-z0-9_-].

How can I block a request if the request URI contains anything extra?

I would also like to know:

  1. Is it possible with rewrite rules to check POST variables?
  2. I see many suspicious user agent strings; how can I block them?
  3. I also see hackers trying to inject XSS and SQL injection strings in the referrer URL; how can I block them?

Recommended answer

You may replace your existing rule with this rule:

# Then parameters can be only query|debug|lang
# block any extra parameter
RewriteCond %{QUERY_STRING} ^(?!(?:query|debug|lang)=[^&]+(?:&(?:query|debug|lang)=[^&]+)*$). [NC]

RewriteRule ^ - [F]

This rule will return 403 if any query parameter other than query|debug|lang is present in the URL.

Here (?!...) is a negative lookahead assertion that will fail if the query string has anything except the given parameters.

RegEx details:

  • ^: Start
  • (?!: Start of negative lookahead
    • (?:query|debug|lang)=[^&]+: Match one of the 3 allowed query parameters and its value
    • (?:: Start of non-capture group
      • &: Match a &
      • (?:query|debug|lang)=[^&]+: Match one of the 3 allowed query parameters and its value

In simple words, the negative lookahead asserts failure when the query string has any query parameter other than the 3 allowed parameters.
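As an added example (not part of the original question or answer), the two RewriteCond patterns above emulated with Python's re module and run against the URLs listed in the question; it assumes Python's regex dialect agrees with Apache's PCRE for these patterns and that [NC] corresponds to re.IGNORECASE.

```python
import re
from urllib.parse import urlsplit

# Pattern from the question's first attempt. In the RewriteCond it is
# negated with "!", so that rule fires when the query string does NOT
# match. "(^|$)" only anchors the FIRST pair, so anything after one
# allowed pair is never examined, which is why foo=bar slips through.
ATTEMPT_RE = re.compile(r"(^|$)(query|debug|lang)=[^&]+(&|$)", re.IGNORECASE)

# Pattern from the accepted answer. The negative lookahead fails (so the
# rule does not fire) only when the whole query string, up to "$", is a
# chain of allowed key=value pairs. The trailing "." means an empty query
# string never matches, so requests without parameters are not blocked.
ANSWER_RE = re.compile(
    r"^(?!(?:query|debug|lang)=[^&]+(?:&(?:query|debug|lang)=[^&]+)*$).",
    re.IGNORECASE,
)


def blocked_by_attempt(url: str) -> bool:
    """Emulate the question's rules: QUERY_STRING ^.+$ and !ATTEMPT_RE -> [F]."""
    qs = urlsplit(url).query
    if not qs:  # first RewriteCond: there must be a query string at all
        return False
    return ATTEMPT_RE.search(qs) is None


def blocked_by_answer(url: str) -> bool:
    """Emulate the answer's rule: QUERY_STRING matches ANSWER_RE -> [F] (403)."""
    return ANSWER_RE.search(urlsplit(url).query) is not None


# Constructed from the question's valid and invalid examples.
SAMPLE_URLS = [
    "http://example.com/search?query=test&debug=on&lang=en",
    "http://example.com/search?query=test&debug=on&lang=en&foo=bar",
    "http://example.com/search?a=1",
    "http://example.com/search?query=test&a=1",
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (blocked_by_attempt, blocked_by_answer)."""
    return {u: (blocked_by_attempt(u), blocked_by_answer(u)) for u in urls}


if __name__ == "__main__":
    for url, (attempt, answer) in compare().items():
        print(f"{url}\n  attempt blocks: {attempt}   answer blocks: {answer}")
```

Two edge cases worth knowing before deploying: `[^&]+` requires a non-empty value, so `?query=` is also refused with 403, and repeated allowed keys such as `lang=en&lang=fr` still pass.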
