Added SQL Injection attack protection with Rewrite Rules
Sure, you can protect against SQL injection attacks at the code layer, but what happens when hackers find something you missed? With rewrite rules, using mod_rewrite on Apache or ISAPI_Rewrite for IIS, you can add rules that send any request whose URL matches a known SQL injection pattern to a logging page instead of your application. Below is an example of some basic protection you can add.
In ISAPI_Rewrite
# ISAPI_Rewrite 2 matches each pattern against the whole URL, query string
# included, so the parameters are visible to the rules. [I] = case-insensitive.
# A hit is first rewritten to /security-violation.htm; the last rule then
# hands that page to the ColdFusion logger.
RewriteRule .*DECLARE.* /security-violation.htm [I]
RewriteRule .*NVARCHAR.* /security-violation.htm [I]
RewriteRule .*INSERT .* /security-violation.htm [I]
RewriteRule .*INSERT %20.* /security-violation.htm [I]
RewriteRule .* xp_.* /security-violation.htm [I]
RewriteRule .*%20xp_.* /security-violation.htm [I]
RewriteRule .*%20@.* /security-violation.htm [I]
RewriteRule .* @.* /security-violation.htm [I]
RewriteRule .*@%20.* /security-violation.htm [I]
RewriteRule .*@ .* /security-violation.htm [I]
RewriteRule .*';.* /security-violation.htm [I]
RewriteRule .*EXEC\(@.* /security-violation.htm [I]
RewriteRule .*sp_password.* /security-violation.htm [I]
RewriteRule /security-violation.htm /security.cfm [I,L]
In mod_rewrite
# Apache's RewriteRule pattern is matched against the URL path only, never the
# query string, so a payload in "?id=1;DECLARE ..." would slip past a plain
# RewriteRule. Test the raw request line instead (%{THE_REQUEST} holds
# "GET /path?query HTTP/1.1") with RewriteCond; [NC] = case-insensitive,
# [OR] chains the alternatives, and a hit goes straight to the logger.
RewriteEngine On
# Do not re-match the request once it has been sent to security.cfm.
RewriteCond %{REQUEST_URI} !^/security\.cfm$
RewriteCond %{THE_REQUEST} DECLARE [NC,OR]
RewriteCond %{THE_REQUEST} NVARCHAR [NC,OR]
RewriteCond %{THE_REQUEST} "INSERT " [NC,OR]
RewriteCond %{THE_REQUEST} "INSERT %20" [NC,OR]
RewriteCond %{THE_REQUEST} " xp_" [NC,OR]
RewriteCond %{THE_REQUEST} %20xp_ [NC,OR]
RewriteCond %{THE_REQUEST} %20@ [NC,OR]
RewriteCond %{THE_REQUEST} " @" [NC,OR]
RewriteCond %{THE_REQUEST} @%20 [NC,OR]
RewriteCond %{THE_REQUEST} "@ " [NC,OR]
RewriteCond %{THE_REQUEST} '; [NC,OR]
RewriteCond %{THE_REQUEST} EXEC\(@ [NC,OR]
RewriteCond %{THE_REQUEST} sp_password [NC]
RewriteRule .* /security.cfm [L]
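To see which requests the rule set above actually stops, here is an added Python harness that is not part of the original post. It applies the thirteen patterns from the rules, case-insensitively as the [NC]/[I] flags do, to a handful of constructed request URLs, once as received and once after percent-decoding (the rewrite engines see the query string raw, so both views matter). It shows a hit on the classic DECLARE payload, a miss on the "+"-encoded space that the ' @' and '%20@' rules only cover after decoding, and two false positives on ordinary traffic, which is the trade-off to weigh before deploying a blocklist like this.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# The rewrite rules from the post, as plain regular expressions. The ".*" on
# either side of each rule is dropped because re.search scans the string anyway.
RULE_PATTERNS = [
    r"DECLARE",
    r"NVARCHAR",
    r"INSERT ",
    r"INSERT %20",
    r" xp_",
    r"%20xp_",
    r"%20@",
    r" @",
    r"@%20",
    r"@ ",
    r"';",
    r"EXEC\(@",
    r"sp_password",
]
# re.IGNORECASE mirrors the [NC] (mod_rewrite) / [I] (ISAPI_Rewrite) flags.
RULES = [re.compile(p, re.IGNORECASE) for p in RULE_PATTERNS]


def first_match(url: str) -> Optional[str]:
    """Return the pattern of the first rule that fires on `url`, or None."""
    for pattern, rule in zip(RULE_PATTERNS, RULES):
        if rule.search(url):
            return pattern
    return None


def classify(url: str) -> dict:
    """Run the rules on the URL as received and on its percent-decoded form.

    The rewrite engines match the query string undecoded, so a "+" or "%xx"
    sequence is only a space after decoding. Checking both views shows what a
    deployment catches and what it misses.
    """
    raw_hit = first_match(url)
    decoded_hit = first_match(unquote_plus(url))
    return {
        "url": url,
        "raw_hit": raw_hit,
        "decoded_hit": decoded_hit,
        "blocked": raw_hit is not None or decoded_hit is not None,
    }


# Constructed sample requests for the demonstration (not taken from any log).
SAMPLE_URLS = [
    "/products.cfm?id=42",                              # ordinary request
    "/products.cfm?id=1;DECLARE%20@s%20varchar(4000)",  # classic payload, caught raw
    "/products.cfm?id=1+@s",                            # "+" is a space: only caught after decoding
    "/search.cfm?q=how+to+insert+a+table",              # benign search, false positive once decoded
    "/docs/nvarchar-types.html",                        # benign path, false positive on NVARCHAR
    "/contact.cfm?email=bob@example.com",               # "@" without adjacent space is not matched
]


def run_report(urls=SAMPLE_URLS) -> list:
    """Classify every URL, print a one-line verdict each, and return the results."""
    results = [classify(u) for u in urls]
    for r in results:
        verdict = "BLOCK" if r["blocked"] else "pass "
        print(f"{verdict}  raw={r['raw_hit']!r:14} decoded={r['decoded_hit']!r:14} {r['url']}")
    return results


if __name__ == "__main__":
    run_report()
```

The two false positives (a search for "insert a table" and a documentation path containing "nvarchar") are exactly the kind of traffic to review in the security.cfm mail before tightening or loosening the patterns.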
Add security.cfm to your webroot:
<!--- Shows the hit to the requester and mails the administrator. CGI variables
      are scoped explicitly, and HTMLEditFormat() encodes the attacker-controlled
      values so this page cannot itself be used to inject script into the browser. --->
<cfoutput>
<h1>HACK ATTEMPT LOGGED FROM IP: #HTMLEditFormat(CGI.REMOTE_ADDR)#</h1>
#DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#
#HTMLEditFormat(CGI.SCRIPT_NAME)#?#HTMLEditFormat(CGI.QUERY_STRING)#
</cfoutput>
<!--- Replace both addresses with your own. --->
<cfmail to="sysadmin@example.com" from="website@example.com"
        subject="HACK ATTEMPT FROM IP: #CGI.REMOTE_ADDR#">
HACK ATTEMPT RECORDED: #DateFormat(Now(), "MM-DD-YYYY")# @ #TimeFormat(Now(), "HH:MM:SS")#
IP: #CGI.REMOTE_ADDR#
ATTEMPT: http://#CGI.SERVER_NAME##CGI.SCRIPT_NAME#?#CGI.QUERY_STRING#
</cfmail>
<cfabort>