Open source web applications like WordPress, Moodle, Drupal and others are commonly used to power websites. This makes them an attractive target for attackers, and many vulnerabilities in these applications are actively exploited. It is important for website owners to keep their web application platform up to date to protect against these attacks.
However, it is not always possible to upgrade to the latest version of a piece of software. Often the upgrades do not happen because of web developer schedules or plugin incompatibilities.
Here are a few rules that can be added to the .htaccess file of a web application to make it harder for attackers to exploit your system. These rewrites are no guarantee that an application will be secure; in the world of online security nothing is fully secure, the only question is how difficult it is to break through.
The block below rejects requests whose query string looks like SQL injection or database manipulation, answering with 403 Forbidden:
RewriteEngine On
# Fire when the raw query string contains a metacharacter (quote, angle bracket,
# semicolon, closing parenthesis, CR/LF, NUL, or their URL-encoded forms) followed
# somewhere later by an SQL keyword; [NC] makes the match case-insensitive
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
# [F] returns 403 Forbidden instead of rewriting the request
RewriteRule .* - [F]
The one below also blocks a number of request methods, as well as suspicious user agents, referers, cookies and URIs, for the directory the .htaccess file is placed in. It is more comprehensive than the one above and may lead to false positives; note in particular that it rejects HEAD requests, which some monitoring tools and crawlers rely on:
RewriteEngine On
# Options needs AllowOverride Options; drop this line if your host does not permit it
Options +SymLinksIfOwnerMatch
ServerSignature Off
# Request methods this directory never needs (HEAD included, see the note above)
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
# Line breaks or markup in the request line, referer or cookie (header injection attempts)
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Suspicious leading characters and path traversal in the request URI
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
# Empty, scripted or scanner user agents
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Query strings that look like SQL injection or that point back at the server itself
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
#RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
# Every alternation above must end with a real token: a trailing "|)" matches the
# empty string and makes that condition fire on every request.
# Reject with 403 rather than rewriting to index.php: a rewrite keeps the query string
# and user agent, so the same conditions would match again and the request would loop.
RewriteRule .* - [F]
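As an added example that is not part of the original post, the Python script below carries the first block's QUERY_STRING condition over to Python's re module (the patterns use nothing PCRE-specific, so the behaviour is the same) and runs it over constructed query strings, so you can gauge the false positives mentioned above before deploying the rules. It also includes a check for a trailing empty alternative such as `(<|>|%27|)`, a copy-paste slip that makes a `^.*(...).*` condition fire on every request.

```python
import re

# The QUERY_STRING condition of the first .htaccess block, translated to Python's re.
# mod_rewrite's [NC] flag corresponds to re.IGNORECASE, and the pattern is applied to
# the raw, still URL-encoded query string, exactly as Apache sees it.
SQLI_CONDITION = re.compile(
    r"^.*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
    re.IGNORECASE,
)

# The same kind of alternation but ending in "|)": the empty alternative matches the
# empty string, so the whole condition matches any input at all.
EMPTY_ALTERNATIVE = re.compile(r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|).*", re.IGNORECASE)

# Constructed query strings (not taken from any real site).
LEGITIMATE_SAMPLES = [
    "page=2",
    "name=O%27Brien",                      # a quote, but no keyword after it
    "q=select%20language",                 # a keyword, but no metacharacter before it
    "comment=I%27d%20like%20an%20update",  # %27 ... update: rejected
    "s=%22set%20it%22",                    # %22 ... set: rejected
]


def is_blocked(query_string: str) -> bool:
    """True when the first block's RewriteCond fires, i.e. the request gets a 403."""
    return SQLI_CONDITION.match(query_string) is not None


def false_positives(samples=LEGITIMATE_SAMPLES):
    """Benign-looking query strings the rule would nevertheless reject."""
    return [qs for qs in samples if is_blocked(qs)]


def fires_on_anything(pattern: re.Pattern) -> bool:
    """Sanity check for a RewriteCond pattern: does it match even harmless input?"""
    return all(pattern.match(qs) for qs in ("", "page=2", "lang=en"))


if __name__ == "__main__":
    print("probe blocked:", is_blocked("id=5%27%20union%20select%201,2"))
    print("false positives:", false_positives())
    print("empty alternative fires on everything:", fires_on_anything(EMPTY_ALTERNATIVE))
    print("real condition fires on everything:", fires_on_anything(SQLI_CONDITION))
```

Run the same check against any pattern you add to the list; a condition that matches the empty string will lock every visitor out of the site.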
Last, here are a few lines you can add to the .htaccess file of folders from which no scripts should ever run, such as upload directories. This prevents an attacker from running a script file from that folder if one was uploaded through an exploit (it stops .php or .aspx files, for example, from being served). In the example below only xml, css, ico, txt, jpg, jpeg, png, gif, js and pdf files are allowed; you can add other extensions such as xlsx or docx. Note that the match is on the last extension only, so make sure your server does not map script handlers on inner extensions (a file named script.php.jpg would pass this allow list):
# Apache 2.2 access-control syntax; on Apache 2.4 it requires mod_access_compat
Order deny,allow
Deny from all
# Re-allow only static file types; the dot must be escaped, otherwise it matches any character
<Files ~ "\.(xml|css|ico|txt|jpe?g|png|gif|js|pdf)$">
Allow from all
</Files>
Using a host that provides a web application IPS such as mod_security can also be very helpful in eliminating problems with script injection attacks.