I have finally tested and tuned my obj.conf from the previous post on using the sed-request filter in Sun One/iPlanet Web Server 7 to provide some amount of SQL injection and XSS protection. My final entry, which is added at the end of the Service entries in the default section of obj.conf, is:
Input fn="insert-filter"
method="(GET|HEAD|POST)"
filter="sed-request"
sed="s/</\\</g"
sed="s/%3c/\\</g"
sed="s/%3C/\\</g"
sed="s/>/\\>/g"
sed="s/%3e/\\>/g"
sed="s/%3E/\\>/g"
sed="s/\x3C ?iframe//g"
sed="s/\\<src\\>[^a-zA-Z_0-9]*?\\<javascript://g"
sed="s/\\<src\\>[^a-zA-Z_0-9]*?\\<vbscript://g"
sed="s/\\<href\\>[^a-zA-Z_0-9]*?\\<javascript://g"
sed="s/\\<alert\\>[^a-zA-Z_0-9]*?\x28//g"
sed="s/\\<src\\>[^a-zA-Z_0-9]*?\\<http://g"
sed="s/\\<type\\>[^a-zA-Z_0-9]*?\\<text\\>[^a-zA-Z_0-9]*?\\<vbscript\\>//g"
sed="s/\\<href\\>[^a-zA-Z_0-9]*?\\<vbscript://g"
sed="s/\\<url\\>[^a-zA-Z_0-9]*?\\<javascript://g"
sed="s/\x3C ?script\\>//g"
sed="s/\\<type\\>[^a-zA-Z_0-9]*?\\<text\\>[^a-zA-Z_0-9]*?\\<javascript\\>//g"
sed="s/\\<url\\>[^a-zA-Z_0-9]*?\\<vbscript://g"
sed="s/(asfunction|javascript|vbscript|data|mocha|livescript)://g"
sed="s/(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)//g"
sed="s/(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)//g"
sed="s/(?i:<link[ /+\t].*?href[ /+\t]*=)//g"
sed="s/(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)//g"
sed="s/(?i:<embed[ /+\t].*?SRC.*?=)//g"
sed="s/(?i:[ /+\t\"\'`]on\x63\x63\x63+?[ +\t]*?=.)//g"
sed="s/(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:<isindex[ /+\t>])//g"
sed="s/(?i:<form.*?>)//g"
sed="s/(?i:<script.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:<script.*?>)//g"
sed="s/\\<select\\>.{0,40}\\<user\\>//g"
sed="s/\\<select\\>.{0,40}\\<substring\\>//g"
sed="s/\\<select\\>.{0,40}\\<ascii\\>//g"
sed="s/\\<user_tables\\>//g"
sed="s/\\<user_tab_columns\\>//g"
sed="s/\\<all_objects\\>//g"
sed="s/\\<drop\\>//g"
sed="s/\\<substr\\>//g"
sed="s/\\<sysdba\\>//g"
sed="s/\\<user_password\\>//g"
sed="s/\\<user_users\\>//g"
sed="s/\\<user_constraints\\>//g"
sed="s/\\<column_name\\>//g"
sed="s/\\<substring\\>//g"
sed="s/\\<object_type\\>//g"
sed="s/\\<object_id\\>//g"
sed="s/\\<user_ind_columns\\>//g"
sed="s/\\<column_id\\>//g"
sed="s/\\<table_name\\>//g"
sed="s/\\<object_name\\>//g"
sed="s/\\<rownum\\>//g"
sed="s/\\<user_group\\>//g"
sed="s/\\<utl_http\\>//g"
sed="s/\\<select\\>.*?\\<to_number\\>//g"
sed="s/\\<group\\>.*\\<by\\>.{1,100}?\\<having\\>//g"
sed="s/\\<select\\>.*?\\<data_type\\>//g"
sed="s/\\<isnull\\>[^a-zA-Z_0-9]*?\x28//g"
sed="s/\\<union\\>.{1,100}?\\<select\\>//g"
sed="s/\\<insert\\>[^a-zA-Z_0-9]*?\\<into\\>//g"
sed="s/\\<select\\>.{1,100}?\\<count\\>.{1,100}?\\<from\\>//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\\<drop\\>//g"
sed="s/\\<select\\>.*?\\<to_char\\>//g"
sed="s/\\<dbms_java\\>//g"
sed="s/\\<nvarchar\\>//g"
sed="s/\\<utl_file\\>//g"
sed="s/\\<inner\\>[^a-zA-Z_0-9]*?\\<join\\>//g"
sed="s/\\<select\\>.{1,100}?\\<from\\>.{1,100}?\\<where\\>//g"
sed="s/\\<into\\>[^a-zA-Z_0-9]*?\\<dumpfile\\>//g"
sed="s/\\<delete\\>[^a-zA-Z_0-9]*?\\<from\\>//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\\<shutdown\\>//g"
sed="s/\\<dba_users\\>//g"
sed="s/\\<select\\>.{1,100}?\\<top\\>.{1,100}?\\<from\\>//g"
Don't forget to import the changes into the configuration repository and deploy them, or they will not take effect!
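Before deploying a list like this it is worth running the patterns over sample request bodies to see what each rule actually strips, including the benign text it will also eat. The following is an added example, not part of the original post or of the web server: it takes five of the sed parameters above verbatim, converts the obj.conf escaping to a Python regex, and applies them in order the way the filter chain does, on constructed inputs.

```python
import re

# Five of the sed parameters from the obj.conf above, copied verbatim in page
# order (obj.conf quoting kept so the converter below has to handle it).
OBJ_CONF_RULES = [
    r'sed="s/(asfunction|javascript|vbscript|data|mocha|livescript)://g"',
    r'sed="s/(?i:<script.*?>)//g"',
    r'sed="s/\\<select\\>.{0,40}\\<user\\>//g"',
    r'sed="s/\\<union\\>.{1,100}?\\<select\\>//g"',
    r'sed="s/\x3B[^a-zA-Z_0-9]*?\\<drop\\>//g"',
]


def objconf_sed_to_regex(rule):
    r"""Compile one obj.conf sed="s/PATTERN//g" parameter as a Python regex.

    obj.conf doubles backslashes inside quoted values, so \\< and \\> in the
    file reach the sed filter as \< and \> (start/end of word). Every rule on
    the page puts \< before a word and \> after one, so Python's \b is an
    exact stand-in here. \xNN escapes mean the same in both dialects.
    """
    m = re.fullmatch(r'sed="s/(.*)//g"', rule)
    if m is None:
        raise ValueError(f"not a delete-style rule: {rule}")
    pattern = m.group(1).replace(r'\\<', r'\b').replace(r'\\>', r'\b')
    return re.compile(pattern)


COMPILED = [objconf_sed_to_regex(r) for r in OBJ_CONF_RULES]


def apply_rules(text):
    """Run the rules in order, as the filter chain does; return (rewritten, fired)."""
    fired = []
    for rule, regex in zip(OBJ_CONF_RULES, COMPILED):
        text, count = regex.subn("", text)
        if count:
            fired.append(rule)
    return text, fired


if __name__ == "__main__":
    # Constructed sample bodies: three that should be rewritten and one benign
    # sentence that the select...user rule also eats (a false positive to tune
    # for before deploying).
    for body in ("q=1 union select user from dual",
                 'name=<script type="text/javascript">x()</script>',
                 "a=1; drop table t",
                 "comment=I will select a new user name"):
        print(repr(body), "->", apply_rules(body))
```

Note that rule order matters: once the select...user rule has removed "select user", the union...select rule no longer has anything to match, so only the first rule is reported as fired.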