
rewritecond and request params...


Drongo_III


Hi Guys

 

This may be a silly question. Apologies in advance.

 

Let's say I wanted to write a rewrite condition where I need to test both the query_string and the request_uri against the same regex. Is it possible to almost parameterise these in one line?

e.g.

RewriteCond %{REQUEST_URI, QUERY_STRING} SOME-PATTERN etc.

Or would I have to always split these across two lines using the [OR] flag:

RewriteCond %{REQUEST_URI}  SOME-PATTERN etc. [OR]
RewriteCond %{QUERY_STRING}  SOME-PATTERN etc.

Thanks,

 

Drongo

 

 


It's possible but there's no good reason why you should. Stick with the [OR]ed solution because it's much easier to understand and work with.

 

[edit] You do know REQUEST_URI will include the query string, right? What is it that you're testing that needs both? Or at the very least needs REQUEST_URI instead of just using RewriteRule?

Edited by requinix

Thanks for the reply.  So if I did wish to do it all in one line what is the correct syntax?

 

Also, are you sure that request_uri contains the query string data? It's just on the apache website they state for request_uri:

 

 

REQUEST_URI: The path component of the requested URI, such as "/index.html". This notably excludes the query string which is available as its own variable named QUERY_STRING.

 

 

The real reason I'm exploring this is a long story but it has to do with trying to sniff out dodgy URL-encoded data to stop reflected XSS attacks - i.e. through scripts appended to the URL.  I've seen fixes for this that all target the query string parameters but the XSS attack I'm trying to fix doesn't use a query string. So I figured it would be prudent to run a condition on both the query string and the URL.  Incidentally this is for a flat PHP website so there isn't much I can do to protect the URL besides htaccess.


> Thanks for the reply.  So if I did wish to do it all in one line what is the correct syntax?

Concatenate the values, but that can mess up the matching if it tests for something that starts in one value and bleeds over into the other. Which is why I was saying not to do it.

> Also, are you sure that request_uri contains the query string data? It's just on the apache website they state for request_uri:

I had remembered doing URL matching against the REQUEST_URI specifically, including matching stuff in the query string, but I guess I was doing that in PHP code rather than using mod_rewrite. So... no.

> Incidentally this is for a flat php website so there isn't much I can do to protect the url besides htaccess.

...and fix the injection point. Because I guarantee you that you won't be able to protect against everything an attacker can dream up by using just mod_rewrite.

Thanks Requinix - your advice is much appreciated.  I will use the OR flag then to not complicate things :)

 

 

I can't really fix the injection for this XSS attack as it's based on someone appending to a valid URL. So I'm not sure how I'd thwart that.

 

I have another post on here where it's all explained: http://forums.phpfreaks.com/topic/292145-reflected-xss/

 

I was looking to use x-content-security-policy header but I've since read that trying to recognise certain patterns in the url is also a way to go.

 

How would you recommend getting around an xss where someone appends something like this to the url?

%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e?sub=t

Sorry btw - don't mean to start covering things from other threads but as it came up...


I had a reply drafted for that other thread. Guess I didn't send it.

 

XSS is always fixable. You might be using something like PHP_SELF in... I don't know, is that a <form>? For a form specifically you can leave the action empty to have the page post back to itself, but if you must use it then you should htmlspecialchars() the value so the quotation mark they embedded in the URL (%22) doesn't break your HTML and thus lead to XSS.

Post the code for whatever generates the HTML that the XSS is exploiting (so put that in your browser, do a View Source on the page, and see where it's being outputted) and it'll take all of a few seconds to correct it.

 

The problem with things like X-Content-Security-Policy is they rely on browser support - IE being the problem child, as always. You can return it if you wish but you still have to do everything else.

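The fix described in the last reply, as an added example that is not part of the original thread: it assumes the page echoes PHP_SELF into a form action, which the reply only suggests as a possibility, and shows the unescaped output beside the htmlspecialchars() and empty-action versions. The script name /contact.php, the function names and the sample request are constructed for illustration, and PHP's bundled DOM extension is assumed to be available.

```php
<?php
// Added example, not code from the thread. /contact.php is a hypothetical script name.

// Constructed request path: the thread's payload appended to a valid URL as extra path info.
$requestPath = '/contact.php/%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E6f54e';

// PHP derives PHP_SELF from the URL-decoded path, so %22%3E arrives as a literal ">.
// rawurldecode() stands in for that step so the example runs from the CLI.
$phpSelf = rawurldecode($requestPath);

// Before: the value is echoed into a double-quoted attribute unescaped.
function vulnerableForm(string $self): string
{
    return '<form method="post" action="' . $self . '">';
}

// After: escape for HTML attribute context at the point of output.
function escapedForm(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Alternative from the reply: an empty action posts back to the current URL.
function emptyActionForm(): string
{
    return '<form method="post" action="">';
}

// List the element names an HTML parser sees, to show whether markup was injected.
function elementNames(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate fragment-level parse warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<body>' . $html . '</form></body>');
    $names = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $names[] = $el->nodeName;
    }
    return $names;
}

foreach (['vulnerable' => vulnerableForm($phpSelf),
          'escaped'    => escapedForm($phpSelf),
          'empty'      => emptyActionForm()] as $label => $html) {
    printf("%-10s %s\n           elements: %s\n", $label, $html, implode(', ', elementNames($html)));
}
```

Only the unescaped version yields an extra img element when parsed; in the escaped version the payload stays inside the action attribute as inert text.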
