ColdFusion Muse

ISAPIRewrite or Mod_Rewrite Rules

For those of you interested in stopping the SQLi attack before it even hits your ColdFusion server, you might try these rewrite rules are from the CF-Linux email list (run by House of Fusion). They were provided by list member Mike Chytracek and forwarded to me by Linux CFG Ryan Stille. These rules are for for use with Helicon's ISAPI Rewrite filter, but with very little tweaking these rules aught to work for Apache Mod_rewrite as well.


# Helicon ISAPI_Rewrite configuration file
# Version 3.1.0.54
RewriteEngine On
RewriteCompatibility2 On
RepeatLimit 20
RewriteBase
# unsupported directive: [ISAPI_Rewrite]
# CacheClockRate 300
RewriteRule ^.*DECLARE%20.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*NVARCHAR.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*sp_password.*$ http://www.cybercrime.gov/
[NC] RewriteRule ^.*%20xp_.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*EXEC\(@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^.*%20@.*$ http://www.cybercrime.gov/ [NC]
RewriteRule ^METHOD$ OPTIONS

Please note that these rules will actually redirect the request to the governments cybercrime website. That's going to freak a few folks out if you end up with any fals positives :)

Comments
Matt's Gravatar How about on IIS?
# Posted By Matt | 8/8/08 2:58 PM
Matt's Gravatar I really should have read it first before I posted. I just saw Linux and ignored the rest. My bad.
# Posted By Matt | 8/8/08 3:08 PM
Brett S.'s Gravatar We redirect them back to REMOTE_ADDR ;)
# Posted By Brett S. | 8/8/08 3:34 PM
mark kruger's Gravatar @Brett,

Ooh! I like it! That's tasteful without being gaudy.

-mark
# Posted By mark kruger | 8/8/08 3:55 PM
Brett S's Gravatar Also, I believe you would want to use [I,R] instead of [NC] to redirect them to the CyberCrime site.
# Posted By Brett S | 8/8/08 3:55 PM
Brett S's Gravatar Actually now that I look closer, I'm not sure of [NC] vs [I,R]. I the rule set is for Helicon's Filter (per the comments).

We use Ionic ISAPI rewrite http://www.codeplex.com/IIRF and it is definitely [I,R]

Sorry for any confusion, and thanks for the post, I added a couple of the rules to our server that we were not using.
# Posted By Brett S | 8/8/08 4:00 PM
simon's Gravatar Can anyone explain how exactly to do this in apache 2+?
# Posted By simon | 8/8/08 11:22 PM
Brad Wood's Gravatar LOL, you're going to start getting calls from the CIA wanting to know why half of their traffic is all redirects from your site...

As much as I don't like filtering due to false positives and an over-grown sense of security, I do think the web server is the place to do it. Why even waste the CF thread, if Apache or IIS can handle the problem? I'm likley to mess around with a few rules, but I don't want to leave them in place permanently assuming these specific attacks will eventually go away. The next big attack may use an entirely different method which will require a brand new rewrite rule...
# Posted By Brad Wood | 8/9/08 3:36 AM
sb's Gravatar How do I tweak this to get it to work with mod rewrite?
# Posted By sb | 8/11/08 2:51 PM
Matt Smith's Gravatar The suggested ISAPIRewrite rules are helpful in detecting the current attack, but when tested against the HP Scrawlr (SQL injector and crawler testing tool), the rules, as currently written, fail the test. I haven't yet identified what needs to be added or changed. Anyone have any suggestions how to make the rules more robust?
# Posted By Matt Smith | 8/23/08 10:46 AM
jon's Gravatar any word on how to go about this type of thing with IIS?
# Posted By jon | 8/28/08 1:07 PM



Blog provided and hosted by CF Webtools. Blog Sofware by Ray Camden.