Created
August 3, 2016 09:36
xss.conf
```apache
# To be included into httpd.conf using:
# Include conf.d/xss.conf
#
# The Directory argument is a regex (note the ~). The original pattern
# "/var/www/*/public_html/" would only match "/var/www/public_html/" because
# "*" is a quantifier there, not a shell wildcard; [^/]+ matches one site
# directory name as intended.
<Directory ~ "/var/www/[^/]+/public_html/">
    # Per-directory rewrite rules are ignored unless the engine is enabled in
    # this scope (it is not inherited from the server config). Per-directory
    # rewriting also requires Options FollowSymLinks or SymLinksIfOwnerMatch.
    RewriteEngine On

    # Custom rule added by STiplady, Acunetix report specifically targets script tags in the request url
    # Block out any script that includes a <script> tag in URL.
    RewriteCond %{REQUEST_URI} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Following 4 rules are straight from Joomla .htaccess security rules
    # Block out any script trying to base64_encode data within the URL.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    # Block out any script that includes a <script> tag in URL.
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # If any of the above rules matched, return 403 Forbidden header
    RewriteRule .* - [F]
</Directory>
```
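The rules above are chained with `[OR]`, so a request is refused with 403 as soon as any single condition matches its raw (still percent-encoded) `REQUEST_URI` or `QUERY_STRING`. The following harness is an added example, not part of the gist: it re-implements that condition chain in Python so the patterns can be exercised against sample requests before they are deployed. It assumes Python's `re` behaves like Apache's PCRE for these four patterns (they use only shared syntax) and maps Apache's `[NC]` flag to `re.IGNORECASE`; the request samples are constructed for this example.

```python
"""Offline check of the xss.conf RewriteCond chain (added example, not the gist's code)."""
import re

# Rule 1 runs against %{REQUEST_URI}: the raw, percent-encoded path without
# the query string. Rules 2-5 run against the raw %{QUERY_STRING}. Both are
# matched before any URL decoding, which is why the script-tag pattern lists
# "<" and "%3C" explicitly. Apache's [NC] flag becomes re.IGNORECASE.
SCRIPT_TAG = re.compile(r"(<|%3C)([^s]*s)+cript.*(>|%3E)", re.IGNORECASE)
BASE64_CALL = re.compile(r"base64_encode[^(]*\([^)]*\)")
GLOBALS_VAR = re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")  # \% is a literal %
REQUEST_VAR = re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")

# (rule name, mod_rewrite variable it inspects, compiled pattern), in file order.
RULES = [
    ("script-tag-in-uri", "REQUEST_URI", SCRIPT_TAG),
    ("base64_encode-in-query", "QUERY_STRING", BASE64_CALL),
    ("script-tag-in-query", "QUERY_STRING", SCRIPT_TAG),
    ("GLOBALS-in-query", "QUERY_STRING", GLOBALS_VAR),
    ("_REQUEST-in-query", "QUERY_STRING", REQUEST_VAR),
]


def matched_rules(request_uri, query_string):
    """Return the names of every RewriteCond that matches the request.

    The gist joins its conditions with [OR], so one match is enough for
    "RewriteRule .* - [F]" to fire; listing all matches helps when tuning.
    """
    variables = {"REQUEST_URI": request_uri, "QUERY_STRING": query_string}
    return [name for name, var, pattern in RULES if pattern.search(variables[var])]


def decide(request_uri, query_string):
    """Mimic the outcome: 403 if any condition matched, else 200 (pass through)."""
    return 403 if matched_rules(request_uri, query_string) else 200


# Constructed sample requests: (REQUEST_URI, QUERY_STRING).
SAMPLE_REQUESTS = [
    ("/index.php", "q=%3Cscript%3Etest%3C/script%3E"),  # encoded <script> in query
    ("/blog/%3Cscript%3E", ""),                          # encoded <script> in path
    ("/index.php", "option=base64_encode(abc)"),         # PHP function call in query
    ("/", "GLOBALS%5Bx%5D=1"),                           # GLOBALS[ with encoded bracket
    ("/", "_REQUEST[x]=1"),                              # literal _REQUEST[
    ("/search", "q=javascript+tutorials"),               # benign: no angle brackets
    ("/items", "sort=description"),                      # benign: "script" without < >
]


def report(samples=SAMPLE_REQUESTS):
    """Evaluate each sample and return (uri, query, status, matched rules) tuples."""
    return [(uri, qs, decide(uri, qs), matched_rules(uri, qs)) for uri, qs in samples]


if __name__ == "__main__":
    for uri, qs, status, rules in report():
        print(f"{status} {uri}?{qs}  {', '.join(rules) or '-'}")
```

Running the block prints one line per sample with the status the rule set would return and which conditions fired; the two benign requests show that the word "script" on its own does not trip the filter, only a bracketed (or `%3C`/`%3E`-encoded) tag does.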