Due to the huge spur in SQL injection attacks, Sana Ullah has done some great work on some .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly.
RewriteEngine on
#SQL Injection Protection --Read More www.cybercrime.gov
#Please use these rules if below words does not conflict with your friendly-urls. You may modify accordingly
RewriteRule ^.*EXEC(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]
#Ignore images and this would be last rule --if the condition matched
RewriteRule ^/(.*.(png|gif|jpg|bmp)) /$1 [L,PT,NC]
#Ignore CSS or JS files and this would be last rule --if the condition matched
RewriteRule ^/(.*.(css|js)) /$1 [L,PT,NC]
#Ignore txt/doc/pdf/xls files and this would be last rule --if the condition matched
RewriteRule ^/(.*.(txt|pdf|doc|xls)) /$1 [L,PT,NC]
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
Blog
Recent Entries
One Language, Every Runtime: BoxLang Expands Beyond the Server
Discover how BoxLang’s multi-runtime architecture helps developers build beyond the server with support for serverless functions, desktop applications, CI/CD workflows, Java integrations, containers, runtime management, and more.
MatchBox and WebAssembly: Running BoxLang in the Browser and at the Edge
The MatchBox open beta is live at https://boxlang.ortusbooks.com/boxlang-framework/matchbox, and it brings something genuinely new to the BoxLang ecosystem: a path into WebAssembly.
That means BoxLang code can now move into browser applications, static-site deployments, edge runtimes, and WASI-style containers - without requiring a JVM. The feature is still beta, but the core direction is already useful: write BoxLang, compile it with MatchBox, and ship the generated WASM artifact to wherever a small portable runtime makes sense.
BoxLang 1.14.0 : BoxSet is Here: BoxLang's New First-Class Set Type
BoxLang 1.14.0 ships something that JVM developers have wanted for a long time: a true first-class Set type baked directly into the language. Not a wrapper you reach for manually, not a createObject( "java", "java.util.HashSet" ) incantation you paste from a Stack Overflow answer years ago. A real BoxSet with literal syntax, operator overloads, a full functional pipeline, change listeners, JSON serialization, and deep Java interop.
Add Your Comment
(2)
Aug 08, 2008 19:34:48 UTC
by O?uz Demirkap?
Great work! Thanks :)
Sep 16, 2008 08:47:54 UTC
by Mark Mazelin
Luis:
Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need to exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule?
Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...