Welcome to WebmasterWorld Guest from 54.198.106.21

Forum Moderators: Ocean10000 & incrediBILL & phranque

Best way to block URIs for %00 ?

nullchar

     
5:56 am on Jul 11, 2017 (gmt 0)

New User

joined:July 11, 2017
posts: 5
votes: 0


Hi,

Similar question was asked before here -> [webmasterworld.com...]
But the solutions provided doesn't work for blocking the requests that contains %00(null char) in the URL.

Any idea/solution?
9:43 am on July 11, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


welcome to WebmasterWorld, ercancelik! [webmasterworld.com]

what have you tried so far and what results did you get?
10:41 am on July 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8995
votes: 409


Is the %00 in the requested URL or the referral URL?
11:28 am on July 11, 2017 (gmt 0)

New User

joined:July 11, 2017
posts: 5
votes: 0


This issue is reported from our security team.

Actually i tried the below solution but the url not matched with the rule.

RewriteCond %{THE_REQUEST} \%(25)*00
RewriteRule .* - [F]


@keyplyr, the %00 is in the requested URL.
12:28 pm on July 11, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


Where do you see %00 in the requested URL? The server access log file?
12:37 pm on July 11, 2017 (gmt 0)

New User

joined:July 11, 2017
posts: 5
votes: 0


The %00 char is in the requested url. The security team is checking the server for vulnerabilities and find out that our system is not secured against the requests that contains %00 char in the request uri. The interesting thing is that Chrome browser do not take any action when i call the url(probably when it sees the %00 char in the url, interprets it as unsecure), but Safari and Firefox requested the url.
6:44 pm on July 11, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13841
votes: 485


\%(25)*00

Tangentially: the \ escape isn't needed, though it isn't actively harmful. I understand the point of (25)* -- in fact I've got the same construct, not in access rules but in my log-wrangling functions, since % = %25 -- but it isn't really needed in this context.

The reason everyone is asking about request vs. referer is that the referer remains percent-encoded, but the request is disencoded (er... decoded?) before it reaches your RewriteRules. So you'd probably need to use the literal character. Urk. Yeah. (Can it even be done with non-displaying characters? In other contexts, like text editing or major programming languages, there are ways to find characters by codepoint. I don't think Apache supports these locutions, though.)

How did your security folks find the character?
8:53 pm on July 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8995
votes: 409


@keyplyr, the %00 is in the requested URL
If you have no inhouse links that contain "00" then the simplest (though not the most efficient) way of blocking is:
RewriteRule 00 - [F]
10:48 pm on July 11, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


RewriteRule 00 - [F]


this would work if mod_rewrite sees the encoded version of the url and if the %00 is in the path part of the url.
if the %00 is in the query string you must examine %{THE_REQUEST}.
10:50 pm on July 11, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


Where do you see %00 in the requested URL? The server access log file?

How did your security folks find the character?

essentially the same question...
10:52 pm on July 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8995
votes: 409


this would work if mod_rewrite sees the encoded version of the url and if the %00 is in the path part of the url
the %00 is in the requested URL
Just did a quick test. Works perfect. I have no inhouse link paths that contain "00" though, ercancelik might.

Oh, and BTW ercancelik welcome to WebmasterWorld [webmasterworld.com]
11:32 pm on July 11, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


Just did a quick test. Works perfect.

as i mentioned above, your ruleset won't blocks requests if the %00 is in the query string part of the url (i.e. after the "?")
11:40 pm on July 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8995
votes: 409


phranque - ercancelik said it was in the URL.
@keyplyr, the %00 is in the requested URL


Yes, I agree with your query string comment, but that's not what ercancelik said. Of course he/she could be wrong.
5:06 am on July 12, 2017 (gmt 0)

New User

joined:July 11, 2017
posts: 5
votes: 0


Thank for all the replies. A sample url is below. I couldn't give the domain name for company's security rules.

<protocol>://<domain_name>/<context_path>this%20page%20has%20moved.%20Please%20call%20Ercan%20Celik%2005323524243%00

00 character could be exist in the requested url because a product page's url is like this .../products/12300232. The last part is an id of a product sometimes. So i must check exactly %00 char.
11:26 am on July 12, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


I agree with your query string comment, but that's not what ercancelik said.

the query string is not part of the path but it is part of the url so i'm not sure what you are saying.
so far ercan hasn't ruled out a possible query string situation, which would require examining %{THE_REQUEST}.
11:28 am on July 12, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


Actually i tried the below solution but the url not matched with the rule.
RewriteCond %{THE_REQUEST} \%(25)*00
RewriteRule .* - [F]


please try this instead:
RewriteCond %{THE_REQUEST} \x00
RewriteRule .* - [F]
5:15 pm on July 12, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13841
votes: 485


please try this instead:

Does this work on your server? I experimented on my test site and it didn't seem to know what to do with the \x construction in a RewriteCond--although, unlike the \o or \u or \octal constructions, it didn't result in a 500 error, so I guess that's something.

Intriguing detail:

#1 Error logs use the forms \xc3\xa0 (lower case, unicode) while access logs use %C3%A0 (upper-case, percent).
#2 The existence of a RewriteCond referring to \xblahblah causes the server to be unable to find the 404 document (it looks in the server default location, not in the location specified by site's htaccess)--as if it can't read htaccess, but normally that would result in a 500 condition.

Huh.
7:53 pm on July 12, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10888
votes: 72


I didn't experiment - I suggested trying \x00 because it is PCRE syntax.
8:28 am on July 26, 2017 (gmt 0)

New User

joined:July 11, 2017
posts: 5
votes: 0


Hi Guys,

Sorry for the late response. The problem still continues. I couldn't find a rewrite rule to solve this issue.

Here is the access logs of apache httpd. Any suggestion?

xx.xx.79.10 xx.xx.199.56 - - [26/Jul/2017:10:09:11 +0200] "GET /home%2fsfsdfsfsfsfsdfsdfsdfd%00 HTTP/1.1" 404 235 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0"
8:36 am on July 26, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8995
votes: 409


ercancelik - You never have any control over what is requested. People and bots request all sorts of odd looking strings.

Not sure why your "security team" alerted you, but I'd just ignore those requests. Judging from your example, this is *not* a security issue.

If you (yourself) watch your raw server logs on an hourly/daily basis, you'll see a great many similar requests and much more.
6:14 pm on July 26, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13841
votes: 485


Based on the IP and on the surrounding requests, is that a human or a robot? If it's a robot, just ignore it. Admittedly it's a tiny bit of extra work for your server to have to go look for a nonexistent file, but in the end a 404 is probably the most useful thing to send an unwanted robot anyway.

You may also want to look at what other requests are coming in from this IP, assuming it's the same one over and over. If there are no humans in the neighborhood, you may be better off blocking the whole range.

:: detour to test site ::

Hm, now that's interesting. In the case of a displayable ASCII character, access logs will show whatever form I actually typed in, like /4.html vs. %34.html, while error logs and the browser's address bar show the decoded form (4 in this example). If, on the other hand, you request a displayable non-ASCII character, access logs will always show the encoded form. And, finally: if I manually type in \x Firefox will convert the \ to / (possibly in response to all those stupid TV ads that say "backslash" when they mean "slash" leading to slews of erroneous type-ins). Safari does approximately the same, with added business.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members