
A repeat visitor to my site keeps manipulating query strings. For example a valid page address would look like:

myPage.php?subject=3

This visitor has visited several times and keeps entering the following addresses:

myPage.php?subject=3%26%26SlEEp%283%29
myPage.php?subject=3%20AND%201=1
myPage.php?subject=3%20and%201%3E1
myPage.php?subject=3%20and%201%3D1
myPage.php?subject=32121121121212.1

I've tried blocking their IP, but they just return with a different one, although (so far) they've only used French IP addresses. On their latest visit, their HTTP_USER_AGENT was undefined, but in the past it has held these values:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.179[128]; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; dial; E-nrgyPlus; .NET CLR 1.1.4322; InfoPath.1)

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Opera/9.27

I'm currently tracking all open sessions on the site. Would it be an effective and reasonable tactic to also track query failures and end any session that exceeds a specified number of failures? If so, what is a reasonable number of failures? Should I also end all sessions with an undefined user agent?

There is a similarly titled question here, "How should I detect and respond to bad actors who perform SQL injections?", but it seems specific to Microsoft Azure.

Dummy

1 Answer

If it is happening too often and repeatedly, it is most likely a bot. The first thing is, if it is not important to you, try to use as few query-string URLs as possible; instead use myPage.php/3, where the 3 will be internally rewritten by your server or front controller. I am not saying it will solve your problem, but it will save you from giving your variable names to the internet.

And for now you should block any access which tries to input the patterns you mentioned above. Create a regex which matches the above input patterns and block them or warn them, whatever you feel. Don't do it manually if they are bots.

Abhishek Gurjar
  • Thank you for your response. I will block access. I will also start rewriting to limit my use of appended queries. In the meantime, instead of a regex (which might only work for this particular user and not others), would it be better to white-list the query strings, and if a query is entered which isn't on the whitelist, instruct the page to die, or something like this: `$white_list = array('e', 't', 'c'); if (!in_array($some_query, $white_list, true)) { die("Sorry. Page could not be loaded."); }` – Dummy May 13 '17 at 13:55
  • Mmmhhh, by regex I mean that you should match the patterns which are constantly occurring, but at your end choose whatever is best for you :). – Abhishek Gurjar May 13 '17 at 14:44
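As an added example (this is not code from the question or the answer above), the following PHP script shows how a handler for myPage.php can combine the two ideas in the thread: the whitelist from the comment (here: "subject" must be a positive integer) is the actual security boundary, a prepared statement makes anything that slips through harmless, and the answer's pattern match is used only to count and block repeat probers. The table and column names ("subjects", "id", "title"), the in-memory SQLite database, the client IP addresses and the failure threshold of 3 are all assumptions made for the example; the probe strings are the ones quoted in the question.

```php
<?php
// Added example, not part of the original question or answer.
// Assumptions: "subject" is a positive integer; table "subjects"
// (id, title) is hypothetical; SQLite in memory stands in for the real
// database so the script runs offline; threshold of 3 is illustrative.

declare(strict_types=1);

// Tokens seen in the probes from the question. Matched after the value is
// URL-decoded and case-folded, so "SlEEp%283%29" and "1%3D1" are caught.
// This is for logging and blocking only; it is NOT the injection defence.
const SQLI_PATTERN = '/\b(sleep|benchmark|union|select|and|or)\b\s*[(\d]|[\'";]|--|\/\*|&&|\|\||\b1\s*[=<>]\s*1\b/i';

/**
 * Classify a "subject" value as PHP hands it to the script in $_GET
 * (already URL-decoded). Returns:
 *   "ok"      - a positive integer, safe to use
 *   "suspect" - not an integer and it matches an injection-style pattern
 *   "invalid" - not an integer, no attack pattern (typo, float, etc.)
 */
function classifySubject(string $value): string
{
    $opts = ['options' => ['min_range' => 1]];
    if (filter_var($value, FILTER_VALIDATE_INT, $opts) !== false) {
        return 'ok';
    }
    return preg_match(SQLI_PATTERN, $value) === 1 ? 'suspect' : 'invalid';
}

/**
 * Count one failed request for a client and report whether it has reached
 * the threshold. $store is an in-memory array keyed by client identifier
 * (IP or session id); in production keep it in the session or a shared
 * cache with an expiry window so old failures age out.
 */
function recordFailure(array &$store, string $client, int $threshold = 3): bool
{
    $store[$client] = ($store[$client] ?? 0) + 1;
    return $store[$client] >= $threshold;
}

/**
 * Look the subject up with a bound parameter: the value can never change
 * the SQL text, so even a missed pattern cannot become an injection.
 */
function lookupSubject(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM subjects WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['title'];
}

// --- demo ---------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subjects (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO subjects VALUES (3, 'Third subject')");

// Constructed sample: the raw query-string values from the question, all
// attributed to one (made-up) client IP. PHP would decode these before
// populating $_GET, so rawurldecode() below only simulates that step.
$requests = [
    ['198.51.100.7', '3'],
    ['198.51.100.7', '3%26%26SlEEp%283%29'],
    ['198.51.100.7', '3%20AND%201=1'],
    ['198.51.100.7', '3%20and%201%3E1'],
    ['198.51.100.7', '32121121121212.1'],
];

$failures = [];
foreach ($requests as [$ip, $raw]) {
    $value = rawurldecode($raw);
    $verdict = classifySubject($value);
    if ($verdict === 'ok') {
        $title = lookupSubject($db, (int) $value);
        printf("%s subject=%s -> %s\n", $ip, $raw, $title ?? 'not found');
        continue;
    }
    // Anything that is not a plain integer is a failed request, whether
    // it looks like an attack or just a typo; only the verdict changes
    // what you log.
    $blocked = recordFailure($failures, $ip);
    printf("%s subject=%s -> %s%s\n", $ip, $raw, $verdict,
        $blocked ? ' (threshold reached, block client)' : '');
}
```

Run it with `php` on the command line; it needs the pdo_sqlite extension, which ships with most PHP builds. In the real handler you would pass `$_GET['subject']` straight to `classifySubject()` without the `rawurldecode()` call, since PHP has already decoded it. The important design point is the order of defences: the integer check (or the comment's whitelist) rejects every probe in the question before any SQL is built, the prepared statement guarantees that a missed case still cannot alter the query, and the pattern match plus failure counter only decide whether a client is worth blocking, so a too-narrow regex degrades to missed logging rather than to a compromise.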