Skip to content

Better exploit blocking #4771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
Open

Better exploit blocking #4771

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
79b12e8
Initial plan
Copilot Sep 19, 2025
21e1697
Significantly enhance block-exploits.conf with comprehensive security…
Copilot Sep 19, 2025
dd2e443
Remove overly restrictive rules based on feedback - PUT/DELETE method…
Copilot Sep 19, 2025
2185b82
Refine security patterns: reduce false positives in null byte detecti…
Copilot Sep 19, 2025
85d3917
Merge pull request #1 from fuomag9/copilot/fix-8ec03630-c3d1-4216-a4b…
fuomag9 Sep 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
245 changes: 228 additions & 17 deletions docker/rootfs/etc/nginx/conf.d/include/block-exploits.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
## Block SQL injections
set $block_sql_injections 0;

# Traditional SQL injection patterns
if ($query_string ~ "union.*select.*\(") {
set $block_sql_injections 1;
}
Expand All @@ -13,17 +14,49 @@ if ($query_string ~ "concat.*\(") {
set $block_sql_injections 1;
}

# Enhanced SQL injection patterns
if ($query_string ~ "(select|insert|update|delete|drop|create|alter|exec|execute).*[\s\(]") {
set $block_sql_injections 1;
}

if ($query_string ~ "(or|and).*[\s]*[0-9]+[\s]*[=<>]+[\s]*[0-9]+") {
set $block_sql_injections 1;
}

if ($query_string ~ "[\s]*['\"`][\s]*(or|and)[\s]*['\"`][\s]*[=<>]") {
set $block_sql_injections 1;
}

if ($query_string ~ "information_schema|mysql\.user|pg_user|pg_shadow") {
set $block_sql_injections 1;
}

if ($query_string ~ "(sleep|benchmark|waitfor)\s*\(") {
set $block_sql_injections 1;
}

# NoSQL injection patterns (MongoDB, CouchDB, etc.)
if ($query_string ~ "(\$ne|\$gt|\$gte|\$lt|\$lte|\$regex|\$where)") {
set $block_sql_injections 1;
}

if ($query_string ~ "javascript:|constructor|prototype|__proto__") {
set $block_sql_injections 1;
}

if ($block_sql_injections = 1) {
return 403;
}

## Block file injections
set $block_file_injections 0;

if ($query_string ~ "[a-zA-Z0-9_]=http://") {
# Remote file inclusion
if ($query_string ~ "[a-zA-Z0-9_]=(https?|ftp|ftps|file|data|php|expect|gopher)://") {
set $block_file_injections 1;
}

# Directory traversal - enhanced patterns
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
}
Expand All @@ -32,17 +65,60 @@ if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}

# Additional traversal patterns
if ($query_string ~ "(\.\./)|(\.\.\\\\)|(\.\.%2f)|(\.\.%5c)") {
set $block_file_injections 1;
}

if ($query_string ~ "(\.\.%252f)|(\.\.%255c)|(%2e%2e%2f)|(%2e%2e%5c)") {
set $block_file_injections 1;
}

# Windows system files
if ($query_string ~ "(boot\.ini)|(win\.ini)|(system\.ini)|(\.\.\\\\windows)") {
set $block_file_injections 1;
}

# Unix system files
if ($query_string ~ "(\/etc\/passwd)|(\/etc\/shadow)|(\/etc\/hosts)") {
set $block_file_injections 1;
}

# Null bytes and dangerous encoding attacks
if ($query_string ~ "(%00|%0a%0d|%0d%0a)") {
set $block_file_injections 1;
}

if ($block_file_injections = 1) {
return 403;
}

## Block common exploits
set $block_common_exploits 0;

# XSS protection - enhanced patterns
if ($query_string ~ "(<|%3C).*(script|iframe|object|embed|applet|meta|link|form|input|img).*(\s|%20).*(>|%3E)") {
set $block_common_exploits 1;
}

if ($query_string ~ "(javascript|vbscript|onload|onerror|onclick|onmouseover|onfocus|onblur|onchange|onsubmit):") {
set $block_common_exploits 1;
}

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}

# Enhanced XSS vectors
if ($query_string ~ "(document\.|window\.|eval\(|setTimeout\(|setInterval\(|function\s*\()") {
set $block_common_exploits 1;
}

if ($query_string ~ "(expression\s*\(|url\s*\(|@import|behaviour:)") {
set $block_common_exploits 1;
}

# PHP globals and superglobals
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
Expand All @@ -51,6 +127,11 @@ if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}

if ($query_string ~ "(_GET|_POST|_COOKIE|_SESSION|_FILES|_SERVER|_ENV)(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}

# System information disclosure
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
Expand All @@ -59,46 +140,49 @@ if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}

# Encoding attacks
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}

if ($block_common_exploits = 1) {
return 403;
# Command injection patterns
if ($query_string ~ "(`|%60|\$\(|%24%28|\|\||%7C%7C|&&|%26%26|;|%3B)") {
set $block_common_exploits 1;
}

## Block spam
set $block_spam 0;

if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $block_spam 1;
if ($query_string ~ "(cat|ls|pwd|id|whoami|uname|nc|netcat|wget|curl|ping)\s") {
set $block_common_exploits 1;
}

if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $block_spam 1;
# LDAP injection
if ($query_string ~ "(\*\)|\(\||\&\(|\|\()") {
set $block_common_exploits 1;
}

if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $block_spam 1;
# XML/XXE attacks
if ($query_string ~ "(!DOCTYPE|!ENTITY|SYSTEM|PUBLIC|xmlns)") {
set $block_common_exploits 1;
}

if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $block_spam 1;
# Server-side template injection
if ($query_string ~ "(\{\{|\}\}|\{%|%\}|\$\{|\}$)") {
set $block_common_exploits 1;
}

if ($block_spam = 1) {
if ($block_common_exploits = 1) {
return 403;
}

## Block user agents
## Block malicious user agents
set $block_user_agents 0;

# Original user agents
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}

# Common bandwidth hoggers and hacking tools.
# Common bandwidth hoggers and hacking tools
if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
Expand Down Expand Up @@ -131,6 +215,133 @@ if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}

# Enhanced malicious bots and tools
if ($http_user_agent ~ "(sqlmap|nmap|masscan|zmap|nikto|dirb|dirbuster|gobuster)") {
set $block_user_agents 1;
}

if ($http_user_agent ~ "(havij|pangolin|sqlninja|bbqsql|NoSQLMap|commix)") {
set $block_user_agents 1;
}

if ($http_user_agent ~ "(nessus|openvas|nexpose|metasploit|burpsuite|owasp.zap)") {
set $block_user_agents 1;
}

if ($http_user_agent ~ "(w3af|skipfish|arachni|wpscan|joomscan|cms.scanner)") {
set $block_user_agents 1;
}

if ($http_user_agent ~ "(hydra|brutus|medusa|ncrack|john.ripper|hashcat)") {
set $block_user_agents 1;
}

# Scrapers and harvesters
if ($http_user_agent ~ "(harvest|extract|scrape|spider|crawl|bot).*email") {
set $block_user_agents 1;
}

if ($http_user_agent ~ "(winhttp|urllib|python-requests|curl).*script") {
set $block_user_agents 1;
}

# Suspicious patterns
if ($http_user_agent ~ "^-$|^$|^\.$") {
set $block_user_agents 1;
}

if ($http_user_agent ~ "(<|>|\||&|'|\"|;|\$|\(|\)|`|\{|\})") {
set $block_user_agents 1;
}

# Common attack frameworks
if ($http_user_agent ~ "(exploit|payload|shellcode|backdoor|webshell)") {
set $block_user_agents 1;
}

if ($block_user_agents = 1) {
return 403;
}

## Block suspicious request methods
set $block_methods 0;

if ($request_method ~ "^(TRACE|TRACK|DEBUG|OPTIONS|CONNECT)$") {
set $block_methods 1;
}

if ($block_methods = 1) {
return 405;
}

## Block suspicious headers
set $block_headers 0;

if ($http_x_forwarded_for ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|SCRIPT|IFRAME|OBJECT|EMBED)") {
set $block_headers 1;
}

if ($http_referer ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
set $block_headers 1;
}

if ($http_cookie ~ "(SELECT|INSERT|UPDATE|DELETE|UNION|<script|javascript:|vbscript:)") {
set $block_headers 1;
}

# Block requests with suspicious Host headers
if ($host ~ "[\x00-\x20\x7f-\xff]") {
set $block_headers 1;
}

if ($block_headers = 1) {
return 403;
}

## Block excessive request size (basic DoS protection)
set $block_size 0;

if ($content_length ~ "^[0-9]{8,}$") {
set $block_size 1;
}

if ($block_size = 1) {
return 413;
}

## Block requests with too many parameters (potential DoS)
set $block_params 0;

if ($args ~ "^([^&]*&){50,}") {
set $block_params 1;
}

if ($block_params = 1) {
return 403;
}

## Block protocol attacks
set $block_protocol 0;

# HTTP Request Smuggling patterns
if ($http_transfer_encoding ~ "chunked.*chunked") {
set $block_protocol 1;
}

if ($http_content_length ~ "^[0-9]+.*[0-9]+$") {
set $block_protocol 1;
}

# Block requests with null bytes in URI
if ($request_uri ~ "[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]") {
set $block_protocol 1;
}

# Block requests with control characters
if ($request_uri ~ "%00|%0a|%0d|%27|%3c|%3e|%00") {
set $block_protocol 1;
}

if ($block_protocol = 1) {
return 400;
}