Looking for help!
NAME
Plack::Middleware::Security::Common - A simple security filter for Plack with common rules.
VERSION
version v0.12.0
SYNOPSIS
use Plack::Builder;
# import rules
use Plack::Middleware::Security::Common;
builder {
enable "Security::Common",
rules => [
archive_extensions, # block .tar, .zip etc
cgi_bin, # block /cgi-bin
script_extensions, # block .php, .asp etc
unexpected_content, # block GET with body params
...
];
...
};
DESCRIPTION
This is an extension of Plack::Middleware::Security::Simple that provides common filtering rules.
Most of these rules don't directly improve the security of your web application: they simply block common exploit scanners from getting past the PSGI layer.
Note that they cannot block any exploits of proxies that are in front of your PSGI application.
See "EXPORTS" for a list of rules.
You can create exceptions to the rules by adding qualifiers, for example, you want to block requests for archives, except in a /downloads folder, you could use something like
builder {
enable "Security::Common",
rules => [
-and => [
-notany => [ PATH_INFO => qr{^/downloads/} ],
-any => [ archive_extensions ],
],
...
];
...
};
Note that the rules return an array of matches, so when qualifying them you will need to put them in an array reference.
EXPORTS
archive_extensions
This blocks requests with common archive file extensions in the path or query string.
backup_files
This includes "misc_extensions" plus filename suffixes associated with backup files, e.g. example.com-database.zip.
Added in v0.8.0.
cgi_bin
This blocks requests that refer to the cgi-bin
directory in the path or query string, or a cgi_wrapper
script.
cms_prefixes
This blocks requests that refer to directories with common CMS applications, libraries, or web servers.
Added in v0.8.0.
document_extensions
This blocks requests for file extensions associated with common document formats, e.g. Office documents or spreadsheets.
This does not include audio, video or image files.
If you provide downloads for specific files, then you may need to add exceptions for this rule based on the file type and path.
Added in v0.9.2.
dot_files
This blocks all requests that refer to dot-files or ..
, except for the /.well-known/ path.
exchange_prefixes
This blocks paths associated with Exchange servers.
fake_extensions
This blocks requests with fake extensions, usually done with image extensions, e.g. /some/path;.jpg.
Added in v0.5.1.
header_injection
This blocks requests that attept to inject a header in the response. e.g. GET /%20HTTP/1.1%0d%0aX-Auth:%20accepted%0d%0a
.
Any path with an HTTP protocol suffix or newline plus carriage return will be rejected.
Added in v0.7.0.
ip_address_referer
This blocks all requests where the HTTP referer is an IP4 or IP6 address.
Added in v0.5.0.
misc_extensions
This blocks requests with miscellenious extensions in the path or query string.
This includes common extensions and suffixes for backups, includes or configuration files.
non_printable_chars
This blocks requests with non-printable characters in the path.
null_or_escape
This blocks requests with nulls or escape chatacters in the path or query string.
protocol_in_path_or_referer
This blocks requests that have non-web protocols like file
, dns
, jndi
, unix
, ldap
or php
in the path, query string or referer.
Added in v0.5.1.
require_content
This blocks POST or PUT requests with no content.
This was added in v0.4.1.
script_extensions
This blocks requests that refer to actual scripts or source code file extension, such as .php
or .asp
. It will also block requests that refer to these scripts in the query string.
script_injection
This block requests that inject scripts using data-URLs.
system_dirs
This blocks requests that refer to system or metadata directories in the path or query string.
unexpected_content
This blocks requests with content bodies using methods that don't normally have content bodies, such as GET or HEAD.
Note that web sites which do not differentiate between query and body parameters can be caught out by this. An attacker can hit these website with GET requests that have parameters that exploit security holes in the request body. The request would appear as a normal GET request in most logs.
webdav_methods
This blocks requests using WebDAV-related methods.
wordpress
This blocks requests for WordPress-related pages.
SOURCE
The development version is on github at https://github.com/robrwo/Plack-Middleware-Security-Simple and may be cloned from git://github.com/robrwo/Plack-Middleware-Security-Simple.git
BUGS
Please report any bugs or feature requests on the bugtracker website https://github.com/robrwo/Plack-Middleware-Security-Simple/issues
When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.
Suggestions for new rules or improving the existing rules are welcome.
AUTHOR
Robert Rothenberg <rrwo@cpan.org>
COPYRIGHT AND LICENSE
This software is Copyright (c) 2014,2018-2024 by Robert Rothenberg.
This is free software, licensed under:
The Artistic License 2.0 (GPL Compatible)