undefined | Better HN

0 pointsRiverCrochet1y ago0 comments

That would be in the body of the request. OP is talking about URLs in the actual request, which is part of the header.

While I don't have experience with a great number of WAFs I'm sure sophisticated ones let you be quite specific on where you are matching text to identify bad requests.

As an aside, another "easy win" is assuming any incoming HTTP request for a dotfile is malicious. I see constant unsolicitied attempts to access `.env`, for example.

0 comments

2 comments · 2 top-level

berkes1y ago

A lot of modern standards rely on .well-known urls to convey abilities, endpoints, related services and so on.

In my case, I never run anything PHP so I'll just plain block out anything PHP (same for python, lua, activedirectory etc). And, indeed, .htaccess, .env etc. A rather large list of hardcoded stuff that gets an instant-ban. It drops the bot-traffic with 90% or more.

These obviously aren't targeted attacks. Protecting against those is another issue alltogether.

josephcsible1y ago

When legitimate users viewed that forum post, their browsers would, in the course of loading the image, attempt to HTTP GET /phpmyadmin/whatever.png, with that being the URL in the actual request in the header.

j / k navigate · click thread line to collapse