How to Block Bad Queries with CloudFlare Firewall Rules

A malicious query string is a type of attack that targets web applications by injecting malicious code into query strings that are sent to a web server.

Malicious query strings can be used to execute arbitrary code, steal sensitive data, and perform other types of malicious activities. They can also be used to bypass security controls, such as input validation and authentication, and to exploit vulnerabilities in web applications.

I am such a big Cloudflare fan and that’s what I use to stop most attacks.

These are my thoughts about dealing with malicious query strings using Cloudflare Firewall Rules.


Blocking Access to PHP Files

All sites are different, and I can't guarantee that my firewall rules won't conflict with features provided by other plugins and services.

But let me tell you this: if you are a blogger and your site is 100% dedicated to providing informational content, you can safely block access to PHP files.

If you do that, you will block lots of malicious query string attacks by blocking access to files that are not meant to be used by real visitors.

All my site visitors will get blocked when trying to access these URLs:

Path: /l.php
Query string: ?u=//newmax.click

Path: /index.php
Query string: ?s=/index/index/xxx/${print(md5(123))}

Path: /site/wp-commentin.php
Query string: ?pass=f0aab4595a024d626315fb786dce8282

If you follow this recommendation, you don’t really need to worry about what the malicious query string is.

In this example, a user wants to block a malicious query string, which is fine, but that could also have been dealt with at the URI Path level by simply blocking access to PHP files.

This is just to illustrate a point; not all users can or want to block direct access to PHP files.

Challenging HTTP Versions

Another way to stop lots of malicious requests is by blocking or issuing a managed challenge to all requests using these HTTP versions:

HTTP/1.0
HTTP/1.1

According to my stats, more than 95% of bad requests come from bots using these two HTTP versions.

Having said that, you have to be careful with this approach since you don’t want to block good bots.

According to my stats, 97% of requests made using one of those versions didn’t pass the managed challenge issued by Cloudflare.

If you want to use this approach, you might want to create a rule for exceptions when a good bot or user agent is challenged.

Blocking Query Strings

The past two methods block most malicious requests made by bots.

The rules I have created to tackle malicious query strings don't see much action.

If you don’t want to reinvent the wheel, you can build your custom firewall using the 7G Firewall by Perishable Press as a reference.

Building the firewall is easy: you just have to add a keyword present in the Query String.

Query Strings Firewall Rules

Use “or” to keep adding more keywords.

In case you want to use the expression editor, you might want to use this code and modify it.

(http.request.uri.query contains "concat") or
(http.request.uri.query contains "alter") or
(http.request.uri.query contains "update") or
(http.request.uri.query contains "union") or
(http.request.uri.query contains "set") or
(http.request.uri.query contains "select") or
(http.request.uri.query contains "script") or
(http.request.uri.query contains "md5") or
(http.request.uri.query contains "drop") or
(http.request.uri.query contains "declare") or
(http.request.uri.query contains "cast") or
(http.request.uri.query contains "eval") or
(http.request.uri.query contains "root") or
(http.request.uri.query contains "passthru") or
(http.request.uri.query contains "phpinfo") or
(http.request.uri.query contains "benchmark") or
(http.request.uri.query contains "convert") or
(http.request.uri.query contains "create") or
(http.request.uri.query contains "encode")
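As an added example (not code from the original post), here is a small Python model of the three rules described so far, the PHP-path block, the HTTP/1.0 and HTTP/1.1 challenge and the keyword list, written so the logic can be tried on constructed requests before it is deployed. The comments mirror Cloudflare's http.request.uri.path, http.request.uri.query and http.request.version fields; the order in which the rules are evaluated is an assumption.

```python
from dataclasses import dataclass

# Keyword list copied from the expression in the post.
KEYWORDS = ["concat", "alter", "update", "union", "set", "select", "script",
            "md5", "drop", "declare", "cast", "eval", "root", "passthru",
            "phpinfo", "benchmark", "convert", "create", "encode"]

@dataclass
class Request:
    """Constructed sample request: the three fields the post's rules look at."""
    path: str          # models http.request.uri.path
    query: str         # models http.request.uri.query (no leading "?")
    http_version: str  # models http.request.version, e.g. "HTTP/1.1"

def block_php(req: Request) -> bool:
    """Rule 1: block any request for a .php file (only safe on a site where
    visitors never need to hit PHP directly, as the post notes)."""
    return req.path.lower().endswith(".php")

def challenge_old_http(req: Request) -> bool:
    """Rule 2: managed challenge for HTTP/1.0 and HTTP/1.1 clients."""
    return req.http_version in ("HTTP/1.0", "HTTP/1.1")

def keyword_hits(req: Request, case_insensitive: bool = False) -> list:
    """Rule 3: the `contains` list. Cloudflare's `contains` is a case-sensitive
    substring test; case_insensitive=True models lower(http.request.uri.query)."""
    q = req.query.lower() if case_insensitive else req.query
    return [k for k in KEYWORDS if k in q]

def evaluate(req: Request, case_insensitive: bool = False) -> str:
    """Action the rule set takes. Block rules run before the challenge rule,
    which is an assumed ordering, not one the post specifies."""
    if block_php(req):
        return "block (php path)"
    hits = keyword_hits(req, case_insensitive)
    if hits:
        return "block (keywords: " + ",".join(hits) + ")"
    if challenge_old_http(req):
        return "managed_challenge"
    return "allow"

if __name__ == "__main__":
    samples = [  # constructed requests; the first two paths come from the post
        Request("/l.php", "u=//newmax.click", "HTTP/1.0"),
        Request("/index.php", "s=/index/index/xxx/${print(md5(123))}", "HTTP/1.1"),
        Request("/blog/", "offset=10", "HTTP/2"),           # "set" false positive
        Request("/blog/", "q=1 UNION SELECT 1", "HTTP/2"),  # upper case slips past
    ]
    for r in samples:
        print(r.path, r.query, "->", evaluate(r), "| lowercased:", evaluate(r, True))
```

Running it shows the two caveats of a plain `contains` list: a harmless `?offset=10` is blocked because `set` is a substring of it, and an upper-case `UNION SELECT` is not matched unless the query is first lowercased with Cloudflare's lower() function.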

Redirect Bad Queries

If you have already run out of rules and can't add one more keyword, you can redirect query strings to a static URL you know your firewall is blocking.

For example:

If a visitor includes “md5” in a query string, I am gonna redirect that bot to “https://example.com/badqueries.php” and that bot is gonna get blocked because I am blocking all access to all PHP files.

Redirect Bad Queries using CloudFlare

Have fun messing with bots

What Strings is the 7G Firewall Blocking?

These are the strings that are being blocked by the basic 7G Firewall:

../  127.0.0.1  localhost
loopback  javascript:  @copy
@eval  eval(  base64(
base64_  mod=.  path=.
/config.  mosconfig  wp-config.php
benchmark(  concat(  phpinfo()
select  select(  shell_exec(
sleep(  union(  etc/passwd
self/environ  timthumb  fckeditor
revslider  indoxploi  xrumer
allow_url_include  auto_prepend_file  curl_exec
disable_functions  document_root  execute
fgets  file_get_contents  file_put_contents
fputs  fsockopen  fwrite
gethostbyname  input_file  outfile
open_basedir  passthru  phpshell
proc_open  remoteview  root_path
safe_mode  user_func_array

These are the strings that are being blocked by the advanced 7G Firewall:

^<>
[]{
}?`
\@@/=
/$&/://**/
(0x0x3c62723e;!–=
GLOBALS=GLOBALS[GLOBALS%
REQUEST[REQUEST%+select+
+delete++concat++union+
boot.iniwin.ini/makefile
/wwwroot$_env$_files
$_get$_post$_request
$_server$_session/inurl:/
http://https://ftp://
sftp://ftps://php://
phps://

How do I Find Keywords to Block?

You can check the security events on your Cloudflare dashboard and use what you find there to build your custom firewall.

If you are running out of free Cloudflare Firewall Rules, you can monitor live traffic or 404 errors with a security plugin and get rid of the plugin as soon as you think you have a robust firewall.

If you have a small site, you can create a rule to monitor all the traffic to the site and then use the logs to feed your Cloudflare firewall rule.

Based on this event, I think I should block “md5” as recommended by the 7G Firewall by Perishable Press.

Bad Queries - MD5
Manuel Campos, English Professor

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.

© 2024 WP SURFER • Made with Love in Costa Rica