Security Defenses

Member Login

Home

Server Security

Web Crawler Protection

Wednesday, 13 July 2011 08:06

This documentation is written in the regard of keeping your web locations safe from web crawlers which may crawl your location in order to mirror and dissect your web location / technology used in the writing of the web location. This information can be used to penetrate into your web applications in order to directly effect your web site.

Web Crawler applications (not those run from search engines) can pose a security risk on your organizational web locations. Web crawlers are utilized by attackers to mirror web locations in order to search for hidden field comments, e-mail addresses, phone numbers, hidden form values, links to additional servers and more. This information can then be extracted for use during an attack.

What attackers normally look for when they begin a web crawl is 3 basic implementations. Of those implementations include: Contacts, hidden form values and web comments. However, this information can be used for the following (of the first two) Social Engineering, spamming, and targeting of specific targets of the web location. The last mentioned, can be used to gain further information such as: user names, and passwords, a general idea of how the code was written (a code road map if you will), and in turn can lead to using the source code against the web server in order to access areas a normal user shouldn't have access, and to further penetrate into the server.

The entire point of web crawling is to assemble the information locally in an IIS or Apache web server as so the attacker can then test the security, before he or she then decides to break into the target. Doing so limits the amount of alarms which can be set off during the actual attack; thus allowing the attacker direct access to a one-time shot at gaining successful access to the location. This is where the protections section of web crawling comes to play. It shall be noted that if implemented incorrectly; the effects of search engines to crawl and index your web location can possibly fail. As, this document is providing that ONLY specific browsers access your web location: Netscape, Mozilla, IE, Safari, Konqueror.

.htaccess Protection:

If you are utilizing the .htaccess files to protect your web site you can implement the following (Provided that RewriteEngine is enabled):

ReWriteEngine on # Mozilla 4/5 Browsers RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ $compatible;\ MSIE\ [3-9]\.[0-9.]+ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ \(Macintosh;\ .+$\ \AppleWebKit/[1-9]\.[0-9.]+\ $KHTML,\ like\ Gecko$\ \Safari/[0-9]{3,8}$ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ $Macintosh;\ I;\ PPC$$ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ $X11;\ U;\ Linux\ i686;\ [a-z]{2}-[A-Z]{2};\ rv:[1-9]\.[0-9.]+$\ Gecko/Debian-[1-9]\.[0-9.]+-[0-9]+\ Galeon/[2-9]\.[0-9.]+\ $Debian\ package\ [2-9]\.[0-9.]+-[0-9]+$$ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ $compatible;\ Konqueror/([0-9]+\.)+[0-9]+.+\ 20[0-9]{6}$$ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ $compatible;\ Konqueror/([0-9]+\.)+[0-9]+;\ Linux$\ $KHTML,\ like\ Gecko$$ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ $.+;\ rv:([0-9]+\.)+[0-9a-z]+$\ Gecko/20[0-9]{6} RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[4-5]\.[0-9]+\ WebTV/([0-9]+\.)+[0-9]+\ $compatible;\ MSIE\ [5-9]\.[0-9]+ # Others RewriteCond %{HTTP_USER_AGENT} !^Avant\ Browser\ \(http://www\.avantbrowser\.com$$ RewriteCond %{HTTP_USER_AGENT} !^Microsoft\ Internet\ Explorer/[34]\.[0-9]{1,2} RewriteCond %{HTTP_USER_AGENT} !^Mozilla/(3\.01¦4\.0)\ $compatible;$$ RewriteCond %{HTTP_USER_AGENT} !^Mozilla/[3-4]\.[0-9]+\ \[[a-z]{2}\](\ $.+$)? RewriteCond %{HTTP_USER_AGENT} !^Mozilla/4\.0\ $PSP\ \(PlayStation\ Portable$;\ [0-9.]+\)$ RewriteCond %{HTTP_USER_AGENT} !^Opera/[5-9]\.[0-9]+ RewriteRule .* - [F]

Demonstrating how to block a web browser by userAgent in .htaccess file.

Javascript Denial:

Some web developers when they want to block user agents, they will employ the usage of javascript code in order to do so. However, the problem with certain javascript applications is that, they cannot provide as much security as the .htaccess files can. And, the security methods employed here can be circumvented by using an application such as wget to get the information, modifying it and replaying it back to the server; Or, downloading the information with wget and then viewing it offline. The javascript code which enables web developers to selectively determine which user agents they want to allow is as follows (This is a basic example and a simpler version does exist. This is just for demonstration purposes.)

if (navigator.userAgent == "Browser_Type_And_Information") { alert("this is ok.") } else { alert("This web browser is not valid."); }

Demonstrating how to block a web browser by userAgent.

To back a success rate of blocking a browser based upon user agent, you should also utilize the .htaccess method mentioned above. Also, be aware that you will also have to include this information inside each of the pages you create. A cheaper way to include this would be to call it from an external JS file so that you can reference it; breaking it out of the onLoad form event.

PHP Denial:

<?php $browser = getenv("HTTP_USER_AGENT"); if ($browser == "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080715 Ubuntu/7.10 (gutsy) Firefox/2.0.0.16") { echo "The browser ".$browser." is allowed"; } else { echo "alert('this web browser is not supported') window.location='http://www.ask.com' "; } ?>

Demonstrating how to block a web browser by userAgent in PHP code.

Last Updated on Friday, 26 August 2011 14:01