So say I find that I'm getting requests to my web application that are obviously SQL injection attacks or similar. I write a short test to check request variables for "naughty" strings. If I find one, what code ought I to respond with?
I'm thinking of returning "403 Forbidden" and no content, but I'm not sure.
I would think 403 Forbidden means that the resource shouldn't be accessed. I'd thus use 400 Bad Request instead. After all, the user is allowed to access the page so long as they're making a legitimate request.
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
To me the '400: Bad request' seems the most logical option.
Edit: Maybe it depends more on the context.
If it's really impossible to continue your script, return the 400 or 404 code.
In all other situations, the user (hacker) shouldn't be notified when your code 'detects' a malicious attempt. Your validation should be of the kind that detects invalid input, not malicious attempts.
The only exception is brute-force attacks (more information on how to prevent those at Preventing Brute Force Logins on Websites).
E.g.:
If your form contains a text box for username and the user (hacker) tries to login/register with some sort of quoted SQL statement, your validation should automatically state 'Invalid username'.
On the other hand, for login purposes, you should secure your application against brute-force attacks with the options stated in the link.
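The pattern this answer describes, as an added example that is not part of the original post: a login handler that rejects anything that isn't a well-formed username with a plain 400 and a generic "Invalid username" body, records the rejected value only in the server-side log, and binds the username as a query parameter so that even input which slips past the validator is treated as data rather than SQL. The username policy (3 to 32 characters from a small allowlist), the in-memory SQLite table, the `alice`/`secret` row and the plaintext password column are all constructed for the demo; a real application stores a password hash.

```python
import hmac
import logging
import re
import sqlite3
from dataclasses import dataclass

log = logging.getLogger("auth")

# Assumed username policy: allowlist of characters, bounded length.
# Anything outside this shape is "invalid input", whether or not it
# looks like an injection attempt; the client is not told which.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


@dataclass
class Response:
    status: int
    body: str


def validate_username(username):
    """Return None when the value is acceptable, else the generic client message."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return "Invalid username"
    return None


def build_db():
    """Constructed sample database: one user, plaintext password for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "secret"))
    conn.commit()
    return conn


def lookup_password(conn, username):
    """Parameterized lookup: the username is bound as data, never spliced into SQL.

    A value such as "' OR 1=1 --" simply matches no row.
    """
    row = conn.execute(
        "SELECT pw FROM users WHERE name = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def login(conn, form):
    """Handle a login form (a dict of request variables) and return a Response."""
    username = form.get("username", "")
    password = form.get("password", "")

    problem = validate_username(username)
    if problem:
        # Server side only: keep the evidence for your own review.
        # The client sees 400 and a message that reveals nothing about detection.
        log.warning("rejected login attempt, username=%r", username)
        return Response(400, problem)

    stored = lookup_password(conn, username)
    # Same response for unknown user and wrong password; constant-time compare.
    if stored is None or not hmac.compare_digest(stored, password):
        return Response(401, "Invalid username or password")
    return Response(200, "Welcome " + username)


if __name__ == "__main__":
    db = build_db()
    for attempt in ({"username": "' OR 1=1 --", "password": "x"},
                    {"username": "alice", "password": "secret"}):
        r = login(db, attempt)
        print(attempt["username"], "->", r.status, r.body)
```

The check is an allowlist on the shape of a username, not a blocklist of "naughty" strings; the parameterized query is the layer that actually prevents injection, and the 400 path only keeps obviously malformed input out of the application logic.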