What HTTP code should be sent in response to a suspected malicious request

Tags: http-headers

So say I find that I'm getting requests to my web application that are obviously SQL injection attacks or similar. I write a short test to check request variables for "naughty" strings. If I find one, what code ought I to respond with?

I'm thinking of returning "403 Forbidden" and no content, but I'm not sure.

Alex asked Sep 06 '25 23:09


2 Answers

I would think 403 Forbidden means that the resource shouldn't be accessed.

I'd thus use 400 Bad Request instead. After all, the user is allowed to the page so long as they're making a legitimate request.

Dan answered Sep 11 '25 01:09


http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
To me the '400: Bad request' seems the most logical option.

Edit: Maybe it depends more on the context.

If it's really impossible to continue your script, return the 400 or 404 code.

In all other situations, the user (hacker) shouldn't be notified when your code 'detects' a malicious attempt. Your validation should be of the kind that detects invalid input, not malicious attempts.

The only exception is brute-force attacks (more information on how to prevent those at Preventing Brute Force Logins on Websites).

E.g.:
If your form contains a text box for username and the user (hacker) tries to login/register with some sort of quoted SQL statement, your validation should automatically state 'Invalid username'.

On the other hand, for login purposes, you should secure your application against brute-force attacks with the options stated in the link.

Nullius answered Sep 11 '25 01:09
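The two answers above agree on the practical point: reject the request with 400 Bad Request and give the client the same generic response for a malformed username as for one that looks like an injection attempt, while keeping any "this looked malicious" signal on the server side. The following is an added example, not code from the question or either answer, written as a small WSGI login endpoint. The allow-list pattern, the `SUSPICIOUS_RE` fragments used only for logging, the `validate_login` and `login_app` names and the sample query strings are all assumptions made up for the illustration.

```python
import logging
import re
from typing import Tuple
from urllib.parse import parse_qs

# Constructed allow-list: a username is 3-32 characters of letters, digits, '_' or '.'.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{3,32}")

# Hypothetical "naughty string" detector. It only feeds the server-side log;
# it never changes the status code or body the client receives.
SUSPICIOUS_RE = re.compile(r"(['\";]|--|/\*|\bunion\b|\bselect\b)", re.IGNORECASE)

# Generic response used for every rejected username, malformed or suspicious alike.
INVALID_USERNAME = (400, b"Invalid username")

STATUS_LINE = {200: "200 OK", 400: "400 Bad Request"}

log = logging.getLogger("input-validation")


def validate_login(username: str, client_ip: str) -> Tuple[int, bytes]:
    """Return (HTTP status, body) for a login attempt.

    Validation is allow-list based: anything outside the permitted shape is
    rejected as invalid input. A suspicious-looking value is additionally
    logged for the defenders, but the client sees exactly the same 400.
    """
    if USERNAME_RE.fullmatch(username) is None:
        if SUSPICIOUS_RE.search(username):
            log.warning("suspicious username from %s: %r", client_ip, username)
        return INVALID_USERNAME
    # Real credential checking would happen here; the example stops at input validation.
    return 200, b"OK"


def login_app(environ, start_response):
    """Minimal WSGI application reading ?username=... from the query string."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    username = params.get("username", [""])[0]
    client_ip = environ.get("REMOTE_ADDR", "unknown")
    status, body = validate_login(username, client_ip)
    start_response(
        STATUS_LINE[status],
        [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))],
    )
    return [body]


def call_login(query_string: str, client_ip: str = "203.0.113.5") -> Tuple[str, bytes]:
    """Invoke login_app in-process and return (status line, body); handy for tests."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(login_app({"QUERY_STRING": query_string, "REMOTE_ADDR": client_ip},
                              start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed sample requests: one valid, one too short, one quoted SQL fragment.
    for qs in ("username=alice_01", "username=ab", "username=%27+OR+1%3D1+--"):
        print(qs, "->", call_login(qs))
```

Running the block shows that the too-short name and the quoted SQL fragment produce byte-for-byte identical responses (`400 Bad Request`, `Invalid username`); only the server log distinguishes them, which is where a rate limiter or brute-force lockout would pick the signal up.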


