Search string is banning IP at DK

George Jaros

Posted on 12/02/2024 19:14:47

We had a client that reported an issue with a customer getting a 403 error and then not being able to access the site. They were entering a value into a form that turned out was getting their IP banned, I'm guessing because it was being falsely flagged as a SQL injection attack. We have been able to replicate this by searching for the value that they had entered.

This is the value that was being passed by the form that also results in getting banned when searched:

4601 CVR 36'' x 96'' US26d'’ MLRXLM

There are several issues with this search phrase, including the right single quote mark (hex character 0x92) included after the apostraophe after US26d, plus the person using two apostrophes to search for inches instead of a double quote. After a bit of trial and error and testing I found that the cause of the flag is having two single quotes (apostrophes) followed by any text and then a third single quote (apostrophe) in the search term. So something like this also causes the ban:

''test'

''test''

36'' x 96''

However, these don't cause the ban:

'''

'test''

Is this something that can be handled since they are legitimate (if poorly formed) search terms and not SQL injection attacks? Or do we just have to tell the client that their customer entered invalid characters that were flagged as a security risk and hope they can educate their users better?

Replies

George Jaros

Posted on 12/02/2024 19:39:27

For some reason this also results in getting banned:

4601 CVR 36" x 96" US26d MLRXLM

Nicolai Pedersen

Posted on 19/02/2024 17:35:20

Hi George

There are some complicated rules related to the scanning - you can see in monitoring which rule it was (hard to read as it is regex) and can be tested on i.e. regexr.com why.

But you can mark the name of the field on the whitelist in security: https://doc.dynamicweb.com/documentation-9/platform/advanced-settings/web-and-http#3518

Thet Nong Phu

Posted on 06/08/2024 07:23:47

Dear Nicolai,

Our customer facing the same issue of query string searches. We have added the field name “Search” to the whitelist, but we are still encountering problems with banned IPs. Could you please advise on how we can resolve this issue?

searchpage?Search=Women%27s%20Shirt%27s

Nicolai Pedersen

Posted on 06/08/2024 11:09:21

Have you removed the already banned IPs?

Delete the /Files/System/_BannedIps.txt file.

If this is not it, I need a link to investigate your settings.

Ya Min Thu

Posted on 07/08/2024 10:28:51

Dear Nicolai,

We have removed the banned IPs from the list and deleted the BannedIps.txt file, but the IPs are still being blocked. You can log in using the link below. If you need backend credentials, please contact me via WhatsApp at +9596885020.

Best regards,

Yamin

Nicolai Pedersen

Posted on 07/08/2024 10:50:23

Hi Yamin

I changed your settings to not include spaces for the field parameters:

Ya Min Thu

Posted on 07/08/2024 11:25:05

Dear Nicolai,

We tried again on the frontend, but the IP is still banned.

Best Regards,

Yamin

Nicolai Pedersen

Posted on 07/08/2024 12:20:55

This post has been marked as an answer

Hi Yamin

You have some querystring parameters related to the typeahead that is missing from the field section:

Seems like you need to add 'searchkey' and 'key' querystring parameters to the list of skipped fields.

Votes for this answer: 1

Ya Min Thu

Posted on 08/08/2024 13:26:45

Dear Nicolai,

We have added those query string parameters to the list of skipped fields, and it's working now. Thank you so much for your suggestion.

Best regards,

Yamin (Support Team)

Nicolai Pedersen

Posted on 08/08/2024 15:42:14

Great!

Glad you made it work.

You must be logged in to post in the forum

Developer forum

Search string is banning IP at DK

Replies