UPDATE 2019: Perfect .htaccess file for high speed and security. You can use it for every WordPress website without problems. High speed and security, tested on hundreds of websites. If you are using a WordPress Multisite, change the last part of this file.
########################################################################
# OPTIMAL .htaccess FILE FOR SPEED AND SECURITY @Version 2019
# ----------------------------------------------------------------------
# @Author: Andreas Hecht
# @Author URI: https://andreas-hecht.com
# License: GNU General Public License v2 or later
# License URI: http://www.gnu.org/licenses/gpl-2.0.html
########################################################################
# ----------------------------------------------------------------------
# Rewrite from HTTP to HTTPS - if you want to use it, uncomment this block
# ----------------------------------------------------------------------
#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#</IfModule>
# ----------------------------------------------------------------------
# | Activate CORS
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|gif|png|jpe?g|svg|svgz|ico|webp)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
# -----------------------------------------------------------------------
# | 404 Fix: Block Nuisance Requests for Non-Existent Files - New in 2018
# https://perishablepress.com/block-nuisance-requests
# -----------------------------------------------------------------------
# Uncomment this block only if you don't use Let's Encrypt, because Let's Encrypt uses .well-known
# If you use Let's Encrypt, you cannot use this, because Let's Encrypt uses .well-known.
#<IfModule mod_alias.c>
# RedirectMatch 403 (?i)\.php\.suspected
# RedirectMatch 403 (?i)\.(git|well-known)
# RedirectMatch 403 (?i)apple-app-site-association
# RedirectMatch 403 (?i)/autodiscover/autodiscover.xml
#</IfModule>
# ----------------------------------------------------------------------
# | Compressing and Caching - Version 2017 |
# ----------------------------------------------------------------------
# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
# HTML - keeps the page in the cache for one hour; new content is shown only after the hour
# has expired. If you don't want that, replace 3600 with 0
ExpiresByType text/html "access plus 3600 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media files
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web fonts
# Embedded OpenType (EOT)
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType font/eot "access plus 1 month"
# OpenType
ExpiresByType font/opentype "access plus 1 month"
# TrueType
ExpiresByType application/x-font-ttf "access plus 1 month"
# Web Open Font Format (WOFF) 1.0
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2 "access plus 1 month"
# Other
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>
<IfModule mod_deflate.c>
# Insert filters / compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/vtt
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/js
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/ld+json
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/font-woff2
AddOutputFilterByType DEFLATE application/x-font-woff
AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
AddOutputFilterByType DEFLATE font/woff
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
# Exception: Images
SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary
# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Make sure proxies don't deliver the wrong content
# (Header is a mod_headers directive; guard it so Apache still starts without that module)
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
#Alternative caching using Apache's "mod_headers", if it's installed.
#Caching of common files - ENABLED
<IfModule mod_headers.c>
<FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|xml|gz)$">
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
# Set Keep Alive Header
<IfModule mod_headers.c>
Header set Connection keep-alive
</IfModule>
# If your server doesn't support ETags, deactivate them with "None" (and remove the header)
<IfModule mod_expires.c>
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
</IfModule>
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|xml|gz|html|woff|woff2|ttf)$">
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
# ----------------------------------------------------------------------
# | 6g Firewall for Security - Do not change this part @Update 2019
# ----------------------------------------------------------------------
# 6G FIREWALL/BLACKLIST - Version 2019
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000,})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env bad_bot
</RequireAll>
</IfModule>
</IfModule>
# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>
# ----------------------------------------------------------------------
# Block WordPress files from outside access
# ----------------------------------------------------------------------
# No access to the install.php
<Files install.php>
Order allow,deny
Deny from all
</Files>
# No access to the wp-config.php
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
# No access to the readme.html
<Files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# No access to the liesmich.html for DE Edition
<Files liesmich.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# No error log access
<Files error_log>
Order allow,deny
Deny from all
</Files>
# No access to the .htaccess and .htpasswd
<FilesMatch "(\.htaccess|\.htpasswd)">
Order deny,allow
Deny from all
</FilesMatch>
# Block access to includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# ----------------------------------------------------------------------
# | Blocking the »ReallyLongRequest« Bandit - New in 2018
# https://perishablepress.com/blocking-reallylongrequest-bandit/
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} .* [NC]
RewriteCond %{THE_REQUEST} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR]
RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC]
RewriteRule .* - [F,L]
</IfModule>
# --------------------------------------------------------------------------------------------
# Ultimate hotlink protection - IMPORTANT: Change »?domain\« in the HTTP_REFERER RewriteCond below to your domain name
# Example: ?andreas-hecht\ ### if you do not use https, change https in that line to http
# --------------------------------------------------------------------------------------------
#<IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{REQUEST_FILENAME} -f
# RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC]
# RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\. [NC]
# RewriteRule \.(gif|jpe?g|png)$ - [F,NC,L]
#</IfModule>
# ----------------------------------------------------------------------
# Protect your WordPress login with HTTP authentication
# ----------------------------------------------------------------------
# If you want to use it, uncomment this block and set your path to .htpasswd
#<Files wp-login.php>
#AuthName "Admin-Bereich"
#AuthType Basic
#AuthUserFile /usr/local/www/apache24/your-path/your-domain.com/.htpasswd
#require valid-user
#</Files>
# ----------------------------------------------------------------------
# Switch off the XML-RPC interface (a security risk) completely
# ----------------------------------------------------------------------
### @see https://digwp.com/2009/06/xmlrpc-php-security/
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# -----------------------------------------------------------------------------
# HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2019
# -----------------------------------------------------------------------------
### @see https://scotthelme.co.uk/hardening-your-http-response-headers
### UPDATE 2019
## No-Referrer-Header
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
</IfModule>
## X-FRAME-OPTIONS-Header
<IfModule mod_headers.c>
Header set X-Frame-Options "sameorigin"
</IfModule>
## X-XSS-PROTECTION-Header
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
## X-Content-Type-Options-Header
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
## Strict-Transport-Security-Header - if you are using https on your website, uncomment this block
#<IfModule mod_headers.c>
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#</IfModule>
## This prevents falsely issued certificates for this website from being used unnoticed. (Experimental)
## @see https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
<IfModule mod_headers.c>
Header set Expect-CT "enforce, max-age=21600"
</IfModule>
# ----------------------------------------------------------------------
# The original WordPress Rewrite Rules - Do not change anything here,
# except you are using a WordPress Multisite
# ----------------------------------------------------------------------
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
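
The 6G section above is a chain of regular expressions, and it helps to see which rule a given request trips and where the rules over-match. The following Python re-implementation of the 6G conditions, copied from this file, is an added example and not part of the gist; `evaluate_6g` is my own helper, and it ignores the [BAD IPS] block, which has no active entries.

```python
import re
from urllib.parse import unquote, urlsplit

# Regexes copied verbatim from the 6G blocks of the .htaccess above. Apache joins the
# RewriteCond lines with [NC,OR], so a single match is enough to answer 403.
QUERY_STRING = [
    r"(eval\()", r"(127\.0\.0\.1)", r"([a-z0-9]{2000,})", r"(javascript:)(.*)(;)",
    r"(base64_encode)(.*)(\()", r"(GLOBALS|REQUEST)(=|\[|%)",
    r"(<|%3C)(.*)script(.*)(>|%3)", r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
    r"(boot\.ini|etc/passwd|self/environ)", r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"(\'|\")(.*)(drop|insert|md5|select|union)",
]
REQUEST_METHOD = [r"^(connect|debug|move|put|trace|track)"]
REFERER = [r"([a-z0-9]{2000,})", r"(semalt.com|todaperfeita)"]
# RedirectMatch sees the decoded URL path only, never the query string.
REQUEST_STRING = [
    r"([a-z0-9]{2000,})", r"(https?|ftp|php):/", r"(base64_encode)(.*)(\()",
    r"(=\\\'|=\\%27|/\\\'/?)\.", r"/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$",
    r"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")", r"(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)",
    r"/(=|\$&|_mm|cgi-|etc/passwd|muieblack)",
    r"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)",
    r"\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$",
    r"/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php",
]
USER_AGENT = [
    r"([a-z0-9]{2000,})",
    r"(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|"
    r"flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|"
    r"purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|"
    r"xxxyy|youda|zmeu|zune)",
]
# (6G section, its patterns, the request field it inspects), in file order.
SECTIONS = [("QUERY STRINGS", QUERY_STRING, "query"), ("REQUEST METHOD", REQUEST_METHOD, "method"),
            ("REFERRERS", REFERER, "referer"), ("REQUEST STRINGS", REQUEST_STRING, "path"),
            ("USER AGENTS", USER_AGENT, "user_agent")]


def evaluate_6g(method, url, referer="", user_agent=""):
    """Return (section, pattern) of the first 6G rule in file order that denies the
    request, or None if 6G lets it through. Matching is case-insensitive everywhere
    ([NC], (?i), SetEnvIfNoCase). The query is checked raw, like %{QUERY_STRING};
    the path is URL-decoded, like the r->uri that RedirectMatch is applied to."""
    parts = urlsplit(url)
    fields = {"query": parts.query, "method": method, "referer": referer,
              "path": unquote(parts.path), "user_agent": user_agent}
    for section, patterns, field in SECTIONS:
        for pattern in patterns:
            if re.search(pattern, fields[field], re.IGNORECASE):
                return section, pattern
    return None


if __name__ == "__main__":
    # Constructed requests: the two the scanner sent in the comments below (Apache served
    # both with 200, and 6G agrees), then requests 6G denies, including a plain false positive.
    samples = [
        ("GET", "/digital-advisory-services/", "", "UserAgent"),
        ("GET", "/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js"
                '?ver=e"%20or%201%20eq%201%20or%20"a"%20=%20"a', "", "UserAgent"),
        ("TRACE", "/", "", ""),
        ("GET", "/wp-config.php", "", ""),
        ("GET", "/", "", "sqlmap/1.3"),
        ("GET", "/?page=~alice", "", ""),   # harmless tilde in a query is still a 403
    ]
    for method, url, ref, ua in samples:
        print(method, url, "->", evaluate_6g(method, url, ref, ua) or "allowed")
```

Apache actually applies the five sections in different request phases rather than in file order, but the outcome is the same: any single match yields a 403.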
@2amredart


2amredart commented Aug 4, 2018

Hi @HechtMediaArts,

When using the htaccess here

  • A password protected page is not working properly.
  • Correct, incorrect or blank password submitted will cause the page to go to a blank page (domain.com/wp-login.php?action=postpass)
  • Pressing back will bring the correct page. For example if the correct password was entered, the content of the page will be shown. If incorrect or blank password is used, the same password page will be shown.

I've narrowed it down to an htaccess issue after using the previous htaccess.

Is there a way to fix this?

@2amredart


2amredart commented Aug 4, 2018

"Solved" it by changing

<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer"
</IfModule>

to

<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

Not sure whether this is the right way.

@virtual2gobr


virtual2gobr commented Aug 28, 2018

Hi. Very nice script. Thanks so much.
Question: Do I still need to use plugins, like: WP Super Cache and WP-Optimize?

@HechtMediaArts

Owner Author

HechtMediaArts commented Sep 18, 2018

Hi. Very nice script. Thanks so much.
Question: Do I still need to use plugins, like: WP Super Cache and WP-Optimize?

Hi,

use the following plugins for high speed: Autoptimize and Cache Enabler. Much better than WP Super Cache and WP-Optimize.

@spicyindian


spicyindian commented Jan 26, 2019

Seeking help from You: htaccess Guru!

We are running a scan on our website using Vega.
It tries so many random things to break into the site.
Despite using this .htaccess, Vega detects the following...

  1. Bash Shellshock Injection
  2. Insecure Cross-Origin Resource Access Control
  3. Integer Overflow
  4. Page Fingerprint Differential Detected - Possible Local File Include
  5. Page Fingerprint Differential Detected - Possible Xpath Injection

Now expanding each one for better clarity

  1. In this test Vega shows that it tried a URL

GET /digital-advisory-services/

The Detailed request was

GET /digital-advisory-services/ HTTP/1.1
Accept-Language: () { :;}; /bin/sleep 31
Accept-Encoding: gzip,deflate
Host: newtestsite.domain.com
Connection: Keep-Alive
User-Agent: UserAgent

The response it gets was

HTTP/1.1 200 OK
Date: Fri, 25 Jan 2019 23:46:15 GMT
Server: Apache
Link: https://newtestsite.domain.com/wp-json/; rel="https://api.w.org/", https://newtestsite.domain.com/?p=39; rel=shortlink
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=3600
Expires: Sat, 26 Jan 2019 00:46:15 GMT
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Expect-CT: enforce, max-age=21600
Keep-Alive: timeout=5, max=98
Content-Type: text/html; charset=UTF-8
Accept-Ranges: none
Connection: keep-alive

The time taken field actually shows 32598 ms as the execution time.

This clearly tells me that the OS is somehow executing the sleep command.
However the OS is patched with all the latest updates.
So how is the sleep command getting executed?
And how can I use htaccess, to avoid this Bash Shellshock injection?

  2. In this case Vega, for example, tried a URL
GET /wp-content/plugins/accesspress-social-icons/js/frontend.js?ver=1.7.2

The detailed request was

GET /wp-content/plugins/accesspress-social-icons/js/frontend.js?ver=1.7.2 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: newtestsite.domain.com
Connection: Keep-Alive
User-Agent: UserAgent

The detailed response received back was

HTTP/1.1 200 OK
Date: Fri, 25 Jan 2019 22:45:24 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 16 Jan 2019 12:08:50 GMT
Accept-Ranges: none
Cache-Control: max-age=2592000, public
Expires: Sat, 25 Jan 2020 22:45:24 GMT
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Expect-CT: enforce, max-age=21600
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=99
Content-Type: application/javascript
Connection: keep-alive

(function ($) {
$(function () {
$('.aps-each-icon').hover(function () {
var animation_class = $(this).find('.anim
:
:
trimming that out...

Remediation shows:
Set the "Access-Control-Allow-Origin" response header to allow access from trusted domains only. Do not allow access from arbitrary domains.

Will that help you enhance your .htaccess?
I plan to try that solution.

  3. In this case, Vega tries this URL

GET /wp-content/themes/Divi/core/2147483648

Full request was

GET /wp-content/themes/Divi/core/2147483648 HTTP/1.1
Accept-Encoding: gzip,deflate
Host: newtestsite.domain.com
Connection: Keep-Alive
User-Agent: UserAgent

Full response received was

HTTP/1.1 404 Not Found
Date: Fri, 25 Jan 2019 23:16:57 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: https://newtestsite.domain.com/wp-json/; rel="https://api.w.org/"
X-Frame-Options: SAMEORIGIN
Upgrade: h2,h2c
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Expect-CT: enforce, max-age=21600
Keep-Alive: timeout=5, max=100
Content-Type: text/html; charset=UTF-8
Content-Length: 37478
Accept-Ranges: none
Connection: keep-alive

Remediation shows:
The developer should investigate the error and determine if a vulnerability is present.

Since a 404 was received, did the request get honored?
No right? Since I received a 404 back.
Then should I be worried?
If yes, can htaccess help?
What line can I add?

  4. The full test request sent by Vega was

GET /wp-content/plugins/accesspress-social-icons/css/animate.css?ver=/./ HTTP/1.1
Accept-Encoding: gzip,deflate
Host: newtestsite.domain.com
Connection: Keep-Alive
User-Agent: UserAgent

Response received was

HTTP/1.1 403 Forbidden
Date: Sat, 26 Jan 2019 00:14:06 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=75
Content-Type: text/html; charset=iso-8859-1
Content-Length: 268
Accept-Ranges: none
Connection: keep-alive

<title>403 Forbidden</title>

Forbidden

You don't have permission to access /wp-content/plugins/accesspress-social-icons/css/animate.css on this server.

It says
Vega has detected a different response page fingerprint in relation to a local file include injection request.
This means that the response page content returned by the web application has a different signature from that
returned by an ordinary request, which may indicate the existence of a local file include vulnerability.
This may indicate a local file include vulnerability, though this is not confirmed.

Remediation shows
To prevent this type of vulnerability, the developer should canonicalize the path of any filesystem resource
that has a path composed of externally-supplied input and then perform an authorization check prior to access.
The realpath() library call will return the canonical path of the resource.
It is implemented in PHP, Perl, and Python.
etc...

Should I be worried about this?
I received a 403 right?
Isn't that good?

  5. In this test Vega tried this request

GET /wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?ver=e"%20or%201%20eq%201%20or%20"a"%20=%20"a

Full request was

GET /wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?ver=e"%20or%201%20eq%201%20or%20"a"%20=%20"a HTTP/1.1
Accept-Encoding: gzip,deflate
Host: newtestsite.domain.com
Connection: Keep-Alive
User-Agent: UserAgent

Full response received was

HTTP/1.1 200 OK
Date: Fri, 25 Jan 2019 22:56:42 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Sun, 16 Dec 2018 08:59:38 GMT
Accept-Ranges: none
Cache-Control: max-age=2592000, public
Expires: Sat, 25 Jan 2020 22:56:42 GMT
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Expect-CT: enforce, max-age=21600
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=83
Content-Type: application/javascript
Connection: keep-alive

/********************************************
- THEMEPUNCH TOOLS Ver. 1.0 -
Last Update of Tools 08.03.2018
********************************************/
/**
 * @fileOverview TouchSwipe - jQuery Plugin
 * @Version 1.6.9

:
:
trimming output

Vega says:

Vega has detected a different response page fingerprint in relation to an XPath injection request.
This means that the response page content returned by the web application has a different signature
from that returned by an ordinary request, which may indicate the existence of
an XPath injection vulnerability
This may indicate an XPath injection vulnerability, though this is not confirmed.
To prevent this type of vulnerability, the developer should consider adopting the use of
pre-compiled XPath statements or query parameterization options.

What is xpath?
What did Vega really try and what did the server really do?
How can htaccess help avoid this?
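
Several things in the scan output above can be read from the response headers alone: the same security header is sent twice (once in each spelling, so two different places set it), the static assets answer with `Access-Control-Allow-Origin: *` (the scanner's finding 2, which comes from the "Activate CORS" block of the .htaccess), and the 403 response carries none of the `Header set` headers, because for Apache's own error responses only the `Header always set` table is used. The following Python audit over those pasted responses is an added example, not the gist author's code; `parse_response`, `audit_headers` and the finding codes are my own naming.

```python
from collections import defaultdict

# Two responses quoted from the scan output in the comment above, cut down to the
# headers the audit looks at (the 200 for frontend.js and the 403 for animate.css).
OK_JS_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=2592000, public
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Expect-CT: enforce, max-age=21600
Access-Control-Allow-Origin: *
Content-Type: application/javascript
"""

FORBIDDEN_RESPONSE = """HTTP/1.1 403 Forbidden
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=iso-8859-1
Content-Length: 268
"""

# Headers this .htaccess is supposed to add to every response it serves.
EXPECTED = ("x-frame-options", "x-content-type-options", "referrer-policy", "x-xss-protection")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, {lower-cased name: [values]}).
    Values are kept as a list so repeated headers are not silently collapsed."""
    status_line, _, rest = raw.strip().partition("\n")
    status = int(status_line.split()[1])
    headers = defaultdict(list)
    for line in rest.splitlines():
        if not line.strip():
            break  # end of the header block; anything after it is body
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return status, headers


def audit_headers(raw, https=True):
    """Return a sorted list of (code, detail) findings for one response."""
    status, h = parse_response(raw)
    findings = set()
    for name in EXPECTED:
        if name not in h:
            # Typical for non-2xx responses when the directive is `Header set` rather
            # than `Header always set`: the onsuccess table is not used for errors.
            findings.add(("missing", name))
        elif len(h[name]) > 1:
            # Two copies of one header: fix the configuration that sets it twice
            # instead of relying on every client to merge the values sensibly.
            findings.add(("duplicate", name))
    if https and "strict-transport-security" not in h:
        findings.add(("missing", "strict-transport-security"))
    if "*" in h.get("access-control-allow-origin", []):
        # The CORS block sets a wildcard on fonts, CSS, JS and images; keep it only for
        # assets that really must be loadable from arbitrary origins.
        ctype = h.get("content-type", ["?"])[0].split(";")[0]
        findings.add(("cors-wildcard", ctype))
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("200 frontend.js", OK_JS_RESPONSE), ("403 animate.css", FORBIDDEN_RESPONSE)):
        print(label)
        for code, detail in audit_headers(raw):
            print(f"  {code:15} {detail}")
```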
