Hapi plugin to safely redirect requests to URLs commonly used in 'spray and pray' attacks.
```
npm i --save @trippnology/hapi-forbidden-urls
```
```js
const Hapi = require('@hapi/hapi');
const routes = require('./routes'); // Your normal routes

const init = async () => {
    const server = Hapi.server({
        port: 3000,
        host: 'localhost',
    });

    // Register routes directly
    server.route(routes);

    // Register the forbidden URLs plugin
    await server.register({
        plugin: require('@trippnology/hapi-forbidden-urls'),
        // Optionally specify your own list of URLs and methods, and target host to redirect to
        options: {
            forbidden_urls: ['/.env'],
            method: 'GET',
            redirect_to: 'https://www.google.com',
        },
    });

    await server.start();
    console.log(`Server running on ${server.info.uri}`);
    console.log(`Visiting ${server.info.uri} should show hello world`);
    console.log(`Visiting ${server.info.uri}/.env should redirect`);
};

process.on('unhandledRejection', (err) => {
    console.error(err);
    process.exit(1);
});

init();
```
Option | Type | Default | Notes
---|---|---|---
`forbidden_urls` | Array | See list below | Must follow hapi's path parameter rules
`method` | String or Array | `['GET', 'POST']` | See route options for details
`redirect_to` | String | `http://127.0.0.1` | Must not end in a `/`
This is the list of URLs that are redirected if you do not supply your own:

```js
'/.env',
'/.git/{p?}',
'/.git2/{p?}',
'/_profiler/{p?}',
'/backup/{p?}',
'/cgi-bin/{p?}',
'/cms/{p?}',
'/console/{p?}',
'/crm/{p?}',
'/default.asp/{p?}',
'/default.php/{p?}',
'/demo/{p?}',
'/dns-query/{p?}',
'/index.php/{p?}',
'/lib/{p?}',
'/phpunit/{p?}',
'/vendor/{p?}',
```

Adding `/{p?}` to the end means that sub-paths are covered too.
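The matching and redirect rules described above, as an added example that is not the plugin's own code: it models how a forbidden-URL list written with hapi's `/{p?}` convention is matched against a request and why `redirect_to` must not end in a `/`, without depending on `@hapi/hapi`. It assumes `{p?}` covers one optional trailing segment and that the redirect target is `redirect_to` followed by the original request path.

```javascript
// Added example, not the plugin's implementation. Assumptions: '{p?}' as the
// final segment matches zero or one extra path segment, and a matched request
// is sent to redirect_to + the original path (hence no trailing '/' allowed).

// Constructed subset of the plugin's default list.
const DEFAULT_FORBIDDEN = ['/.env', '/.git/{p?}', '/phpunit/{p?}', '/vendor/{p?}'];

// Turn a hapi-style path such as '/.git/{p?}' into a RegExp. The optional
// parameter means '/.git', '/.git/' and '/.git/config' all match, while a
// deeper path like '/.git/objects/ab' does not (that would need '{p*}').
function toMatcher(pattern) {
  const escape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  if (pattern.endsWith('/{p?}')) {
    const base = escape(pattern.slice(0, -'/{p?}'.length));
    return new RegExp(`^${base}(?:/[^/]*)?$`);
  }
  return new RegExp(`^${escape(pattern)}$`);
}

// Decide whether a request {method, path} should be redirected under the
// given plugin options (same names and defaults as the options table).
function decide(request, options = {}) {
  const forbidden = options.forbidden_urls || DEFAULT_FORBIDDEN;
  const methods = [].concat(options.method || ['GET', 'POST']).map((m) => m.toUpperCase());
  const redirectTo = options.redirect_to || 'http://127.0.0.1';
  if (redirectTo.endsWith('/')) {
    throw new Error('redirect_to must not end in a /');
  }
  if (!methods.includes(request.method.toUpperCase())) {
    return { redirect: false }; // method not covered, let hapi route it normally
  }
  const matched = forbidden.find((p) => toMatcher(p).test(request.path));
  if (!matched) {
    return { redirect: false };
  }
  return { redirect: true, matched, location: redirectTo + request.path };
}

module.exports = { DEFAULT_FORBIDDEN, toMatcher, decide };
```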
- Fork it!
- Create your feature branch: `git checkout -b my-new-feature develop`
- Commit your changes: `git commit -am 'Add some feature'`
- Push to the branch: `git push origin my-new-feature`
- Submit a pull request :D
TODO: Write history
Copyright Rikki Tripp - Trippnology
MIT. See: LICENSE