const pkg = require('./package.json');
// Directory names that opportunistic vulnerability scanners probe by habit
// (exposed VCS metadata, debug consoles, vendored PHP, backup dumps, ...).
// Each one becomes the hapi route template '/<name>/{p?}'.
//
// NOTE(review): hapi's `{p?}` matches at most ONE optional trailing segment.
// '/.git/config' is intercepted, but '/.git/refs/heads/main' is not and still
// falls through to the application's own routing. Override `forbidden_urls`
// with '{p*}' templates if the whole subtree should be caught.
const PROBED_DIRECTORIES = [
  '.git',
  '.git2',
  '_profiler',
  'backup',
  'cgi-bin',
  'cms',
  'console',
  'crm',
  'default.asp',
  'default.php',
  'demo',
  'dns-query',
  'index.php',
  'lib',
  'phpunit',
  'vendor',
];

// Plugin defaults; every field can be overridden through the plugin options.
const defaults = {
  // '/.env' is an exact file path; the remaining entries are directory templates.
  forbidden_urls: ['/.env', ...PROBED_DIRECTORIES.map((dir) => `/${dir}/{p?}`)],
  // HTTP methods the decoy routes answer; other verbs are not intercepted here.
  method: ['GET', 'POST'],
  // Scanners are bounced to loopback, i.e. back to their own machine. The
  // matched request path is appended verbatim, so keep this free of a
  // trailing slash.
  redirect_to: 'http://127.0.0.1',
};
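const forbiddenUrlsPlugin = {
  /**
   * Registers one decoy route per forbidden URL. Each route answers the
   * configured methods with a redirect to `redirect_to` + the request path.
   *
   * @param {object} server - hapi server; only `server.route` is used.
   * @param {object} [options] - per-field overrides of `defaults`:
   *   `forbidden_urls` (array of hapi path templates), `method` (HTTP method
   *   or array of methods) and `redirect_to` (absolute URL prefix). A field
   *   that is null/undefined keeps its default instead of replacing it with
   *   `undefined`, so `{ forbidden_urls: undefined }` no longer blows up in
   *   the route loop.
   * @throws {TypeError} if `forbidden_urls` resolves to a non-array, so a bad
   *   configuration fails at registration rather than on the first request.
   */
  register: (server, options) => {
    const overrides = options ?? {};
    const config = {
      forbidden_urls: overrides.forbidden_urls ?? defaults.forbidden_urls,
      method: overrides.method ?? defaults.method,
      redirect_to: overrides.redirect_to ?? defaults.redirect_to,
    };
    if (!Array.isArray(config.forbidden_urls)) {
      throw new TypeError('forbiddenURLs: forbidden_urls must be an array of hapi path templates');
    }
    for (const path of config.forbidden_urls) {
      server.route({
        method: config.method,
        path,
        // Scanner traffic is unauthenticated; without `auth: false` a default
        // auth strategy on the server (if one is configured) would answer these
        // probes instead of the redirect.
        options: { auth: false },
        // The redirect host is fixed by configuration; only the path is
        // reflected, and hapi should only dispatch here for paths matching the
        // registered template, so the Location value is bounded by that
        // template rather than by free-form input. The path is appended
        // verbatim, so a `redirect_to` ending in '/' yields '//' in Location.
        handler: (request, h) => h.redirect(`${config.redirect_to}${request.path}`),
      });
    }
  },
  name: 'forbiddenURLs',
  version: pkg.version,
};
module.exports = forbiddenUrlsPlugin;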