testing for valid web browser versions

Validate & Block Invalid Web Browser Versions Using Apache .htaccess

This is the fourth post in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess file and Project Honey Pot to help reduce spam traffic hitting your website. 

The Blue Plate WAF is for small websites on basic hosting plans that lack access to more sophisticated web security tools.  These basic plans are often used to host content management systems such as WordPress, Joomla, or Drupal which are ideal for small organizational websites.

Web browsers such as Chrome, Firefox, Internet Explorer, and Safari identify themselves by passing along their version information in the HTTP_USER_AGENT variable to the Apache HTTP Server.  By examining the HTTP_USER_AGENT variable, we can determine if a valid web browser version was submitted. 

PCCS Labs has observed that countless spam bots identify themselves as invalid or very out of date browser versions even though it is easy to spoof this information. Validating the browser version passed in HTTP_USER_AGENT filters out a significant amount of spam and bot traffic.

 

Getting Started with Browser Version Validation Using .htaccess

We will start with the previous .htaccess file we created in the previous blog.  The new code we create uses the framework introduced in previous blog posts to send suspicious traffic to our honeypot webpage using the Project Honey Pot system.

 

Legacy Browser Versions

The code below uses the RewriteCond command to scan the HTTP_USER_AGENT variable for web browser versions that are very out of date.  These versions are so out of date that an actual person would not be browsing with them.  If a real human were actually using these browser versions, you would not want them visiting your website because these browsers have significant security vulnerabilities.

The code below scans for the following legacy browser versions:

  •  Mozilla Code Base Versions 1-4
  • Chrome Versions 1-9
  • Firefox Versions 1-9
  • Internet Explorer Versions 1-6
  • Opera (Opera uses the string “OHR”)

The [NC] switch in the code below is used with RewriteCond to indicate that the string is not case sensitive.  If a string match is detected, the command RewriteRule is used to direct the suspicious traffic to the honeypot.  The [L] switch is used with RewriteRule to indicate that Apache should stop processing additional rule sets.

 

 

##### Redirect Really Old Web Browser and Therefore Probably Fake USER_AGENT Strings To Honeypot -- START

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{HTTP_USER_AGENT} ^.*Mozilla\/[1-4]\\.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^.*Chrome\/[1-9]\\.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^.*Firefox\/[1-9]\\.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^.*MSIE\s[1-6]\\.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^.*Opera* [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

 

##### Redirect Really Old Web Browser and Therefore Probably Fake USER_AGENT Strings To Honeypot --  -- END

 

  

Invalid Mozilla Code Base User Agents

The below code uses the same framework as above but tests for Mozilla code base strings in the User Agent that do not follow Mozilla’s standard format and therefore invalid.

 

 

##### Redirect Fake Mozilla USER_AGENT Missing "/[1-9][0-9.][0-9.]" To Honeypot -- START

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{HTTP_USER_AGENT} ^.*Mozilla* [NC]

RewriteCond %{HTTP_USER_AGENT} !^.*Mozilla\/[1-9][0-9.][0-9.]* [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

 

##### Redirect Fake Mozilla USER_AGENT Missing "/[1-9]" To Honeypot – END

 

  

Invalid Chrome User Agents

The below code uses the same framework as above but tests for Chrome User Agent strings that do not follow Google’s standard format and therefore invalid.

 

 

##### Redirect Fake Chrome USER_AGENT Missing "/[1-9][0-9.][0-9.]" To Honeypot -- START

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{HTTP_USER_AGENT} ^.*Chrome* [NC]

RewriteCond %{HTTP_USER_AGENT} !^.*Chrome\/[1-9][0-9.][0-9.]* [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

 

##### Redirect Fake Chrome USER_AGENT Missing "/[1-9]" To Honeypot – END

 

   

Invalid Firefox User Agents

The below code uses the same framework as above but tests for Firefox User Agent strings that do not follow Mozilla’s standard format and therefore invalid.

  

 

##### Redirect Fake Firefox USER_AGENT Missing "/[1-9][0-9.][0-9.]" To Honeypot -- START

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{HTTP_USER_AGENT} ^.*Firefox* [NC]

RewriteCond %{HTTP_USER_AGENT} !^.*Firefox\/[1-9][0-9.][0-9.]* [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

 

##### Redirect Fake Firefox USER_AGENT Missing "/[1-9]" To Honeypot – END

 

  

Invalid Internet Explorer User Agents

The below code uses the same framework as above but tests for Internet Explorer User Agent strings that do not follow Microsoft’s standard format and therefore invalid.

  

 

##### Redirect Fake Internet Explorer USER_AGENT To Honeypot -- START

###MSIE Has a Different Format Than Other Browsers Eg. "MSIE VERSION"

RewriteCond %{REQUEST_URI} !honeypot.php/

RewriteCond %{HTTP_USER_AGENT} ^.*MSIE* [NC]

RewriteCond %{HTTP_USER_AGENT} !^.*MSIE\s[1-9][0-9.][0-9.]* [NC]

RewriteRule ^(.*)$ /honeypot.php/ [NC,L]

 

##### Redirect Fake Internet Explorer USER_AGENT To Honeypot – END

 

  

 The working file is available for download here.  Send your questions, comments, and thoughts on these techniques to This email address is being protected from spambots. You need JavaScript enabled to view it..

About Private Client Cyber Security

Former U.S. defense industry cybersecurity executives founded PCCS after struggling to convince large cybersecurity companies to address the cyber risks of public persons and small sized business. 

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

We strive to provide a personal, professional and a next-generation technology level of cyber protection to our clients. 

 

Latest Cyber Threat Blogs

Twitter @PCCyberSecurity

Search