by jrockway 1894 days ago
Good idea. It would be nice to feed these bad requests into the per-IP rate limiter and just count them as being more than one request. Fetch index.html, that counts towards the rate limit as 1 request. Fetch DROP DATABASE users.html, that counts as 1000 requests. If your quota is 120 requests per minute (the arbitrary value I picked for my personal website), you're gone for 8 minutes.

How useful it is to rate limit on known attacks, I don't actually know. I feel like you really only need one request to exploit a 0day, so it probably provides no protection.
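The weighted-quota idea in the comment above, as an added example that is not part of the original thread and not jrockway's code: a small per-IP limiter in plain Node (no Express required to run it) where an ordinary request costs 1 unit and a request matching a known-attack signature costs 1000, using the 120-per-minute quota and 8-minute lockout from the comment. The signature list, the fixed-window accounting, the 1000-unit cost constant and the Express middleware wrapper are assumptions made for this illustration; the sample IP and URLs are constructed.

```javascript
// Added example for this thread (not jrockway's code or any project's):
// a per-IP rate limiter that charges requests matching known-attack
// signatures far more than ordinary ones. Assumed parameters: a 120-unit
// quota per 60-second window, a cost of 1000 for a matching request, and an
// 8-minute block once the quota is exceeded.

const QUOTA_PER_WINDOW = 120;     // request-units per window
const WINDOW_MS = 60 * 1000;      // fixed one-minute window
const BLOCK_MS = 8 * 60 * 1000;   // how long an offender is locked out
const ATTACK_COST = 1000;         // one matching request burns the quota

// Constructed signature list. In practice this is what you would load from a
// text file or take from a ModSecurity ruleset; these four are illustrative.
const ATTACK_SIGNATURES = [
  /drop\s+database/i,   // SQL keyword that has no business in a URL
  /union\s+select/i,    // classic SQL injection probe
  /\.\.\//,             // directory traversal
  /<script\b/i,         // reflected XSS probe
];

// Percent-decoding throws on malformed input; a bad request must never
// crash the limiter, so fall back to inspecting the raw string.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Cost of a request: 1 normally, ATTACK_COST if any signature matches the
// decoded URL or body.
function requestCost(req) {
  const text = safeDecode(req.url || '') + '\n' + safeDecode(req.body || '');
  return ATTACK_SIGNATURES.some((re) => re.test(text)) ? ATTACK_COST : 1;
}

class WeightedRateLimiter {
  constructor({ quota = QUOTA_PER_WINDOW, windowMs = WINDOW_MS, blockMs = BLOCK_MS } = {}) {
    this.quota = quota;
    this.windowMs = windowMs;
    this.blockMs = blockMs;
    this.buckets = new Map(); // ip -> { windowStart, used, blockedUntil }
  }

  // Decide whether a request from `ip` may proceed at time `now` (ms).
  // Returns { allowed, cost, used } so the decision can be logged.
  check(ip, req, now = Date.now()) {
    let b = this.buckets.get(ip);
    if (!b) {
      b = { windowStart: now, used: 0, blockedUntil: 0 };
      this.buckets.set(ip, b);
    }
    if (now < b.blockedUntil) {
      return { allowed: false, cost: 0, used: b.used }; // still locked out
    }
    if (now - b.windowStart >= this.windowMs) {
      b.windowStart = now; // new window, reset the counter
      b.used = 0;
    }
    const cost = requestCost(req);
    b.used += cost;
    if (b.used > this.quota) {
      b.blockedUntil = now + this.blockMs;
      return { allowed: false, cost, used: b.used };
    }
    return { allowed: true, cost, used: b.used };
  }
}

// Express-style middleware wrapper (hypothetical wiring; express itself is
// not needed to run this file). Uses the standard req.ip / req.originalUrl.
function weightedRateLimit(limiter) {
  return function (req, res, next) {
    const decision = limiter.check(req.ip, { url: req.originalUrl || req.url, body: '' });
    if (!decision.allowed) {
      res.status(429).send('Too Many Requests');
      return;
    }
    next();
  };
}

// Walk through the comment's scenario with constructed requests from one IP.
function demo() {
  const limiter = new WeightedRateLimiter();
  const ip = '203.0.113.5'; // documentation address, constructed
  const t0 = 1000000;
  const normal = limiter.check(ip, { url: '/index.html' }, t0);
  const attack = limiter.check(ip, { url: '/DROP%20DATABASE%20users.html' }, t0 + 10);
  const duringBlock = limiter.check(ip, { url: '/index.html' }, t0 + 20);
  const afterBlock = limiter.check(ip, { url: '/index.html' }, t0 + 10 + BLOCK_MS);
  return { normal, attack, duringBlock, afterBlock };
}

console.log(JSON.stringify(demo(), null, 2));
```

Matching runs after percent-decoding, since `DROP%20DATABASE` in a raw URL would otherwise slip past a plain substring compare; that decode step is the one piece a "load a .txt list and compare each request" approach cannot skip. The comment's own caveat still holds: the lockout only raises the cost of noisy scanning, and a single well-formed request that exploits an unknown bug never trips a signature.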


Loading a big .txt file into memory and comparing each request to it feels like a good first start. Hopefully the open source community takes it further.
Yeah. This is kind of a thing that already exists; it's typically marketed as a "web application firewall". Like most antivirus, it's more for show than anything. Nice layer of protection if someone is really piping HTTP headers directly into database queries without quoting, or installed a 20-years-out-of-date app behind the firewall. Most people aren't really doing that anymore, so the value is unclear to me. But, plenty of people will sell you one, so there must be some value. (Notably, it's required for certain compliance certifications.)
Is there one that comes in (.txt, .csv, etc) that I can download for free? I'd like to put together a proof of concept for ExpressJS (NodeJS) tomorrow.
Doubt this is the state of the art, but ModSecurity seems to exist and has rulesets floating around, like this one from OWASP: https://github.com/coreruleset/coreruleset

Here is a random Node binding for libModSecurity I found: https://github.com/manishmalik/Modsecurity-nodejs