3

So say I find that I'm getting requests to my web application that are obviously SQL injection attacks or similar. I write a short test to check request variables for "naughty" strings. If I find one, what code ought I to respond with?

I'm thinking of returning "403 Forbidden" and no content, but I'm not sure.

Alex

4 Answers

5

I would think 403 Forbidden means that the resource shouldn't be accessed.

I'd thus use 400 Bad Request instead. After all, the user is allowed to the page so long as they're making a legitimate request.

Dan
3

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
To me the '400: Bad request' seems the most logical option.

Edit: Maybe it depends more on the context.

If it's really impossible to continue your script, return the 400 or 404 code.

In all other situations, the user (hacker) shouldn't be notified when your code 'detects' a malicious attempt. Your validation should be of the kind that detects invalid input, not malicious attempts.

The only exception is brute-force attacks (more information on how to prevent those at Preventing Brute Force Logins on Websites).

E.g.:
If your form contains a text box for username and the user (hacker) tries to login/register with some sort of quoted SQL statement, your validation should automatically state 'Invalid username'.

On the other hand, for login purposes, you should secure your application against brute-force attacks with the options stated in the link.

Nullius
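As an added example (not code from the answer above; the allowlist pattern, field names and sample addresses are assumptions), this Python handler applies the advice: validate the username against what a legitimate one looks like, return the same 400 with the same "Invalid username" body for any malformed value, and keep the distinguishing detail in the server log rather than in the response.

```python
import logging
import re
from typing import Dict, List, Tuple

# Allowlist for a username field (the pattern is an assumption for this example):
# the check rejects anything that is not a well-formed username, so a quoted SQL
# fragment fails for the same reason a stray space or an emoji would. No attempt
# is made to recognise "naughty" strings as such.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

log = logging.getLogger("login")
logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")


def validate_login(form: Dict[str, str], client_ip: str) -> Tuple[int, Dict[str, str]]:
    """Return (HTTP status, JSON body) for a login form submission.

    Every malformed username gets the same 400 and the same generic message,
    whether it looks like an injection attempt or a typo. The detail that
    distinguishes the two is written only to the server log for defenders.
    """
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        # repr() keeps quotes and control characters visible in the log;
        # the password is deliberately never logged.
        log.warning("rejected username %r from %s", username, client_ip)
        return 400, {"error": "Invalid username"}
    # A real handler would now check the credentials with a parameterized query.
    return 200, {"status": "ok"}


# Constructed sample submissions, standing in for parsed request bodies.
SAMPLE_REQUESTS = [
    ({"username": "alice_01", "password": "hunter2"}, "198.51.100.7"),
    ({"username": "admin' OR '1'='1", "password": "x"}, "203.0.113.9"),
    ({"username": "al", "password": "x"}, "198.51.100.8"),
]


def run_samples() -> List[Tuple[int, Dict[str, str]]]:
    """Process the constructed samples and return their (status, body) pairs."""
    return [validate_login(form, ip) for form, ip in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (form, _ip), (status, body) in zip(SAMPLE_REQUESTS, run_samples()):
        print(form["username"], "->", status, body)
```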
2

If you're able to identify the problems with the requests and they are asking for something allowed, just in a sneaky way, you should be able to prevent any damage from them and just handle them. But if the requests make no sense, 400 Bad Request is probably the best choice.

Charles Engelke
1

I agree with the premise of the question that there should be an HTTP code for a malicious request. Informing the hacker that this is a malicious request is not a problem because they already know it is malicious. And the fact that they now know that the server knows could be a deterrent. In any case, it wouldn't give the attacker any advantage. However, the big advantage of such a code is that any service provider handling that request would now know this was a malicious request and could then take specific actions. For example, a company like Cloudflare could use this to automatically ban IP addresses from which such malicious requests emanate.

Chris