Firewall rule to match specific query string parameter using regex

I’m trying to create a firewall rule that triggers a challenge based on the presence of a URL parameter in the query string. While I can create a regex that matches the specific param=value portion of the query string, I can’t seem to get the regex to match the entire query string.

I want to challenge any request that has myparam=1234 in the URL (4 digits for the value). myparam=12345 would not be challenged. I have a rule that handles this if the matched param+value is the only thing in the query sting. But if my query string is myparam=1324&otherparam=abc or foo=bar&myparam=1234, then the pattern doesn’t match. Here’s my pattern:

(\W|^)myparam=[0-9]{4}(\W|$)

I’ve tried adding “" and ".” to the beginning and end in various places, but it basically gets ignored.

Anyone have a suggestion as to how to properly handle a wildcard for preceding and trailing params?

Thanks!

Markup messed up my example. Should have read:

I’ve tried adding * and .* variously to the beginning and end in various places, but it basically gets ignored.

Hi,

I don’t think you’d need (\W|^) or (\W|$)

But you’d probably need to exclude myparam= with more than 4 digits.

Try:

(http.request.uri.query matches "myparam=[0-9]{4}" and not http.request.uri.query matches "myparam=[0-9]{5}")

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.