Help: WAF rule not matching directory traversal attacks

I’ve set up a custom WAF rule to block directory traversal attacks on my website.

Here’s the expression I’m using:

( eq "" and http.request.uri.path contains "..")

This rule should block requests that contain the .. sequence in the URI path, but doesn’t work.

I’ve checked the request details and the order of my WAF rules, and everything seems to be in order. I’ve also verified that the rule is enabled and active.

I’ve noticed that when I enter any string that does not only contain .., such as, the rule works as expected, blocking requests that contain the sequence in the URI path. But when I add ../ or /.. to the URL, such as ../foo, the rule stops working and the request is allowed through.

Thanks beforehand :slight_smile:

I wonder if it will be triggered once you’ve written the expression as URI Path contains ../? :thinking:

I wonder how your web server processes the “double dots” in a URI path /../? :thinking:
Does it do a rewrite or a redirect, or does it execute them “as-is”?

Furthermore, what URL Normalization type have you got selected in the Cloudflare dashboard? :thinking:

It is triggered when the URI path contains foo../ or sometimes /, but never foo/../.
My server receives the URI intact, with all the .. sequences, and processes them as a parent directory: foo/../boo becomes foo/boo.

I have tried both normalization options and even disabling it, but nothing changes.

The reason for this is that the WAF normalizes the URL before sending it to the origin. This means that “../” and “/..” are resolved to their corresponding directory paths, which makes your rule ineffective against such attacks.

In other words, the normalized URL is sent to the origin and exposed in rules, so your rule isn’t effective against this type of attack.
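To make the behaviour described in this thread concrete, here is an added example (it is not code from the thread or from Cloudflare): it models a WAF that resolves dot segments in the path before evaluating a rule, using the RFC 3986 section 5.2.4 remove_dot_segments algorithm. It is an assumption that this is the normalization the WAF applies; the thread only says that ../ and /.. are resolved. The sample paths are constructed, and the rule is the thread's own `http.request.uri.path contains ".."` reduced to a substring check.

```python
"""
Added example, not from the original thread or from Cloudflare.

Models the observation in the thread: a rule such as
    http.request.uri.path contains ".."
fires on "/foo../bar" but never on "/foo/../boo" when the path is
normalized (dot segments resolved) before the rule sees it.

ASSUMPTION: normalization is modelled as RFC 3986 5.2.4 remove_dot_segments.
"""


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve "." and ".." segments in a path."""
    inp = path
    out = ""
    while inp:
        if inp.startswith("../"):          # A: leading "../"
            inp = inp[3:]
        elif inp.startswith("./"):         # A: leading "./"
            inp = inp[2:]
        elif inp.startswith("/./"):        # B: "/./x" -> "/x"
            inp = inp[2:]
        elif inp == "/.":                  # B: trailing "/."
            inp = "/"
        elif inp.startswith("/../"):       # C: "/../x" -> "/x", drop last output segment
            inp = inp[3:]
            out = out[:out.rfind("/")] if "/" in out else ""
        elif inp == "/..":                 # C: trailing "/.."
            inp = "/"
            out = out[:out.rfind("/")] if "/" in out else ""
        elif inp in (".", ".."):           # D: lone dot segment
            inp = ""
        else:                              # E: move the first segment to output
            start = 1 if inp.startswith("/") else 0
            nxt = inp.find("/", start)
            if nxt == -1:
                out, inp = out + inp, ""
            else:
                out, inp = out + inp[:nxt], inp[nxt:]
    return out


def rule_matches(path: str, needle: str = "..") -> bool:
    """Equivalent of the thread's `http.request.uri.path contains ".."`."""
    return needle in path


def evaluate(raw_path: str, normalize_before_rule: bool) -> dict:
    """Return what the rule sees and whether it would block the request."""
    seen = remove_dot_segments(raw_path) if normalize_before_rule else raw_path
    return {"raw": raw_path, "path_seen_by_rule": seen, "blocked": rule_matches(seen)}


# Constructed sample paths: the two cases from the thread plus a deeper traversal.
SAMPLE_PATHS = ["/foo../bar", "/foo/../boo", "/../foo", "/a/b/../../c"]


def main() -> None:
    for mode in (False, True):
        print(f"normalize_before_rule={mode}")
        for p in SAMPLE_PATHS:
            r = evaluate(p, mode)
            print(f"  raw={r['raw']:<14} seen={r['path_seen_by_rule']:<14} blocked={r['blocked']}")


if __name__ == "__main__":
    main()
```

Running it shows the asymmetry the original poster saw: with normalization on, "/foo../bar" still contains ".." after normalization and is blocked, while "/foo/../boo" collapses to "/boo" and passes. Any traversal check that inspects only the normalized path is therefore checking a path from which the traversal has already been removed; what matters is what the origin does with the path it actually receives.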
