I’ve set up a custom WAF rule to block directory traversal attacks on my website.
Here’s the expression I’m using:
(http.host eq "domain.com" and http.request.uri.path contains "..")
This rule should block requests that contain the .. sequence in the URI path, but it doesn’t work.
I’ve checked the request details and the order of my WAF rules, and everything seems to be in order. I’ve also verified that the rule is enabled and active.
I’ve noticed that when I enter any string that does not only contain .., such as ..foo, the rule works as expected, blocking requests that contain the ..foo sequence in the URI path. But when I add ../ or /.. to the URL, such as ../foo, the rule stops working and the request is allowed through.
It is triggered when the URI path contains foo../ or sometimes /..foo/, but never foo/../.
My server receives the URI intact, with all the .. sequences, and processes them as a parent directory: foo/../boo becomes foo/boo.
I have tried both normalization options and even disabling it, but nothing changes.
The reason for this is that the WAF normalizes the URL before sending it to the origin. This means that “../” and “/..” are resolved to their corresponding directory paths, which makes your rule ineffective against such attacks.
In other words, the normalized URL is sent to the origin and exposed in rules, so your rule isn’t effective against this type of attack.
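As an added example (not code from this thread), a small Python model of RFC 3986 dot-segment removal applied to the paths mentioned above, showing which ones still contain ".." after normalization and therefore which ones the rule can still match. The normalizer is assumed to behave like the WAF's own, and the host domain.com is the one from the rule in the question.

```python
# Added example, not code from the thread: models why a rule testing
# http.request.uri.path for ".." fires on "foo../" but not "foo/../".
# Normalization follows RFC 3986 section 5.2.4 (remove_dot_segments) and is
# assumed to match what the WAF does before evaluating rules.

RULE_HOST = "domain.com"  # host used in the rule from the question


def remove_dot_segments(path: str) -> str:
    """Resolve "." and ".." segments: "/foo/../boo" -> "/boo",
    while "/foo../boo" is unchanged ("foo.." is an ordinary segment)."""
    segments = path.split("/")
    output = []
    for segment in segments:
        if segment == ".":
            continue
        if segment == "..":
            # Keep the leading "" that stands for the root, so a leading
            # "/.." is dropped instead of climbing above "/".
            if len(output) > 1:
                output.pop()
            continue
        output.append(segment)
    if segments[-1] in (".", ".."):
        output.append("")  # a trailing dot-segment leaves a trailing "/"
    return "/".join(output)


def rule_matches(host: str, path: str, normalize: bool = True) -> bool:
    """Emulate: http.host eq "domain.com" and http.request.uri.path contains "..".
    normalize=True is what the WAF evaluates; False is what the author expected."""
    seen_path = remove_dot_segments(path) if normalize else path
    return host == RULE_HOST and ".." in seen_path


# Constructed sample paths built from the cases described in the question.
SAMPLE_PATHS = ["/..foo", "/foo../", "/..foo/", "/../foo", "/foo/../boo"]


def evaluate(paths=SAMPLE_PATHS, host=RULE_HOST):
    """Return {raw_path: (path_the_rule_sees, blocked)} for each sample."""
    return {p: (remove_dot_segments(p), rule_matches(host, p)) for p in paths}


if __name__ == "__main__":
    for raw, (seen, blocked) in evaluate().items():
        print(f"{raw:13} -> {seen:13} blocked={blocked}")
```

Only the paths whose ".." survives normalization ("/..foo", "/foo../", "/..foo/") are blocked; "/../foo" and "/foo/../boo" reach the rule with their dot-segments already resolved.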