URL Normalization

Hello,
I saw other threads, but I'm even more confused. I have enabled URL normalization and removed the percent-encoding firewall rule. It says URL normalization is applied to these HTTP fields:

http.request.uri.path
http.request.full_uri
http.request.uri

My question is: I have a firewall rule about http.request.uri.query contains "%3Cscript"

Should I remove it?

As it is uri.query not uri.path or full_uri or uri, will url normalization impact this?

I’m pretty sure “yes” because full_uri and uri go all the way to the end of the URI. [CORRECTION: I guess not…apparently they don’t include .query]

I’d say “not yet” just to be sure. If you’ve enabled normalization, I suggest you test it out and watch the Firewall Event Log and your server log to see what goes through. If you’ve normalized it all the way through to your origin, it should work.

Thank you sdayman. I have checked and found a strange result.
My firewall rule has a line:

(http.request.uri.query contains "<script") or (http.request.uri.query contains "%3Cscript") or

When I delete the last part, any query with <script doesn’t get blocked. But if I keep the full line, %3Cscript converts to <script and gets blocked.

So I’d rather keep it.

Thanks for your time.


Hi @sumon1068, as mentioned in the documentation only those 3 fields are normalized. Thus, http.request.uri.query isn’t and you should use something like url_decode(http.request.uri.query) contains "<script" instead.

If your intention with that rule is to block a specific type of XSS payload and you have a PRO plan or above for your zone, you can also use the Managed Rules / WAF to block it.
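To make the difference between the three rule variants in this thread concrete, here is an added Python simulation (not Cloudflare's code and not from any poster). It models both path normalization and url_decode() as a single percent-decoding pass, which is an assumption, and runs the rules over constructed query strings.

```python
"""Simulate how the rule variants discussed above match the query string.
Constructed example: normalization and url_decode are approximated with a
single percent-decoding pass (assumption), not Cloudflare's implementation."""
from urllib.parse import unquote, urlsplit

# Constructed request URIs; only the query string is what the rules inspect.
SAMPLE_URIS = [
    "/search?q=<script",       # literal, un-encoded payload marker
    "/search?q=%3Cscript",     # percent-encoded, as in the thread
    "/search?q=%3cscript",     # same bytes, lower-case hex digits
    "/search?q=%253Cscript",   # double-encoded: one pass leaves %3Cscript
    "/%3Cscript?q=benign",     # marker in the path, query is harmless
]


def fields(uri):
    """Model the two fields: uri.path is normalized (percent-decoded here,
    an assumption), uri.query is passed through untouched."""
    parts = urlsplit(uri)
    return {
        "http.request.uri.path": unquote(parts.path),
        "http.request.uri.query": parts.query,
    }


def rule_literal(query):
    # (http.request.uri.query contains "<script")
    return "<script" in query


def rule_literal_or_encoded(query):
    # ... or (http.request.uri.query contains "%3Cscript"); `contains` is
    # a case-sensitive substring test, so "%3cscript" does not match.
    return "<script" in query or "%3Cscript" in query


def rule_decoded(query):
    # url_decode(http.request.uri.query) contains "<script", one decode pass
    return "<script" in unquote(query)


def evaluate(uris=SAMPLE_URIS):
    """Return {uri: (literal, literal_or_encoded, decoded)} for each sample."""
    results = {}
    for uri in uris:
        query = fields(uri)["http.request.uri.query"]
        results[uri] = (rule_literal(query),
                        rule_literal_or_encoded(query),
                        rule_decoded(query))
    return results
```

Running evaluate() shows that the decoded form is the only one that also catches lower-case hex, while a single decode pass still misses the double-encoded sample, so the origin's own decoding behaviour has to be checked as sdayman suggests.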

