WAF Custom Rules: URI, URI Full or URI Path, none seem to work

I’m having a hard time getting a WAF custom rule to work. We have a content management system that keeps getting caught on our XSS WAF rules. I’m attempting a custom rule to match with a URI containing…exampledomain.com/example/destination/content/

After the final / there’s a different string of characters each time. I’ve tried a few variations using all three options (URI, URI Full and URI Path) but so far no joy. There’s a specific page which will generate the same string after /content/, and using URI Full to match the full path, it’s still not working.

The domain is proxied via cloudflare and if I try a custom rule with IP instead of URI it works just fine.

Any suggestions would be much appreciated.


Hello!

If the string keeps changing, using URI will be challenging as it won’t match all the time.

Are you able to get the ASN or User Agent?

The users are based around the country and use different equipment / operating systems, so I cannot guarantee the ASN or User Agent would be identical.

Does this mean all variants of URI won’t work unless it’s a perfect match?

I have a specific page which always gives the same URI, which I’ve been using for testing, and using URI Full and entering the entire path as is has not been a successful match for the WAF.

Do not use URI Full. Use instead URI Path and the operator “contains” with the non-variable part of the path. In your original example, that would be:

/example/destination/content/


Thanks for the suggestion, but I’ve tried this already and sadly no joy. I feel it’s perhaps a bug with the WAF, considering it didn’t match given the full path too.

There’s no bug. Please share a screenshot of your rule (you may blur the domain), as vague claims that something doesn’t work won’t help us help you.

Yes, no problem.

Here is the rule as it stands currently.

I’ll have to add the errors in separate comments as the website only allows me to upload one media file.

With the Ray ID from that last screenshot, go to Dashboard > Security > Events and filter to find the related event. See which service blocked it and, if it was the WAF, which rule.

Here are the results for the Ray ID from the last screenshot.

With the Skip action, have you marked the last option?


For the purposes of my testing I’ve ticked all components

It was just brought to my attention that your rule is using URI Path, as suggested, but you inserted the whole URL in it (which was obfuscated in your screenshot). Please remove the domain part and leave only the path proper:

/path/to/my/file

not

https://example.com/path/to/my/file

This has worked, which is fantastic. However, my concern is that I have 4 separate websites on separate subdomains, and this rule now applies to all of my websites when I only really wish to have it configured for one. Is there anything I can do to lock this rule down further?

Add the relevant hostname as another condition. The reason this is better than using URI Full is that some requests might arrive with a port number specified in the URL, and that could have unintended consequences.

AND 
Hostname equals "example.com"
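The two corrections given in this thread (path only in the URI Path field, and Hostname as a second condition) and the port-number caveat, as an added worked example that is not part of any post above: a small Python model, fed constructed request URLs, of how the URI Path, URI and URI Full fields are cut from a request and how each candidate rule evaluates against them. The field-splitting logic is a simplification for illustration, not Cloudflare's implementation; `SITE_HOST` and `STABLE_PATH` are assumed values based on the example path in the original question.

```python
"""Added example: how WAF URI fields are cut from a request URL and why the
rule in this thread failed. Simplified model for illustration, not Cloudflare's
code; the request URLs below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed values: the non-variable part of the path from the original post and
# the single site the rule should apply to.
STABLE_PATH = "/example/destination/content/"
SITE_HOST = "example.com"


@dataclass(frozen=True)
class RequestFields:
    """The three URI fields named in the thread, plus the hostname."""
    hostname: str   # host without port, what "Hostname equals" compares against
    uri_path: str   # "URI Path": path only, no scheme, host or query string
    uri: str        # "URI": path plus query string
    uri_full: str   # "URI Full": scheme, host (including any port), path, query


def fields_from_url(url: str) -> RequestFields:
    """Cut a request URL into the fields a rule can match on."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return RequestFields(
        hostname=p.hostname or "",
        uri_path=p.path,
        uri=p.path + query,
        uri_full=f"{p.scheme}://{p.netloc}{p.path}{query}",
    )


def broken_rule(r: RequestFields) -> bool:
    """The rule from the screenshot: whole URL typed into the URI Path field.
    URI Path never contains a scheme or host, so this can never match."""
    return f"https://{SITE_HOST}{STABLE_PATH}" in r.uri_path


def path_only_rule(r: RequestFields) -> bool:
    """URI Path contains the stable prefix: matches, but on every hostname
    in the zone, which is the poster's follow-up concern."""
    return STABLE_PATH in r.uri_path


def fixed_rule(r: RequestFields) -> bool:
    """The recommended rule: URI Path contains the prefix AND Hostname equals
    the one site it should apply to."""
    return r.hostname == SITE_HOST and STABLE_PATH in r.uri_path


def uri_full_rule(r: RequestFields) -> bool:
    """URI Full contains the full URL prefix. Fragile: a request carrying an
    explicit port in its host part breaks the match."""
    return f"https://{SITE_HOST}{STABLE_PATH}" in r.uri_full


def evaluate(url: str) -> dict[str, bool]:
    """Evaluate every candidate rule against one request URL."""
    r = fields_from_url(url)
    return {
        "broken": broken_rule(r),
        "path_only": path_only_rule(r),
        "fixed": fixed_rule(r),
        "uri_full": uri_full_rule(r),
    }


# Constructed sample requests: the CMS page with its varying suffix, the same
# page requested with an explicit port, and the same path on a sibling subdomain.
SAMPLE_URLS = [
    f"https://{SITE_HOST}{STABLE_PATH}a1b2c3d4?preview=1",
    f"https://{SITE_HOST}:8443{STABLE_PATH}a1b2c3d4",
    f"https://blog.{SITE_HOST}{STABLE_PATH}zzz999",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        for name, matched in evaluate(url).items():
            print(f"  {name:>9}: {'match' if matched else 'no match'}")
```

Running it shows the three behaviours discussed in the thread side by side: the screenshot rule matches nothing, the URI Path rule matches the sibling subdomain too, the URI Full rule loses the request that carries `:8443`, and only the combined rule matches exactly the intended site. In the dashboard's expression editor the recommended rule corresponds to `(http.host eq "example.com" and http.request.uri.path contains "/example/destination/content/")`.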

I’ve just spotted that option, thanks for all your assistance!
