WAF REGEX issue

Hi,
I have a REGEX problem with WAF.

I want to block URI like that: /?12345678=87654321
and
NOT like that: /go/ajax/checkUser.php?username=8charusr

when my WAF is set like that:
(http.request.uri matches "^/\\?[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$")
both URIs are blocked

I tested my regex on a tester, and it is correct - but Cloudflare does not apply the block rule.

Do I have to escape the “?” char? Tried to do that, without success :frowning:

Regex: RegExr: Learn, Build, & Test RegEx

That's the known double escape issue in the editor *)

Don't use the expression builder but manually edit it and specify the following

(http.request.uri matches "^/\?[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$")

Alternatively this should work with the builder too

(http.request.uri.path eq "/" and http.request.uri.query matches "^[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$")

*) The problem is the builder does not take into account that the backslash could actually be escaping a character but always believes it actually needs to escape the backslash itself, so instead of an escaped/literal question mark you end up with an optional backslash character.

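The difference between the two patterns in the answer above, as an added example that is not part of the original posts and is not Cloudflare code. It assumes Python's `re` module as a stand-in for Cloudflare's regex engine; `builder_escape`, `uri_rule` and `split_rule` are hypothetical helpers, and the sample URIs beyond the two from the question are constructed.

```python
import re

# Patterns as the regex engine receives them (raw strings: Python adds no escaping).
BUILDER = r"^/\\?[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$"  # "\\" literal backslash, "?" makes it optional
MANUAL = r"^/\?[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$"    # "\?" literal question mark
QUERY = r"^[a-zA-Z0-9]{8}=[a-zA-Z0-9]{8}$"        # query-only pattern from the alternative rule


def builder_escape(pattern):
    """Hypothetical model of the builder behaviour the answer describes: double every backslash."""
    return pattern.replace("\\", "\\\\")


def uri_rule(pattern, uri):
    """Stand-in for: http.request.uri matches "<pattern>"."""
    return re.search(pattern, uri) is not None


def split_rule(uri):
    """Stand-in for: http.request.uri.path eq "/" and http.request.uri.query matches QUERY."""
    path, _, query = uri.partition("?")
    return path == "/" and re.search(QUERY, query) is not None


# Constructed sample URIs: the two from the question plus two that expose the bad pattern.
SAMPLES = [
    "/?12345678=87654321",
    "/go/ajax/checkUser.php?username=8charusr",
    "/abcdefgh=12345678",
    "/\\abcdefgh=12345678",
]


def evaluate():
    """Return {uri: (builder_pattern, manual_pattern, path_and_query_rule)}."""
    return {u: (uri_rule(BUILDER, u), uri_rule(MANUAL, u), split_rule(u)) for u in SAMPLES}


if __name__ == "__main__":
    assert builder_escape(MANUAL) == BUILDER
    for uri, (builder, manual, split) in evaluate().items():
        print(f"{uri!r:45} builder={builder!s:5} manual={manual!s:5} path+query={split}")
```

Note that `username=8charusr` on its own satisfies the query pattern, so in the path-and-query form it is the `http.request.uri.path eq "/"` condition that keeps the login check URI out of the block rule.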
Oh God, thank You!
Fought with that for a few hours, even edited directly in manual edit. No luck.

It works right now :smiley: