WAF Rule for Concat( not working

What is the name of the domain?

What is the issue you’re encountering

I applied a rule to block user agents that contain ‘contact(’, yet the bots are still getting through

What steps have you taken to resolve the issue?

Here’s the full rule:

(http.request.uri contains "/wp-login") or (http.request.uri contains "/wp-include") or (http.request.uri contains "/wp-content") or (http.request.uri contains "/wp-admin") or (http.request.uri contains "/wp-json") or (http.request.uri contains "phpmyadmin") or (http.request.uri contains "vendor/phpunit") or (http.request.uri contains ".sql.") or (http.request.uri contains "/.ssh/") or (http.request.uri contains "/filezilla") or (http.request.uri contains "/winscp") or (http.request.uri contains "/WS_FTP") or (http.request.uri eq "*.cfg") or (http.request.uri contains "/modules/") or (http.request.uri contains "/phpunit/") or (http.request.uri contains "/vendor/") or (http.request.uri contains "eval-stdin.php") or (http.request.uri contains ".zip") or (http.request.uri contains " /administrator/") or (http.request.uri contains "/manager/") or (http.request.uri contains "/a2billing/") or (http.request.uri contains "/filemanager/") or (http.request.uri contains "/vtigercrm/") or (http.request.uri contains "/laravel/") or (http.request.uri contains "/mailchimp/") or (http.request.uri contains "/phpThumb/") or (http.request.uri contains "union+all+select") or (http.request.uri contains "CONCAT(") or (http.request.uri contains "/phpthumb/") or (http.request.uri contains "COUNT(") or (http.request.uri contains "floor(") or (http.request.uri contains "0x3a6f79753a") or (http.request.uri contains "/plugins/") or (http.request.uri eq "/themes/") or (http.request.uri contains "/.env") or (http.request.uri contains "+and+1=") or (http.request.uri contains "/administrator/") or (http.request.uri contains "/temp/") or (http.request.uri contains "wallet.dat") or (http.request.uri contains "/phpMyAdmin") or (http.request.uri contains "INFORMATION_SCHEMA") or (http.request.uri contains "CHARACTER_SETS") or (http.request.uri contains "%20AND%20") or (http.request.uri contains "wlwmanifest.xml") or (http.request.uri contains "/horde/") or (http.request.uri contains "%20ORDER") or 
(http.request.uri contains "%20UNION%20SELECT") or (http.request.uri contains "concat(")

What are the steps to reproduce the issue?

For some reason the “concat(” rule does not work. I’m still receiving:

Edge status codes
404 Not Found
226

When I visit the links with concat( in them, it appears to block me. I’m confused why these IPs are being served with 404 Not Found.

Here is the exact link this bot is requesting over and over and over: https://www.infinitesweeps.com/RSS/concat("https:/www.infinitesweeps.com/login.php

You must copy and paste to include the concat("link and it bypasses the blocks…

When I visit https://www.infinitesweeps.com/concat(testing test I am blocked.

There appears to be some type of pregmatch error or something when visiting links with concat("

Something is wrong here; any of the above terms in your custom WAF rule are passed through to your origin, as I got a 403 served from the origin server instead of a Cloudflare page.

Is the rule still enabled?

Are both A www and A infinitesweeps.com (or CNAME) proxied :orange: ?

Is it the only custom WAF rule on the list, or have you got others as well?
Is it the 1st from the top of the list?

Although there are some ideas for optimization and changes, it works for me:

(http.request.uri contains "/wp-login") or (http.request.uri contains "/wp-include") or (http.request.uri contains "/wp-content") or (http.request.uri contains "/wp-admin") or (http.request.uri contains "/wp-json") or (http.request.uri contains "phpmyadmin") or (http.request.uri contains "vendor/phpunit") or (http.request.uri contains ".sql.") or (http.request.uri contains "/.ssh/") or (http.request.uri contains "/filezilla") or (http.request.uri contains "/winscp") or (http.request.uri contains "/WS_FTP") or (http.request.uri eq "*.cfg") or (http.request.uri contains "/modules/") or (http.request.uri contains "/phpunit/") or (http.request.uri contains "/vendor/") or (http.request.uri contains "eval-stdin.php") or (http.request.uri contains ".zip") or (http.request.uri contains " /administrator/") or (http.request.uri contains "/manager/") or (http.request.uri contains "/a2billing/") or (http.request.uri contains "/filemanager/") or (http.request.uri contains "/vtigercrm/") or (http.request.uri contains "/laravel/") or (http.request.uri contains "/mailchimp/") or (http.request.uri contains "/phpThumb/") or (http.request.uri contains "union+all+select") or (http.request.uri contains "CONCAT(") or (http.request.uri contains "/phpthumb/") or (http.request.uri contains "COUNT(") or (http.request.uri contains "floor(") or (http.request.uri contains "0x3a6f79753a") or (http.request.uri contains "/plugins/") or (http.request.uri eq "/themes/") or (http.request.uri contains "/.env") or (http.request.uri contains "+and+1=") or (http.request.uri contains "/administrator/") or (http.request.uri contains "/temp/") or (http.request.uri contains "wallet.dat") or (http.request.uri contains "/phpMyAdmin") or (http.request.uri contains "INFORMATION_SCHEMA") or (http.request.uri contains "CHARACTER_SETS") or (http.request.uri contains "%20AND%20") or (http.request.uri contains "wlwmanifest.xml") or (http.request.uri contains "/horde/") or (http.request.uri contains "%20ORDER") or 
(http.request.uri contains "%20UNION%20SELECT") or (http.request.uri contains "concat(")


Hi,

Yes - the rule is still active in my account.

What do you mean by it’s not working? For me, all of the rules work except concat(" being in the URL seems to bypass the rules.

Are other rules not blocking for you? Which “link” did you go to for that 403 message?

I think there is some type of pregmatch error happening with the Cloudflare contains for special characters.

Do you want to match exactly lowercase or UPPERCASE, or both, and with double quotes " as well? :thinking:

Might have to escape such a character and use the Expression builder with a raw string:

This topic was automatically closed after 15 days. New replies are no longer allowed.
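
An added example, not part of the thread and not Cloudflare's code: a small Python check that models `contains` as a case-sensitive substring test on the URI exactly as logged, and compares it with a percent-decoded, lowercased comparison. The function names and the variant URIs are assumptions made for illustration; only the first two paths and the patterns come from the thread.

```python
from urllib.parse import unquote

# Subset of the substrings used in the rule posted in the thread.
PATTERNS = ["CONCAT(", "concat(", "COUNT(", "floor(", "%20UNION%20SELECT", "/.env"]

# Request URIs as they might appear in edge logs. The first two are the
# paths quoted in the thread; the remaining ones are constructed variants.
SAMPLE_URIS = [
    '/RSS/concat("https:/www.infinitesweeps.com/login.php',
    "/concat(testing test",
    "/RSS/Concat(%22https:/www.infinitesweeps.com/login.php",    # constructed
    "/RSS/concat%28%22https:/www.infinitesweeps.com/login.php",  # constructed
    "/RSS/feed.xml",                                             # constructed
]


def raw_match(uri, patterns=PATTERNS):
    """Case-sensitive substring test on the URI exactly as logged."""
    return [p for p in patterns if p in uri]


def normalized_match(uri, patterns=PATTERNS):
    """Percent-decode and lowercase both sides before the substring test."""
    decoded = unquote(uri).lower()
    return [p for p in patterns if unquote(p).lower() in decoded]


def coverage_gaps(uris=SAMPLE_URIS):
    """URIs flagged only by the normalized comparison, i.e. requests that
    differ from a pattern by letter case or percent-encoding alone."""
    return [u for u in uris if normalized_match(u) and not raw_match(u)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri!r}: raw={raw_match(uri)} normalized={normalized_match(uri)}")
    print("flagged only after normalization:", coverage_gaps())
```

Feeding it the request URIs exported from the firewall events log shows whether a request that reached the origin differs from the rule's strings only by case or encoding.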