WAF rule to test for all lowercase URL

There is a bot trying URLs on my site as all lowercase. It’s changing referrer and anything I’d normally block with. So I’d like to test the URL and if it’s all lowercase then block. So the entire URL including params. Nothing I try seems to work or even seems to be allowed by Cloudflare. Any suggestions? I’ve tried things like this:

(http.request.uri contains lower(http.request.uri.query))

If you’re on a Business or Enterprise plan, you can probably run a regex test on it. Otherwise, you might try a bunch of Does Not Contain OR statements for each upper case letter. Even then, I’m not sure how well alphabet case testing would work, though I’ve seen evidence that some Firewall Rules are case sensitive.

This site is on Pro plan. I’ve found that URI with contains is case sensitive. The idea of a bunch of OR for each uppercase letter is interesting. I’ll give it a try. Seems super inefficient, but if it works… Thanks for the idea.

Should you not check if http.request.uri equals lower(http.request.uri)? If they are equal, then the url is all lowercase.

When I save “http.request.uri eq lower(http.request.uri)” I get:

Filter parsing error (1:21):
http.request.uri eq lower(http.request.uri)
                    ^^ invalid digit found in string while parsing with radix 16

It seems that Firewall Rules will only apply functions to the values extracted from requests, not to the values against which they should be compared.

The Cloudflare Firewall Rules language supports several functions that transform values extracted from HTTP requests.
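
Added example, not part of any post in this thread and not Cloudflare's code: a Python sketch that builds the per-letter expression suggested above (no comparison against a transformed field, so it avoids the parse error) and models it locally so a list of URIs can be checked before the rule is saved. The local model assumes `contains` is a case-sensitive substring test, as reported in the thread; the sample URIs are constructed.

```python
import string

FIELD = "http.request.uri"  # path plus query string, the field used in the thread


def build_expression(field: str = FIELD) -> str:
    """Build: not (field contains "A" or ... or field contains "Z")."""
    clauses = [f'{field} contains "{c}"' for c in string.ascii_uppercase]
    return "not (" + " or ".join(clauses) + ")"


def rule_matches(uri: str) -> bool:
    """Local model of the expression (assumption: case-sensitive substring tests)."""
    return not any(c in uri for c in string.ascii_uppercase)


def audit(uris):
    """Return the URIs the rule would match, i.e. the ones it would block."""
    return [u for u in uris if rule_matches(u)]


# Constructed sample request URIs, not taken from real logs.
SAMPLE_URIS = [
    "/Products/View?Id=42",   # mixed-case form a site might normally serve
    "/products/view?id=42",   # all-lowercase variant described in the thread
    "/Products/View?id=42",   # only the query is lowercased
    "/search?q=caf%C3%A9",    # uppercase hex digits in percent-encoding
    "/search?q=caf%c3%a9",    # same escape in lowercase hex
    "/",                      # no letters at all
    "/robots.txt",            # legitimately all lowercase
]

if __name__ == "__main__":
    print(build_expression())
    for uri in SAMPLE_URIS:
        print("BLOCK" if rule_matches(uri) else "pass ", uri)
```

Running the audit shows that `/` and `/robots.txt` also match, so the expression needs to be combined with a condition that limits it to paths which normally contain uppercase letters. Feed `audit()` the site's own known-good URIs before turning the rule on.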
