
To solve a penetration test finding I have to check on the value of a cookie. If the cookie is empty or a specific site, all is well. If it's another site, the cookie value should be emptied, so for example:

Cookie [some other text that should not be touched] WASReqURL=https://an.evil.site [possibly more text that should not be touched]

In this example https://an.evil.site should be replaced by an empty string. Webserver used is IBM HTTP Server. The rule I want to use in the webserver config is:

RequestHeader edit Cookie "^WASReqURL=<empty or my.sites.url>" ""

I figured out that with

^((?!WASReqURL=http(s|)(%3a|:)(%2a|\/){2}(acc.|)my.site.url)[\s\S])*$ 

I can check whether the cookie contains a proper value or not, but that doesn't help me with removing the value. Any RegEx guru out there who can point me in the right direction?

1 Answer


This is pretty close but it's quite intimidating/fragile. It is very similar to what you started with, but using more cookie delims and captures.

RequestHeader edit Cookie (?i)(^|.*;)\s*(?:WASReqURL=(?!https?(?:%3a|:)(?:%2f|/){2}(?:acc.)?my.site.url(?:$|\s|;))(?:[^;]+);?)(.*)$   "$1$2"
  • Ignore case in the expression
  • First we grab any cookie before WASReqURL and put it in $1
  • Next, anchor to WASReqURL
  • A negative lookahead matches only when the value is not our whitelist domain
  • A non-capturing group gobbles up the bad domain
  • $3 gets any subsequent cookies

In IHS 9.0 / Apache 2.4, you'd be able to do this in a lua script which would be a bit more imperative and not quickly get into "regex hell" with a more and more complicated single expression.

You could also do this in a C module in a pretty straightforward way, but that is a lot of baggage.

The simplest alternative is to drop all cookies w/o the whitelisted WASReqURL (= tainted or malicious request), which keeps the entire expression simpler and more reliable.

covener
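An added way to check what the answer's expression actually does before putting it in the IHS config (example code, not part of the question or answer): the pattern is run through Python's re module as a stand-in for the PCRE engine inside IHS/Apache (assumed equivalent for the constructs used here), over a handful of constructed Cookie headers, including the whitelist look-alike the terminator is there to reject and the whitelisted-host-with-path case it rejects as a side effect.

```python
import re

# The expression from the answer above, unchanged except that Apache's
# "$1$2" back-references become Python's "\1\2". Python's re engine stands
# in for the PCRE engine in IHS/Apache; the constructs used here behave the
# same in both (assumption).
WASREQURL_EDIT = re.compile(
    r"(?i)(^|.*;)\s*"
    r"(?:WASReqURL=(?!https?(?:%3a|:)(?:%2f|/){2}(?:acc.)?my.site.url(?:$|\s|;))"
    r"(?:[^;]+);?)(.*)$"
)


def scrub_cookie(header: str) -> str:
    """Rewrite a Cookie header the way 'RequestHeader edit' (first match) would."""
    return WASREQURL_EDIT.sub(r"\1\2", header, count=1)


# Constructed sample Cookie headers (not from the page), each paired with the
# value the rule turns it into.
SAMPLES = {
    # evil target between two other cookies: only WASReqURL is dropped
    "JSESSIONID=abc; WASReqURL=https://an.evil.site; foo=bar": "JSESSIONID=abc; foo=bar",
    # URL-encoded scheme separators and nothing else: header becomes empty
    "WASReqURL=http%3a%2f%2fan.evil.site%2fpath": "",
    # whitelisted host, with and without the acc. prefix: untouched
    "WASReqURL=https://my.site.url; JSESSIONID=abc": "WASReqURL=https://my.site.url; JSESSIONID=abc",
    "WASReqURL=https://acc.my.site.url; x=1": "WASReqURL=https://acc.my.site.url; x=1",
    # look-alike host: the (?:$|\s|;) terminator stops it from passing
    "WASReqURL=https://my.site.url.evil.example; x=1": " x=1",
    # caveat: the same terminator also rejects the whitelisted host once a path follows it
    "WASReqURL=https://my.site.url/app; x=1": " x=1",
    # empty value (the question's "all is well" case): no match, left alone
    "WASReqURL=; x=1": "WASReqURL=; x=1",
}


def check_samples() -> bool:
    """True when every constructed sample rewrites to its expected value."""
    return all(scrub_cookie(h) == want for h, want in SAMPLES.items())


if __name__ == "__main__":
    for header, want in SAMPLES.items():
        got = scrub_cookie(header)
        print(f"{'OK ' if got == want else 'BAD'} {header!r} -> {got!r}")
```

Note the leading blank left behind when WASReqURL was the first cookie, and that a whitelisted URL carrying a path is stripped; both follow directly from the expression as written.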