403 Forbidden Error


Since installing the code snippet in the website script, a 403 Forbbiden Error occurs when loading the website. The website call is routed via an ApplicationGateway in Azure and this then forwards the requests in the backend to the website server. The reason why this doesn’t work is that a web application firewall is connected to the AppGW.

So: Client → AppGW → WAF → BackendServer

By surfing the website, the cookie is loaded into the client browser:
“ppms_privacy_0c00c49a-272c-4b8b-8dfa-e2a8a24a0d44={%22visitorId%22:%2222515141-14db-447e-8ac1-a622697325dd%22%2C%22domain%22:{%22normalized%22:% 22
www.b-mos.de%22%2C%22isWildcard%22:false%2C%22pattern%22:%22www.b-mos.de%22}%2C%22consents%22:{%22analytics%22:{% 22status%22:0%2C%22updatedAt%22:%222024-04-10T15:37:55.111Z%22}}%2C%22staleCheckpoint%22:%222024-04-10T15:37:28.791Z%22}”

The WAF uses the OWSAP 3.2 core ruleset. The rule: 942200 is hit by the cookie present in the browser and the request will never go through to the website server again as long as the cookie is not removed from the browser. Rule 942200 is in the group: REQUEST-942-APPLICATION-ATTACK-SQLI
Here is the Git link to the ruleset: coreruleset/rules at v3.2/master · coreruleset/coreruleset · GitHub

The cookie is therefore recognized as an SQL injection attempt by the client and blocked. The website server doesn’t notice anything.

The cookie is evaluated on the WAF via a RegEx, which is stipulated in the rule and causes a pattern match.

RegEx: (?i:(?:(?:(?:(?:trunc|cre|upd)at|renam)e|(?:inser|selec)t|de(?:lete|sc)|alter| load)\s*?(\s*?space\s*?(|,.?[)\da-f"‘]["'](?:["’].*? ["']|(?:\r?\n)?\z|[^"'`]+)|\Wselect.+\W?from))

CookieDecoded: {“visitorId”:“22515141-14db-447e-8ac1-a622697325dd”,“domain”:{“normalized”:“www.b-mos.de”,“isWildcard”:false,“pattern”:“www .b-mos.de”},“consents”:{“analytics”:{“status”:0,“updatedAt”:“2024-04-10T15:37:55.111Z”}},“staleCheckpoint”:“2024 -04-10T15:37:28.791Z”}"

If you check this via regex101: build, test, and debug regex The following hits are generated:

So the first match happens at ,“domain”:{“normalized”: and then ,“isWildcard”:false would cause a hit.

Can the cookie be adjusted so that the RegEx does not have a pattern match?

Welcome to the community!

You could play around with the custom code tag and set up a script there that would change the content of the cookie so that it does not match the RegEx pattern. Alternatively, you could set up a script that changes the content of the cookie that will make the RegEx not recognize the pattern. However, this may impact some aspects of the data collection or user recognition and that is why I would advise you to be careful with changing the cookie’s content.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.