Support

Admin Tools

#39788 Help with creating a WAF Deny Rule

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
4.4
PHP version
8.1
Admin Tools version
7.4.3

Latest post by nicholas on Monday, 13 November 2023 08:42 CST

Friday, 10 November 2023 10:17 CST

Malalana

Hello,

I'm trying to create a WAF Deny Rule, but I find the documentation a bit unclear, especially when it comes to regex patterns.

Basically, what I want to do, is ensure that parameters that should be numeric (such as id, catid, Itemid..) are forced to be numeric, preventing attackers from trying to do stuff like this:

p8M5q4k.png

 

I tried creating a WAF Deny Rule with the following settings (also allowing a dash character - and a colon character : as I know Joomla can also use those):

 

Query Parameter filter type: RegEx
Query Parameter: ^(id|catid|Itemid)$
Query content: ^[^0-9:-]+$

However, it doesn't seem to work. Am I doing something wrong in the regex pattern?

Thank you for your help :)

Also, I feel like this protection for numeric-only values should be shipped by default with Admin Tools, to be honest.

 

Edited by Malalana on 2023-11-10 10:19 CST

Friday, 10 November 2023 10:32 CST

nicholas

You forgot the delimiters in your regular expressions.

Query Parameter: #^(id|catid|Itemid)$#

Query Content: #^-?[\d]+$#

That said, id is a VERY generic parameter which should not be restricted to just a plain integer. There are many valid cases where it has to be an array (cannot be expressed as a regular expression), or it might be a string etc. Please remember that Joomla components use input validation, so the URL examples you showed have zero chance of success. Not to mention that they are not even valid SQL Injection attempts, which is why the SQLiShield filter didn't stop them.

In short, I am telling you that if you set up a rule like this you will probably break what is not currently broken. Please don't come back asking why something doesn't work on your site if you've put such a generic rule in place. There's a reason we have never implemented such a feature in our software.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 10 November 2023 10:44 CST

Malalana

I see. Thanks for your pointers and suggestions. I might not implement the rule then :)

Best,

Andy

Friday, 10 November 2023 11:03 CST

Malalana

PS: Out of curiosity, I still tried your regex, and it didn't work. I also think it should be the opposite, because this is the pattern to be blocked, not the pattern to allow.

I tried something like this:

Query content: #^[^\w-:]+$#

But still doesn't seem to work.

Edited by Malalana on 2023-11-10 11:04 CST

Monday, 13 November 2023 07:42 CST

nicholas

I am pretty sure you were typing something wrong. This does exactly what you asked me for:

It also does have side-effects which I already told you about: it blocks more than you bargained for, including Smart Search.

The reason you don't see it blocking you is either because the SEF extension you are using kicks in first and redirects to the canonical URL before Admin Tools has the chance to do anything with the request, or your IP is in one of the allow lists, or both.

Again, I very strongly recommend AGAINST using this kind of rule. This is trying to kill a mosquito by burning down your house with you in it.

You are pretty insistent on asking me how to shoot your feet, so I am telling you how to shoot your feet right off. Don't come crying later that you did shoot your feet off following my instructions – it's the expected outcome.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 13 November 2023 07:58 CST

Malalana

I think with that regex you wrote you are BLOCKING the numeric IDs and allowing the letter IDs. I just tested it and this is what happens.

So &Itemid=35& is blocked

But &Itemid=35dfjdklfjdkfjdkfj& is allowed.

Which is the opposite of what I wanted to do... 

With that said, I don't think this is as drastic as you're making it out to be. There are variables that should always be numeric.

Maybe 'id' is an exception to that, as it can be a string as well, but others such as Itemid, catid, limit, start, etc - there's nothing wrong with making sure they're numeric. As if they're not numeric, something is wrong.

And also, even if this were to cause any side effects, it's nothing that can't be worked around by disabling the rule in case something stops working.

Edited by Malalana on 2023-11-13 07:58 CST

Monday, 13 November 2023 08:42 CST

nicholas

You can use a ! in front of the regex to negate its meaning.

Itemid can be numeric or empty. The RegEx will block a request with an empty Itemid which will cause a lot of issues.

limit, and start are supposed to be numeric for core Joomla! components and components using the Joomla! MVC to display a paginated view. Other components may have different interpretation of either or both request parameters.

You can't really have a rule like that with no side-effects. We looked into that. If it was possible, it would have been a feature of Admin Tools. That's what I keep repeating.

Also keep in mind that since you're using a SEF extension which kicks in before Admin Tools the rule you are creating will not take effect. I know which one you're using, and it has its own workaround for this kind of requests in core components (and some third party components which have an integration plugin, as far as I can understand). So, even if you have a working rule you might see no change to what that extension reports.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!