Validate QUERY_STRING on RewriteCond for XSS protection

Question

I would like to create a rewrite condition which validate the QUERY_STRING to prevent from XSS.

My item look like:

/ItemPage.jsp?itemId=item_12345_12

where item_12345 is required and "_{VERSIONNUMBER} is optional in query string.

In the past I created a RewriteCond for many javascript parts which could be critical.

Example:

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} script [NC,OR]
RewriteCond %{QUERY_STRING} img [NC,OR]
RewriteCond %{QUERY_STRING} svg [NC,OR]
...
RewriteRule ^/ItemPage\.jsp?$ /StartPage.jsp [L,R=301]

After I found in the time of use many new possible strings to filter, the list grow more and more. And now I want to redirect all request, which don't use this schema to minimize the rules.

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} ^((?!itemId=[\w]).)* [NC,OR]
RewriteRule ^/ItemPage\.jsp?$ /StartPage.jsp [L,R=301]

But if I use this condition I'll be redirected all the time. ItemId is not required on ItemPage.jsp but if ItemId is set in query string it's required that ItemId=item_12345 + optional ItemId=item_12345_12.

Is that rule possible in Apache2.4 to filter XSS code?

Andrew Schulman · Accepted Answer · 2020-10-31T08:41:38.867

0

I think what you want is:

RewriteCond %{QUERY_STRING} !^(ItemId=[[:alpha:]]+_\d+(_\d+)?)?$ [NC]
RewriteRule ^/ItemPage\.jsp$ /StartPage.jsp [L,R=301]

Note, don't include a ? in the condition of the RewriteRule, as you did in your question. That doesn't match the literal ? in the request. Instead it makes the "p" in /ItemPage.jsp optional, so you also match /ItemPage.js.

edited Oct 31 '20 at 08:41

answered Oct 31 '20 at 01:26

Andrew Schulman

8,561
21
31
47

1

Thx a lot. I replaced `[[:alpha:]]` with item and now my vaildation works fine. – B3nny Nov 09 '20 at 14:54

Validate QUERY_STRING on RewriteCond for XSS protection

1 Answers1