I'm trying to create a MODSECURITY rule (using PCRE) for whitelisting ASP session id key in the cookie header. Here is what came to my mind so far:
^(?!.*?ASP.NET_SessionId=[a-z0-9]+;.*?$).+
The website cookie header is like this:
Cookie: PortalAlias=Portal; Language_PostPortal=en-US; ASP.NET_SessionId=opn4y4n1qja0mtzm4sx4514k; portalroles=50FA411EBBAC79
So any cookie value with characters except [a-z0-9] in the ASP.NET_SessionId key must be blocked. Is there a better and more optimized regex (PCRE) to do this?
Instead of matching you can go through a replace method so that you are able to remove whole unwanted session id:
ASP\.NET_SessionId=[a-z0-9]*[^a-z0-9;][^;]*;\s*
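Added example (not part of the original question or answer): Python's `re`, which behaves like PCRE for these patterns, is used to compare the question's header-wide pattern and the answer's replace pattern with a per-cookie check. The helper names and the `LAST` and `BAD` headers are constructed for illustration; `GOOD` is the header from the question.

```python
import re

# Pattern from the question: matches (the rule fires) when the header holds
# no "ASP.NET_SessionId=<lowercase alphanumerics>;" pair.
QUESTION_RX = re.compile(r"^(?!.*?ASP.NET_SessionId=[a-z0-9]+;.*?$).+")
# Pattern from the answer: matches a session cookie whose value contains a
# character outside [a-z0-9], so the whole pair can be replaced away.
ANSWER_RX = re.compile(r"ASP\.NET_SessionId=[a-z0-9]*[^a-z0-9;][^;]*;\s*")
VALID_VALUE = re.compile(r"[a-z0-9]+")

# Header from the question, then two constructed variants (assumptions).
GOOD = ("PortalAlias=Portal; Language_PostPortal=en-US; "
        "ASP.NET_SessionId=opn4y4n1qja0mtzm4sx4514k; portalroles=50FA411EBBAC79")
LAST = "PortalAlias=Portal; ASP.NET_SessionId=opn4y4n1qja0mtzm4sx4514k"
BAD = "PortalAlias=Portal; ASP.NET_SessionId=opn4Y4N1_qja0; portalroles=50FA411EBBAC79"


def session_ids(cookie_header):
    """Return every ASP.NET_SessionId value found in a Cookie header value."""
    values = []
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name == "ASP.NET_SessionId":
            values.append(value)
    return values


def should_block(cookie_header):
    """True when any ASP.NET_SessionId value is not made only of [a-z0-9]."""
    return any(VALID_VALUE.fullmatch(v) is None
               for v in session_ids(cookie_header))


def question_rule_fires(cookie_header):
    """True when the question's header-wide pattern matches."""
    return QUESTION_RX.match(cookie_header) is not None


def strip_invalid(cookie_header):
    """Apply the answer's pattern as a replace, dropping invalid session pairs."""
    return ANSWER_RX.sub("", cookie_header)


if __name__ == "__main__":
    for label, header in (("good", GOOD), ("last", LAST), ("bad", BAD)):
        print(label, question_rule_fires(header), should_block(header),
              strip_invalid(header))
```

The `LAST` header shows that a header-wide pattern requiring a trailing `;` also fires on a valid session cookie that happens to be the final pair. ModSecurity exposes parsed cookies through the REQUEST_COOKIES collection, which allows the same per-cookie test without matching the raw header.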
Related
In IIS I need to rewrite some URLs of the following format ...
https://intranet.test.ch/default.asp?rq_AppGuid=1797F2EBEDBAA87403CF202FD726B63FBB064C02&rq_TargetPageGuid=3851012A27819643BB79B647961B0D668FB9FD08&rq_RecId=31333535&rq_Lang=de
to
https://intranet.test.ch/doc/1355
From the first URL the ID is URL encoded 31333535 = 1355
So actually I need to extract the ID and use it to redirect to the other URL.
With (?<=&rq_RecId=)\d* I can get the ID, but without filtering the not needed 3s. Also the ID can be between 1-9999, means 31-39393939.
Can this be done with regex, so I have a resulting group to use in the redirecting URL?
We have a WSO2 Identity Server 5.8.0 currently setup and running. By default it looks like the apostrophe isn’t acceptable in the username or email address for the user.
Three places give me errors with the current configuration:
In the Home > Add New User: I get a “Username pattern policy violated”
In the Home > Update Profile: I get a “Email is not valid”
In the API to POST: api/identity/user/v1.0/validate-username I get Invalid = 60002
Where do I change the setting to allow apostrophe in username and email address?
Looking in documentation it seems like I should be able to change the User Store > Username Regex but when changed I get “Error occurred while updating user stories”
Also checked Identity > Claims > List but it seems strange to update the claim regex?
Any help appreciated.
Yes, apostrophe is not supported by default, and you need to change the username regex to allow it. For IS 5.8 and older versions, we need to change the following regex props in /repository/conf/user-mgt.xml:
1. <Property name="UsernameJavaRegEx">{Regex}</Property>
To change the regular expression to validate usernames (in the BE). By default, strings having a length of 5 to 30 between non-empty characters are allowed.
2. <Property name="UsernameJavaScriptRegEx">{Regex}</Property>
To change the regular expression used by the front-end components for username validation.
You can find the WSO2 recommendation for username regex here https://is.docs.wso2.com/en/latest/references/usernames-in-identity-server/#best-practices-for-username-creation
When I use a URL Pattern in the url field of chrome.cookies.get, I am not able to retrieve a cookie. When I type in a full URL, I am able to get the cookie. Is it not possible to use a url pattern in the url field of chrome.cookies.get?
Basically, I am trying to show a certain div when the user first logs into the site, but only the first time. I figured I can achieve this by checking the session, and it looks like the JWT token changes on each new session.
I tried this:
chrome.cookies.get({url: '*://www.mysite.com/*', name: 'JWT'}, function (cookie) {...})
but it doesn't seem to work.
Do I need to use a full path? On https://developer.chrome.com/extensions/cookies#method-getAll it says
The URL with which the cookie to retrieve is associated. This argument may be a full URL, in which case any data following the URL path (e.g. the query string) is simply ignored. If host permissions for this URL are not specified in the manifest file, the API call will fail.
The 'may be a full URL' part makes me believe that you should be able to use a pattern in the URL field.
In my manifest file, I have
"permissions": [
"webRequest",
"activeTab",
"storage",
"alarms",
"tabs",
"cookies",
"webNavigation",
"pageCapture",
"desktopCapture",
"tabCapture",
"http://*/*",
"https://*/*"
],
"https://*/*" should be able to match *://www.mysite.com/*.
Again, when I put the full url into the url field, I am able to get the cookie.
I have this url:
"url": "/application/userId=5678"
This url will contain the logged-in userId; I am trying to map this userId with regex to be mapped on all URLs in Wiremock testing.
So far, I've tried this
"urlPattern": "/application/userId=[0-9]+"
But this is not working. Any idea how to make this url work for any userId?
RegEx should be something like:
^\/application\/userId=[0-9]+$
See also this question + answer:
Wiremock not matching regex
Ok, so my new problem in Elixir is that I can't set the explicit domain while creating cookies.
In this case:
HTTPoison.get("httpbin.org/cookies", [{"User-agent", #userAgent}], hackney: [
cookie: "cookie1=1 cookie2=2"] ) do
When I create a cookie it will store a domain like .httpbin.org, but for a dummy reason I need to set the domain value like httpbin.org (without the leading dot).
I tried also with:
HTTPoison.get("httpbin.org/cookies", [{"User-agent", #userAgent}], hackney: [
cookie: "cookie1=1 domain=httpbin.org cookie2=2"] ) do
But of course the syntax expects domain as a cookie name and httpbin.org as a cookie value.
Thank you!
What's the reason you want to remove the dot in the beginning? It's optional and it should match the entire domain with/without the dot.
How do browser cookie domains work?
Also, I think the domain attribute would be for the Set-Cookie header returned from HTTP server rather than requesting from the client. The httpbin (https://httpbin.org/cookies/set) returns the Set-Cookie header, but it doesn't specify domain attribute (just Path=/). It would be taken as .httpbin.org by clients like browsers.
iex(25)> response = HTTPoison.get!("https://httpbin.org/cookies/set?k2=v2&k1=v1")
%HTTPoison.Response{body: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>Redirecting...</title>\n<h1>Redirecting...</h1>\n<p>You should be redirected automatically to target URL: /cookies. If not click the link.",
headers: [{"Server", "nginx"}, {"Date", "Fri, 18 Dec 2015 23:49:46 GMT"},
{"Content-Type", "text/html; charset=utf-8"}, {"Content-Length", "223"},
{"Connection", "keep-alive"}, {"Location", "/cookies"},
{"Set-Cookie", "k2=v2; Path=/"}, {"Set-Cookie", "k1=v1; Path=/"},
{"Access-Control-Allow-Origin", "*"},
{"Access-Control-Allow-Credentials", "true"}], status_code: 302}
iex(26)> :hackney.cookies(response.headers)
[{"k1", [{"k1", "v1"}, {"Path", "/"}]}, {"k2", [{"k2", "v2"}, {"Path", "/"}]}]
Sorry if I'm missing the point.