I have a security loophole to fix by blocking a keyword in my request. If either the GET or POST request contains the keyword "ENTITY", I would like URL rewrite to block the request and send a 403.
Can someone help me write the rule in urlrewrite.xml? This is what I have tried, which does not work.
<rule>
    <note>
        Restrict keyword ENTITY in get or post request.
    </note>
    <name>Restrict URI Access</name>
    <condition type="request-uri" operator="equal">ENTITY</condition>
    <from>(/.*)</from>
    <set type="status">403</set>
    <to last="true">null</to>
</rule>
Thanks ...Manas
The following rule should do the trick. Here, filter is the request parameter that may contain the keyword "ENTITY".
PS: Because it is a URL, there may be many combinations of upper and lower case in which the parameter "filter" can be written (e.g. FILTER, filter, Filter, etc.).
<rule>
    <note>
        Stop ENTITY keyword
    </note>
    <name>StopENTITYKEYWORD</name>
    <condition type="parameter" name="filter" next="or">ENTITY</condition>
    <from>(/.*)</from>
    <set type="status">403</set>
    <to last="true">null</to>
</rule>
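The check this rule is meant to perform, modelled in Python as an added example (not part of the thread and not UrlRewriteFilter code): it decodes the query string and a form-encoded POST body, matches the parameter name and the keyword without regard to case, and returns 403 on a hit. It goes beyond the answer by optionally watching every parameter and a non-form body; `decide`, `collect_params`, and the sample URLs in the comments are hypothetical names and constructed inputs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

KEYWORD = re.compile(r"ENTITY", re.IGNORECASE)   # keyword from the question
FORM = "application/x-www-form-urlencoded"


def _is_form(content_type):
    # Ignore parameters such as "; charset=UTF-8" after the media type.
    return content_type.split(";")[0].strip().lower() == FORM


def collect_params(url, body=b"", content_type=""):
    """Return percent-decoded (name, value) pairs from the query string
    and, for form posts, from the request body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if _is_form(content_type):
        pairs += parse_qsl(body.decode("utf-8", "replace"),
                           keep_blank_values=True)
    return pairs


def decide(url, body=b"", content_type="", names=("filter",)):
    """Return 403 when a watched parameter carries the keyword, else None.

    names=None watches every parameter and also scans a non-form body
    (for example an XML payload) as raw text.
    """
    watched = None if names is None else {n.lower() for n in names}
    for name, value in collect_params(url, body, content_type):
        name_hit = watched is None or name.lower() in watched
        if name_hit and KEYWORD.search(value):
            return 403
    if watched is None and body and not _is_form(content_type):
        if KEYWORD.search(body.decode("utf-8", "replace")):
            return 403
    return None


# Constructed requests:
#   decide("/app/list?FILTER=x%45ntity")                 -> 403
#   decide("/app/save", b"Filter=a+ENTITY+b", FORM)      -> 403
#   decide("/app/list?other=ENTITY")                     -> None
```

With the default `names=("filter",)` the function mirrors the answer's single-parameter condition, so a keyword in any other parameter or in an XML body passes unless `names=None` is used.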