
Conversation

@theseion
Copy link
Contributor

Fixes: #4134

@theseion theseion requested review from EsadCetiner and azurit May 17, 2025 06:33
@github-actions
Copy link
Contributor

github-actions bot commented May 17, 2025

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

fzipi
fzipi previously approved these changes May 17, 2025
Copy link
Member

@fzipi fzipi left a comment


LGTM

@azurit
Copy link
Member

azurit commented May 17, 2025

According to the documentation, the regex may be tighter, for example:
^GS2\.\d\.s\d+(?:\$[a-z]\d+){6,6}$

Also, I know it's going to be lots of work, but it would be cool to have a test for every affected rule.

Anyway, I'm approving it.

@azurit
Copy link
Member

azurit commented May 17, 2025

I rethought it and, if we are really going to globally whitelist this cookie, let's make the regex tighter.

@azurit
Copy link
Member

azurit commented May 17, 2025

A few possible versions:

^GS2\.\d\.s\d+(?:\$[a-z]\d+){6,6}$
^GS2\.\d\.s\d+\$o\d+\$g\d+\$t\d+\$j\d+\$l\d+\$h\d+$

@fzipi
Copy link
Member

fzipi commented May 17, 2025

One thing is that "Parameters can appear in any order".

@azurit
Copy link
Member

azurit commented May 17, 2025

One thing is that "Parameters can appear in any order".

Ok, so:
^GS2\.\d\.[a-z]\d+(?:\$[a-z]\d+){6,6}$

@theseion
Copy link
Contributor Author

Which documentation @azurit? The format is supposed to be extendable, so there might be more than 6 entries in the future. Also, in theory, entries are optional, so I'd say we need to match at least one and maybe 10 at most ({1,10})

@theseion
Copy link
Contributor Author

I've fixed the regex (the dollar sign is a separator and doesn't appear after the last entry).

@theseion theseion force-pushed the support-gs2-cookie-format branch from da3b669 to 4ad6b6e Compare May 18, 2025 05:57
@theseion theseion force-pushed the support-gs2-cookie-format branch from 4ad6b6e to 9b98834 Compare May 18, 2025 05:59
@theseion
Copy link
Contributor Author

ModSecurity v2 (httpd) can't handle regex ranges in the targets list. Had to revert to + instead of {1,9}.
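
The thread settles on a value-format regex and then has to loosen `{1,10}` to `+` for ModSecurity v2. The following is an added example, not code from the PR or from the CRS project: a small Python check that applies both forms to constructed GS2-shaped values, showing that `$` is a separator (so a trailing `$` fails), that entry order does not matter, and that the only behavioural difference between the two forms is the upper bound on the number of entries. The sample values are constructed for illustration and are not real Google Analytics cookies.

```python
import re

# Strict form proposed in the thread: one to ten "$<letter><digits>" entries
# after the "GS2.<digit>.<letter><digits>" head. "$" is a separator, so it
# never appears after the last entry.
GS2_STRICT_RE = re.compile(r"^GS2\.\d\.[a-z]\d+(?:\$[a-z]\d+){1,10}$")

# Portable form the PR fell back to: ModSecurity v2 cannot parse a "{m,n}"
# range inside a target-list regex, so "+" replaces "{1,10}". The only
# difference is that "+" also accepts more than ten entries.
GS2_PORTABLE_RE = re.compile(r"^GS2\.\d\.[a-z]\d+(?:\$[a-z]\d+)+$")


def is_gs2_value(value: str, strict: bool = True) -> bool:
    """Return True when `value` has the GS2 cookie-value shape."""
    pattern = GS2_STRICT_RE if strict else GS2_PORTABLE_RE
    return pattern.fullmatch(value) is not None


def build_gs2_value(entries: list[tuple[str, int]]) -> str:
    """Assemble a GS2-shaped value from (letter, number) entries.

    Constructed test data only; the head is an arbitrary session-like number.
    """
    head = "GS2.1.s1700000000"
    return head + "".join(f"${key}{num}" for key, num in entries)


def describe(value: str) -> dict:
    """Evaluate one value against both forms; handy for eyeballing differences."""
    return {
        "value": value,
        "strict": is_gs2_value(value, strict=True),
        "portable": is_gs2_value(value, strict=False),
    }


if __name__ == "__main__":
    # Constructed samples: a six-entry value, the same entries reordered,
    # a trailing separator, no entries at all, and eleven entries.
    samples = [
        "GS2.1.s1700000000$o1$g1$t1700000100$j59$l0$h0",
        "GS2.1.s1700000000$g1$o1$t1700000100$j59$l0$h0",
        "GS2.1.s1700000000$o1$g1$t1700000100$j59$l0$h0$",
        "GS2.1.s1700000000",
        build_gs2_value([("o", 1)] * 11),
    ]
    for sample in samples:
        print(describe(sample))
```

Only the eleven-entry sample separates the two forms; every other case (trailing separator, missing entries, reordered entries) is judged identically, which is why the fallback to `+` costs little in practice.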

@azurit
Copy link
Member

azurit commented May 18, 2025

I just realized that we are doing this wrong - the format REQUEST_COOKIES:<something> matches against cookie names, not values. We don't need such a complex regex here, just this:
REQUEST_COOKIES:/^_ga_/

@theseion
Copy link
Contributor Author

That works too. I hadn't considered it, because it seemed too broad. It would make it very easy to bypass rules, by simply using that prefix for the cookie name.

@azurit
Copy link
Member

azurit commented May 19, 2025

But you cannot match a cookie value the way you are trying to do now.

@azurit
Copy link
Member

azurit commented May 19, 2025

Also, the previous version of Google Analytics is made very similarly - just look at the whitelisted __utm cookies (and it's even worse, as it's missing ^ at the beginning - that should be added).
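
The two points made above (a `REQUEST_COOKIES:/regex/` target is matched against cookie names, and an unanchored `__utm` also hits names that merely contain that string) can be checked with a small model of ModSecurity's target selection. The following is an added Python example, not code from the PR or from ModSecurity itself; it assumes, as the discussion does, that the name regex is applied with an unanchored search. The Cookie header is constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed Cookie header: legacy __utm cookies, a GA1-style _ga cookie,
# a GS2-style _ga_<suffix> cookie, an unrelated session cookie, and a name
# that merely contains "__utm" in the middle.
SAMPLE_COOKIE_HEADER = (
    "__utma=1.2.3; __utmz=4.5.6; _ga=GA1.1.111.222; "
    "_ga_ABC123=GS2.1.s1$o1$g1; session=abc; x__utmz=7"
)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into {name: value}. Minimal, for illustration."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def select_targets(cookies: Dict[str, str], name_regex: str) -> List[str]:
    """Model REQUEST_COOKIES:/regex/: the regex is applied to cookie NAMES only,
    with an unanchored search, so a value-shaped regex never selects anything."""
    pattern = re.compile(name_regex)
    return sorted(name for name in cookies if pattern.search(name))


def inspected_cookies(cookies: Dict[str, str], exclusions: Iterable[str]) -> List[str]:
    """Model a target list like 'REQUEST_COOKIES|!REQUEST_COOKIES:/^_ga_/':
    start with every cookie, then remove the names each exclusion regex selects."""
    remaining = set(cookies)
    for name_regex in exclusions:
        remaining -= set(select_targets(cookies, name_regex))
    return sorted(remaining)


if __name__ == "__main__":
    cookies = parse_cookie_header(SAMPLE_COOKIE_HEADER)
    print("__utm   ->", select_targets(cookies, "__utm"))    # also hits x__utmz
    print("^__utm  ->", select_targets(cookies, "^__utm"))   # anchored: legacy only
    print("^_ga_   ->", select_targets(cookies, "^_ga_"))
    print("^_ga    ->", select_targets(cookies, "^_ga"))
    print("^GS2    ->", select_targets(cookies, "^GS2"))     # value regex: no match
    print("inspected:", inspected_cookies(cookies, ["^__utm", "^_ga_"]))
```

The `^GS2` case is the one azurit is pointing at: a regex written for the cookie value selects nothing because the selector only ever sees names. The unanchored `__utm` case shows why the missing `^` matters; anchoring it keeps an unrelated cookie such as `x__utmz` under inspection.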

- change cookie regex from `__utm` to `^__utm`
- correctly match the cookie name with `^_ga` instead of the cookie
  value (which isn't possible)
- match both GAx and GSx cookie formats with `^_ga`
@theseion
Copy link
Contributor Author

Thanks @azurit. I've fixed the test and added two more; updated the regular expressions.

fzipi
fzipi previously approved these changes May 20, 2025
Copy link
Member

@fzipi fzipi left a comment


Very good discussion and outcome :)

@azurit
Copy link
Member

azurit commented May 20, 2025

I would go with ^_ga_ instead of ^_ga.

@azurit
Copy link
Member

azurit commented May 20, 2025

The pattern ^_ga looks too general to me. I know that ^_ga_ isn't much better, but it is still better.

@azurit
Copy link
Member

azurit commented May 20, 2025

Anyway, we have no reports about problems with the previous version using the _ga cookie name.

@azurit
Copy link
Member

azurit commented May 20, 2025

...so maybe we don't need to whitelist it.

@TimDiam0nd
Copy link
Contributor

Are the __utm.* cookies still in use itw?
From what I can see, they are part of Universal Analytics, which was deprecated as of July last year.

@theseion
Copy link
Contributor Author

Are the __utm.* cookies still in use itw? From what I can see, they are part of Universal Analytics, which was deprecated as of July last year.

Probably not, but I'd wait a bit longer, just to be safe.

Copy link
Member

@EsadCetiner EsadCetiner left a comment


I don't like how we're excluding Google cookies by modifying the targets directly; this is cumbersome and you're applying these exclusions to everybody.

I don't think we should create a plugin for something like this either, but maybe we can create a google-cookies.conf.optional file?

IMO a simple file like this would be easier to maintain:

#
# [ Google GS2 Cookie ]
#

SecRuleUpdateTargetByTag OWASP_CRS/PROTOCOL-ATTACK "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-LFI "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-RCE "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-PHP "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-GENERIC "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-XSS "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-SQLI "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-SESSION-FIXATION "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-JAVA "!REQUEST_COOKIES:/^_ga_/"

#
# [ Legacy Google Cookie ]
#

SecRuleUpdateTargetByTag OWASP_CRS/PROTOCOL-ATTACK "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-LFI "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-RCE "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-PHP "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-GENERIC "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-XSS "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-SQLI "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-SESSION-FIXATION "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetByTag OWASP_CRS/ATTACK-JAVA "!REQUEST_COOKIES:/^__utm/"

Or, if you want to exclude per rule ID (AFAICT Google cookies are being excluded for specific categories):

#
# [ Legacy Google cookies ]
#

SecRuleUpdateTargetById 921120 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 921130 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 921200 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 930120 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 932120 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932125 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932130 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932140 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932160 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932175 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932200 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932210 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932220 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932230 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932231 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932232 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932235 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932236 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932238 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932240 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932250 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932260 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932270 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932271 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932300 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932301 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932310 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932311 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932320 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932321 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932330 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932331 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932370 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 932380 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 933100 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933120 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933130 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933131 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933135 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933140 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933150 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933151 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933160 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933161 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933170 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933180 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933190 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933200 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933210 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 933211 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 934100 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934101 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934110 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934120 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934130 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934140 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934150 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934160 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 934170 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941110 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941130 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941150 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941140 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941160 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941170 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941180 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941181 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941190 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941200 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941210 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941220 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941230 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941240 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941250 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941260 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941270 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941280 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941290 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941300 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941310 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941320 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941330 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941340 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941350 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941360 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941370 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941380 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941390 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 941400 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942140 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942150 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942151 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942160 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942170 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942180 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942190 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942200 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942210 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942220 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942230 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942240 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942250 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942251 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942260 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942270 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942280 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942300 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942310 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942320 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942330 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942350 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942360 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942361 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942362 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942380 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942390 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942400 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942410 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942440 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942450 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942470 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942480 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942490 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942500 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942510 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942511 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942520 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942530 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942540 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 942560 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 943100 "!REQUEST_COOKIES:/^__utm/"

SecRuleUpdateTargetById 944100 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944110 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944120 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944130 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944200 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944210 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944240 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944250 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944260 "!REQUEST_COOKIES:/^__utm/"
SecRuleUpdateTargetById 944300 "!REQUEST_COOKIES:/^__utm/"

#
# [ Google GS2 Cookie ]
#

SecRuleUpdateTargetById 921120 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 921130 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 921200 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 930120 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 932120 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932125 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932130 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932140 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932160 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932175 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932200 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932210 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932220 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932230 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932231 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932232 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932235 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932236 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932238 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932240 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932250 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932260 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932270 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932271 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932300 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932301 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932310 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932311 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932320 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932321 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932330 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932331 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932370 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 932380 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 933100 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933120 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933130 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933131 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933135 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933140 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933150 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933151 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933160 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933161 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933170 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933180 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933190 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933200 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933210 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 933211 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 934100 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934101 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934110 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934120 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934130 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934140 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934150 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934160 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 934170 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 941100 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941110 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941120 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941130 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941150 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941140 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941160 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941170 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941180 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941181 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941190 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941200 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941210 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941220 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941230 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941240 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941250 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941260 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941270 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941280 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941290 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941300 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941310 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941320 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941330 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941340 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941350 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941360 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941370 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941380 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941390 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 941400 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 942100 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942140 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942150 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942151 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942160 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942170 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942180 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942190 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942200 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942210 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942220 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942230 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942240 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942250 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942251 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942260 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942270 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942280 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942290 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942300 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942310 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942320 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942330 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942340 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942350 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942360 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942361 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942362 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942370 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942380 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942390 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942400 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942410 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942421 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942440 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942450 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942470 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942480 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942490 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942500 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942510 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942511 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942520 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942530 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942540 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942550 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 942560 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 943100 "!REQUEST_COOKIES:/^_ga_/"

SecRuleUpdateTargetById 944100 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944110 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944120 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944130 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944200 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944210 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944240 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944250 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944260 "!REQUEST_COOKIES:/^_ga_/"
SecRuleUpdateTargetById 944300 "!REQUEST_COOKIES:/^_ga_/"

@azurit
Copy link
Member

azurit commented May 22, 2025

I don't like this either. If it was up to me, I would move it into the plugin.

@theseion
Copy link
Contributor Author

theseion commented May 24, 2025

I also don't like how general this is. I've looked again at the deprecation notice for the __utm cookies, and their data has no longer been processed since summer 2024. If we dropped __utm from the targets, we could handle the exclusion of _ga* cookies in a different way.

Now, the reason it was applied so broadly was that many clients used those cookies, and we must assume that the same will be true for the new cookies. This probably means we need to exclude them by default, potentially with an opt-out option, rather than the other way around.

@EsadCetiner I like your idea but I would prefer that CRS rules are shipped without modifying actions. As for a plugin, that would mean that exclusion is opt-in, which, I think, isn't a good idea, as explained above.

I could see us adding a new rule like the following:

SecRule REQUEST_COOKIES:/^_ga/ "@rx ^GS2\.\d\.[a-z]\d+(?:\$[a-z]\d+){1,10}$" \
    "id:999999,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIE:/^ga/,\
    ver:'OWASP_CRS/4.15.0-dev'"

We already have a couple of these rules and it lets us be much stricter, i.e., we can check the cookie format with a regex (otherwise, the cookie name can just be used to bypass cookie checks).

In conclusion:

  • drop __utm (thanks for the pointers @TimDiam0nd)
  • add a rule to exclude the cookies by tag

What do you think?
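
The difference between the two approaches under discussion, excluding by cookie name alone versus excluding only when the name matches and the value has the GS2 shape, is easy to model outside ModSecurity. The following is an added Python example, not code from the PR or the CRS project, and it is a simulation of the intended semantics of the proposed rule rather than a ModSecurity configuration. The cookie jar is constructed for illustration; the `_ga_LOOKALIKE` entry carries an arbitrary non-GS2 placeholder value to show what a format check would keep under inspection.

```python
import re
from typing import Dict, List

# Value-format regex from the proposed rule and name prefix it selects on.
GS2_VALUE_RE = re.compile(r"^GS2\.\d\.[a-z]\d+(?:\$[a-z]\d+){1,10}$")
GA_NAME_RE = re.compile(r"^_ga")

# Constructed cookie jar: one genuine-looking GS2 cookie, one cookie that only
# borrows the _ga_ prefix, and an unrelated session cookie.
SAMPLE_COOKIES: Dict[str, str] = {
    "_ga_ABC123": "GS2.1.s1700000000$o1$g1$t1700000100$j59$l0$h0",
    "_ga_LOOKALIKE": "not-a-gs2-value",
    "session": "abc123",
}


def exclude_by_name_only(cookies: Dict[str, str]) -> Dict[str, str]:
    """Name-based exclusion (SecRuleUpdateTargetBy... "!REQUEST_COOKIES:/^_ga/"):
    every cookie whose NAME matches is dropped from inspection, whatever its value."""
    return {n: v for n, v in cookies.items() if not GA_NAME_RE.search(n)}


def exclude_by_name_and_format(cookies: Dict[str, str]) -> Dict[str, str]:
    """Intent of the proposed rule: drop a cookie only when its name matches ^_ga
    AND its value has the GS2 shape; a prefix-only lookalike stays under inspection."""
    return {
        n: v
        for n, v in cookies.items()
        if not (GA_NAME_RE.search(n) and GS2_VALUE_RE.fullmatch(v))
    }


def still_inspected(cookies: Dict[str, str], gate_on_format: bool) -> List[str]:
    """Names left for the attack rules to look at under either policy."""
    policy = exclude_by_name_and_format if gate_on_format else exclude_by_name_only
    return sorted(policy(cookies))


if __name__ == "__main__":
    print("name only      ->", still_inspected(SAMPLE_COOKIES, gate_on_format=False))
    print("name + format  ->", still_inspected(SAMPLE_COOKIES, gate_on_format=True))
```

Under the name-only policy the lookalike cookie disappears from inspection together with the real one; gating on the value format keeps it, which is exactly the "much stricter" property the comment above is after. The simulation says nothing about whether ModSecurity can express this; the rest of the thread covers that.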

@fzipi
Copy link
Member

fzipi commented May 24, 2025

Way cleaner. By a lot.

@EsadCetiner
Copy link
Member

@theseion

I could see us adding a new rule like the following:

That rule isn't supported by libModSecurity3.

In that case, it looks like this is the only option outside of keeping things as they are:
SecRuleUpdateTargetByTag OWASP_CRS "!REQUEST_COOKIES:/^__utm/"

@azurit
Copy link
Member

azurit commented May 24, 2025

That rule isn't supported by libModSecurity3.

Why?

@EsadCetiner
Copy link
Member

@azurit it's outright rejected:

Expecting an action, got: ^ga/,\

@azurit
Copy link
Member

azurit commented May 24, 2025

ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIE:/^ga/,\

@theseion Using regexes here is not supported by all versions of ModSecurity. There are patches, but currently this is not supported.

@azurit
Copy link
Member

azurit commented May 24, 2025

@azurit it's outright rejected:

Expecting an action, got: ^ga/,\

@EsadCetiner I just noticed this and it's not related only to v3.

@theseion
Copy link
Contributor Author

Macro expansion isn't supported either, so my idea is out, because there's a random suffix after _ga_. It's also not possible to chain SecUpdateTargetByTag.

I also tried the following, but unfortunately, SecUpdateTargetByTag is executed before the rule:

SecRule REQUEST_COOKIES:/^_ga/ "!@rx ^GS2\.\d\.[a-z]\d+(?:\$[a-z]\d+){1,10}$" \
    "id:999998,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.15.0-dev',\
    skipAfter:END-COOKIE-EXCEPTIONS"

SecRuleUpdateTargetByTag OWASP_CRS "!REQUEST_COOKIES:/^_ga_/"
SecMarker "END-COOKIE-EXCEPTIONS"

With that, I'm leaning towards @EsadCetiner's idea to use SecUpdateTargetByTag. If we put those into a separate file, we can include them by default, users can opt out by not including the file, and the logic is at least centralised and commented.

@azurit
Copy link
Member

azurit commented May 25, 2025


With that, I'm leaning towards @EsadCetiner's idea to use SecUpdateTargetByTag. If we put those into a separate file, we can include them by default, users can opt out by not including the file, and the logic is at least centralised and commented.

In this case, it would be cleaner to move it into a plugin.

@theseion
Copy link
Contributor Author

In this case, it would be cleaner to move it into a plugin.

Yes, except that I believe we should make the exclusion the default. If we put it in a plugin, users must explicitly include it. If these cookies affect a majority of our user base, don't you think it should be the default?

@azurit
Copy link
Member

azurit commented May 25, 2025

How do we know how many users it affects? The old cookie was dropped a year ago and we have had only one report since then.

@theseion
Copy link
Contributor Author

We don't, it's an assumption. We could also decide to drop __utm and not do anything about the GS2 cookie and wait for more reports. 🤷. @dune73 @RedXanadu, any opinions?

@azurit
Copy link
Member

azurit commented May 25, 2025

As __utm is not used anymore, it should have no effect.

@theseion
Copy link
Contributor Author

As we didn't reach a resolution, I will close this PR and open another to remove __utm. We will wait for additional FP reports before doing anything about Google Analytics cookies.

@theseion theseion closed this May 30, 2025
theseion added a commit to theseion/coreruleset that referenced this pull request May 30, 2025
Google has deprecated and phased out the use of `__utm` Google Analytics
cookies.

As discussed in coreruleset#4136, we will not add a new exclusion for the newer
Google Analytics cookies until we have received evidence that they are
causing false positives for a significant number of users.

Closes coreruleset#4134
github-merge-queue bot pushed a commit that referenced this pull request Jun 1, 2025
Google has deprecated and phased out the use of `__utm` Google Analytics
cookies.

As discussed in #4136, we will not add a new exclusion for the newer
Google Analytics cookies until we have received evidence that they are
causing false positives for a significant number of users.

Closes #4134

Labels

release:important release:new-feature This PR introduces a new feature


Development

Successfully merging this pull request may close these issues.

Rule 932240 google analytics GS2 false positive

5 participants