Fix FP with Google Funding Choices cookies #2226

azurit · 2021-10-08T18:36:14Z

Google Funding Choices is using cookies which looks like these:

FCCDCF=[["AKsRol96Mxyk9FqhFojBc6fQqh-bo-s0VYkniISe0wOz3NRAr90HMsuZQ81FJitWrfPRF09u-aYlhT0PMzLHW-cwgE2c_bmkaerz5Ht3N2y-Tseg5C_ngXVXK2eHiHVfBdx8iAtcRpqNdws_RZwZarM8E0ONvOztHg=="],null,["[[],[],[],[],null,null,true]",1633715935146],["CPNaLZhPNaLZhEsABBSKBvCoAP_AAH_AACRQHQpD7T7FbSFCyP55fLsAMAhXRkCEAqQAAASABmABQAKQIAQCkkAQFASgBAACAAAgICZBAQIMCAgACUABQABAAAEEAAAABAAIIAAAgAEAAAAIAAACAIAAAAAIAAAAEAAAmwgAAIIACAAABAAAAAAAAAAAAAAAAgdCgPsLsVtIUJI_Gk8uwAgCFdGQIQCoAAAAIAGYAAAApAgBAKQQBAABKAAAAIAACAgJgEBAggACAABQAFAAEAAAAAAAAAAAAggAACAAQAAAAgAAAIAgAAAAAgAAAAAAACBCAAAggAIAAAAAAAAAAAAAAAAAAACAAA.dngACAAAAAA","1~2072.66.70.89.93.108.122.149.2202.162.167.196.2253.241.2299.253.259.2357.311.317.323.2373.338.358.415.440.449.2506.2526.482.486.494.495.2568.2571.2575.540.574.2677.817.864.981.1051.1095.1097.1127.1201.1205.1211.1276.1301.1365.1415.1449.1570.1577.1651.1716.1765.1870.1878.1889","D69AA49A-F82F-4B88-A047-1358464AD104"],null]

FCNEC=[["AKsRol96Mxyk9FqhFojBc6fQqh-bo-s0VYkniISe0wOz3NRAr90HMsu ZQ81FJitWrfPRF09u-aYlhT0PMzLHW-cwgE2c_bmkaerz5Ht3N2y-Tseg5C_ngXVXK2eHiHVfBdx8iAtcRpqNdws_RZwZarM8E0ONvOztHg=="]]

In this case, this part of the cookies is triggering rule 941120: 0ONvOztHg=. This PR is trying to fix such FPs by disallowing a second = character.

fzipi · 2021-10-09T16:17:43Z

This will handle base64 encoding properly, right? I'm just a bit confused by reading the change only...

azurit · 2021-10-09T18:19:51Z

I'm not sure what do you mean. If i understand this rule properly, it is supposed to catch strings like these:

...

There's no base64 data anywhere.

azurit · 2021-10-11T10:41:07Z

Another example of FP:

FCCDCF=[["AKsRol_KW-qL7wtWwLbRysBQPOUMO4VMTf6kc5QrckgI-titv2TY1WZSRoPgMg9nWVIfkEi0BW9zQ-cyaDwQ8-s-a069YL99vR32cAWVvgpmiLeNoeyEn_d_EZMKZWGxK2gvbEba2A97Yg28JE7SGgI0yr6onBJWVA=="],null,["[[],[],[],[],null,null,true]",1632136503899],["CPM0gg0PM0gg0EsABBSKBsCoAP_AAH_AACRQHQpD7T7FbSFCyP55fLsAMAhXRkCEAqQAAASABmABQAKQAAQCkkAQFASgBAACAAAgICZBAQIMCAgACUABQABAAAEEAAAABAAIIAAAgAEAAAAIAAACAIAAAAAIAAAAEAAAmwgAAIIACAAABAAAAAAAAAAAAAAAAgdCgPsLsVtIUJI_Gk8uwAgCFdGQIQCoAAAAIAGYAAAApAABAKQQBAABKAAAAIAACAgJgEBAggACAABQAFAAEAAAAAAAAAAAAggAACAAQAAAAgAAAIAgAAAAAgAAAAAAACBCAAAggAIAAAAAAAAAAAAAAAAAAACAAA.dngACAAAAAA","1~2072.66.70.89.93.108.122.149.2202.162.167.196.2253.241.2299.253.259.2357.311.317.323.2373.338.358.415.440.449.2506.2526.482.486.494.495.2568.2571.2575.540.574.2677.817.864.981.1051.1095.1097.1127.1201.1205.1211.1276.1301.1365.1415.1449.1570.1577.1651.1716.1765.1870.1878.1889","F602B500-B6FE-4430-978B-26DEC26A5460"],null]

FCNEC=[["AKsRol_KW-qL7wtWwLbRysBQPOUMO4VMTf6kc5QrckgI-titv2TY1WZSRoPgMg9nWVIfkEi0BW9zQ-cyaDwQ8-s-a069YL99vR32cAWVvgpmiLeNoeyEn_d_EZMKZWGxK2gvbEba2A97Yg28JE7SGgI0yr6onBJWVA=="]]

fzipi · 2021-10-11T15:29:43Z

Confirmed the pattern works as expected:

❯ pcretest
PCRE version 8.45 2021-06-15

  re> /[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=/i
data> FCCDCF=[["AKsRol96Mxyk9FqhFojBc6fQqh-bo-s0VYkniISe0wOz3NRAr90HMsuZQ81FJitWrfPRF09u-aYlhT0PMzLHW-cwgE2c_bmkaerz5Ht3N2y-Tseg5C_ngXVXK2eHiHVfBdx8iAtcRpqNdws_RZwZarM8E0ONvOztHg=="],null,["[[],[],[],[],null,null,true]",1633715935146],["CPNaLZhPNaLZhEsABBSKBvCoAP_AAH_AACRQHQpD7T7FbSFCyP55fLsAMAhXRkCEAqQAAASABmABQAKQIAQCkkAQFASgBAACAAAgICZBAQIMCAgACUABQABAAAEEAAAABAAIIAAAgAEAAAAIAAACAIAAAAAIAAAAEAAAmwgAAIIACAAABAAAAAAAAAAAAAAAAgdCgPsLsVtIUJI_Gk8uwAgCFdGQIQCoAAAAIAGYAAAApAgBAKQQBAABKAAAAIAACAgJgEBAggACAABQAFAAEAAAAAAAAAAAAggAACAAQAAAAgAAAIAgAAAAAgAAAAAAACBCAAAggAIAAAAAAAAAAAAAAAAAAACAAA.dngACAAAAAA","1~2072.66.70.89.93.108.122.149.2202.162.167.196.2253.241.2299.253.259.2357.311.317.323.2373.338.358.415.440.449.2506.2526.482.486.494.495.2568.2571.2575.540.574.2677.817.864.981.1051.1095.1097.1127.1201.1205.1211.1276.1301.1365.1415.1449.1570.1577.1651.1716.1765.1870.1878.1889","D69AA49A-F82F-4B88-A047-1358464AD104"],null]
 0: 0ONvOztHg=
data>
  re> /[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]/i
data> FCCDCF=[["AKsRol96Mxyk9FqhFojBc6fQqh-bo-s0VYkniISe0wOz3NRAr90HMsuZQ81FJitWrfPRF09u-aYlhT0PMzLHW-cwgE2c_bmkaerz5Ht3N2y-Tseg5C_ngXVXK2eHiHVfBdx8iAtcRpqNdws_RZwZarM8E0ONvOztHg=="],null,["[[],[],[],[],null,null,true]",1633715935146],["CPNaLZhPNaLZhEsABBSKBvCoAP_AAH_AACRQHQpD7T7FbSFCyP55fLsAMAhXRkCEAqQAAASABmABQAKQIAQCkkAQFASgBAACAAAgICZBAQIMCAgACUABQABAAAEEAAAABAAIIAAAgAEAAAAIAAACAIAAAAAIAAAAEAAAmwgAAIIACAAABAAAAAAAAAAAAAAAAgdCgPsLsVtIUJI_Gk8uwAgCFdGQIQCoAAAAIAGYAAAApAgBAKQQBAABKAAAAIAACAgJgEBAggACAABQAFAAEAAAAAAAAAAAAggAACAAQAAAAgAAAIAgAAAAAgAAAAAAACBCAAAggAIAAAAAAAAAAAAAAAAAAACAAA.dngACAAAAAA","1~2072.66.70.89.93.108.122.149.2202.162.167.196.2253.241.2299.253.259.2357.311.317.323.2373.338.358.415.440.449.2506.2526.482.486.494.495.2568.2571.2575.540.574.2677.817.864.981.1051.1095.1097.1127.1201.1205.1211.1276.1301.1365.1415.1449.1570.1577.1651.1716.1765.1870.1878.1889","D69AA49A-F82F-4B88-A047-1358464AD104"],null]
No match
data>

Merging!

azurit · 2021-10-11T19:31:38Z

@fzipi Thank you!

azurit added 2 commits October 8, 2021 20:27

Fix FP with Google Funding Choices coockies

2c97c63

Adding test

68ef16e

fzipi merged commit 62bf166 into coreruleset:v3.4/dev Oct 11, 2021

azurit deleted the v3.4/FP941120 branch October 11, 2021 19:31

dune73 mentioned this pull request Nov 1, 2021

Monthly Chat Agenda November 2021 (2021-11-01 and 2021-11-15) #2239

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Fix FP with Google Funding Choices cookies #2226

Fix FP with Google Funding Choices cookies #2226

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Fix FP with Google Funding Choices cookies #2226

Fix FP with Google Funding Choices cookies #2226

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!