I'm working on a script that would show potentially dangerous HTTP requests, but I don't know how to filter the URI in an HTTP request correctly. The idea is to check whether any URL is contained in the GET parameters, but ignore URLs that are passed in a GET parameter with a specified name (for example, a GET parameter named goto can contain any URL). So if the starting line of a request looks like this ...

GET /check/request?first=1&second=http://domain.tld/something&third=3 HTTP/1.1

... there must be a match. If we have another request's starting line like ...

GET /check/request?goto=http://domain.tld/something HTTP/1.1

... this one should be ignored.

The base regex, which matches any line with a URL, is:

^(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$

I was trying to modify it correctly, but my version only matches lines which contain the word goto in the URL itself, not as a parameter:

^(GET|POST).*\?.*(?!.*goto)\=http\:\/\/.* HTTP\/.*$

Any help would be appreciated.

2 Answers


UPDATE

^(GET|POST).*\?.*(?<!goto)\=http\:\/\/.* HTTP\/.*$

Check here

1 Comment

It works when the goto parameter is first in the GET query or is the only one ... The example I provided may be a bit wrong, because the goto parameter could be anywhere in the GET query ...

You probably meant lookbehind to http://.* rather than lookahead to .*:

^(GET|POST).*\?.*(?<!goto)\=http\:\/\/

Please see an example on regex101.
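
An alternative to encoding the exception in a lookbehind, added here as an example and not taken from the question or either answer: parse the query string and compare parameter names exactly, so goto is ignored wherever it appears in the query and a name such as notgoto is still reported. The function name url_params, the allow-list, the extension to https and percent-encoded values, and the sample lines beyond the question's two are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Parameter names that may legitimately carry a URL ("goto" is from the question).
ALLOWED_PARAMS = frozenset({"goto"})

# Request line: method, request target, HTTP version.
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/\d(?:\.\d)?$")
# Assumption: https counts as well as the http:// the original regex looks for.
URL_IN_VALUE = re.compile(r"https?://", re.IGNORECASE)


def url_params(request_line, allowed=ALLOWED_PARAMS):
    """Return names of query parameters holding a URL, minus allowed names."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return []  # not a GET/POST request line
    _, _, query = m.group(2).partition("?")
    hits = []
    # parse_qsl splits on "&" and percent-decodes, so names are compared
    # exactly and an encoded value such as http%3A%2F%2F... is still seen.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed and URL_IN_VALUE.search(value):
            hits.append(name)
    return hits


# Constructed sample lines; the first two are the ones from the question.
SAMPLES = [
    "GET /check/request?first=1&second=http://domain.tld/something&third=3 HTTP/1.1",
    "GET /check/request?goto=http://domain.tld/something HTTP/1.1",
    "GET /check/request?first=1&goto=http://domain.tld/something&third=3 HTTP/1.1",
    "GET /check/request?notgoto=http://domain.tld/something HTTP/1.1",
    "GET /check/request?goto=http://domain.tld/a&next=http%3A%2F%2Fother.tld%2Fb HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        flagged = url_params(line)
        print("MATCH " if flagged else "ignore", flagged, line)
```
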
