Recently I had a task to delete a number of set variables (listed parameters) from the URL address on an Apache webserver serving as a Reverse Proxy.
To make it clearer, the exact task was: when customers call the URL https://companywebsite-url.com (all subdomains included), the following URL parameters should always be deleted by the reverse proxy:
– ebppMode
– ebppObjectKey
– ebppObjectType
– ebppSystem
– logSys
The parameters are part of SAP Biller Direct in a Portal (based on the famous SAP database), which is often deployed as a component of Internet Sales (ISA) / Supplier Relationship Management (SRM) / CRM, and they apply once a user is logged into the system with his credentials (KID (Key ID) / Admin KID). The EBPP prefix of most variables stands for Electronic Bill Presentment and Payment.
By passing the above parameters to the website, the mode of use and the user account under which one is logged into the system can be switched, system logs can be read, and other things can be done that can turn out to be a severe security hole.
As most big companies pass their web traffic through a "transparent" reverse proxy, it is good security practice for SAP Biller Direct (including CRM systems) to wipe out these variables there.
Here are the mod_rewrite rules that I used to achieve the task of deleting the variables from the URL address:
RewriteEngine On

# One RewriteCond/RewriteRule pair per parameter: %1 is the query text before
# the parameter, %2 its value (everything up to the next "&"), %3 the text
# after it; $1 is the matched URL path. Each substitution replaces
# QUERY_STRING, so the next condition already sees the shortened query.
RewriteCond %{QUERY_STRING} ^(.*)\bebppMode=([^&]*)(.*)
RewriteRule (.*) $1?%1%3
RewriteCond %{QUERY_STRING} ^(.*)\bebppObjectKey=([^&]*)(.*)
RewriteRule (.*) $1?%1%3
RewriteCond %{QUERY_STRING} ^(.*)\bebppObjectType=([^&]*)(.*)
RewriteRule (.*) $1?%1%3
RewriteCond %{QUERY_STRING} ^(.*)\bebppSystem=([^&]*)(.*)
RewriteRule (.*) $1?%1%3
RewriteCond %{QUERY_STRING} ^(.*)\blogSys=([^&]*)(.*)
RewriteRule (.*) $1?%1%3

# Collapse the "&&" a removed parameter leaves behind. This condition has only
# two groups; an unset %3 expands to nothing and would drop every parameter
# after the "&&", so the substitution must use %1&%2.
RewriteCond %{QUERY_STRING} ^(.*)&&(.*)
RewriteRule (.*) $1?%1&%2
# Drop a dangling "&" at the end of the query
RewriteCond %{QUERY_STRING} ^(.*)&$
RewriteRule (.*) $1?%1
P.S. I've implemented the above rewrite rules in all VirtualHosts of the applications (in that case all living in the same httpd.conf on a SuSE (SLES) 11 SP1 Enterprise Linux server).
To make the changes effective, I restarted the HTTPD webserver:
/etc/init.d/httpd restart
The result is:
https://companywebsite-url.com/start.html?page=start&ebppMode=A&ebppSystem=Test
leads to an internal URL redirection to
https://companywebsite-url.com/start.html?page=start
without the parameters ebppMode, ebppObjectKey, ebppObjectType, ebppSystem, logSys.
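As an added illustration (not part of the original post), the Python script below emulates how mod_rewrite processes such a chain in VirtualHost context: conditions are evaluated in order, every substitution replaces QUERY_STRING for the conditions that follow, and an unset %N reference expands to an empty string. It runs two variants of the chain over the post's own example and a few constructed edge cases: one matches the parameter value with `(\w*)\b` and collapses `&&` with `%1%3`, the other matches the value with `([^&]*)`, collapses `&&` with `%1&%2` and trims a trailing `&`. Each result is compared with what a real query-string parser (urllib.parse) would keep. The five parameter names are the ones from the post; the sample queries, the `lang` parameter and all function names are constructed for this example.

```python
"""Emulate the mod_rewrite query-string filter and check it against a parser.
Added example: sample queries and helper names are constructed for this
script, not taken from any SAP or Apache source."""
import re
from urllib.parse import parse_qsl, urlencode

# The five parameter names the reverse proxy must strip (from the post).
BLOCKED = ("ebppMode", "ebppObjectKey", "ebppObjectType", "ebppSystem", "logSys")


def make_chain(value_pattern, tail_rules):
    """Build (RewriteCond regex, RewriteRule substitution) pairs: one per
    blocked name, then the clean-up rules that run after them."""
    rules = [(rf"^(.*)\b{name}={value_pattern}(.*)", "%1%3") for name in BLOCKED]
    return rules + list(tail_rules)


# Variant A: value matched with (\w*)\b, "&&" collapsed with %1%3.
CHAIN_WORD = make_chain(r"(\w*)\b", [(r"^(.*)&&(.*)", "%1%3")])
# Variant B: value matched with ([^&]*), "&&" collapsed with %1&%2 (the
# condition has only two groups), then a dangling trailing "&" removed.
CHAIN_ANY = make_chain(r"([^&]*)",
                       [(r"^(.*)&&(.*)", "%1&%2"), (r"^(.*)&$", "%1")])


def expand(template, match):
    """Expand %N references like mod_rewrite: an unset group becomes ''."""
    def _ref(m):
        n = int(m.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""
    return re.sub(r"%([0-9])", _ref, template)


def run_chain(query, chain):
    """Apply the chain as mod_rewrite does in VirtualHost context: conditions
    run in order and each substitution replaces QUERY_STRING, so later
    conditions already see the shortened query."""
    for pattern, template in chain:
        m = re.match(pattern, query)
        if m:
            query = expand(template, m)
    return query


def strip_params(query, blocked=BLOCKED):
    """Reference result: parse the query, drop blocked names, re-encode."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k not in blocked]
    return urlencode(kept)


def canonical(query):
    """Normalise a query for comparison (empty '&&' segments are ignored)."""
    return urlencode(parse_qsl(query, keep_blank_values=True))


# Constructed sample requests: the post's example plus edge cases.
SAMPLES = [
    "page=start&ebppMode=A&ebppSystem=Test",  # the post's example
    "page=start&ebppMode=A&lang=en",          # blocked name in the middle
    "ebppMode=A&page=start",                  # blocked name first
    "page=start&ebppMode=&lang=en",           # empty value
    "page=start&ebppMode=A-B&lang=en",        # value with a non-\w character
]


def audit(chain, samples=SAMPLES):
    """Return {query: (rewritten, reference, ok)} for every sample; ok means
    the rewritten query parses to the same parameters as the reference."""
    report = {}
    for q in samples:
        rewritten = run_chain(q, chain)
        reference = strip_params(q)
        report[q] = (rewritten, reference, canonical(rewritten) == reference)
    return report


if __name__ == "__main__":
    for label, chain in (("(\\w*)\\b / %1%3", CHAIN_WORD), ("([^&]*) / %1&%2", CHAIN_ANY)):
        print(f"== {label}")
        for q, (rewritten, reference, ok) in audit(chain).items():
            print(f"{'ok ' if ok else 'BAD'} {q!r:42} -> {rewritten!r:34} expected {reference!r}")
```

Run it to get one line per sample and variant; a BAD line means the rewritten query no longer parses to the parameters the reference keeps. With the `(\w*)\b` / `%1%3` variant that happens when a blocked parameter sits in the middle of the query (everything after the `&&` is lost), when its value is empty (the `\b` after `\w*` does not match, so the parameter survives), and when the value contains a non-word character (the remainder is left behind as junk); the `([^&]*)` / `%1&%2` variant passes all five samples.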
Another mod_rewrite rule set that also works but is too ugly, and when I tried it on a Debian Linux host it behaved strangely (it included the directory path of the PHP script twice in the rewritten URL address):
RewriteCond %{QUERY_STRING} (.*)(^|&|%26|%20)ebppMode(=|%3D)([^&]+)(.*)$ [OR]
RewriteCond %{QUERY_STRING} (.*)(^|&|%26|%20)ebppObjectKey(=|%3D)([^&]+)(.*)$ [OR]
RewriteCond %{QUERY_STRING} (.*)(^|&|%26|%20)ebppObjectType(=|%3D)([^&]+)(.*)$ [OR]
RewriteCond %{QUERY_STRING} (.*)(^|&|%26|%20)ebppSystem(=|%3D)([^&]+)(.*)$ [OR]
RewriteCond %{QUERY_STRING} (.*)(^|&|%26|%20)logSys(=|%3D)([^&]+)(.*)$
RewriteRule (.*) /$1?%1%5 [R=307]
Well, anyway, with the first bunch of mod_rewrite rules it works fine.
Thank God, problem solved 🙂