The webserver I’m using is Apache 2.2. I’m trying to validate a domain that is in a query string sent by an external party.
An example of a valid request:
https://something.example.com/aaa/bbb/ccc?returnurl=https://test.example.com/home
Examples of invalid requests:
- scheme://something.example.com/aaa/bbb/ccc?returnurl=https://something.evil.com/home
- scheme://something.example.com/aaa/bbb/ccc?returnurl=http://www.google.com
- scheme://something.example.com/aaa/bbb/ccct?returnurl=https://something.evil.com/blah?url=https://test.example.com/home
So far in my httpd.conf file I have:
```apache
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/aaa/bbb/ccc$
RewriteCond %{QUERY_STRING} !(\.|https://|http://)example\.com(\.|/)|(\.|https://|http://)exampledev\.com(\.|/) [NC]
RewriteRule ^(.*) / [R=403,L]
```
The above code basically looks at the query string and redirects the user to a forbidden page if example.com and exampledev.com are NOT in query_string.
This code is only doing part of the job, as invalid request number 3 will be considered as containing example.com, which could be considered a phishing attack.
Somehow I need to validate the domain that is returned in query_string returnurl.
The string between http:// or https:// and .com, .net, .org or any other top-level domain.
Can someone please help or suggest how I would validate a domain that is returned as a returnurl query string?
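The weakness in the rule above is that the pattern is searched anywhere in the query string, so an attacker-controlled returnurl only has to mention example.com somewhere later in the value. The check a defender wants is "parse the returnurl parameter, take its host, and compare that host against an allowlist". The following is an added example (not the asker's configuration and not part of any answer on this page) that does this in Python against the asker's own sample requests, and alongside it a tightened regular expression that anchors on the parameter name and only allows hostname labels before the permitted domain, which is the shape a RewriteCond on %{QUERY_STRING} would need. The allowlist of example.com and exampledev.com comes from the question; the function names and the suggested RewriteCond in the comment are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Domains the asker wants to allow (from the question). Subdomains are accepted.
ALLOWED_DOMAINS = ("example.com", "exampledev.com")

# The asker's own sample requests, reused here as constructed test input.
VALID_REQUEST = "https://something.example.com/aaa/bbb/ccc?returnurl=https://test.example.com/home"
INVALID_REQUESTS = [
    "scheme://something.example.com/aaa/bbb/ccc?returnurl=https://something.evil.com/home",
    "scheme://something.example.com/aaa/bbb/ccc?returnurl=http://www.google.com",
    "scheme://something.example.com/aaa/bbb/ccct?returnurl=https://something.evil.com/blah?url=https://test.example.com/home",
]


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host is exactly an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def returnurl_is_valid(request_url):
    """Parse the returnurl parameter and check only its host against the allowlist.

    This is the robust check: it decodes percent-encoding, ignores anything that
    follows the host (path, nested ?url=... parameters) and lets urlsplit resolve
    userinfo tricks such as https://test.example.com@evil.com/ to the real host.
    """
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    values = params.get("returnurl")
    # Fail closed: parameter missing, or supplied more than once (the server and
    # the application might otherwise disagree on which copy is "the" value).
    if not values or len(values) != 1:
        return False
    target = urlsplit(values[0])
    if target.scheme.lower() not in ("http", "https"):
        return False  # also rejects scheme-relative //evil.com and javascript:
    if not target.hostname:
        return False
    return host_allowed(target.hostname)


# Tightened pattern for the regex approach. It anchors on the parameter name,
# permits only DNS-label characters before the allowed domain, and requires the
# host to end immediately after it, so "example.com" appearing later in the
# value no longer counts. Assumed Apache equivalent (my suggestion, untested on
# the asker's server; note the negation and [NC] as in the original rule):
#   RewriteCond %{QUERY_STRING} !(^|&)returnurl=https?://([a-z0-9-]+\.)*(example|exampledev)\.com(/|\?|#|&|$) [NC]
# Limits: a percent-encoded returnurl or an explicit port will not match and is
# therefore rejected (fail closed), which may or may not suit the deployment.
RETURNURL_HOST_RE = re.compile(
    r"(?:^|&)returnurl=https?://(?:[a-z0-9-]+\.)*(?:example|exampledev)\.com(?:[/?#&]|$)",
    re.IGNORECASE,
)


def returnurl_matches_pattern(request_url):
    """Apply the tightened regex to the raw query string, as mod_rewrite would."""
    return RETURNURL_HOST_RE.search(urlsplit(request_url).query) is not None


if __name__ == "__main__":
    for req in [VALID_REQUEST, *INVALID_REQUESTS]:
        print(f"parsed={returnurl_is_valid(req)!s:5} regex={returnurl_matches_pattern(req)!s:5} {req}")
```

The parsed check is the one to trust; the regex is shown because the asker is working in mod_rewrite, where parsing is not available, and it illustrates why the original condition must be anchored on `returnurl=` and on the end of the host rather than searched for anywhere in the string.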
Use the following: