I recently switched on a WAF on our public facing website. This has caused a number of false positives and I believe legitimate users are occasionally getting blocked.
Many of these false positives are being caused by values in cookies which are triggering rules but upon inspection it looks like these cookies don't belong to us or our domain...
The most baffling one I've seen is
"matchVariableName": "CookieValue:handl_url",
"matchVariableValue": "https://xxxxxxx.com/competition-terms?utm_source=hs_email&utm_medium=email&_hsenc=[removed--hash]"
A quick search on Google for "handl_url" suggests that the cookie is used to store the URL that the cookie was created on, but the domain in the cookie is not our domain...
So my questions are...
- what could cause a browser to post cookies across domains like this?
- could this be a bugged browser or attack on the website?
- does this happen commonly on public facing websites?
For reference, we use Google Tag Manager (GTM) on our site so there may be links to other sites embedded on our website, but I'm pretty sure the domain in my example isn't one of them.
Thanks,
Daniel
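One way to triage this kind of WAF noise before deciding on exclusions, as an added example that is not part of Daniel's post or any answer: group cookie-triggered matches by cookie name and flag a cookie as an exclusion candidate only when every value the WAF flagged for it was a clean http(s) URL (the shape of a tracking cookie like handl_url), leaving anything else for manual review. The match records, rule ids and hosts below are constructed, modelled on the field names quoted in the question.

```python
from urllib.parse import urlsplit

# Constructed WAF match records in the shape of the entry quoted in the question
# (rule ids and hosts are placeholders, not values from any real log).
SAMPLE_MATCHES = [
    {"ruleId": "RULE-A", "matchVariableName": "CookieValue:handl_url",
     "matchVariableValue": "https://partner.example/competition-terms?utm_source=hs_email&_hsenc=HASH-PLACEHOLDER"},
    {"ruleId": "RULE-A", "matchVariableName": "CookieValue:handl_url",
     "matchVariableValue": "https://www.our-site.example/landing?utm_medium=email"},
    {"ruleId": "RULE-B", "matchVariableName": "CookieValue:session",
     "matchVariableValue": "' OR 1=1 --"},
    {"ruleId": "RULE-C", "matchVariableName": "ArgValue:q",
     "matchVariableValue": "../../etc/passwd"},
]

# Characters that never appear in a plain tracking URL but do in injection attempts.
SUSPICIOUS_CHARS = set("'\"<>;` \t\n")

def url_host(value):
    """Return the hostname if the whole value is a clean http(s) URL, else None."""
    if any(c in SUSPICIOUS_CHARS for c in value):
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()

def triage_cookie_matches(matches):
    """Group cookie-triggered matches by cookie name and mark exclusion candidates."""
    by_cookie = {}
    for m in matches:
        kind, _, name = m["matchVariableName"].partition(":")
        if kind != "CookieValue":
            continue  # only cookie false positives are in scope here
        entry = by_cookie.setdefault(name, {"rule_ids": set(), "hosts": set(), "non_url_values": 0})
        entry["rule_ids"].add(m["ruleId"])
        host = url_host(m["matchVariableValue"])
        if host is None:
            entry["non_url_values"] += 1  # not a plain URL: keep the rule active, review by hand
        else:
            entry["hosts"].add(host)      # record where the tracking URL points
    for entry in by_cookie.values():
        entry["candidate_exclusion"] = entry["non_url_values"] == 0 and bool(entry["hosts"])
    return by_cookie

def exclusion_suggestions(matches):
    """Sorted (rule_id, cookie_name) pairs worth excluding, for review before applying."""
    return sorted((rid, name) for name, e in triage_cookie_matches(matches).items()
                  if e["candidate_exclusion"] for rid in e["rule_ids"])
```

The host set per cookie is what answers the "is this our domain?" question in bulk: a first-party tracking cookie whose values point at many foreign hosts is a scoping question for the script that sets it, not a WAF rule problem.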
It seems like the cookie in question contains a URL and might be related to tracking parameters, possibly from an email campaign using HubSpot (as indicated by the _hsenc parameter). The fact that the domain in the cookie doesn't match yours could be due to the way tracking cookies work.
Here are some possible explanations for this behavior: