Block URLs with specific string (Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution)

johannesherwig · ‎01-24-2017

Hi there,

any quick fix on how to block all URL that contains the magic pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"`?

See: https://bugs.chromium.org/p/project-zero/issues/detail?id=1096

Cheers and thanks,

Johannes

Tao Yang · ‎01-25-2017

You should be able to create a custom URL category based on that pattern.

hamirza · ‎02-01-2017

If you are using Cisco Cloud Web Security(CWS) , you can follow the steps below to block the magic pattern iframe content.

If they would like to block the above content, they can block it by creating and AND filter Policy in scancenter.

STEP-1
-           Create Filter-1 and select add all webex urls to domains section
-           Create Filter-2 and add the following in domain section

cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
.cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html

STEP-2
-           Create a new policy and add the above 2 created filters(Filter-1 and Filter-2) together in same policy
-           Save submit and activate the policy and apply settings.

IMPACT:
-           Any web request HTTP matching webex.com + any of the following content the request will be blocked by CWS web filters.

cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
.cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html
/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html

-           Accessing only webex.com not matching above iframe content will not block normal webex requests.

NOTE: You need to enable HTTPS inspection for HTTPS traffic for above policy to work.