Marketo Measure JS creating 403 ModSecurity Error

IanAtAdobe

Recently I had a client who was using a tool to help manage cookies firing on their website. I foresee this becoming a more and more common scenario as we head into an era of privacy and security across all websites. I wanted to create this post in case anyone runs into this scenario. 

 

This blog will list what cookies are in the Marketo Measure JS, the challenge we faced, and proposed solutions. 

 

Tools like OneTrust, Osano, CookieYes and many others are growing in popularity to help manage the strict requirements of GDPR, CCPA, LGPD, and CNIL.

 

As we know, Marketo Measure uses JavaScript that sets cookies to give marketers deeper insight into engagement and the buyer journey.

 

Here is the support article that names those cookies and what their purposes are: https://experienceleague.adobe.com/docs/marketo-measure/using/marketo-measure-tracking/setting-up-tr...


 

The client was running into a challenge with the _biz_flagsA cookie: their cookie tracking software was not firing, as they restricted any cookie that was designed for cross-domain use. The initial page would load, but the moment a link was clicked, the next page would try to load and run into a 403 ModSecurity error.

 

A few notes about the _biz_flagsA cookie:

 

- The _biz_flagsA cookie is required for bizible.js to function properly 
- We've seen that the _biz_flagsA cookie can set off the WAF (false positives) when using default OWASP rules. The reason is that the cookie is a stringified JSON object, which triggers a false-positive SQL injection rule in the WAF.
 
Here are the options proposed to the IT team. 
 
1) Whitelist the _biz_flagsA cookie 
OR 
2) Add _biz_flagsA to their WAF exclusion list 
 
NOTE: The _biz_flagsD and bizible_co cookies are internal to Adobe Marketo Measure only, so we do not expect them to appear on the customer site and they would not trigger any WAF rules.
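
One way to carry out option 2 narrowly, as an added example (not from the original post and not Adobe's code): the script reads ModSecurity error-log lines, finds which rule ids fired on `REQUEST_COOKIES:_biz_flagsA`, and emits `SecRuleUpdateTargetById` exclusions for that cookie only, so the same rules stay active on every other input. The log lines and rule ids are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, abridged ModSecurity error-log lines (sample data, not from the post).
# The rule ids are illustrative; use the ids your own log reports for the 403s.
SAMPLE_LOG = [
    'ModSecurity: Warning. [id "942100"] [data "Matched Data: s&1 found within '
    'REQUEST_COOKIES:_biz_flagsA: (value omitted)"] [uri "/pricing"]',
    'ModSecurity: Warning. [id "942260"] [data "Matched Data: (omitted) found within '
    'REQUEST_COOKIES:_biz_flagsA: (value omitted)"] [uri "/pricing"]',
    'ModSecurity: Warning. [id "942100"] [data "Matched Data: s&1 found within '
    'REQUEST_COOKIES:_biz_flagsA: (value omitted)"] [uri "/contact"]',
    # A hit on a request parameter: must NOT be covered by the cookie exclusion.
    'ModSecurity: Warning. [id "942100"] [data "Matched Data: s&1 found within '
    'ARGS:q: (value omitted)"] [uri "/search"]',
]

ID_RE = re.compile(r'\[id "(\d+)"\]')
# Captures the inspected variable, e.g. REQUEST_COOKIES:_biz_flagsA or ARGS:q
TARGET_RE = re.compile(r'found within ([A-Z_]+(?::[\w.\-]+)?)')


def hits_by_target(lines):
    """Map each matched variable to the set of rule ids that fired on it."""
    hits = defaultdict(set)
    for line in lines:
        rid, target = ID_RE.search(line), TARGET_RE.search(line)
        if rid and target:
            hits[target.group(1)].add(rid.group(1))
    return hits


def exclusions_for_cookie(lines, cookie="_biz_flagsA"):
    """Build per-rule exclusions scoped to one cookie, not a blanket rule removal."""
    target = f"REQUEST_COOKIES:{cookie}"
    rule_ids = sorted(hits_by_target(lines).get(target, ()))
    return [f'SecRuleUpdateTargetById {rid} "!{target}"' for rid in rule_ids]


if __name__ == "__main__":
    for directive in exclusions_for_cookie(SAMPLE_LOG):
        print(directive)
    # Everything else that fired is left for manual review, not excluded.
    for target, ids in hits_by_target(SAMPLE_LOG).items():
        if target != "REQUEST_COOKIES:_biz_flagsA":
            print(f"# review separately: {target} matched rules {sorted(ids)}")
```

The generated directives need to be loaded after the OWASP rules they modify, otherwise ModSecurity has no rule to update.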
 
If this is an issue that you run into with your IT team, this should be enough for your IT team to proceed on their end.  

I hope that this was helpful. If you do have more questions about the Marketo Measure JavaScript please submit a support ticket.  

Ian at Adobe