Why did WAF SQL Injection rule block this?

1

We're trying to work out why the WAF (classic) SQL Injection Rule caused this to be blocked:

{
  "terminatingRuleMatchDetails": [
    {
      "conditionType": "SQL_INJECTION",
      "location": "HEADER",
      "matchedData": ["prospect_status", "=", "unknown", ";", "_gcl_au"],
      "sensitivityLevel": "LOW"
    }
  ],
  "httpRequest": {
    "headers": [
      {
        "name": "Cookie",
        "value": "prospect_status=unknown; _gcl_au=123;"
      }
    ]
  }
}
JaredE
asked a year ago, 522 views
2 answers
1

The equal sign (=) and the semicolon (;) are both common components of SQL queries. In this case, the equal sign is being used to assign a value to a variable, and the semicolon is being used to separate commands. This could be interpreted as an attempt to inject SQL code.

The string "prospect_status" and "unknown" might be interpreted as SQL commands or parameters. Depending on the context, these could be part of a SQL query.

"_gcl_au" is a first-party cookie used by Google AdSense for experimenting with advertisement efficiency across websites using their services. By itself, it's not harmful, but in combination with the other elements mentioned, the WAF might have flagged it as potentially malicious.

It's important to note that WAFs can sometimes generate false positives. That means they can block requests that look suspicious but are actually harmless. The sensitivity level of "LOW" in your terminatingRuleMatchDetails suggests that your WAF is configured to be relatively aggressive in blocking potentially harmful requests.

If you believe this request was blocked in error, you may need to adjust your WAF's rules or configuration. You could, for example, modify the SQL Injection rule to be less sensitive, or you could create an exception for this specific type of request. However, be aware that doing so could potentially leave your application more vulnerable to actual SQL Injection attacks.

https://aws.amazon.com/about-aws/whats-new/2022/07/aws-waf-sensitivity-levels-sql-injection-rule-statements/

EXPERT
answered a year ago
-1

I think the WAF thinks this is an SQL_INJECTION condition as stated in the "terminatingRuleMatchDetails" section. It also indicates that the rule matched in the HEADER location and provides the matched data that it thinks is suspicious.

I suspect that the SQL Injection Rule triggered because the value of the "Cookie" header contains the string "prospect_status=unknown" and "_gcl_au=123". This pattern might resemble a potential SQL injection attempt, as it includes multiple statements and/or unusual characters that could be used for malicious purposes.

answered a year ago
EXPERT
verified a year ago
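Both answers make the same point: the matched tokens (`=`, `;`, identifier-like names) are ordinary cookie syntax that the SQLi rule tokenized as if it were SQL. Before loosening the rule, it helps to triage the WAF logs and separate matches that are pure `name=value; name=value` cookie syntax from matches that contain real SQL keywords or punctuation. The script below is an added example, not code from this thread or from AWS: it parses WAF log records of the same shape as the one in the question, and proposes `likely_false_positive` only when the match is in the HEADER location at LOW sensitivity, every matched token comes from the Cookie header, that header is well-formed cookie syntax, and no token looks like SQL. The two log lines are constructed, and the SQL keyword and punctuation lists are an assumption chosen for illustration, not the rule's actual signature set.

```python
"""Triage AWS WAF log records whose SQL_INJECTION match looks like benign
cookie syntax.  Added example; the log lines are constructed, not real."""
import json
import re

# Constructed sample records.  The first mirrors the question; the second
# carries real SQL syntax so the contrast in verdicts is visible.
SAMPLE_LOGS = [
    json.dumps({
        "action": "BLOCK",
        "terminatingRuleMatchDetails": [{
            "conditionType": "SQL_INJECTION",
            "location": "HEADER",
            "matchedData": ["prospect_status", "=", "unknown", ";", "_gcl_au"],
            "sensitivityLevel": "LOW",
        }],
        "httpRequest": {"headers": [
            {"name": "Cookie", "value": "prospect_status=unknown; _gcl_au=123;"},
        ]},
    }),
    json.dumps({
        "action": "BLOCK",
        "terminatingRuleMatchDetails": [{
            "conditionType": "SQL_INJECTION",
            "location": "QUERY_STRING",
            "matchedData": ["1", "'", "OR", "'1'='1", "--"],
            "sensitivityLevel": "LOW",
        }],
        "httpRequest": {"headers": []},
    }),
]

# Assumed, illustrative indicators of real SQL (not the WAF's signature set).
SQL_KEYWORDS = {"select", "union", "or", "and", "insert", "update", "delete",
                "drop", "sleep", "benchmark", "waitfor"}
SQL_PUNCT = re.compile(r"'|\"|--|/\*|\*/|\(|\)")
# One cookie pair: name=value, where the value runs up to the next ';'.
COOKIE_PAIR = re.compile(r"^[\w.\-]+=[^;]*$")


def cookie_only(value: str) -> bool:
    """True if every non-empty ';'-separated segment is a name=value pair."""
    segs = [s.strip() for s in value.split(";") if s.strip()]
    return bool(segs) and all(COOKIE_PAIR.match(s) for s in segs)


def looks_like_sql(tokens) -> bool:
    """True if any matched token is a SQL keyword or SQL punctuation."""
    return any(t.lower() in SQL_KEYWORDS or SQL_PUNCT.search(t) for t in tokens)


def triage(line: str) -> dict:
    """Classify one WAF log record.  Only cookie-syntax matches in the HEADER
    location at LOW sensitivity are proposed as false positives; everything
    else is left for a human to review."""
    rec = json.loads(line)
    headers = {h["name"].lower(): h["value"]
               for h in rec.get("httpRequest", {}).get("headers", [])}
    cookie = headers.get("cookie", "")
    result = {"action": rec.get("action"), "verdict": "no_sqli_match", "matches": []}
    for d in rec.get("terminatingRuleMatchDetails", []):
        if d.get("conditionType") != "SQL_INJECTION":
            continue
        tokens = d.get("matchedData", [])
        benign = (d.get("location") == "HEADER"
                  and d.get("sensitivityLevel") == "LOW"
                  and all(t in cookie for t in tokens)   # tokens came from Cookie
                  and cookie_only(cookie)
                  and not looks_like_sql(tokens))
        result["matches"].append({"location": d.get("location"),
                                  "tokens": tokens, "benign_cookie": benign})
    if result["matches"]:
        result["verdict"] = ("likely_false_positive"
                             if all(m["benign_cookie"] for m in result["matches"])
                             else "needs_review")
    return result


def triage_all(lines):
    """Triage a batch of JSON log lines (one record per line)."""
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_LOGS):
        print(r["verdict"], r["matches"])
```

Run over a day of exported WAF logs, the `likely_false_positive` bucket tells you how much of the rule's output is cookie noise, and the `needs_review` bucket keeps anything with SQL keywords or quoting in front of a person. If the noise is confirmed, narrowing which part of the request the SQLi statement inspects is a smaller change than lowering sensitivity for every field, which is the trade-off the first answer warns about.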
