Namitha Posted February 26, 2019 Share Posted February 26, 2019 Hi, I am looking for how to configure appfw XML SQL Injection relaxation rules for the following block message. default APPFW APPFW_XML_SQL 25562097 0 : 10.5.13.107 994063054-PPE1 - appfw_basic_profile https://x.ca/ws/UserManagementServiceSei SQL SQL check failed for field value="..and Joint Centre [WDFAGBOY](;)" <blocked> Link to comment
Vamsi Krishna1709162168 Posted March 2, 2019 Share Posted March 2, 2019 Just a thought, Can you check if the profile hits are correct? Do you have any global binding for AppFW? Can you paste us the HTTP request where it is getting blocked? Thanks, Vamsi Link to comment
Vamsi Krishna1709162168 Posted February 27, 2019 Share Posted February 27, 2019 You must be checking for the same in the learning rules and relax it. When the string is generic please use wild card. Thanks, Vamsi Link to comment
Namitha Posted March 1, 2019 Author Share Posted March 1, 2019 we can't enable learn feature for XML SQL INJECTION. This option is disabled. Hence the query. We alreday have following relaxation rules but none of them worked. bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection and -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "and Joint Clinic [WDFAG7ZJ];2~|Cross Cancer Institute [WDF(;)" -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "and.*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "and Joint.*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "And.*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection ".*and Joint.*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection ".*(and|And|AND|join|Join|JOIN).*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection ".*join.*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection ".*Join.*" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection ".*Joint.*?;" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "Joint.*?;" -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "and Joint Centre \\[WDFAGBOY\\]\\(\\;\\)" -isRegex REGEX -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "..and Joint Clinic [WDFAG7ZJ];2~|Cross Cancer Institute [WDF(;)" -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "..and Joint Centre [WDFAGBOY](;)" -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection "and Joint Centre [WDFAGBOY](;)" -location ATTRIBUTE bind appfw profile appfw_basic_webtestuatprofile -XMLSQLInjection ".*and.*" -location ATTRIBUTE Link to comment
Question
Namitha
Hi,
I am looking for how to configure appfw XML SQL Injection relaxation rules for the following block message.
default APPFW APPFW_XML_SQL 25562097 0 : 10.5.13.107 994063054-PPE1 - appfw_basic_profile https://x.ca/ws/UserManagementServiceSei SQL SQL check failed for field value="..and Joint Centre [WDFAGBOY](;)" <blocked>
Link to comment
3 answers to this question
Recommended Posts
Archived
This topic is now archived and is closed to further replies.