Jump to content
Welcome to our new Citrix community!
  • 0

SQL Injection blocks, but why is it detected?


Question

Hello, our WAF is detecting sql injection in a field where a customers is typing some text.

For example this text is affected:

The customer isn't happy with the pattern repeat on these doors.  If you look at the image they are identical and it looks like two 4's in the pattern.  Is there any chance we could change one of the doors? Thanks

As sql injection the and is reported.

Link to comment

4 answers to this question

Recommended Posts

  • 0

yes, special character and keywords is configured. 
 

this is a free text Form Field where the User can enter any long text. 

My problem is, that the website has many free text fields and some simple text fields. 
 

What’s the best to manage so many fields ? Should I configure ten or more app fw profiles for the same vServer?

 

with relaxation rules I can only disable checking completely for that form field. 

Link to comment
  • 0

Confirm your firmware version for differences in behavior or in case there are version specific bugs.

 

Just adding to Carl's note so yo have some more context:

Typically, sql injection on form fields should only be a violation for both keywords and special characters present (' single quote, ; semicolon, \ backslash).

Keywords are statements used to make sql statements and do in fact include whole words: and, or, drop, join, select etc...

 

If the strictness is flagging on either keywords OR special characters you  may see a lot more false positives.

If the strictness is catching when both keywords AND special characters are both present than you may need exemptions (or think about what user content has both keywords and special characters).  So an open "text/comment" field like you show is more likely to hit a false positive because of the apostrophes (singe quotes) and overlap with keywords.  If you exempt the field, the ADC won't flag this content but it is now the job of the backend server to prevent the attack if present.

 

As Carl mentioned, learning can help you deploy exemptions for fields for which violations are seen but protection is not needed (meaning legitimate users doing legitimate things).  Or if newer protection behavior can be tweaked like the "grammar" check may make things more accurate, depending on your firmware version.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...