SQL grammar-based protection for HTML and JSON payload
Citrix Web App Firewall uses a pattern-match approach for detecting SQL injection attacks in HTTP and JSON payloads. The approach uses a set of pre-defined keywords and (or) special characters to detect an attack and flag it as a violation. Although this approach is effective, it can result in many false positives, which in turn require adding one or more relaxation rules, especially when commonly used words such as “Select” and “From” appear in an HTTP or JSON request. You can reduce false positives by implementing the SQL grammar protection check for HTML and JSON payloads.
In the existing pattern-match approach, an SQL injection attack is identified if a pre-defined keyword and/or a special character is present in an HTTP request; the statement need not be a valid SQL statement. In the grammar-based approach, an SQL injection attack is detected only if the keyword or special character is present in, or is part of, a valid SQL statement, thereby reducing false-positive scenarios.
Use case for SQL grammar-based protection
Consider the statement “Select my tickets and let’s meet at union station” present in an HTTP request. Although the statement is not a valid SQL statement, the existing pattern-match approach detects the request as an SQL injection attack because the statement contains the keywords “Select”, “and”, and “Union”. With the SQL grammar approach, the statement is not flagged as a violation because the keywords are not present in, or part of, a valid SQL statement.
The grammar-based approach can also be configured for detecting SQL injection attacks in JSON payloads. For adding a relaxation rule, you can reuse the existing relaxation rules. Fine-grained relaxation rules are also applicable for SQL grammar, for rules with “valueType” “keyword”. In JSON SQL grammar, the existing URL-based method can be reused.
Configure SQL grammar-based protection by using the CLI
To implement SQL grammar-based detection, you must configure the “SQLInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing SQL injection actions are supported except learning. Any new profile created after an upgrade supports SQL injection grammar; its default SQL injection type remains “special character or keyword”, and grammar-based detection must be explicitly enabled.
At the command prompt, type:
add appfw profile <name> -SQLInjectionAction <action> -SQLInjectionGrammar ( ON | OFF )
Example:
add appfw profile profile1 -SQLInjectionAction Block -SQLInjectionGrammar ON
Configure SQL pattern-match protection and grammar-based protection by using the CLI
If you have enabled both the grammar-based and pattern-match approaches, the appliance performs grammar-based detection first. If grammar-based detection finds an SQL injection and the action type is set to block, the request is blocked without running the pattern-match check.
At the command prompt, type:
add appfw profile <name> -SQLInjectionAction <action> -SQLInjectionGrammar ON -SQLInjectionType <type>
Example:
add appfw profile p1 -SQLInjectionAction block -SQLInjectionGrammar ON -SQLInjectionType SQLSplChar
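The following Python is an added illustration, not Citrix code and not the appliance's real grammar or signature set. It models the two detection approaches on the page's example sentence (“Select my tickets and let's meet at union station”) against a value that really is a SQL statement, and then models the ordering described above: the grammar check runs first, and with action Block a grammar hit blocks without consulting the pattern-match check. The keyword set, the toy SELECT grammar, the `inspect_request` model and the sample values are all constructed assumptions.

```python
import re

# Constructed keyword and special-string sets for the toy pattern-match check.
SQL_KEYWORDS = {"select", "from", "where", "and", "or", "union", "all",
                "insert", "update", "delete", "drop"}
SQL_SPECIAL_STRINGS = {"'", ";", "--"}

# Tokenizer: quoted strings, numbers, words, the "--" comment marker, single punctuation.
TOKEN_RE = re.compile(r"'[^']*'|\d+|\w+|--|[*(),=<>;]")
IDENT_RE = re.compile(r"[a-z_]\w*")


def tokenize(text):
    return [t.lower() for t in TOKEN_RE.findall(text)]


def pattern_match_detect(text):
    """Pattern-match approach: any keyword or special string anywhere in the
    value is a violation, whether or not the value is SQL. Returns the hits."""
    hits = {t for t in tokenize(text) if t in SQL_KEYWORDS}
    hits |= {s for s in SQL_SPECIAL_STRINGS if s in text}
    return sorted(hits)


class _SelectParser:
    """Recursive-descent parser for a constructed toy grammar:
      select := SELECT (* | ident (, ident)*) FROM ident [WHERE cond] [UNION [ALL] select]
      cond   := ident (=|<|>) value ((AND|OR) ident (=|<|>) value)*
    """
    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, *expected):
        t = self.peek()
        if t is None or (expected and t not in expected):
            raise SyntaxError(f"expected {expected or 'token'}, got {t!r}")
        self.i += 1
        return t

    def ident(self):
        t = self.peek()
        if t is None or t in SQL_KEYWORDS or not IDENT_RE.fullmatch(t):
            raise SyntaxError(f"expected identifier, got {t!r}")
        self.i += 1
        return t

    def value(self):
        t = self.peek()
        if t is not None and (t.startswith("'") or t.isdigit()):
            self.i += 1
            return t
        return self.ident()

    def term(self):
        self.ident()
        self.take("=", "<", ">")
        self.value()

    def select(self):
        self.take("select")
        if self.peek() == "*":
            self.take("*")
        else:
            self.ident()
            while self.peek() == ",":
                self.take(",")
                self.ident()
        self.take("from")
        self.ident()
        if self.peek() == "where":
            self.take("where")
            self.term()
            while self.peek() in ("and", "or"):
                self.take()
                self.term()
        if self.peek() == "union":
            self.take("union")
            if self.peek() == "all":
                self.take("all")
            self.select()


def grammar_detect(text):
    """Grammar approach: a keyword only counts when it belongs to a statement the
    toy grammar can parse. Returns the parsed statement text, or None."""
    toks = tokenize(text)
    for start, t in enumerate(toks):
        if t != "select":
            continue
        p = _SelectParser(toks[start:])
        try:
            p.select()
            return " ".join(toks[start:start + p.i])
        except SyntaxError:
            continue
    return None


def inspect_request(text, grammar_enabled=True, pattern_enabled=True):
    """Constructed model of the documented ordering with action Block: grammar
    first, and a grammar hit blocks without consulting the pattern-match check.
    grammar_enabled=True, pattern_enabled=False corresponds to
    -SQLInjectionGrammar ON -SQLInjectionType None."""
    if grammar_enabled and grammar_detect(text) is not None:
        return ("blocked", "grammar")
    if pattern_enabled and pattern_match_detect(text):
        return ("blocked", "pattern")
    return ("allowed", None)


# Constructed sample field values.
SENTENCE = "Select my tickets and let's meet at union station"
STATEMENT = "SELECT * FROM tickets WHERE owner = 'me' UNION SELECT name FROM users"

if __name__ == "__main__":
    for value in (SENTENCE, STATEMENT):
        print(repr(value))
        print("  pattern match:", pattern_match_detect(value) or "clean")
        print("  grammar      :", grammar_detect(value) or "clean")
        print("  grammar only :", inspect_request(value, pattern_enabled=False))
        print("  both checks  :", inspect_request(value))
```

Running the script shows the sentence flagged by the pattern-match check (keywords plus the apostrophe) but passed by the grammar check, while the real statement is blocked by the grammar check before the pattern-match check is consulted.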
Configure SQL Injection check only with grammar-based protection by using the CLI
At the command prompt, type:
add appfw profile <name> -SQLInjectionAction <action> -SQLInjectionGrammar ON -SQLInjectionType None
Example:
add appfw profile p1 -SQLInjectionAction block -SQLInjectionGrammar ON -SQLInjectionType None
Bind relaxation rules for SQL grammar-based protection by using the CLI
If your application requires you to bypass the SQL injection check for a specific “ELEMENT” or “ATTRIBUTE” in the payload, you must configure a relaxation rule.
Note:
Relaxation rules with valueType “keyword” are evaluated only when the appliance performs detection using SQL grammar.
The SQL injection inspection relaxation rules have the following syntax. At the command prompt, type:
bind appfw profile <name> -SQLInjection <fieldName> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType ( Keyword | SpecialString | Wildchar ) <value> [-isValueRegex ( REGEX | NOTREGEX )]]
Example:
bind appfw profile p1 -SQLInjection abc http://10.10.10.10/
bind appfw profile p1 -SQLInjection 'abc[0-9]+' http://10.10.10.10/ -isRegex REGEX
bind appfw profile p1 -SQLInjection 'name' http://10.10.10.10/ -valueType Keyword 'selec[a-z]+' -isValueRegex REGEX
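As an added illustration of how the three example bindings above differ in scope, the Python below models relaxation-rule matching. It is not Citrix code: the rule and violation structures, literal URL comparison, and the way a keyword-scoped rule is applied are constructed assumptions. What it does follow from the page is that a rule without a valueType relaxes the whole field, and that a rule with valueType Keyword is considered only for detections made by SQL grammar.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Relaxation:
    """One 'bind appfw profile ... -SQLInjection' rule (constructed model)."""
    field: str                          # field name, or a regex when is_regex
    url: str                            # form action URL the rule applies to
    is_regex: bool = False
    value_type: Optional[str] = None    # None, "Keyword", "SpecialString" or "Wildchar"
    value: Optional[str] = None         # keyword / special string, or regex when is_value_regex
    is_value_regex: bool = False


@dataclass(frozen=True)
class Violation:
    """A detection the appliance would raise (constructed model)."""
    field: str
    url: str
    detector: str       # "grammar" or "pattern"
    value_type: str     # "Keyword" or "SpecialString"
    matched: str        # the keyword or special string that triggered


def _matches(pattern: str, text: str, is_regex: bool) -> bool:
    return bool(re.fullmatch(pattern, text)) if is_regex else pattern == text


def is_relaxed(v: Violation, rules: List[Relaxation]) -> bool:
    """True if some rule suppresses the violation. Field-level rules relax the
    whole field; keyword rules apply only to grammar-based detections."""
    for r in rules:
        if r.url != v.url or not _matches(r.field, v.field, r.is_regex):
            continue
        if r.value_type is None:
            return True                                 # whole field is exempt
        if r.value_type == "Keyword" and v.detector != "grammar":
            continue                                    # page's note: grammar mode only
        if r.value_type == v.value_type and _matches(r.value, v.matched, r.is_value_regex):
            return True
    return False


URL = "http://10.10.10.10/"

# The three bindings from the page's example, expressed as rule objects.
RULES = [
    Relaxation("abc", URL),
    Relaxation("abc[0-9]+", URL, is_regex=True),
    Relaxation("name", URL, value_type="Keyword", value="selec[a-z]+", is_value_regex=True),
]

if __name__ == "__main__":
    samples = [
        Violation("abc", URL, "pattern", "Keyword", "select"),        # rule 1: whole field
        Violation("abc42", URL, "pattern", "SpecialString", "'"),     # rule 2: regex field
        Violation("name", URL, "grammar", "Keyword", "select"),       # rule 3: keyword, grammar
        Violation("name", URL, "pattern", "Keyword", "select"),       # rule 3 ignored in pattern mode
        Violation("name", URL, "grammar", "Keyword", "union"),        # keyword regex does not match
    ]
    for s in samples:
        print(f"{s.field:6} {s.detector:8} {s.matched:7} relaxed={is_relaxed(s, RULES)}")
```

The fourth sample is the practical point of the page's note: binding a Keyword-scoped relaxation does nothing for a profile that detects with the pattern-match check alone.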
Configure SQL grammar-based protection for JSON payload by using the CLI
To implement SQL grammar-based detection for the JSON payload, you must configure the “JSONSQLInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing SQL injection actions are supported except learning. Any new profile created after an upgrade supports SQL injection grammar; its default SQL injection type remains “special character or keyword”, and you must explicitly enable grammar-based detection.
At the command prompt, type:
add appfw profile <name> -type JSON -JSONSQLInjectionAction <action> -JSONSQLInjectionGrammar ( ON | OFF )
Example:
add appfw profile profile1 -type JSON -JSONSQLInjectionAction Block -JSONSQLInjectionGrammar ON
Configure SQL pattern-match protection and grammar-based protection for JSON payload by using the CLI
If you have enabled both the grammar-based and pattern-match checks, the appliance performs grammar-based detection first. If grammar-based detection finds an SQL injection and the action type is set to block, the request is blocked without running the pattern-match check.
Note:
Relaxation rules with valueType “keyword” are evaluated only when the appliance performs detection using SQL grammar.
At the command prompt, type:
add appfw profile <name> -type JSON -JSONSQLInjectionAction <action> -JSONSQLInjectionGrammar ON -JSONSQLInjectionType <type>
Example:
add appfw profile p1 -type JSON -JSONSQLInjectionAction block -JSONSQLInjectionGrammar ON -JSONSQLInjectionType SQLSplChar
Configure SQL Injection check only with grammar-based protection for JSON payload by using the CLI
At the command prompt, type:
add appfw profile <name> -type JSON -JSONSQLInjectionAction <action> -JSONSQLInjectionGrammar ON -JSONSQLInjectionType None
Example:
add appfw profile p1 -type JSON -JSONSQLInjectionAction block -JSONSQLInjectionGrammar ON -JSONSQLInjectionType None
Bind URL-based relaxation rules for JSON SQL grammar-based protection by using the CLI
If your application requires you to bypass the JSON SQL injection inspection for a specific “ELEMENT” or “ATTRIBUTE” in the payload, you can configure a relaxation rule. The JSON SQL injection inspection relaxation rules have the following syntax. At the command prompt, type:
bind appfw profile <name> -JSONSQLURL <expression> [-comment <string>] [-isAutoDeployed ( AUTODEPLOYED | NOTAUTODEPLOYED )] [-state ( ENABLED | DISABLED )]
Example:
bind appfw profile p1 -SQLInjection abc http://10.10.10.10/
bind appfw profile p1 -SQLInjection 'abc[0-9]+' http://10.10.10.10/ -isRegex REGEX
bind appfw profile p1 -SQLInjection 'name' http://10.10.10.10/ -valueType Keyword 'selec[a-z]+' -isValueRegex REGEX
Configure SQL grammar-based protection by using the GUI
Complete the following GUI procedure to configure grammar-based HTML SQL injection detection.
- On the navigation pane, navigate to Security > Profiles.
- In the Profiles page, click Add.
- In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
- In the Security Checks section, go to HTML SQL Injection settings.
- Click the executable icon near the check box.
- Click Action Settings to access the HTML SQL Injection Settings page.
- Select the Check using SQL Grammar check box.
- Click OK.
Configure SQL grammar-based protection for JSON payload by using the GUI
Complete the following GUI procedure to configure grammar-based JSON SQL injection detection.
- On the navigation pane, navigate to Security > Profiles.
- In the Profiles page, click Add.
- In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
- In the Security Checks section, go to JSON SQL Injection settings.
- Click the executable icon near the check box.
- Click Action Settings to access the JSON SQL Injection Settings page.
- Select the Check using SQL Grammar check box.
- Click OK.