SQL grammar-based protection for HTML and JSON payload

Citrix Web App Firewall uses a pattern-match approach for detecting SQL injection attacks in HTTP and JSON payloads. The approach uses a set of pre-defined keywords and (or) special characters to detect an attack and flag it as a violation. Although this approach is effective, it can result in many false positives, which in turn require adding one or more relaxation rules, especially when commonly used words such as “Select” and “From” appear in an HTTP or JSON request. You can reduce false positives by implementing the SQL grammar protection check for HTML and JSON payloads.

In the existing pattern-match approach, an SQL injection attack is identified if a pre-defined keyword and/or a special character is present in an HTTP request; the statement need not be a valid SQL statement. In the grammar-based approach, an SQL injection attack is detected only if the keyword or special character is present in a SQL statement or is part of a SQL statement, thereby reducing false-positive scenarios.

Use case for SQL grammar-based protection

Consider the statement “Select my tickets and let’s meet at union station” in an HTTP request. Although the statement is not a valid SQL statement, the existing pattern-match approach detects the request as an SQL injection attack because the statement uses keywords such as “Select”, “and” and “Union”. In the SQL grammar approach, the statement is not detected as a violation because the keywords are neither present in nor part of a valid SQL statement.

The grammar-based approach can also be configured to detect SQL injection attacks in JSON payloads. To add a relaxation rule, you can reuse the existing relaxation rules. Fine-grained relaxation rules also apply to SQL grammar, for rules with “valueType” “keyword”. In JSON SQL grammar, the existing URL-based method can be reused.
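To make the difference between the two approaches concrete, here is an added example in Python (not Citrix code): a keyword/special-character matcher next to a toy recursive-descent recogniser for a small SQL subset, run over the sentence from the use case above and over a classic tautology fragment. The keyword list, special-character set and grammar are constructed for illustration and are far smaller than the appliance's own.

```python
import re

# Constructed, reduced keyword/special-character sets for illustration; the appliance's own lists are not on the page.
SQL_KEYWORDS = {"select", "from", "where", "and", "or", "union", "all"}
SQL_SPECIAL_CHARS = set("';=-")

def _kind(tok):
    return "KW" if tok.lower() in SQL_KEYWORDS else "NUM" if tok.isdigit() else "ID" if tok[0].isalpha() or tok[0] == "_" else "SYM"

def tokenize(value):
    """Lex into (kind, text); a quote is its own token so a fragment that closes the host query's literal still lexes."""
    return [(_kind(t), t.lower()) for t in re.findall(r"\d+|[A-Za-z_]\w*|<>|!=|\S", value)]

def pattern_match_detect(value, mode="keyword_or_special_char"):
    """Pattern-match approach: any listed keyword and/or special character is a violation, SQL syntax or not."""
    has_kw = any(k == "KW" for k, _ in tokenize(value))
    has_sc = any(c in SQL_SPECIAL_CHARS for c in value)
    return has_kw if mode == "keyword" else has_sc if mode == "special_char" else (has_kw or has_sc)

class _Parser:  # recursive-descent recogniser for a tiny SQL subset (constructed grammar, not the appliance's)
    def __init__(self, toks): self.t, self.i = toks, 0
    def peek(self): return self.t[self.i] if self.i < len(self.t) else (None, None)
    def take(self, kind, text=None):
        ok = self.peek()[0] == kind and text in (None, self.peek()[1])
        if ok: self.i += 1
        return ok
    def operand(self):  # number, identifier, or quoted literal whose closing quote may belong to the host query
        if self.take("NUM") or self.take("ID"): return True
        if not self.take("SYM", "'"): return False
        self.take("NUM") or self.take("ID"); self.take("SYM", "'")
        return True
    def term(self): return self.operand() and self.peek()[1] in {"=", "<", ">", "<>", "!="} and self.take("SYM") and self.operand()
    def cond(self):  # term ((AND|OR) term)*
        ok = self.term()
        while ok and self.peek() in {("KW", "and"), ("KW", "or")}:
            self.i += 1; ok = self.term()
        return ok
    def select(self):  # SELECT (* | operand, ...) FROM ident [WHERE cond]
        if not (self.take("KW", "select") and (self.take("SYM", "*") or self.operand())): return False
        while self.take("SYM", ","):
            if not self.operand(): return False
        if not (self.take("KW", "from") and self.take("ID")): return False
        return not self.take("KW", "where") or self.cond()
    def boolean_tail(self): return (self.take("KW", "and") or self.take("KW", "or")) and self.cond()  # completes a WHERE
    def union_tail(self): return self.take("KW", "union") and (self.take("KW", "all") or True) and self.select()

def grammar_detect(value):  # grammar-based approach: a violation only if some token window parses as SQL or a SQL fragment
    toks = tokenize(value)
    return any(getattr(_Parser(toks[i:]), rule)()
               for i in range(len(toks)) for rule in ("select", "boolean_tail", "union_tail"))
```

The keyword matcher flags the ticket sentence while the grammar recogniser does not, and both flag a value that actually parses as SQL.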

Configure SQL grammar-based protection by using the CLI

To implement SQL grammar-based detection, you must configure the “SQLInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing SQL Injection actions are supported except learning. Any new profile created after an upgrade supports SQL injection grammar; it continues to have the default type “special character or keyword”, and the grammar check must be explicitly enabled.

At the command prompt, type:

add appfw profile <name> -SQLInjectionAction <action> -SQLInjectionGrammar ON/OFF

Example:

add appfw profile profile1 -SQLInjectionAction Block -SQLInjectionGrammar ON

Configure SQL pattern-match protection and grammar-based protection by using the CLI

If you have enabled both the grammar-based and the pattern-match approach, the appliance performs grammar-based detection first; if it detects SQL injection and the action type is set to block, the request is blocked without also verifying the detection with pattern matching.

At the command prompt, type:

add appfw profile <name> -SQLInjectionAction <action> -SQLInjectionGrammar ON -SQLInjectionType <type>

Example:

add appfw profile p1 -SQLInjectionAction block -SQLInjectionGrammar ON -SQLInjectionType SQLSplChar

Configure SQL Injection check only with grammar-based protection by using the CLI

At the command prompt, type:

add appfw profile <name> -SQLInjectionAction <action> -SQLInjectionGrammar ON -SQLInjectionType None

Example:

add appfw profile p1 -SQLInjectionAction block -SQLInjectionGrammar ON -SQLInjectionType None

Bind relaxation rules for SQL grammar-based protection by using the CLI

If your application requires you to bypass the SQL injection check for a specific “ELEMENT” or “ATTRIBUTE” in the payload, you must configure a relaxation rule.

Note:

Relaxation rules with valueType “keyword” are evaluated only when the appliance performs detection using SQL grammar.

The SQL command injection inspection relaxation rules have the following syntax. At the command prompt, type:

bind appfw profile <name> -SQLInjection <string> <url> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType ( Keyword | SpecialString | Wildchar ) [<valueExpression>] [-isValueRegex ( REGEX | NOTREGEX )]]

Example:

bind appfw profile p1 -SQLInjection abc http://10.10.10.10/

bind appfw profile p1 -SQLInjection 'abc[0-9]+' http://10.10.10.10/ -isRegex REGEX

bind appfw profile p1 -SQLInjection 'name' http://10.10.10.10/ -valueType Keyword 'selec[a-z]+' -isValueRegex REGEX

Configure SQL grammar-based protection for JSON payload by using the CLI

To implement SQL grammar-based detection for the JSON payload, you must configure the “JSONSQLInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing SQL Injection actions are supported except learning. Any new profile created after an upgrade supports SQL injection grammar; it continues to have the default type “special character or keyword”, and you must explicitly enable the grammar check.

At the command prompt, type:

add appfw profile <name> -type JSON -JSONSQLInjectionAction <action> -JSONSQLInjectionGrammar ON/OFF

Example:

add appfw profile profile1 -type JSON -JSONSQLInjectionAction Block -JSONSQLInjectionGrammar ON

Configure SQL pattern match protection and grammar-based protection by using the CLI

If you have enabled both the grammar-based and the pattern-match check, the appliance performs grammar-based detection first; if it detects SQL injection and the action type is set to block, the request is blocked without also verifying the detection with pattern matching.

Note:

Relaxation rules with valueType “keyword” are evaluated only when the appliance performs detection using SQL grammar.

At the command prompt, type:

add appfw profile <name> -type JSON -JSONSQLInjectionAction <action> -JSONSQLInjectionGrammar ON -JSONSQLInjectionType <type>

Example:

add appfw profile p1 -type JSON -JSONSQLInjectionAction block -JSONSQLInjectionGrammar ON -JSONSQLInjectionType SQLSplChar

Configure SQL Injection check only with grammar-based protection for JSON payload by using the CLI

At the command prompt, type:

add appfw profile <name> -type JSON -JSONSQLInjectionAction <action> -JSONSQLInjectionGrammar ON -JSONSQLInjectionType None

Example:

add appfw profile p1 -type JSON -JSONSQLInjectionAction block -JSONSQLInjectionGrammar ON -JSONSQLInjectionType None

Bind url-based relaxation rules for JSON SQL grammar-based protection by using the CLI

If your application requires you to bypass the JSON command injection inspection for a specific “ELEMENT” or “ATTRIBUTE” in the payload, you can configure a relaxation rule. The JSON command injection inspection relaxation rules have the following syntax. At the command prompt, type:

bind appfw profile <name> -JSONCMDURL <url> -comment <string> -isAutoDeployed ( AUTODEPLOYED | NOTAUTODEPLOYED ) -state ( ENABLED | DISABLED )

Example:

bind appfw profile p1 -SQLInjection abc http://10.10.10.10/

bind appfw profile p1 -SQLInjection 'abc[0-9]+' http://10.10.10.10/ -isRegex REGEX

bind appfw profile p1 -SQLInjection 'name' http://10.10.10.10/ -valueType Keyword 'selec[a-z]+' -isValueRegex REGEX

Configure SQL grammar-based protection by using the GUI

Complete the following GUI procedure to configure grammar-based HTML SQL Injection detection.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
  4. In the Security Checks section, go to HTML SQL Injection settings.
  5. Click the executable icon near the check box.
  6. Click Action Settings to access the HTML SQL Injection Settings page.

    GUI configuration for SQL grammar-based protection HTML payload

  7. Select the Check using SQL Grammar check box.
  8. Click OK.

Configure SQL grammar-based protection for JSON payload by using the GUI

Complete the following GUI procedure to configure grammar-based JSON SQL Injection detection.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
  4. In the Security Checks section, go to JSON SQL Injection settings.
  5. Click the executable icon near the check box.
  6. Click Action Settings to access the JSON SQL Injection Settings page.
  7. Select the Check using SQL Grammar check box.
  8. Click OK.

    GUI configuration for SQL grammar-based protection JSON payload