WAF 301011

From Atomicorp Wiki
Jump to: navigation, search

[edit] Description

This rule is part of an extra ruleset for advanced users. It applies extra inspection to the URL collection for SQL and XSS attacks beyond what a valid SQLi or XSS attack would require. It is included for some WAF testing tools that incorrectly report SQL and XSS vulnerabilities from incomplete attack payloads. This ignores the structure of the URL and may generate false positives. Disable this ruleset if you have false positives.

This rule detects Possible SQL injection attacks. It does this by looking for either SQL commands, or strange combinations of metacharacters that SQL servers will interperate as comments, delimiters that attackers may use to obfuscate SQL injection attacks.

[edit] finger prints

This rule looks for fingerprints in the input that may be SQL, and presents the fingerprint as a series of letters and symbols that describe the fingerprints found. The algorith will report possible SQL injection attacks based on a series of fingerprints, or in some very specific cases on a single fingerprint depending on the degree to which that fingerprint demonstrates a possible SQL injection or a set of finger prints is necessary to arrive at this conclusion. In general the algortim is combining fingerprints to determine if a type may be a SQLi attack.


The following is a list of the fingerprints types. Each fingerprint may have hundreds of sub-types to capture all the possible permutations, for example the keyword type has hundreds of known SQL commands as part of its type:


  • U = UNION
  • G = GROUP
  • E = EXPRESSION
  • t = sql type statement
  • f = function (input looks like a possible function, for example execute(some command))
  • n = bare word (a bare word was detected, when combined with other signatures this may identify a series of SQL commands)
  • 1 = numbers
  • v = variable
  • s = string
  • o = operator (AND, OR, NOT, etc.)
  • & = logic operator
  • c = comment (comment characters such as /*, -- and others)
  • A = COLLATE
  • ( = left parenthesis
  • ) = right parenthesis
  • { = left brace
  • } = right brace
  • . = dot
  • , = comma
  •  : = colon
  •  ; = semicolon
  • T = TSQL START
  • X = could not parse and aborted
  • \ = backslash
  • k = keyword (known SQL statements, such as SMALLDATETIMEFROMPARTS, SQL_BUFFER_RESULT, IS_SRVROLEMEMBER, etc)

There are effectively an infinite number of combinations of fingerprints, which is the intent of this algorithm to analyze the content and find possible patterns in an infinite set of potential SQL injection attacks.

[edit] Examples

The alert may look like this:

[Mon Oct 28 9:14:37.033376 2024] [:error] [client 1.3.3.4] [client 1.2.3.4] ModSecurity: [file "/etc/httpd/modsecurity.d/51_asl_paranoid_extra.conf"] [line "37"] [id "301011"] [rev "2"] [msg "Atomicorp.com WAF Rules: (Paranoid Extra Ruleset) Possible SQL injection attack in URL"] [data "n)on),REQUEST_URI"] [severity "CRITICAL"] [tag "SQLi"] Access denied with code 403 (phase 2). detected SQLi using libinjection with fingerprint 'n)on)' [hostname "example.com"] [uri "/exam/ple"] [unique_id "WKJmPApYHEUAAAti9GAAAAAN"], referer: https://example.com

In this example, the finger print is "n)on)". Which represents a series of fingerprints that when combined are flagged as possible SQL commands or other potentially hazardous or malicious content. Using the table above, this signature contains 5 fingerprints:

  • n = bare word
  • ) = right parenthesis
  • o = operator
  • n = bare word
  • ) = right parenthesis

Which means:

A bareword, combined with a function followed by a bareword inside parathesis was found in the argument "somevariable". Heres an example of an input that would generate this fingerprint:

somevariable=column)or(column)

The actual content will vary, this is just an example of one type of content that would generate this series of fingerprints.

Personal tools