Why did WAF SQL Injection rule block this?

1

We're trying to work out why the WAF (classic) SQL Injection Rule caused this to be blocked:

{
  "terminatingRuleMatchDetails": [
    {
      "conditionType": "SQL_INJECTION",
      "location": "HEADER",
      "matchedData": ["prospect_status", "=", "unknown", ";", "_gcl_au"],
      "sensitivityLevel": "LOW"
    }
  ],
  "httpRequest": {
    "headers": [
      {
        "name": "Cookie",
        "value": "prospect_status=unknown; _gcl_au=123;"
      }
    ]
  }
}
JaredE
asked 10 months ago · 492 views
2 Answers
1

The equal sign (=) and the semicolon (;) are both common components of SQL queries. In this case, the equal sign is being used to assign a value to a variable, and the semicolon is being used to separate commands. This could be interpreted as an attempt to inject SQL code.

The string "prospect_status" and "unknown" might be interpreted as SQL commands or parameters. Depending on the context, these could be part of a SQL query.

"_gcl_au" is a first-party cookie used by Google AdSense for experimenting with advertisement efficiency across websites using their services. By itself, it's not harmful, but in combination with the other elements mentioned, the WAF might have flagged it as potentially malicious.

It's important to note that WAFs can sometimes generate false positives. That means they can block requests that look suspicious but are actually harmless. The sensitivity level of "LOW" in your terminatingRuleMatchDetails suggests that your WAF is configured to be relatively aggressive in blocking potentially harmful requests.

If you believe this request was blocked in error, you may need to adjust your WAF's rules or configuration. You could, for example, modify the SQL Injection rule to be less sensitive, or you could create an exception for this specific type of request. However, be aware that doing so could potentially leave your application more vulnerable to actual SQL Injection attacks.

https://aws.amazon.com/about-aws/whats-new/2022/07/aws-waf-sensitivity-levels-sql-injection-rule-statements/

EXPERT
answered 10 months ago
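As an added example (not from the question, the answers, or AWS), here is a toy Python model of the two points above: why a low-sensitivity signature lights up on a delimiter-heavy Cookie header, and how inspecting each cookie value on its own avoids that false positive while still catching a genuine stacked-query payload. The token regexes, the keyword list and the signature shapes are constructed for illustration and are not AWS WAF's actual rule logic; the log entry is a constructed copy of the one in the question.

```python
import re
from urllib.parse import unquote

# Constructed WAF log entry shaped like the one in the question (not a real AWS log).
SAMPLE_LOG = {
    "terminatingRuleMatchDetails": [
        {
            "conditionType": "SQL_INJECTION",
            "location": "HEADER",
            "matchedData": ["prospect_status", "=", "unknown", ";", "_gcl_au"],
            "sensitivityLevel": "LOW",
        }
    ],
    "httpRequest": {
        "headers": [
            {"name": "Cookie", "value": "prospect_status=unknown; _gcl_au=123;"}
        ]
    },
}

# Tokens a SQL-injection signature cares about: identifiers, numbers, quoted
# strings, comment markers, and the operators that glue statements together.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|'[^']*'|--|/\*|\*/|[=;]")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
OPERAND_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|'[^']*'")
# Hypothetical keyword list for the toy signature; AWS's real rule set is not public.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop", "exec"}


def tokenize(text):
    return TOKEN_RE.findall(text)


def sqli_match(text):
    """Toy stand-in for a low-sensitivity SQLi signature (hypothetical, not AWS's
    actual rule logic). URL-decodes first, like a URL_DECODE text transformation,
    then flags either a stacked query (`; KEYWORD`) or the weaker shape
    `operand = operand ; identifier`, which is what `id=1; DROP ...` and an
    ordinary two-cookie header have in common. Returns the matched tokens or None."""
    toks = tokenize(unquote(text))
    for i in range(len(toks)):
        if toks[i] == ";" and i + 1 < len(toks) and toks[i + 1].lower() in SQL_KEYWORDS:
            return toks[i:i + 2]
        if i + 4 < len(toks):
            a, b, c, d, e = toks[i:i + 5]
            if (OPERAND_RE.fullmatch(a) and b == "=" and OPERAND_RE.fullmatch(c)
                    and d == ";" and IDENT_RE.fullmatch(e)):
                return toks[i:i + 5]
    return None


def parse_cookie_header(value):
    """Split a Cookie header into (name, value) pairs on the `;` separators."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip(), val.strip()))
    return pairs


def scan_raw_header(value):
    """What a header-wide match sees: the whole Cookie string, separators included."""
    return sqli_match(value)


def scan_cookie_values(value):
    """What a per-cookie-value match sees: each value alone, so the `;` separators
    between cookies never reach the signature. Returns {cookie name: matched tokens}."""
    hits = {}
    for name, val in parse_cookie_header(value):
        m = sqli_match(val)
        if m:
            hits[name] = m
    return hits


def explain_block(log):
    """Triage helper: for each HEADER match detail, find the request header whose
    tokens contain matchedData as a contiguous run, so you can see exactly which
    field tripped the rule and at what sensitivity level."""
    found = []
    for detail in log["terminatingRuleMatchDetails"]:
        if detail["location"] != "HEADER":
            continue
        md = detail["matchedData"]
        for header in log["httpRequest"]["headers"]:
            toks = tokenize(header["value"])
            if any(toks[i:i + len(md)] == md for i in range(len(toks) - len(md) + 1)):
                found.append((header["name"], detail["sensitivityLevel"], " ".join(md)))
    return found


if __name__ == "__main__":
    benign = SAMPLE_LOG["httpRequest"]["headers"][0]["value"]
    print("triage:", explain_block(SAMPLE_LOG))
    print("raw header match:", scan_raw_header(benign))
    print("per-value match:", scan_cookie_values(benign))
    # Constructed payload with the separator URL-encoded, as a browser would send it.
    print("per-value match on attack:",
          scan_cookie_values("session=abc'%3B%20DROP%20TABLE%20users--"))
```

The raw-header scan reproduces the log's matchedData exactly: the tokens `prospect_status = unknown ; _gcl_au` are nothing more than the boundary between two cookies, which is why the match shows up at LOW sensitivity. Scanning each cookie value separately (with decoding applied per value, the way a text transformation would be) yields no hit on the benign header but still flags the constructed stacked-query value. When reviewing such a block, run `explain_block` over the log first to confirm which field and sensitivity level produced the match, then decide whether the rule should be scoped to individual cookie values or to a narrower field rather than simply lowered.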
-1

I think the WAF thinks this is an SQL_INJECTION condition as stated in the "terminatingRuleMatchDetails" section. It also indicates that the rule matched in the HEADER location and provides the matched data that it thinks is suspicious.

I suspect that the SQL Injection Rule triggered because the value of the "Cookie" header contains the strings "prospect_status=unknown" and "_gcl_au=123". This pattern might resemble a potential SQL injection attempt, as it includes multiple statements and/or unusual characters that could be used for malicious purposes.

answered 10 months ago
EXPERT
reviewed 10 months ago
