How to block SQL Injections with WAF

Due to an issue with ModSecurity, even when the default SQL injection rules are applied under the Web Application Firewall (WAF) settings, the LoadMaster does not block against SQL injections. This guide explains the steps on how to manually install the additional rules needed from Open Web Application Security Project (OWASP) to prevent such an attack. Additionally, this guide explains how to test if the rule is working using Damn Vulnerable Web App (DVWA) as your Real Server.

EMEA VMware test lab for Metasploitable/DVWA:

http://10.179.0.42/dvwa

Username: admin

Password: password


1. Download the OWASP rules

You can download the required rules as part of the OWASP ModSecurity Core Rule Set (CRS) Project:


image_1_-_github.png

Extract the files.

2. Install the rules on the LoadMaster

Navigate to Virtual Services > WAF Settings.

Add Custom Rule Data > Choose File > Rules > sql-functions-names.data > Add Data File.

Add Custom Rules > Choose File > Rules > REQUEST-942-APPLICATION-ATTACK-SQLI.

Image_2_-_custom_rules.png


3. Apply rule to the Virtual Service

Navigate to WAF Options > Enable > Custom Rules > Apply > REQUEST-942-APPLICATION-ATTACK-SQLI.

image_3_-_Apply_to_Virtual_Service.png


4. Test if the rule is being triggered

To test whether the rule is triggered and blocks the SQL injection, you can use DVWA (shipped as part of Metasploitable) as your backend Real Server.


Log in to DVWA. Enter admin in the Username field and password in the Password field.

image_4_-_DVWA_login.png

Once logged in, set the security to low – DVWA Security > Set to LOW > Submit.

image_5_-_DVWA_seurity.png


Click SQL Injection and enter the following in the User ID field:

%' or '0'='0

(This mimics an SQL injection attempt sent through the LoadMaster.)

Click Submit. Depending on whether the LoadMaster is in AUDIT or BLOCK mode, you will see either the injection succeed and the user data output (AUDIT) or an Access Denied page (BLOCK).

image_5_-_SQL_injection.png

If you have WAF Debug Logging enabled (System Configuration > Logging Options > System Log Files > Enable WAF Debug Logging), you should see a similar message in your WAF logs for a BLOCK.

image_7_-_triggered_rule.png
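To confirm from the WAF log both that the 942 rule fired and whether it blocked or only audited the request, here is an added Python helper; it is not part of this article or of the LoadMaster, the sample log lines are constructed in ModSecurity 2.x error-log style, and the exact wording of the LoadMaster's WAF debug log may differ.

```python
import re
from typing import Iterable, Iterator, Optional

# Bracketed key/value pairs that ModSecurity appends to each message, e.g. [id "942100"]
_FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "Access denied with code NNN" means the request was blocked; "Warning" means audit only
_ACTION = re.compile(r'ModSecurity: (Access denied with code (\d+)|Warning)')


def parse_waf_log(line: str) -> Optional[dict]:
    """Parse one ModSecurity-style log line; return None for lines that are not WAF events."""
    m = _ACTION.search(line)
    if not m:
        return None
    fields = dict(_FIELD.findall(line))
    return {
        "blocked": m.group(1).startswith("Access denied"),
        "status": int(m.group(2)) if m.group(2) else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
    }


def crs_sqli_hits(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only events raised by the CRS 942xxx rule family (the SQLi rules installed above)."""
    for line in lines:
        ev = parse_waf_log(line)
        if ev and ev["rule_id"] and ev["rule_id"].startswith("942"):
            yield ev


def summarize(lines: Iterable[str]) -> dict:
    """Count SQLi hits and split them into blocked (BLOCK mode) versus audit-only (AUDIT mode)."""
    hits = list(crs_sqli_hits(lines))
    blocked = sum(1 for h in hits if h["blocked"])
    return {"sqli_hits": len(hits), "blocked": blocked, "audit_only": len(hits) - blocked}


# Constructed sample lines (hypothetical, not a real capture); the last one is not a WAF event
SAMPLE_LOG = [
    '[Tue Mar 05 10:12:01 2024] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 '
    '(phase 2). detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] '
    '[uri "/dvwa/vulnerabilities/sqli/"]',
    '[Tue Mar 05 10:12:05 2024] [error] [client 10.0.0.5] ModSecurity: Warning. detected SQLi using '
    'libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] [uri "/dvwa/vulnerabilities/sqli/"]',
    '[Tue Mar 05 10:12:09 2024] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match '
    '"<script" at ARGS:name. [id "941100"] [msg "XSS Attack Detected via libinjection"]',
    '[Tue Mar 05 10:12:10 2024] [notice] Apache configured -- resuming normal operations',
]
```

Run `summarize()` over your exported WAF log: a test in BLOCK mode should show the hit under `blocked`, while a hit that only appears under `audit_only` means the rule matched but the LoadMaster is still in AUDIT mode.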
