Due to an issue with ModSecurity, the LoadMaster does not block SQL injection even when the default SQL injection rules are enabled under the Web Application Firewall (WAF) settings. This guide explains how to manually install the additional rules from the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set that are needed to block such attacks, and how to verify that the rule is working using Damn Vulnerable Web App (DVWA) as your Real Server.
EMEA VMware test lab for Metasploitable/DVWA:
1. Download the OWASP rules
You can download the required rules as part of the OWASP ModSecurity Core Rule Set (CRS) Project:
Extract the files.
2. Install the rules on the LoadMaster
Navigate to Virtual Services > WAF Settings.
Upload the data file first, because the rule file refers to it: Add Custom Rule Data > Choose File > Rules > sql-functions-names.data > Add Data File.
Then upload the rule file: Add Custom Rules > Choose File > Rules > REQUEST-942-APPLICATION-ATTACK-SQLI.conf.
3. Apply the rule to the Virtual Service
In the Virtual Service that fronts your Real Server, navigate to WAF Options > Enable > Custom Rules > Apply > REQUEST-942-APPLICATION-ATTACK-SQLI.
4. Test whether the rule is triggered
To test whether the rule is triggered and blocks the SQL injection, use DVWA, which ships with Metasploitable, as the backend Real Server behind the Virtual Service.
Log in to DVWA. Enter admin in the Username field and password in the Password field.
Once logged in, set the security to low – DVWA Security > Set to LOW > Submit.
Click SQL Injection and enter the following in the User ID field:
%' or '0'='0
(This is a SQL injection payload: at LOW security DVWA places the value directly inside the quoted WHERE clause, so the condition is always true and every user is returned. The request passes through the LoadMaster on its way to DVWA, so the WAF rule should match it.)
Click Submit. Depending on whether the LoadMaster WAF is in AUDIT or BLOCK mode, you will see either the injection succeed and the data of every user returned (AUDIT) or an Access Denied page (BLOCK).
If WAF Debug Logging is enabled (System Configuration > Logging Options > System Log Files > Enable WAF Debug Logging), you should also see a corresponding message in the WAF logs for a BLOCK.
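The manual test above can be made repeatable. The script below is an added example, not part of this article, the LoadMaster, or the OWASP CRS. It does two things: it reproduces offline, against an in-memory SQLite table with constructed sample rows, what DVWA's low-security query does with the payload (which is why AUDIT mode shows every user), and it builds the same request the browser sends and classifies the LoadMaster's answer as blocked or not. It assumes DVWA's SQLi page is at /vulnerabilities/sqli/ with GET parameters id and Submit, that you already hold a DVWA PHPSESSID cookie, that a block returns HTTP 403 or an "Access Denied" body, and that DVWA's result rows contain "First name:"; the address and cookie value in the usage section are placeholders.

```python
"""Repeatable check of the REQUEST-942 SQLi rule through the LoadMaster.

Added example (not from the Kemp article or the OWASP CRS). Assumptions:
DVWA's low-security SQLi page is /vulnerabilities/sqli/ taking GET params
id and Submit; a logged-in PHPSESSID cookie is available; a WAF block
answers with HTTP 403 or an "Access Denied" page. Host and cookie below
are placeholders.
"""
import sqlite3
import urllib.error
import urllib.parse
import urllib.request

# The payload from the article: closes the quoted literal and adds a
# condition that is always true.
PAYLOAD = "%' or '0'='0"


def vulnerable_query(user_id: str) -> list:
    """Reproduce what DVWA (security=low) does on the Real Server: the id
    parameter is concatenated straight into the WHERE clause. Runs offline
    against an in-memory table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    # Deliberately unsafe string building, mirroring DVWA's low.php.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return con.execute(sql).fetchall()


def build_probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """URL for the DVWA SQLi form with the injection in the id parameter,
    URL-encoded the way the browser sends it through the LoadMaster."""
    query = urllib.parse.urlencode({"id": payload, "Submit": "Submit"})
    return f"{base_url.rstrip('/')}/vulnerabilities/sqli/?{query}"


def classify(status: int, body: str) -> str:
    """Interpret the response from the Virtual Service.

    BLOCKED   - the WAF stopped the request (BLOCK mode).
    INJECTED  - several user rows came back: the injection reached MySQL
                (AUDIT mode, or the rule is not applied).
    PASSED    - a single row came back: request passed, injection had no
                effect (for example DVWA security is not set to LOW).
    UNEXPECTED- anything else (login page, error, etc.).
    """
    if status == 403 or "Access Denied" in body:
        return "BLOCKED"
    rows = body.count("First name:")
    if rows > 1:
        return "INJECTED"
    if rows == 1:
        return "PASSED"
    return "UNEXPECTED"


def probe(base_url: str, phpsessid: str, payload: str = PAYLOAD) -> str:
    """Send the payload through the LoadMaster and classify the result."""
    req = urllib.request.Request(
        build_probe_url(base_url, payload),
        headers={"Cookie": f"PHPSESSID={phpsessid}; security=low"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:  # 403 from a BLOCK raises here
        return classify(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    print("normal lookup:", vulnerable_query("1"))
    print("effect of the payload on the backend:", vulnerable_query(PAYLOAD))
    # Placeholder Virtual Service address and session id; replace both.
    print("through the LoadMaster:", probe("http://10.0.0.10", "REPLACE_WITH_PHPSESSID"))
```

Run it once with the Virtual Service in AUDIT mode and once in BLOCK mode; the first run should report INJECTED and the second BLOCKED. A PASSED result means the request reached DVWA but the injection was ineffective, which usually indicates DVWA security is not set to LOW rather than a WAF problem.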