.svg)
.svg)
SQL injection (SQLi) is a major attack vector for websites and the third most common security risk for web applications, according to OWASP Top Ten 2021. Most web application firewalls (WAFs) can detect and block SQLi attacks fairly easily. However, recent research showed that many WAF vendors could not block SQLi attacks that abuse JSON for delivery [1]. Picus Labs added this new WAF bypass method for SQL injection to Picus Threat Library.
In this blog post, we explain how WAFs block SQLi attacks and how JSON-based SQLi attacks bypass WAFs in detail.
Simulate Web Application Attacks with 14-Day Free Trial of Picus Platform
What is SQL Injection Attack?
SQL is a query language designed to manage data stored in relational databases. Many web applications and websites use SQL to interact with the relational database in the backend. In some cases, the SQL statements are created using the parameters received from their users. For example, when a user logs in, the service checks the credentials with the following SQL query.
|
SELECT * FROM users WHERE username = 'Alice' AND password = 'pass123' |
SQL injection (SQLi) is a type of injection vulnerability that allows adversaries to execute malicious SQL commands in the database. Here are some common exploitation examples for SQLi:
- Harvesting credentials from the database
- Reading and modifying data stored in the database
- Executing operating system commands
Example 1: SQL injection example [2]
How WAFs Prevent SQL Injection Attacks
Security professionals recommend developers use the following approaches to protect against SQLi attacks:
- prepared statements
- input sanitization
- whitelisting/typed processing of user inputs
- proper escaping
Although these approaches are valid ways of mitigating SQLi attacks, they are highly prone to human error. That's why many organizations are also using Web Application Firewalls (WAFs) to detect and block SQLi attacks along with other attack types, such as cross-site scripting (XSS) and file inclusion.
WAFs filter, monitor, and block HTTP traffic to and from a web application. To block SQLi attacks, WAF vendors maintain a signature library so that WAFs can detect and match SQL keywords and patterns.
Example 2: SQLi attempt blocked by WAF [3]
Bypassing WAF: SQL Injection via JSON-based Requests
Even though WAFs are great tools against SQLi attacks, they have their limitations, and adversaries use various methods to bypass WAFs. Recently, Team82 of Claroty published a method for bypassing WAF for SQL injection attacks using JSON-based SQL commands [1]. In their research, Team82 discovered that many major WAF vendors, such as Palo Alto Network, Amazon Web Services (AWS), Cloudflare, F5, and Imperva, do not support JSON syntax in their products. As a result, SQL injection attempts that use JSON syntax are not inspected properly and allowed to pass their WAFs. Since major databases such as PostgreSQL, MySQL, SQLite, and Microsoft SQL Server support JSON, adversaries may abuse this functionality to deliver their malicious SQL commands using JSON.
|
' or JSON_LENGTH("{}") <= 8896 union distinctrow select @@version# |
Example 3: Bypassing WAF using JSON-based SQL Statement
After discovering the bypass method, Team82 disclosed their findings to leading WAF vendors, and they added JSON syntax support to their WAF products.
How Picus Helps Simulate JSON-Based SQL Injection Attacks?
We also strongly suggest simulating JSON-Based SQL Injection attacks to test the effectiveness of your security controls against web application attacks using the Picus Complete Security Validation Platform. You can test your defenses against other critical severity web application attacks, such as ProxyShell and Log4Shell, within minutes with a 14-day free trial of the Picus Platform.
|
Threat ID |
Action Name |
Attack Module |
|
79258 |
SQL Injection Evasion With JSON-Based SQL Web Attack Campaign |
Web Application |
|
69811 |
MySQL Web Attack Campaign |
Web Application |
|
81404 |
Postgresql Web Attack Campaign |
Web Application |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures:
|
Security Control |
Signature ID |
Signature Name |
|
Check Point NGFW |
asm_dynamic_prop_SQLI_SQLMAP |
Sqlmap Automated SQL Injection Tool |
|
Cisco Firepower NGFW |
1.13990.27 |
SQL union select - possible sql injection attempt - GET parameter |
|
Cisco Firepower NGFW |
1.24172.2 |
SQL use of concat function with select - likely SQL injection |
|
Cisco Firepower NGFW |
1.19437.6 |
INDICATOR-OBFUSCATION select concat statement - possible sql injection |
|
Citrix Web App Firewall |
Blocked by 'HTML SQL Injection' Security Check |
|
|
F5 BIG-IP ASM |
200002149 |
SQL-INJ expressions like "and 1"="1" (5) |
|
F5 BIG-IP ASM |
200002420 |
SQL-INJ expressions like "' and 1 --" |
|
F5 BIG-IP ASM |
200102064 |
SQL-INJ JSON functions (Parameter) |
|
F5 BIG-IP ASM |
200002550 |
SQL-INJ "end-quote UNION" (Parameter) |
|
F5 BIG-IP ASM |
200000073 |
SQL-INJ "UNION SELECT" (Parameter) |
|
F5 BIG-IP ASM |
200002736 |
SQL-INJ ' UNION SELECT (Parameter) |
|
F5 BIG-IP ASM |
200002885 |
SQL-INJ "UNION SELECT" (2) (Parameter) |
|
F5 BIG-IP ASM |
200002229 |
SQL-INJ "SELECT CONCAT()" |
|
F5 BIG-IP ASM |
200002951 |
SQL-INJ CONCAT(0x) (Parameter) |
|
F5 BIG-IP ASM |
200002310 |
SQL-INJ "select 0x" (Parameter) |
|
FortiGate NGFW |
15621 |
web_misc: HTTP.URI.SQL.Injection |
|
FortiWeb Web Application Security |
30000194 |
SQL Injection |
|
Imperva Web Application Firewall |
SQL Injection UNION SELECT Attack |
|
|
McAfee |
0x40283400 |
HTTP: SQL Injection - union Oracle |
|
McAfee |
0x40281c00 |
HTTP: SQL Injection - Detection MySQL |
|
ModSecurity |
942180 |
Detects basic SQL authentication bypass attempts 1/3 |
|
ModSecurity |
942200 |
Detects MySQL comment-/space-obfuscated injections and backtick termination |
|
ModSecurity |
942260 |
Detects basic SQL authentication bypass attempts 2/3 |
|
ModSecurity |
942300 |
Detects MySQL comments |
|
ModSecurity |
942410 942480 942150 |
SQL Injection Attack |
|
ModSecurity |
942450 |
SQL Hex Encoding Identified |
|
ModSecurity |
942260 |
Detects basic SQL authentication bypass attempts 2/3 |
|
ModSecurity |
942440 |
SQL Comment Sequence Detected |
|
Palo Alto Networks NGFW |
30514 |
HTTP SQL Injection Attempt |
|
Snort IPS |
1.13990.27 |
SQL union select - possible sql injection attempt - GET parameter |
|
Snort IPS |
1.2006446.11 |
ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT |
|
Snort IPS |
1.2011042.3 |
ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt |
|
Snort IPS |
1.24172.2 |
SQL use of concat function with select - likely SQL injection |
|
TippingPoint TPS |
3593 |
HTTP: SQL Injection in URL Parameters (UNION) |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Complete Security Validation Platform.
References
[1] “{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF,” Claroty. https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf. [Accessed: Dec. 13, 2022]
[2] “Exploits of a Mom,” xkcd. https://xkcd.com/327/. [Accessed: Dec. 13, 2022]
[3] “Bypassing WAF by Playing with Parameters,” Sep. 06, 2020. https://www.notsoshant.io/blog/bypassing-waf-by-playing-with-parameters/. [Accessed: Dec. 13, 2022]
