MelleD

Reputation: 791

SQL Tautologies pattern is not clear

I have a question about rule id 942130 (https://github.com/fastly/waf_testbed/blob/master/templates/default/REQUEST-942-APPLICATION-ATTACK-SQLI.conf.erb). Why check this rule "only" x = x in this pattern (x can be any character). The attack can only be successful if there is an "or" in the query "or x=x". For this reason, the pattern should be expanded so that "or x = x" is checked. Have I overlooked something?

Example is: "FooH=HA", which is detected as a SQL injection, but I don't understand why. The issue is the "H=H".

Shouldn't the pattern compare the whole string before and after = instead of just single characters?

Upvotes: 0

Views: 432

Answers (1)

Gabor Lengyel

Reputation: 15580

It would be a lot more complicated to describe the rule in a regex (which is already quite complicated). A lot of things could happen between OR and x=x that would still be syntactically valid.

Also OR is not actually needed. Consider for example a SQL injection where the parameter is meant to be something like "ORDER BY x", and the attacker passes "WHERE x=x". Or HAVING. Or a lot of other potential attacks.

It's just a lot simpler to define a tautology as x=x, which would not normally happen most of the time.

Upvotes: 1
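To make the two points concrete (the single-character "H=H" match inside "FooH=HA" from the question, and the answer's point that anchoring on OR would miss tautologies), here is a small added demonstration. It is not the CRS rule or its regex: the real 942130 pattern is considerably longer, and the regexes below are simplified stand-ins written for this illustration. The sample parameter values are constructed except for "FooH=HA", "1=1" and "WHERE x=x", which come from the thread.

```python
import re

# Simplified stand-in for a "token = same token" tautology check.
# Group 1 captures a run of word characters; \1 requires the same run on the
# other side of an equality-style operator. Quotes and whitespace may sit
# between them. There is deliberately NO word boundary around group 1: that
# is what makes "H=H" inside "FooH=HA" match, as reported in the question.
# (Assumption: the real CRS 942130 regex is longer; this is not it.)
TAUTOLOGY_RE = re.compile(
    r"(\w+)['\"\s]*(?:=|<=>|like)['\"\s]*\1",
    re.IGNORECASE,
)

# A naive alternative that insists on "OR <x>=<x>", as the question proposes.
# Also a constructed illustration, not a CRS rule.
OR_ANCHORED_RE = re.compile(r"\bor\s+(\w+)\s*=\s*\1", re.IGNORECASE)


def find_tautology(value: str):
    """Return the substring that triggers the simplified tautology check, or None."""
    m = TAUTOLOGY_RE.search(value)
    return m.group(0) if m else None


def find_or_anchored(value: str):
    """Return the substring matched by the OR-anchored variant, or None."""
    m = OR_ANCHORED_RE.search(value)
    return m.group(0) if m else None


def scan_params(params: dict) -> dict:
    """Map each parameter name to the tautology fragment found in its value.

    Parameters whose value does not match are left out, mirroring how a WAF
    reports only the arguments that triggered a rule.
    """
    hits = {}
    for name, value in params.items():
        found = find_tautology(value)
        if found is not None:
            hits[name] = found
    return hits


# Constructed sample values. The comments give the expected results.
SAMPLES = {
    "FooH=HA": "H=H",            # the false positive from the question
    "1 OR 1=1": "1=1",           # classic tautology
    "' OR 'a'='a": "a'='a",      # quoted variant
    "WHERE x=x": "x=x",          # no OR at all, as the answer points out
    "HAVING 1=1": "1=1",         # no OR at all
    "1 OR/**/1=1": "1=1",        # comment instead of whitespace after OR
    "x LIKE x": "x LIKE x",      # LIKE-based comparison
    "hello world": None,         # benign
    "price=10": None,            # benign, both sides differ
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        got = find_tautology(value)
        assert got == expected, (value, got, expected)
        print(f"{value!r:20} tautology={got!r:12} or_anchored={find_or_anchored(value)!r}")
    print(scan_params({"q": "FooH=HA", "sort": "name"}))
```

Running it shows why the answer prefers the simpler definition: the OR-anchored variant finds "OR 1=1" in the classic payload but returns None for "WHERE x=x", "HAVING 1=1" and "1 OR/**/1=1", while the plain "x=x" check catches all of them at the cost of also flagging "FooH=HA". For a parameter that legitimately carries such values, the usual operational remedy is a per-parameter exclusion for the rule rather than loosening the pattern for everyone.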
