mnj

Reputation: 3413

How does Web App Firewall protect from SQL Injection?

I heard that Azure App Gateway's Web App Firewall is able to protect apps from SQL injection attacks. How does it actually achieve that?

Does it inspect all the incoming payload (both body and URL params)? If it does, I assume TLS termination has to be set up on the Application Gateway level, otherwise it wouldn't be able to read anything. Does it just look for some suspicious strings in the payload (like ";DROP TABLE....")? How does it know if the content in the payload is safe or not? I mean, I could be sending some payload to my web app that could look like SQL injection - how does the WAF know which request is an attack and which isn't?

Upvotes: -2

Views: 1827

Answers (1)

Ken W - Zero Networks

Reputation: 3804

Here is a list of reference material that OWASP used to create the rules for SQL injections. Essentially it is looking at the query to see if there is anything suspect in it (comments trying to obfuscate commands, backticks in the wrong place, trying to gain server/host information, etc.). It is a long list, too long to describe here, but the reference sites might be easier to understand than the raw rules.

References (from rule code):

Upvotes: 1
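
An added illustration of the signature-matching idea discussed in this thread (not part of the answer, and not Azure's or OWASP's code): every request field is decoded, checked against patterns for the categories the answer names, and the matches are summed into a score that is compared to a blocking threshold. The rule names, patterns, scores and threshold are assumptions, heavily simplified from what a real rule set does.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical, simplified rules: (name, pattern, score). NOT the real OWASP rules.
RULES = [
    ("sql_comment", re.compile(r"--(\s|$)|/\*"), 2),
    ("backtick", re.compile(r"`"), 2),
    ("stacked_statement",
     re.compile(r";\s*(drop|alter|insert|update|delete|select)\b", re.I), 5),
    ("host_info",
     re.compile(r"@@(version|hostname)\b|\b(version|database|user)\s*\(\s*\)", re.I), 5),
]
THRESHOLD = 5  # assumed blocking threshold


def inspect(url, body=""):
    """Score a request as an inspector would see it in plaintext
    (assumption: TLS is terminated before inspection and the body is form-encoded)."""
    # Decode both the URL parameters and the body so encoded payloads are matched too.
    fields = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    score, hits = 0, []
    for name, value in fields:
        for rule, pattern, points in RULES:
            if pattern.search(value):
                score += points
                hits.append((name, rule))
    return {"score": score, "blocked": score >= THRESHOLD, "hits": hits}


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("/search?q=O%27Brien+%26+sons", "comment=please+drop+the+table+off+at+noon"),
        ("/notes", "note=use+%60backticks%60+for+code"),
        ("/item?id=1%3B+DROP+TABLE+users+--+", ""),
    ]
    for url, body in samples:
        print(url, inspect(url, body))
```

A single weak indicator (the backtick in the second sample) is recorded but stays under the threshold, which is how a scoring approach limits false positives on legitimate input; only the combination of strong indicators in the third sample is blocked.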
