-3

I heard that Azure App Gateway's Web App Firewall is able to protect apps from SQL injection attacks. How does it actually achieve that?

Does it inspect all the incoming payload (both body and URL params)? If it does, I assume TLS termination has to be set up on the Application Gateway level, otherwise it wouldn't be able to read anything. Does it just look for some suspicious strings in the payload (like ";DROP TABLE....")? How does it know if the content in the payload is safe or not? I mean, I could be sending some payload to my web app that could look like SQL injection - how does the WAF know which request is an attack and which isn't?

mnj
  • Does it **really** "protects" from SQL injections? I don't think it really does, or not in all but the most basic cases. SQL injection is something the program building the SQL needs to prevent, not someone else filtering out bad inputs. – Alejandro Jun 09 '21 at 18:15
  • The documentation explains this. It implements OWASP CRS 2.2.9, 3.0, and 3.1. From there, if you want to understand the *how*, look into OWASP. – Daniel Mann Jun 09 '21 at 18:36
  • @Alejandro Yes, MSDN (https://learn.microsoft.com/en-us/azure/web-application-firewall/overview) states that it does protect from common attacks, including SQL injection. "Web Application Firewall (WAF) PROVIDES centralized PROTECTION of your web applications FROM COMMON EXPLOITS and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks." – mnj Jun 09 '21 at 19:01
  • @DanielMann OWASP docs are not the easiest to understand, this is why I posted this question. I don't really need to know details, I was just reading through MSDN, and I got curious how it works on high-level. If I ever use WAF on Azure, I'd like to know how it protects me. – mnj Jun 09 '21 at 19:08

1 Answer

2

Here is a list of reference material that OWASP used to create the rules for SQL injections. Essentially it is looking at the query to see if there is anything suspect in it (comments trying to obfuscate commands, backticks in the wrong place, trying to gain server/host information, etc). It is a long list, too long to describe here but the reference sites might be easier to understand than the raw rules.

References (from rule code):

Ken W - Zero Networks
    @Loreno, I pulled these links from the comments section of some of the rules and you are correct, some are no longer valid. I added some links with background information. – Ken W - Zero Networks Jun 10 '21 at 15:15
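To make the mechanism concrete, here is an added toy model of how a CRS-style rule set scores a request. It is not code from the answer, from Azure, or from OWASP, and its rule ids, regexes and sample requests are invented and far cruder than the real CRS 942xxx rules. What it does reproduce faithfully is the shape of the process the answer describes: the WAF URL-decodes the parameters it can see (query string and form body, which is why TLS must terminate on the gateway), every matching rule adds its severity to an anomaly score, and the request is blocked once that score reaches the inbound threshold (5 in CRS 3.x at the default paranoia level, so a single CRITICAL hit suffices). The fourth sample shows the answer to the asker's last question: the WAF cannot know intent, so a harmless value that looks like SQL is blocked just the same.

```python
"""
Toy CRS-style anomaly scoring for SQL injection (illustrative only).

Constructed for this example; the rule ids, patterns and samples are not
the real OWASP CRS rules and are much simpler than them.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl

CRITICAL, WARNING = 5, 3          # CRS severity scores for matching rules
INBOUND_ANOMALY_THRESHOLD = 5     # CRS 3.x default inbound threshold

# Hypothetical rules loosely modelled on CRS categories (ids are invented).
RULES = [
    ("942-A", "SQL comment sequence",
     re.compile(r"/\*|\*/|--|#"), CRITICAL),
    ("942-B", "UNION ... SELECT",
     re.compile(r"\bunion\b.{0,20}\bselect\b", re.I), CRITICAL),
    ("942-C", "Tautology such as ' OR '1'='1",
     re.compile(r"""\b(?:or|and)\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+['"]?""", re.I), CRITICAL),
    ("942-D", "Stacked query (; DROP ...)",
     re.compile(r";\s*(?:drop|delete|insert|update|alter|exec)\b", re.I), CRITICAL),
    ("942-E", "Bare SQL keyword",
     re.compile(r"\b(?:select|insert|update|delete|drop|union)\b", re.I), WARNING),
]


def collect_args(raw_query: str, raw_body: str) -> List[Tuple[str, str]]:
    """URL-decode every parameter the WAF would inspect (ARGS in CRS terms).

    The gateway only sees these values in clear if TLS terminates on it.
    """
    args = [(f"ARGS:{k}", v) for k, v in parse_qsl(raw_query, keep_blank_values=True)]
    args += [(f"ARGS:{k}", v) for k, v in parse_qsl(raw_body, keep_blank_values=True)]
    return args


def score_request(raw_query: str, raw_body: str = ""):
    """Return (blocked, anomaly_score, matches) for one request.

    Each rule that matches a decoded value adds its severity once; the
    request is blocked when the total reaches the inbound threshold.
    """
    score = 0
    matches = []
    for name, value in collect_args(raw_query, raw_body):
        for rule_id, desc, pattern, severity in RULES:
            if pattern.search(value):
                matches.append((rule_id, name, desc))
                score += severity
    return score >= INBOUND_ANOMALY_THRESHOLD, score, matches


# Constructed sample traffic: two attacks, one benign request that only
# trips a WARNING-level rule, and one benign request that is blocked anyway.
SAMPLES = {
    "tautology in URL":      ("id=1%27%20OR%20%271%27%3D%271", ""),
    "stacked query in body": ("", "comment=hello%3B+DROP+TABLE+users--"),
    "benign search":         ("q=how+to+select+a+union+in+my+query", ""),
    "benign C comment":      ("note=Use+%2F*+...+*%2F+for+block+comments+in+C", ""),
}

if __name__ == "__main__":
    for label, (query, body) in SAMPLES.items():
        blocked, score, matches = score_request(query, body)
        verdict = "BLOCK" if blocked else "allow"
        print(f"{label:22} {verdict:5} score={score:2} {[m[0] for m in matches]}")
```

The "benign C comment" sample is the point of the exercise: `/* ... */` is exactly what the comment-sequence rule is looking for, so a legitimate forum post about C syntax scores the same as an obfuscated injection. Real deployments tune this with rule exclusions and paranoia levels, which is why the WAF is a layer in front of parameterised queries, not a replacement for them.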