- Published on
SQL Injection
- Authors
- Name
- Bowen Y
What is the difference between different options in field_to_match in the statement block?
When setting up a rule in AWS WAF to protect against SQL injections, choosing the right field to match is crucial. Among the options provided (all_query_arguments, body, cookies, header_order, headers, ja3_fingerprint, json_body, method, query_string, single_header, single_query_argument, uri_path), the most effective choice can depend on the specifics of your application and where you expect SQL injection attempts to occur. However, there are common fields that are typically targeted by SQL injection attacks:
all_query_arguments: This is a comprehensive choice as it inspects all parameters passed in the query string of the URL. SQL injections often occur through URL parameters, making this a very effective option for a general SQL injection rule.body: If your application receives SQL commands through POST requests, where data is sent in the body of the request (especially in forms or API payloads), inspecting thebodycan be crucial.single_query_argumentorsingle_header: These can be used if you know that SQL injection attacks are only likely through specific query parameters or headers.
For the most common and broad protection against SQL injections, focusing on all_query_arguments and body will cover many of the bases:
all_query_argumentscovers all the data sent in the query strings, which is a common attack vector for SQL injections.bodycovers data sent in the body of POST requests, which can include form submissions and JSON payloads that might also be susceptible to injection.
Example Terraform Configuration
Here’s how you can set up SQL injection rules in AWS WAF using Terraform to monitor both the query arguments and the body of requests:
resource "aws_wafv2_web_acl" "example" {
name = "example-waf"
scope = "CLOUDFRONT" # Use "REGIONAL" for resources in AWS regions or "CLOUDFRONT" for CloudFront distributions
description = "WAF for protecting from SQL injection"
default_action {
allow {}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "exampleWaf"
sampled_requests_enabled = true
}
rule {
name = "SQLInjectionRuleQueryArgs"
priority = 1
action {
block {}
}
statement {
sqli_match_statement {
field_to_match {
all_query_arguments {}
}
text_transformation {
priority = 0
type = "URL_DECODE"
}
text_transformation {
priority = 1
type = "HTML_ENTITY_DECODE"
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "SQLInjectionRuleQueryArgs"
sampled_requests_enabled = true
}
}
rule {
name = "SQLInjectionRuleBody"
priority = 2
action {
block {}
}
statement {
sqli_match_statement {
field_to_match {
body {}
}
text_transformation {
priority = 0
type = "URL_DECODE"
}
text_transformation {
priority = 1
type = "HTML_ENTITY_DECODE"
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "SQLInjectionRuleBody"
sampled_requests_enabled = true
}
}
}
what is text_transformation?
In the context of AWS WAF (Web Application Firewall), text_transformation is a rule setting used to normalize or sanitize incoming web requests before inspecting them for malicious content, such as SQL injection or cross-site scripting (XSS) attacks. The main purpose of text transformations is to eliminate any obfuscations that attackers might use to hide their payloads, making it easier for AWS WAF to detect and mitigate potential threats.
Purpose of Text Transformations
Text transformations are crucial because attackers often use various encoding methods to disguise their attacks. For instance, an attacker might encode characters or use HTML entities to bypass simple pattern-matching rules that are designed to detect straightforward malicious inputs. By applying text transformations, AWS WAF can decode these inputs into a format that is easier to inspect.
Types of Text Transformations
AWS WAF supports several types of text transformations, each designed to address specific obfuscation techniques:
URL Decode: Converts encoded characters back to their original form. For example, "%20" would be transformed to a space character. This is particularly useful for inspecting parts of requests that might be URL-encoded.
HTML Entity Decode: Converts HTML entities back to their respective characters. For example,
<becomes<. This is essential for inspecting web requests that include HTML content.Lowercase: Converts all characters to lowercase. This helps in creating case-insensitive matches for rule conditions.
CMD Line: Simplifies command line inputs by trimming spaces, converting sequences of more than one space into a single space, and removing certain quoting styles commonly used in system command lines. This can help in detecting command injection attempts.
Base64 Decode: Decodes Base64 encoded strings. This is useful if attackers are encoding malicious scripts or payloads in Base64 to evade detection.
Hex Decode: Converts hexadecimal encoded data into its binary representation, which can be necessary for further inspections in binary or script-based attack vectors.
None: Applies no transformation. This can be used when the raw input needs to be inspected without any modifications.
Example in Terraform Configuration
Here’s how a text transformation might be specified in a Terraform configuration for AWS WAF:
resource "aws_wafv2_web_acl" "example" {
// Other configurations
rule {
name = "SQLInjectionRule"
priority = 1
action {
block {}
}
statement {
sqli_match_statement {
field_to_match {
body {}
}
text_transformation {
priority = 0
type = "URL_DECODE"
}
text_transformation {
priority = 1
type = "HTML_ENTITY_DECODE"
}
}
}
// Other configurations
}
}
Reference: https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html