JSON SQL Injection protection check

An incoming JSON request can carry SQL injection in the form of partial SQL query strings or unauthorized commands embedded in its values. Such a request can be used to steal data from the database behind your JSON-based web servers. On receiving such a request, the appliance blocks it to protect your data.

Consider a scenario in which a client sends a JSON SQL request to a Citrix ADC appliance. The JSON parser parses the request payload and, if an SQL Injection is observed, the appliance enforces constraints on the JSON SQL content. The constraint enforces a size limit on the JSON SQL request. As a result, if any JSON SQL Injection is observed, the appliance applies the configured action and responds with the JSON SQL error page.

Configure JSON SQL Injection protection

To configure JSON SQL Injection protection, complete the following steps:

  1. Add an application firewall profile of type JSON.
  2. Set the JSON SQL Injection settings on the application firewall profile.
  3. Configure the JSON SQL Injection action by binding it to the application firewall profile.

Add application firewall profile of type JSON

You must first create a profile that specifies how the application firewall must protect your JSON web content from JSON SQL Injection attacks. At the command prompt, type:

add appfw profile <name> -type (HTML | XML | JSON)

Note:

When you set the profile type to JSON, other checks, such as the HTML or XML checks, are not applicable.

Example

add appfw profile profile1 -type JSON

Configure JSON SQL Injection action

You must configure one or more JSON SQL Injection actions to protect your application from JSON SQL injection attacks. At the command prompt, type:

set appfw profile <name> -JSONSQLInjectionAction [block] [log] [stats] [none]

The JSON SQL Injection actions are:

  - Block - Block connections that violate this security check.
  - Log - Log violations of this security check.
  - Stats - Generate statistics for this security check.
  - None - Disable all actions for this security check.

Configure JSON SQL Injection type

To configure the JSON SQL Injection type on an application firewall profile, at the command prompt, type:

set appfw profile <name> -JSONSQLInjectionType <JSONSQLInjectionType>

Example

set appfw profile profile1 -JSONSQLInjectionType SQLKeyword

The available JSON SQL Injection types are:

  - SQLSplChar - Checks for SQL special characters.
  - SQLKeyword - Checks for SQL keywords.
  - SQLSplCharANDKeyword - Checks for both, and blocks only if an SQL special character and an SQL keyword are both found.
  - SQLSplCharORKeyword - Blocks if either an SQL special character or an SQL keyword is found.

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword.

Note: To enable one or more actions, type "set appfw profile <name> -JSONSQLInjectionAction" followed by the actions to be enabled.

Example

set appfw profile profile1 -JSONSQLInjectionAction block log stats

The following example shows a sample payload, its corresponding log message and statistics counters:

Payload:
=======
{
  "test": "data",
  "username": "waf",
  "password": "select * from t1;",
  "details": {
    "surname": "test",
    "age": "23"
  }
}

Log Message:
===========
08/19/2019:08:49:46 GMT pegasus121 Informational 0-PPE-0 : default APPFW APPFW_JSON_SQL 6656 0 :  10.217.32.165 18402-PPE0 - profjson http://10.217.32.147/test.html SQL Keyword check failed for object value(with violation="select(;)") starting at offset(52) <blocked>
Counters:
========
   1  441083             1 as_viol_json_sql
   3       0             1 as_log_json_sql
   5       0             1 as_viol_json_sql_profile appfw__(profjson)
   7       0             1 as_log_json_sql_profile appfw__(profjson)
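To make the four JSONSQLInjectionType modes concrete, here is an added Python model of the check (illustration only, not the appliance's code): it walks every string value of a JSON body and classifies it under each mode, reproducing the violation="select(;)" result that the log line above reports for the sample payload. The keyword and special-character lists are assumptions; the appliance's real lists are not on the page.

```python
import json
import re

# Constructed lists for illustration; the appliance's real keyword and special-character sets are not on the page.
SQL_KEYWORDS = {"select", "insert", "update", "delete", "drop", "union", "exec"}
SQL_SPECIAL_CHARS = set(";'\"`")
# The payload from the page, embedded so the model runs offline.
SAMPLE_PAYLOAD = '''{"test": "data", "username": "waf", "password": "select * from t1;",
"details": {"surname": "test", "age": "23"}}'''

def iter_string_values(node, path="$"):
    """Yield (json_path, value) for every string leaf; the check inspects values, not keys."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_string_values(child, f"{path}.{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from iter_string_values(child, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def sql_indicators(value):
    """Return (keywords, special_chars) present in one string value."""
    keywords = [w.lower() for w in re.findall(r"[A-Za-z_]+", value) if w.lower() in SQL_KEYWORDS]
    specials = [c for c in value if c in SQL_SPECIAL_CHARS]
    return keywords, specials

def violates(value, check_type):
    """Apply one of the four JSONSQLInjectionType modes to a single value."""
    keywords, specials = sql_indicators(value)
    if check_type == "SQLSplChar":
        return bool(specials)
    if check_type == "SQLKeyword":
        return bool(keywords)
    if check_type == "SQLSplCharANDKeyword":
        return bool(keywords) and bool(specials)
    if check_type == "SQLSplCharORKeyword":
        return bool(keywords) or bool(specials)
    raise ValueError(f"unknown JSONSQLInjectionType: {check_type}")

def scan_json_payload(raw_json, check_type):
    """Return [(json_path, violation)] for each string value that fails check_type.
    The violation string mimics the log's violation="select(;)": first keyword, then specials in parentheses."""
    hits = []
    for path, value in iter_string_values(json.loads(raw_json)):
        if violates(value, check_type):
            keywords, specials = sql_indicators(value)
            violation = (keywords[0] if keywords else "") + (f"({''.join(specials)})" if specials else "")
            hits.append((path, violation))
    return hits
```

Running `scan_json_payload(SAMPLE_PAYLOAD, "SQLKeyword")` flags only the `$.password` value, matching the log line; the same value would pass SQLSplCharANDKeyword only because it contains both a keyword and a special character.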

Configure JSON SQL Injection protection by using the Citrix GUI

Follow the procedure below to set the JSON SQL Injection protection settings.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
  4. In the Security Checks section, go to JSON SQL Injection settings.
  5. Click the executable icon near the check box.

  6. Click Action Settings to access the JSON SQL Injection Settings page.
  7. Select the JSON SQL Injection actions.
  8. Click OK.

  9. In the Citrix Web App Firewall Profile page, click Relaxation Rules under Advanced Settings.
  10. In Relaxation Rules section, select JSON SQL Injection settings and click Edit.

  11. In the JSON SQL Injection Relaxation Rule page, enter the URL to be exempted from the check. Requests sent to this URL are not blocked.
  12. Click Create.