Citrix ADC

SQL grammar-based protection for HTML and JSON payload

Citrix Web App Firewall uses a pattern-match approach to detect SQL injection attacks in HTTP and JSON payloads. The approach uses a set of pre-defined keywords and/or special characters to detect an attack and flag it as a violation. Although this approach is effective, it can produce many false positives, each of which then needs one or more relaxation rules, especially when commonly used words such as “Select” and “From” appear in an HTTP or JSON request. You can reduce false positives by enabling the SQL grammar protection check for HTML and JSON payloads.

In the existing pattern-match approach, an SQL injection attack is identified if a pre-defined keyword and/or special character is present in an HTTP request; the flagged text need not be a valid SQL statement. In the grammar-based approach, an SQL injection attack is detected only if the keyword or special character is part of a valid SQL statement, which reduces false positives.

SQL grammar-based protection usage scenario

Consider the statement “Select my tickets and let’s meet at union station” in an HTTP request. Although it is not a valid SQL statement, the existing pattern-match approach flags the request as an SQL injection attack because the statement contains the keywords “Select”, “and”, and “Union”. With the SQL grammar approach, the statement is not flagged as a violation because the keywords are not part of a valid SQL statement.
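As an added illustration (not the appliance's detection engine), the following Python contrasts a keyword pattern match with a small grammar check on the sentence above; the keyword list, tokenizer and SQL subset (SELECT statements and tautology fragments such as ' OR 1=1) are constructed for this example.

```python
import re

# Added illustration, not the Citrix engine: keyword pattern match vs. a tiny SQL
# grammar check. Keyword list and grammar subset are constructed for this example.
SQL_KEYWORDS = {"select", "from", "where", "union", "and", "or", "insert", "update",
                "delete", "drop", "into", "values"}
SPECIAL_CHARS = {"'", ";", "--"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|--|<>|<=|>=|[=<>*,;()']|\S")
COMPARATORS = {"=", "<>", "<", ">", "<=", ">="}


def pattern_match_detect(text):  # SQLSplCharORKeyword style: any keyword/special char
    return any(t.lower() in SQL_KEYWORDS or t in SPECIAL_CHARS
               for t in TOKEN_RE.findall(text))


class _Parser:  # recursive descent over a small SQL subset
    def __init__(self, tokens):
        self.t, self.i = [x.lower() for x in tokens], 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self, *wanted):  # consume the next token if it is one of `wanted`
        ok = self.peek() in wanted
        self.i += ok
        return ok
    def ident(self):  # non-keyword name (column or table)
        tok = self.peek()
        return bool(tok and re.fullmatch(r"[a-z_]\w*", tok)
                    and tok not in SQL_KEYWORDS and self.take(tok))
    def value(self):  # identifier or integer literal
        tok = self.peek()
        return self.ident() or bool(tok and tok.isdigit() and self.take(tok))
    def cond(self):  # value <cmp> value (AND|OR value <cmp> value)*, e.g. 1=1
        ok = self.value() and self.take(*COMPARATORS) and self.value()
        return self.cond() if ok and self.take("and", "or") else ok
    def select(self):  # SELECT (*|col) FROM table [WHERE cond] [UNION select]
        ok = self.take("select") and (self.take("*") or self.ident())
        ok = ok and self.take("from") and self.ident()
        ok = self.cond() if ok and self.take("where") else ok
        return ok and (self.select() if self.take("union") else True)
    def statement(self):  # a full SELECT, or a tautology tail such as ' OR 1=1
        start = self.i
        if self.select():
            return True
        self.i = start
        self.take("'")  # a quote that closes the application's own literal
        return bool(self.take("or", "and") and self.cond())


def grammar_detect(text):  # grammar style: flag only if some suffix parses as SQL
    tokens = TOKEN_RE.findall(text)
    return any(_Parser(tokens[i:]).statement() for i in range(len(tokens)))
```

The pattern check flags the ticket sentence on “Select”, “and”, “union” and the apostrophe alone, while the grammar check flags only inputs that actually parse as SQL.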

The grammar-based approach can also be configured to detect SQL injection attacks in JSON payloads. You can reuse the existing relaxation rules; fine-grained relaxation rules also apply to SQL grammar for rules with “valueType” “keyword”. For JSON SQL grammar, the existing URL-based relaxation method can be reused.

Configure SQL grammar-based protection by using the CLI

To implement SQL grammar-based detection, you must configure the “SQLInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing SQL injection actions are supported except learning. Any new profile created after an upgrade supports SQL injection grammar; its default detection type remains “special character or keyword”, and grammar-based detection must be explicitly enabled.

At the command prompt, type:

add appfw profile <profile-name> -SQLInjectionAction <action-name> -SQLInjectionGrammar ON/OFF

Example:

add appfw profile profile1 -SQLInjectionAction Block -SQLInjectionGrammar ON

Configure SQL pattern-match protection and grammar-based protection by using the CLI

If both the grammar-based and the pattern-match approaches are enabled, the appliance performs grammar-based detection first. If grammar-based detection finds SQL injection and the action type is set to block, the request is blocked without running the pattern-match check.

At the command prompt, type:

add appfw profile <profile-name> -SQLInjectionAction <action-name> -SQLInjectionGrammar ON -SQLInjectionType <any type other than ‘None’: SQLSplCharANDKeyword / SQLSplCharORKeyword / SQLSplChar / SQLKeyword>

Example:

add appfw profile p1 -SQLInjectionAction block -SQLInjectionGrammar ON -SQLInjectionType SQLSplChar

Configure SQL Injection check only with grammar-based protection by using the CLI

At the command prompt, type:

add appfw profile <profile-name> -SQLInjectionAction <action-name> -SQLInjectionGrammar ON -SQLInjectionType None

Example:

add appfw profile p1 -SQLInjectionAction block -SQLInjectionGrammar ON -SQLInjectionType None

Bind relaxation rules for SQL grammar-based protection by using the CLI

If your application requires you to bypass the SQL injection check for a specific “ELEMENT” or “ATTRIBUTE” in the payload, you must configure a relaxation rule.

Note:

Relaxation rules with valueType “keyword” are evaluated only when the appliance performs detection using SQL grammar.

The SQL injection check relaxation rules have the following syntax. At the command prompt, type:

bind appfw profile <name> -SQLInjection <String> [-isRegex ( REGEX | NOTREGEX )] <formActionURL> [-location <location>] [-valueType ( Keyword | SpecialString | Wildchar ) [<valueExpression>] [-isValueRegex ( REGEX | NOTREGEX )]]

Example:

bind appfw profile p1 -sqlinjection abc http://10.10.10.10/
bind appfw profile p1 -sqlinjection 'abc[0-9]+' http://10.10.10.10/ -isregex regEX
bind appfw profile p1 -sqlinjection 'name' http://10.10.10.10/ -valueType Keyword 'selec[a-z]+' -isvalueRegex regEX

Configure SQL grammar-based protection for JSON payload by using the CLI

To implement SQL grammar-based detection for the JSON payload, you must configure the “JSONSQLInjectionGrammar” parameter in the Web App Firewall profile. By default, the parameter is disabled. All existing SQL injection actions are supported except learning. Any new profile created after an upgrade supports SQL injection grammar; its default detection type remains “special character or keyword”, and you must explicitly enable grammar-based detection.

At the command prompt, type:

add appfw profile <profile-name> -type JSON -JSONSQLInjectionAction <action-name> -JSONSQLInjectionGrammar ON/OFF

Example:

add appfw profile profile1 -type JSON -JSONSQLInjectionAction Block -JSONSQLInjectionGrammar ON

Configure SQL pattern-match protection and grammar-based protection for JSON payload by using the CLI

If both the grammar-based and the pattern-match checks are enabled, the appliance performs grammar-based detection first. If grammar-based detection finds SQL injection and the action type is set to block, the request is blocked without running the pattern-match check.

Note:

Relaxation rules with valueType “keyword” are evaluated only when the appliance performs detection using SQL grammar.

At the command prompt, type:

add appfw profile <profile-name> -type JSON -JSONSQLInjectionAction <action-name> -JSONSQLInjectionGrammar ON -JSONSQLInjectionType <any type other than ‘None’: SQLSplCharANDKeyword / SQLSplCharORKeyword / SQLSplChar / SQLKeyword>

Example:

add appfw profile p1 -type JSON -JSONSQLInjectionAction block -JSONSQLInjectionGrammar ON -JSONSQLInjectionType SQLSplChar

Configure JSON SQL Injection check only with grammar-based protection by using the CLI

At the command prompt, type:

add appfw profile <profile-name> -type JSON -JSONSQLInjectionAction <action-name> -JSONSQLInjectionGrammar ON -JSONSQLInjectionType None

Example:

add appfw profile p1 -type JSON -JSONSQLInjectionAction block -JSONSQLInjectionGrammar ON -JSONSQLInjectionType None

Bind URL-based relaxation rules for JSON SQL grammar-based protection by using the CLI

If your application requires you to bypass the JSON command injection inspection for a specific “ELEMENT” or “ATTRIBUTE” in the payload, you can configure a relaxation rule. The JSON command injection inspection relaxation rules have the following syntax. At the command prompt, type:

bind appfw profile <profile name> -JSONCMDURL <expression> -comment <string> -isAutoDeployed ( AUTODEPLOYED | NOTAUTODEPLOYED ) -state ( ENABLED | DISABLED )

Example:

bind appfw profile p1 -sqlinjection abc http://10.10.10.10/
bind appfw profile p1 -sqlinjection 'abc[0-9]+' http://10.10.10.10/ -isregex regEX
bind appfw profile p1 -sqlinjection 'name' http://10.10.10.10/ -valueType Keyword 'selec[a-z]+' -isvalueRegex regEX

Configure SQL grammar-based protection by using the GUI

Complete the following GUI procedure to configure grammar-based HTML SQL Injection detection.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
  4. In the Security Checks section, go to HTML SQL Injection settings.
  5. Click the executable icon near the check box.
  6. Click Action Settings to access the HTML SQL Injection Settings page.

    GUI configuration for SQL grammar-based protection HTML payload

  7. Select the Check using SQL Grammar check box.
  8. Click OK.

Configure SQL grammar-based protection for JSON payload by using the GUI

Complete the following GUI procedure to configure grammar-based JSON SQL Injection detection.

  1. On the navigation pane, navigate to Security > Profiles.
  2. In the Profiles page, click Add.
  3. In the Citrix Web App Firewall Profile page, click Security Checks under Advanced Settings.
  4. In the Security Checks section, go to JSON SQL Injection settings.
  5. Click the executable icon near the check box.
  6. Click Action Settings to access the JSON SQL Injection Settings page.
  7. Select the Check using SQL Grammar check box.
  8. Click OK.

    GUI configuration for SQL grammar-based protection JSON payload