Configuring an SQL/XSS Injection Detection policy
SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, attackers craft HTTP requests that cause SQL queries to be executed directly against the web application’s database. XSS injection attacks cause a web browser to execute a client-side script.
In contrast to signature-based detection, the WAF SQL and XSS injection detector module detects SQL and XSS injection through lexical analysis. This is a complementary method to signature matching, and it is faster.
The policy enables or disables scanpoints, sets the action taken when traffic matches, and sets the event severity.
You can enable detection in the following scanpoints:
- SQL Injection: URI—Analyzes content in the URI.
- SQL Injection: Referer—Analyzes content in the HTTP Referer header.
- SQL Injection: Cookie—Analyzes content in the HTTP Cookie header.
- SQL Injection: Body—Analyzes content in the HTTP request body.
- XSS Injection: URI—Analyzes content in the URI.
- XSS Detection: Referer—Analyzes content in the HTTP Referer header.
- XSS Detection: Cookie—Analyzes content in the HTTP Cookie header.
- XSS Detection: Body—Analyzes content in the HTTP request body.
Header scanning is recommended. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.
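As an added illustration (not the product's own code or lexer), the Python sketch below shows what the scanpoint model described above amounts to: each enabled scanpoint (URI, Referer, Cookie, Body) is tokenized and checked by token sequence rather than by a fixed signature, and a match yields an event carrying the policy's action and severity. The `looks_like_sqli` heuristic, the policy dictionary shape and the sample request are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Illustrative lexer (an assumption, not the WAF's real one): each lexeme is
# classified, and detection looks at the sequence of token classes rather than
# at a whole-string signature.
TOKEN_RE = re.compile(
    r"(?P<kw>\b(?:select|union|or|and|insert|update|drop|sleep)\b)"
    r"|(?P<quote>['\"])|(?P<comment>--|#|/\*)|(?P<op>[=;()])"
    r"|(?P<word>\w+)|(?P<ws>\s+)|(?P<other>.)", re.IGNORECASE)

def tokenize(value):
    """Percent-decode a field, then return its token classes (whitespace dropped)."""
    return [m.lastgroup for m in TOKEN_RE.finditer(unquote_plus(value)) if m.lastgroup != "ws"]

def looks_like_sqli(value):
    """True when a quote is directly followed by a keyword or comment marker,
    i.e. the value closes a string literal and continues as SQL syntax.
    A plain apostrophe inside a word (O'Brien) does not match."""
    toks = tokenize(value)
    return any(a == "quote" and b in ("kw", "comment") for a, b in zip(toks, toks[1:]))

def scanpoints(request):
    """Map the policy's four scanpoints onto the parts of a parsed request."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return {"uri": request.get("uri", ""), "referer": headers.get("referer", ""),
            "cookie": headers.get("cookie", ""), "body": request.get("body", "")}

def evaluate(request, policy):
    """Return (action, events). Only enabled scanpoints are examined; every match
    becomes an event with the policy's action and severity. The overall action is
    the policy action (Deny or Alert) on any match, otherwise 'Allow'."""
    events = [{"scanpoint": sp, "action": policy["action"], "severity": policy["severity"]}
              for sp, value in scanpoints(request).items()
              if sp in policy["enabled"] and value and looks_like_sqli(value)]
    return (policy["action"] if events else "Allow"), events

# Constructed sample policy mirroring the page's Medium-Level-Security SQL settings
# (URI scanpoint only, Deny, High). The body payload is ignored until "body" is enabled.
MEDIUM = {"enabled": {"uri"}, "action": "Deny", "severity": "High"}
SAMPLE = {"uri": "/login?user=admin'%20OR%20'1'='1",
          "headers": {"Referer": "https://example.test/", "Cookie": "session=abc123"},
          "body": "q=1'--"}

if __name__ == "__main__":
    print(evaluate(SAMPLE, MEDIUM))
```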
The table Predefined SQL injection and XSS detection policies describes the predefined policies.

Predefined Rules | SQL Injection Detection | SQL Action | SQL Severity | XSS Detection | XSS Action | XSS Severity
---|---|---|---|---|---|---
High-Level-Security | All except Body SQL Injection Detection | Deny | High | All except Body XSS Injection Detection | Deny | High
Medium-Level-Security | Only URI SQL Injection Detection | Deny | High | None | Alert | Low
Alert-Only | Only URI SQL Injection Detection | Alert | High | None | Alert | Low
If desired, you can create user-defined policies.
Before you begin:
- You must have Read-Write permission for Security settings.
After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.
To configure an SQL/XSS Injection Detection policy:
- Go to Web Application Firewall > Common Attacks Detection.
- Click the SQL/XSS Injection Detection tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in SQL/XSS Injection Detection configuration.
- Save the configuration.
Settings | Guidelines
---|---
Name | Configuration name. Valid characters are After you initially save the configuration, you cannot edit the name.
SQL |
SQL Injection Detection | Enable/disable SQL injection detection.
URI Detection | Enable/disable detection in the URI of the HTTP request.
Referer Detection | Enable/disable detection in the Referer header.
Cookie Detection | Enable/disable detection in the Cookie header.
Body Detection | Enable/disable detection in the HTTP request body.
Action | Select the action profile that you want to apply. See Configuring WAF Action objects. The default is Alert, but we recommend using Deny SQL Injection.
Severity | The default is Low, but we recommend you rate this High or Medium.
SQL Exception Name | Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
XSS |
XSS Injection Detection | Enable/disable XSS injection detection.
URI Detection | Enable/disable detection in the URI of the HTTP request.
Referer Detection | Enable/disable detection in the Referer header.
Cookie Detection | Enable/disable detection in the Cookie header.
Body Detection | Enable/disable detection in the HTTP request body.
Action | Select the action profile that you want to apply. See Configuring WAF Action objects. The default is Alert, but we recommend using Deny XSS Injection.
Severity | The default is Low, but we recommend you rate this High or Medium.
XSS Exception Name | Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.