Imperva Cyber Community

communities_1.jpg
 View Only

  • 1.  JSON syntax hack allowed SQL injection payloads

    Posted 12-10-2022 01:18
    Hello everyone,
    Hope you're all doing good,
    We have recently read about "JSON syntax hack allowed SQL injection payloads". Does this attack has been covered by On-premise and cloud WAF.
    Thanks in advance,

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Rajesh Kanna
    Senior Associate Technical- Network Security
    Value Point Techsol Private Ltd.
    Bangalore
    ------------------------------


  • 2.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-12-2022 02:31
    Hi ,

    Please refer to the article: https://www.imperva.com/blog/abusing-json-based-sql/

    ------------------------------
    Henry Zhu
    Technical Engineer
    CipherTech Co., Ltd
    Taipei
    ------------------------------



  • 3.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-13-2022 10:12
    Hello and good day. Does anyone know what version of the on-prem WAF that JSON support was added? I would like to verify that the version we are running includes JSON support that would prevent the Json bypass recently disclosed. Thank you.

    Jonathan

    ------------------------------
    Jonathan Grant
    Sr. Staff IT Security Engineer
    Qualcomm Incorporated
    San Diego CA
    ------------------------------

    Original Message


  • 4.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-14-2022 08:58
    Hello All,


    ON-Prem customers that have "SecureSphere Emergency Feed" (THR feeds) are protected OOTB.

    In order to verify that the protection is implemented,

    Please verify that Below Signatures are exists.

     

    Signature 1:

    Signature Name:

    SQL Injection using json operator 1

    Signature Pattern

    part="array", rgxp="['\"`]\sor[\s\S]{1,50}(\{['\"][\s\S]{1,50}['\"]\:[\s\S]{1,50}\})[\s\S]{1,20}(\?\||\?\&)\sarray(\[(?:\'?[\s\S]{1,50}\'?)\]\s?)(?:;|--|\#|$)"

    Protocols

    http/s

    Search Signature in:

    Urls and Parameters

     

    Signature 2:

    Signature Name:

    SQL Injection using json operator 2

    Signature Pattern

    part="json",rgxp="['\"`]\sor[\s\S]{1,50}\'(\[(?:\'?[\s\S]{1,50}\'?)\]\s?)\'\:\:jsonb?[\s\S]{0,50}(?:->>)[\s\S]{1,50}(?:;|--|\#|$)"

    Protocols

    http/s

    Search Signature in:

    Urls and Parameters

     

    Signature 3:

    Signature Name:

    SQL Injection using json operator 3

    Signature Pattern

    part="array", part="json", rgxp="['\"`]\sor[\s\S]{1,50}\:\:jsonb?\s\|\|[\s\S]{1,50}\:\:jsonb?[\s\S]{1,50}(?:--|#|\$|;)"

    Protocols

    http/s

    Search Signature in:

    Urls and Parameters

     

    Signature 4:

    Signature Name:

    SQL Injection using json operator 4

    Signature Pattern

    part="\x7d\x27 ?", rgxp="^.{0,100}['\"`][\s\S]{1,50}(\{['\"][\s\S]{1,50}['\"]\:[\s\S]{1,50}\})[\s\S]{1,20}(\?)\s\'[\s\S]{1,50}\'\s(?:;|--|\#|$)"

    Protocols

    http/s

    Search Signature in:

    Urls and Parameters



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------

    Original Message


  • 5.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-14-2022 11:30
    Thank you everyone for the questions and the answers. This is helpful information.

    ------------------------------
    Sandra Palma
    Manager, Customer Success, Cala
    MO
    ------------------------------

    Original Message


  • 6.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-15-2022 01:13
    Hello Syed,

    Thanks for the update,

    How about, if we don't have threatradar license and still we covered by JSON based SQL attacks.

    ------------------------------
    Jagadesh Kumar R
    Inormation Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------

    Original Message


  • 7.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-15-2022 03:24

    Hi Jagadesh,

    ADC should be released later, until then you can create the policy manually.

    Steps similar to the following articles:
    https://community.imperva.com/blogs/sarah-lamont1/2022/08/08/manual-mitigation-for-cve-2022-27924-zimbra-collab?CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af



    ------------------------------
    Ciphertech Supports
    Security Manager
    CipherTech Co., Ltd
    Taipei
    ------------------------------

    Original Message


  • 8.  RE: JSON syntax hack allowed SQL injection payloads

    Posted 12-15-2022 03:42
    Hi,

    You can manually add the signature provided by Syed to the global object

    1. Create a new manual dictionary or use an existing one
    2. Create a signature (inside the dictionary from the previous step) with the following definition:
      • Signature name:
      • Signature pattern:
      • Protocols:
      • Search Signature in:
    3. Create a new "HTTP Protocol Signatures" policy that uses the dictionary from step 1 and apply it.


      ------------------------------
      Kun Min Kao
      Technical Support Engineer
      CipherTech Co., Ltd
      Taipei
      ------------------------------

      Original Message


    • 9.  RE: JSON syntax hack allowed SQL injection payloads

      Posted 12-16-2022 10:01
      Hi Syed

      Regarding this, is there a official anouncement that we can use with our customers. ? I found this but it's too generic about the mitigation. https://www.imperva.com/blog/abusing-json-based-sql/
      Im checked my Threatradar feeds and I have the signatures.



      Regards



      ------------------------------
      Freddy Brito
      Deploy, Support & Pre sales
      DAITEK S.A.
      Buenos Aires
      ------------------------------

      Original Message