Hello All,
On-Prem customers that have the "SecureSphere Emergency Feed" (THR feeds) are protected OOTB.
To verify that the protection is implemented,
please verify that the signatures below exist.
Signature 1:
Signature Name:
SQL Injection using json operator 1
Signature Pattern:
part="array", rgxp="['\"`]\sor[\s\S]{1,50}(\{['\"][\s\S]{1,50}['\"]\:[\s\S]{1,50}\})[\s\S]{1,20}(\?\||\?\&)\sarray(\[(?:\'?[\s\S]{1,50}\'?)\]\s?)(?:;|--|\#|$)"
Protocols:
http/s
Search Signature in:
Urls and Parameters
Signature 2:
Signature Name:
SQL Injection using json operator 2
Signature Pattern:
part="json",rgxp="['\"`]\sor[\s\S]{1,50}\'(\[(?:\'?[\s\S]{1,50}\'?)\]\s?)\'\:\:jsonb?[\s\S]{0,50}(?:->>)[\s\S]{1,50}(?:;|--|\#|$)"
Protocols:
http/s
Search Signature in:
Urls and Parameters
Signature 3:
Signature Name:
SQL Injection using json operator 3
Signature Pattern:
part="array", part="json", rgxp="['\"`]\sor[\s\S]{1,50}\:\:jsonb?\s\|\|[\s\S]{1,50}\:\:jsonb?[\s\S]{1,50}(?:--|#|\$|;)"
Protocols:
http/s
Search Signature in:
Urls and Parameters
Signature 4:
Signature Name:
SQL Injection using json operator 4
Signature Pattern:
part="\x7d\x27 ?", rgxp="^.{0,100}['\"`][\s\S]{1,50}(\{['\"][\s\S]{1,50}['\"]\:[\s\S]{1,50}\})[\s\S]{1,20}(\?)\s\'[\s\S]{1,50}\'\s(?:;|--|\#|$)"
Protocols:
http/s
Search Signature in:
Urls and Parameters
------------------------------
Syed Noor Fazal
Product Support Engineer
------------------------------
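To check the four patterns above against concrete input before relying on them, here is an added Python harness. It is not part of the original post or of the vendor's product; it compiles the four regexes exactly as quoted in the reply and runs them over a handful of constructed payloads and one URL-encoded query string. Two assumptions that the post does not state: the `part=` literal is treated as a required substring pre-filter (any one of the listed literals must occur in the value before the regex is evaluated), and matching is case-insensitive. The sample payloads and the `SAMPLES`, `ENCODED_QUERY`, `matching_signatures` and `scan_query_string` names are mine.

```python
import re
from urllib.parse import parse_qs

# The four "SQL Injection using json operator" signatures quoted in the post,
# copied as-is. ASSUMPTION (not stated in the post): the part= literals are a
# cheap pre-filter, i.e. at least one must occur in the value before the regex
# runs, and matching is case-insensitive.
SIGNATURES = {
    "SQL Injection using json operator 1": (
        ["array"],
        r"['\"`]\sor[\s\S]{1,50}(\{['\"][\s\S]{1,50}['\"]\:[\s\S]{1,50}\})[\s\S]{1,20}(\?\||\?\&)\sarray(\[(?:\'?[\s\S]{1,50}\'?)\]\s?)(?:;|--|\#|$)",
    ),
    "SQL Injection using json operator 2": (
        ["json"],
        r"['\"`]\sor[\s\S]{1,50}\'(\[(?:\'?[\s\S]{1,50}\'?)\]\s?)\'\:\:jsonb?[\s\S]{0,50}(?:->>)[\s\S]{1,50}(?:;|--|\#|$)",
    ),
    "SQL Injection using json operator 3": (
        ["array", "json"],
        r"['\"`]\sor[\s\S]{1,50}\:\:jsonb?\s\|\|[\s\S]{1,50}\:\:jsonb?[\s\S]{1,50}(?:--|#|\$|;)",
    ),
    "SQL Injection using json operator 4": (
        # The post writes this literal as \x7d\x27 ?, i.e. the four characters  }' ?
        ["\x7d\x27 ?"],
        r"^.{0,100}['\"`][\s\S]{1,50}(\{['\"][\s\S]{1,50}['\"]\:[\s\S]{1,50}\})[\s\S]{1,20}(\?)\s\'[\s\S]{1,50}\'\s(?:;|--|\#|$)",
    ),
}

COMPILED = {
    name: (parts, re.compile(rgxp, re.IGNORECASE))
    for name, (parts, rgxp) in SIGNATURES.items()
}


def matching_signatures(value: str) -> list[str]:
    """Return the names of the signatures whose pattern matches one decoded value."""
    hits = []
    lowered = value.lower()
    for name, (parts, rgxp) in COMPILED.items():
        if not any(p.lower() in lowered for p in parts):
            continue  # pre-filter literal absent, skip the (costlier) regex
        if rgxp.search(value):
            hits.append(name)
    return hits


def scan_query_string(query_string: str) -> dict[str, list[str]]:
    """Percent-decode a query string and scan every parameter value.

    The post scopes the signatures to "Urls and Parameters", so the check has
    to run on the decoded value, not on the raw wire bytes.
    Returns {parameter_name: [matching signature names]} for parameters with hits.
    """
    findings: dict[str, list[str]] = {}
    for key, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            hits = matching_signatures(value)
            if hits:
                findings.setdefault(key, []).extend(hits)
    return findings


# Constructed sample values (made up for this harness, not captured traffic).
SAMPLES = {
    "benign id": "1",
    "benign json body": '{"name":"alice"}',
    "plain tautology (outside these four signatures)": "' or 1=1 --",
    "?| operator on array": "' or '{\"a\":1}' ?| array['a'] --",
    "->> on jsonb cast": "' or '[\"a\"]'::jsonb->>0 = 'a' --",
    "|| between jsonb casts": "' or '{\"a\":1}'::jsonb || '{\"b\":2}'::jsonb = '{\"a\":1,\"b\":2}' --",
    "? key-exists operator": "' or '{\"a\":1}' ? 'a' --",
}

# The "?| operator on array" sample as it would appear URL-encoded in a query string.
ENCODED_QUERY = "id=1&q=%27+or+%27%7B%22a%22%3A1%7D%27+%3F%7C+array%5B%27a%27%5D+--"

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:48s} -> {matching_signatures(value) or 'no match'}")
    print("query string:", scan_query_string(ENCODED_QUERY))
```

One detail worth noticing while reading the patterns side by side: signatures 1, 2 and 4 end in `(?:;|--|\#|$)`, where the unescaped `$` is an end-of-input anchor, whereas signature 3 ends in `(?:--|#|\$|;)`, where `\$` is a literal dollar sign. A value that simply ends after the second `::jsonb` cast therefore needs one of `--`, `#`, `$` or `;` to actually be present for signature 3 to fire, while the other three also accept end of input as the terminator.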
Original Message:
Sent: 12-13-2022 10:02
From: Jonathan Grant
Subject: JSON syntax hack allowed SQL injection payloads
Hello and good day. Does anyone know in what version of the on-prem WAF JSON support was added? I would like to verify that the version we are running includes the JSON support that would prevent the JSON bypass recently disclosed. Thank you.
Jonathan
------------------------------
Jonathan Grant
Sr. Staff IT Security Engineer
Qualcomm Incorporated
San Diego CA
Original Message:
Sent: 12-12-2022 02:30
From: Henry Zhu
Subject: JSON syntax hack allowed SQL injection payloads
Hi,
Please refer to the article: https://www.imperva.com/blog/abusing-json-based-sql/
------------------------------
Henry Zhu
Technical Engineer
CipherTech Co., Ltd
Taipei
Original Message:
Sent: 12-10-2022 01:18
From: Rajesh Kanna
Subject: JSON syntax hack allowed SQL injection payloads
Hello everyone,
Hope you're all doing well.
We have recently read about the "JSON syntax hack allowed SQL injection payloads". Has this attack been covered by the on-premises and cloud WAF?
Thanks in advance,
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Rajesh Kanna
Senior Associate Technical- Network Security
Value Point Techsol Private Ltd.
Bangalore
------------------------------