False Positive Triggering SQL Injection Rule on Simple HTML Page #36

Closed

milanve-afk opened this issue Jan 22, 2025 · 1 comment

@milanve-afk

Describe the bug
The SQL Injection detection rule (sql-injection-attacks) is being triggered erroneously when accessing a simple HTML page containing only a few lines of plain HTML. No SQL keywords, suspicious patterns, or malicious inputs are present in the request or response. This results in a 403 Forbidden response from the WAF, despite the request being entirely benign.

To Reproduce
Steps to reproduce the behavior:
Code sample used was this:

```html
<title>Test Page</title>

Welcome to the Test Page

This is a simple page for testing.
```

and the rules were the default ones from rules.json.

Expected behavior
The WAF should not trigger the sql-injection-attacks rule for harmless HTML pages with no SQL-related patterns or suspicious content. The page should load successfully with a 200 OK response.

Screenshots
```json
{
  "level": "warn",
  "ts": 1737119537.976,
  "msg": "Request blocked",
  "source_ip": "myip:55393",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
  "request_method": "GET",
  "request_path": "/favicon.ico",
  "query_params": "",
  "status_code": 403,
  "timestamp": "2025/01/22 08:22:17.079",
  "reason": "Anomaly threshold exceeded",
  "rule_id": "sql-injection-attacks",
  "matched_value": "Connection: keep-alive; User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36; Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8; Accept-Encoding: gzip, deflate; Accept-Language: en-GB,en-US;q=0.9,en;q=0.8",
  "total_score": 10,
  "anomaly_threshold": 5,
  "log_id": "d0906951-d242-4194-af9c-d18756bb9981"
}
```

Desktop (please complete the following information):

  • OS: MacOS
  • Browser: Chrome

Additional context
Once the sql-injection-attacks rule is deleted, the XSS rule is triggered, and so on.
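The log line above is the useful artefact here: `matched_value` is the whole header block of a favicon request, and one rule alone pushed `total_score` to 10 against an `anomaly_threshold` of 5. That pattern (a regex meant for query strings being run over concatenated headers, where a browser User-Agent contains the word `like` and an Accept header contains `image/*,*/*`) is the classic source of SQL-injection false positives in scoring WAFs. The following Go program is an added illustration written for this page, not code from the project or from rules.json, whose actual patterns are not shown here; the rule shapes, the `>` threshold comparison and the choice of Go are assumptions. It replays the headers from the log through a deliberately broad rule pair and a tightened pair and reports the score and the exact fragment each rule fired on.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Rule is a hypothetical scoring WAF rule: a regex run over a request
// section, adding Score to the request's anomaly total when it matches.
// The shape mirrors the fields in the issue's log line (rule_id,
// matched_value, total_score, anomaly_threshold); the real rules.json
// format is not on the page, so this is an assumption.
type Rule struct {
	ID      string
	Pattern *regexp.Regexp
	Score   int
}

// Hit records which rule fired and the fragment it matched on.
type Hit struct {
	RuleID   string
	Fragment string
}

// Constructed sample: the headers reported in the log's matched_value,
// split back into name/value pairs.
var benignHeaders = map[string]string{
	"Connection":      "keep-alive",
	"User-Agent":      "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
	"Accept":          "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8",
	"Accept-Encoding": "gzip, deflate",
	"Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8",
}

// FlattenHeaders joins headers into the "Name: value; Name: value" form
// seen in the log, in sorted order so the result is deterministic.
func FlattenHeaders(h map[string]string) string {
	names := make([]string, 0, len(h))
	for n := range h {
		names = append(names, n)
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, n := range names {
		parts = append(parts, n+": "+h[n])
	}
	return strings.Join(parts, "; ")
}

// BroadRules are hypothetical patterns of the kind that produce this
// false positive: bare SQL keywords, and an unanchored /* ... */ comment
// that also matches the MIME wildcard sequence "image/*,*/*".
var BroadRules = []Rule{
	{"sqli-keyword (broad)", regexp.MustCompile(`(?i)\b(select|union|insert|update|delete|drop|or|and|like)\b`), 5},
	{"sqli-comment (broad)", regexp.MustCompile(`/\*.*\*/`), 5},
}

// TightRules require SQL syntax around the keyword, and a comment opener
// that is not glued to a preceding token such as a MIME type.
var TightRules = []Rule{
	{"sqli-keyword (tight)", regexp.MustCompile(`(?i)(union\s+(all\s+)?select\b|\bselect\b[\s\S]+\bfrom\b|'\s*(or|and)\s+\S+\s*=|;\s*(drop|delete|insert)\s+)`), 5},
	{"sqli-comment (tight)", regexp.MustCompile(`(?:^|[\s('=;,])/\*[\s\S]*?\*/|--\s`), 5},
}

// Evaluate runs every rule over input and returns the anomaly score and
// the fragments that fired; logging the fragment rather than the whole
// header block is what makes a false positive diagnosable.
func Evaluate(rules []Rule, input string) (int, []Hit) {
	score := 0
	var hits []Hit
	for _, r := range rules {
		if loc := r.Pattern.FindStringIndex(input); loc != nil {
			score += r.Score
			hits = append(hits, Hit{r.ID, input[loc[0]:loc[1]]})
		}
	}
	return score, hits
}

// Blocked applies the "anomaly threshold exceeded" decision from the log.
func Blocked(score, threshold int) bool { return score > threshold }

func main() {
	const threshold = 5
	input := FlattenHeaders(benignHeaders)
	for _, set := range []struct {
		name  string
		rules []Rule
	}{{"broad", BroadRules}, {"tight", TightRules}} {
		score, hits := Evaluate(set.rules, input)
		fmt.Printf("%s rules: score=%d blocked=%v\n", set.name, score, Blocked(score, threshold))
		for _, h := range hits {
			fmt.Printf("  %s matched %q\n", h.RuleID, h.Fragment)
		}
	}
}
```

Run against the headers from the log, the broad pair fires on `like` (from `KHTML, like Gecko`) and on `/*,*/` (from `image/*,*/*`), giving exactly the score-10-over-threshold-5 block the issue reports, while the tightened pair scores 0 on the same input and still fires on a textbook `' OR 1=1 -- ` payload. The general lesson for any rule set is to keep a corpus of benign browser requests (favicon fetches included) and run every rule change through it before deploying, and to log the matched fragment rather than the whole section.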

@fabriziosalmi
Owner

At the moment the best approach I found quickly is to consolidate the SQL injection rules, fixing that false positive; I already pushed the code.
