Configuring an SQL/XSS Injection Detection policy
SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, the attacker crafts HTTP requests whose parameters are concatenated into SQL statements, so that attacker-chosen SQL is executed directly against the web application's database. In an XSS attack, the attacker injects script into content that the application returns, so that a victim's web browser executes the attacker's client-side script.
In contrast to signature-based detection, the WAF SQL and XSS injection detector module detects SQL and XSS injection through lexical analysis: the request content is broken into tokens and examined for the structure of an injected SQL clause or script element rather than compared against exact attack strings. Lexical analysis complements signature-based detection and is faster.
The policy enables/disables scanpoints (the parts of the request that are analyzed), sets the action taken when the detector flags a request, and sets the severity with which the event is logged.
You can enable detection in the following scanpoints:
• SQL Injection: URI—Analyzes content in the request URI (path and query string).
• SQL Injection: Referer—Analyzes content in the HTTP Referer header.
• SQL Injection: Cookie—Analyzes content in the HTTP Cookie header.
• SQL Injection: Body—Analyzes content in the HTTP request body.
• XSS Injection: URI—Analyzes content in the request URI (path and query string).
• XSS Injection: Referer—Analyzes content in the HTTP Referer header.
• XSS Injection: Cookie—Analyzes content in the HTTP Cookie header.
• XSS Injection: Body—Analyzes content in the HTTP request body.
URI and header scanning are recommended. Body scanning has a performance cost, so you can disable it if system utilization or latency becomes an issue; be aware that parameters sent in a POST body are then not analyzed by this policy at all.
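The following Python script is an added illustration and is not FortiADC code, nor a description of the product's detector rules. It splits a raw HTTP request into the four scanpoints listed above, percent-decodes each, and runs a small token-based (lexical) check over every enabled scanpoint next to a fixed-string signature, to show why the two approaches differ on obfuscated payloads and what disabling the Body scanpoint leaves unexamined. The sample request, the payloads and the token rules are constructed for the example.

```python
"""Lexical SQL/XSS check over the four WAF scanpoints (added illustration only)."""
import re
from urllib.parse import unquote_plus

# Naive fixed-string signature, kept only for contrast: case-insensitive but
# otherwise an exact match on how one textbook payload happens to be spelled.
SIGNATURE = re.compile(r"' OR 1=1|<script>", re.IGNORECASE)

# Lexer. SQL and HTML comments are blanked first, then the text is cut into
# lexemes: a tag opener, a word/number, a quote, an operator, punctuation.
COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*|<!--.*?-->", re.DOTALL)
TOKEN = re.compile(r"<\s*/?\s*\w+|\w+|['\"`]|[=<>!]=?|[();,:]|\S")
QUOTES = {"'", '"', "`"}
SCRIPT_TAGS = {"script", "img", "svg", "iframe", "object", "embed", "body"}
EVENT_HANDLERS = {"onerror", "onload", "onclick", "onmouseover", "onfocus"}
SCANPOINTS = ("URI", "Referer", "Cookie", "Body")


def tokenize(text):
    """Blank comments, then split into lexemes; quotes become their own tokens."""
    return TOKEN.findall(COMMENT.sub(" ", text))


def looks_like_sqli(text):
    """True for a tautology (OR/AND x = x) or a UNION SELECT, regardless of
    spacing, case, comments and quoting. Only these two shapes are modelled."""
    toks = [t.upper() for t in tokenize(text) if t not in QUOTES]
    for i, t in enumerate(toks):
        if t in ("OR", "AND") and i + 3 < len(toks):
            left, op, right = toks[i + 1], toks[i + 2], toks[i + 3]
            if op == "=" and left.isalnum() and right.isalnum():
                if left == right or (left.isdigit() and right.isdigit()):
                    return True
        if t == "UNION" and i + 1 < len(toks) and toks[i + 1] in ("SELECT", "ALL"):
            return True
    return False


def looks_like_xss(text):
    """True for a script-capable tag, an inline event handler, or a
    javascript: URL, matched as tokens rather than as one exact string."""
    toks = tokenize(text)
    for i, t in enumerate(toks):
        low = t.lower()
        if low.startswith("<") and low.lstrip("</ \t\r\n") in SCRIPT_TAGS:
            return True
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if low in EVENT_HANDLERS and nxt == "=":
            return True
        if low == "javascript" and nxt == ":":
            return True
    return False


def scanpoints(raw):
    """Split a raw HTTP request into the four texts the policy can scan,
    percent-decoded (and '+' as space) the way a backend's parameter parser
    would see them."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "URI": unquote_plus(target),
        "Referer": unquote_plus(headers.get("referer", "")),
        "Cookie": unquote_plus(headers.get("cookie", "")),
        "Body": unquote_plus(body),
    }


def evaluate(raw, enabled=SCANPOINTS):
    """Per enabled scanpoint: ('sqli' | 'xss' | None from the lexer,
    whether the naive signature fired). Disabled scanpoints are skipped."""
    report = {}
    for name, text in scanpoints(raw).items():
        if name not in enabled:
            continue
        verdict = "sqli" if looks_like_sqli(text) else "xss" if looks_like_xss(text) else None
        report[name] = (verdict, bool(SIGNATURE.search(text)))
    return report


# Constructed sample request: three obfuscated textbook payloads, one benign cookie.
SAMPLE = (
    "POST /search?q=1/**/oR/**/1=1 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Referer: http://shop.example/?p=%3Csvg/onload%3Dalert(1)%3E\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&note=tea+or+coffee"
)

if __name__ == "__main__":
    for name, (verdict, sig) in evaluate(SAMPLE).items():
        print(f"{name:8} lexer={verdict or '-':5} signature={'hit' if sig else 'miss'}")
    # With Body disabled, as in the High-Level-Security preset, the injected
    # form field is simply never examined.
    print(sorted(evaluate(SAMPLE, enabled=("URI", "Referer", "Cookie"))))
```

On the sample request the signature misses all three payloads (comment-split `OR`, an `svg` handler instead of `<script>`, an `img` handler) while the lexer flags them; running with Body disabled shows that the `img` payload in the form field is then not reported at all, which is the trade-off the paragraph above describes.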
Table 59 describes the predefined policies.
Table 59: Predefined SQL injection and XSS detection policies
Predefined Rules | SQL Injection Detection | SQL Injection Action | SQL Injection Severity | XSS Detection | XSS Action | XSS Severity |
High-Level-Security | All scanpoints except Body | Deny | High | All scanpoints except Body | Deny | High |
Medium-Level-Security | URI only | Deny | High | None | Alert | Low |
Alert-Only | URI only | Alert | High | None | Alert | Low |
If desired, you can create user-defined policies.
Before you begin:
• You must have Read-Write permission for Security settings.
After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.
To configure an SQL/XSS Injection Detection policy:
1. Go to Security > Web Application Firewall.
2. Click the SQL/XSS Injection Detection tab.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 60.
5. Save the configuration.
Table 60: SQL/XSS Injection Detection configuration
Settings | Guidelines |
Name | Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. After you initially save the configuration, you cannot edit the name. |
SQL Injection Detection | Enable/disable SQL injection detection. |
Action | • Alert—Allow the traffic and log the event. • Deny—Drop the traffic, send a 403 Forbidden response to the client, and log the event. The default is Alert, but we recommend Deny for SQL injection. |
Severity | • High—Log matches as high severity events. • Medium—Log matches as medium severity events. • Low—Log matches as low severity events. The default is Low, but we recommend High or Medium. |
URI Detection | Enable/disable detection in the request URI (path and query string). |
Referer Detection | Enable/disable detection in the Referer header. |
Cookie Detection | Enable/disable detection in the Cookie header. |
Body Detection | Enable/disable detection in the HTTP request body. |
XSS Injection Detection | Enable/disable XSS injection detection. |
Action | • Alert—Allow the traffic and log the event. • Deny—Drop the traffic, send a 403 Forbidden response to the client, and log the event. The default is Alert, but we recommend Deny for XSS. |
Severity | • High—Log matches as high severity events. • Medium—Log matches as medium severity events. • Low—Log matches as low severity events. The default is Low, but we recommend High or Medium. |
URI Detection | Enable/disable detection in the request URI (path and query string). |
Referer Detection | Enable/disable detection in the Referer header. |
Cookie Detection | Enable/disable detection in the Cookie header. |
Body Detection | Enable/disable detection in the HTTP request body. |
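Once the policy is saved and referenced from a WAF profile, the check a practitioner wants is that each enabled scanpoint really enforces the configured action: a 403 for Deny, and pass-through (with a log entry) for Alert. The script below is an added example, not a FortiADC utility. It sends one textbook payload per scanpoint with every other location benign, so that a 403 can be attributed to exactly one detector. TARGET_HOST, TARGET_PORT and the /search path are placeholders, and it assumes the detector percent-decodes header and query values; adjust these for your virtual server.

```python
"""Probe each SQL/XSS scanpoint of a WAF profile (added example, not a FortiADC tool)."""
import http.client
from urllib.parse import quote

TARGET_HOST = "waf-vs.example"  # assumption: virtual server that uses the WAF profile
TARGET_PORT = 80
PATH = "/search"                # assumption: any path the backend serves
BENIGN = "widget"               # harmless value for every location not under test

PAYLOADS = {
    "sqli": "1' OR '1'='1",
    "xss": "<img src=x onerror=alert(1)>",
}
# Percent-encoded forms; the detector is assumed to decode before analysis.
ENCODED = {kind: quote(text, safe="") for kind, text in PAYLOADS.items()}


def build_probes(kind):
    """One request per scanpoint: (scanpoint, method, path, headers, body).
    The payload appears in that scanpoint only, so a block is attributable."""
    enc = ENCODED[kind]
    base = {
        "Host": TARGET_HOST,
        "Referer": f"http://{TARGET_HOST}/",
        "Cookie": f"session={BENIGN}",
    }
    uri_h = dict(base)
    ref_h = dict(base, Referer=f"http://{TARGET_HOST}/?q={enc}")
    ck_h = dict(base, Cookie=f"session={BENIGN}; pref={enc}")
    body_h = dict(base, **{"Content-Type": "application/x-www-form-urlencoded"})
    return [
        ("URI", "GET", f"{PATH}?q={enc}", uri_h, None),
        ("Referer", "GET", f"{PATH}?q={BENIGN}", ref_h, None),
        ("Cookie", "GET", f"{PATH}?q={BENIGN}", ck_h, None),
        ("Body", "POST", PATH, body_h, f"q={enc}"),
    ]


def expected_blocked(action):
    """Deny drops the request with 403; Alert lets it reach the backend."""
    return action.lower() == "deny"


def send(method, path, headers, body):
    """Issue one request and return the HTTP status code."""
    conn = http.client.HTTPConnection(TARGET_HOST, TARGET_PORT, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def verify(kind, action, enabled):
    """Return {scanpoint: (status, ok)} where ok means the observed status
    matches what the policy's action and enabled scanpoints predict."""
    results = {}
    for name, method, path, headers, body in build_probes(kind):
        status = send(method, path, headers, body)
        should_block = expected_blocked(action) and name in enabled
        ok = (status == 403) if should_block else (status != 403)
        results[name] = (status, ok)
    return results


if __name__ == "__main__":
    # Example: the High-Level-Security preset (Deny, all scanpoints except Body).
    enabled = {"URI", "Referer", "Cookie"}
    for kind in PAYLOADS:
        for sp, (status, ok) in verify(kind, action="Deny", enabled=enabled).items():
            print(f"{kind:4} {sp:8} HTTP {status}  {'OK' if ok else 'MISMATCH'}")
```

For a policy set to Alert the response alone proves nothing, since the request is allowed either way; confirm the corresponding log entry, with the severity you configured, after running the probes. A probe that is not blocked on an enabled scanpoint usually means the policy is not referenced by the WAF profile applied to that virtual server, or the payload was transformed before the detector saw it.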