AWS F5 Managed WAF rules not blocking simple SQL injection

Altocumulus

Sep 30, 2019

AWS support advised us to contact the F5 Support. According to them the issue is coming fromt F5's rules. To be honest, it makes a lot of sense.

Can we have any support please ?

-------------------------------------------------

Here is the response from AWS:

"I am really surprised that both these F5 Rules are not blocking a basic SQLi attack. However, I am glad that you have conducted this vulnerability assessment before deploying the managed rules in production. If the managed rules have not passed the vulnerability assessment, I would recommend not using them in production.

Just as an additional check of the SQLi query string, I conducted a simulation of the SQLi attack using the AWS WAF Security Automations template [1][2]. This is a solution that automatically deploys a WAF solution with preconfigured rules for the most common attacks.

Using the same query string that you provided me, the SQLi attack was also blocked by the automatically generated AWS WAF rules. This collaborates your observation that the Fortinet Managed Rules for AWS WAF - API Gateway is also able to block the SQLi attack.

Given that the other two solution are able to block the same attack while the F5 Rules are not able to block the attack, I can only conclude that there is a something wrong with the F5 Rules, and I would recommend contacting F5 support with this information and request that they investigate both of these rules. If I had some visibility into the F5 rules, I would have done some further investigation, however, the rules are protected and only F5 can see what each rule in the rulegroup is doing.

I hope that this information has been helpful and I wish I could investigate the F5 rules further, however, these are 3rd party managed rules that I do not have access to investigate.

If you have any queries or require further information, please do not hesitate to contact me and I will be very happy to assist you.

Have a pleasant day.

References:

[1] AWS WAF Security Automations - https://aws.amazon.com/solutions/aws-waf-security-automations/

[2] Automated Deployment - https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html "

Forum Discussion

AWS F5 Managed WAF rules not blocking simple SQL injection

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

iRules

Is there a way to export BigIP Analytics http captured transactions?

F5 is not providing any console/Web Access.Software is corrupted. How to clean install its firmware?

About perpetual license expiry In WAF

How to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute value

Related Content

Automating Certificate Management on F5 BIG-IP

Mitigating OWASP Web Application Risk: Injection exploits using F5 BIG-IP

WAF evasion techniques for Command Injection

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection

Automating ACMEv2 Certificate Management on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS