Forum Discussion
F5 OWASP Top Ten Rules, no working NoSQL Injection properly
Hi there, if we do a Postman POST request to our API with the following body in the request:

```json
{
  "link": {
    "$ne": null
  }
}
```
The request is passing using the mentioned rules.
How can we solve it?
Thanks and have a nice day.
- Oscar77 (Nimbostratus)
Is there another way to obtain "official" support?
We need to fix this, please.
- Oscar77 (Nimbostratus)
Nobody helps?
- Mohamedfaizur (Employee)
Hi,
Please send us the full details of the attack test that was not blocked, including sample request. We will analyze the attack test against F5 rule sets to determine the root cause and proposed solution.
Thanks
- Oscar77 (Nimbostratus)

```shell
curl --location --request POST 'URL' \
  --header 'token: TOKEN' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "link": { "$gt": null } }'
```

This is my backend response when running curl:

```json
{"error":"NoSqlInjectionError","message":"Invalid request","code":0}
```

But in AWS Insights we can see the WAF cannot stop the request; see the >>>> ALLOW <<<< in the action field:

| Field | Value |
| --- | --- |
| @ingestionTime | 1641197043827 |
| @log | AWSACCOUNT:LOG |
| @logStream | LOGSTREAM |
| @message | message |
| @timestamp | 1641196768228 |
| action | >>>> ALLOW <<<< |
| formatVersion | 1 |
| httpRequest.clientIp | XXX.XXX.XXX.XXX |
| httpRequest.country | ES |
| httpRequest.headers.0.name | host |
| httpRequest.headers.0.value | XXX.XXX.XX |
| httpRequest.headers.1.name | user-agent |
| httpRequest.headers.1.value | curl/7.77.0 |
| httpRequest.headers.2.name | accept |
| httpRequest.headers.2.value | */* |
| httpRequest.headers.3.name | HEADER |
| httpRequest.headers.3.value | TOKENVALUE |
| httpRequest.headers.4.name | content-type |
| httpRequest.headers.4.value | application/json |
| httpRequest.headers.5.name | content-length |
| httpRequest.headers.5.value | 51 |
| httpRequest.httpMethod | POST |
| httpRequest.httpVersion | HTTP/2.0 |
| httpRequest.requestId | REQUEST_ID |
| httpRequest.uri | URI |
| httpSourceId | ALB |
| httpSourceName | ALB |
| ruleGroupList.0.ruleGroupId | F5#OWASP_Managed |
| ruleGroupList.1.ruleGroupId | F5#Bots_Managed |
| ruleGroupList.2.ruleGroupId | AWS#AWSManagedRulesAmazonIpReputationList |
| terminatingRuleId | Default_Action |
| terminatingRuleType | REGULAR |
| timestamp | 1641196768228 |
| webaclId | WEBACL |

If you need more info, just tell us please. Thanks for your response, I wish you a nice day.
- Oscar77 (Nimbostratus)
Any advance on this?
- Oscar77 (Nimbostratus)
Hi,
We are thinking about stopping the use of F5 rules in all of our multiple environments, because we are worried about the slow support from F5. It is a pity because we loved using it, but it is useless if we cannot obtain support when we need it.
- Mohamedfaizur (Employee)
Hi Oscar77,
Sorry for the late reply. I am working with the backend team. I will update ASAP.
Thanks
- Mohamedfaizur (Employee)
Hi Oscar77,
OWASP ruleset has been updated with all our recent NoSQL signatures, covering the example mentioned above and more. Please test again with the latest ruleset and let us know the result.
Thanks
- Oscar77 (Nimbostratus)
Seems to be working. Really, thanks.
It would be nice if we could know what types of attacks these new NoSQL rules can recognize, please.
Awaiting your response, and thanks again for the help.
- Mohamedfaizur (Employee)
Hi,
The types of NoSQL injection signatures we have are all the popular operands, similar to $gt which stands for "greater than" and $lt for "less than". We cannot list all the different operands we're searching for due to security concerns.
Thanks
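An added example, not code from the thread or from F5's ruleset: a backend-side check in JavaScript that walks a parsed JSON body and reports every key that starts with `$`, so a payload such as `{"link": {"$ne": null}}` or `{"link": {"$gt": null}}` is rejected by the application itself even when a WAF signature lets it through. The function names and the sample bodies are hypothetical; the error object only mirrors the shape of the response shown in the thread.

```javascript
// Added example: server-side detection of MongoDB operator injection in a
// parsed JSON request body. Function names are hypothetical.
// A WAF signature list (as discussed in the thread) is one layer; the app
// should also refuse operator keys itself, so a signature gap cannot turn
// user input into query logic.

// Recursively collect JSON paths whose key begins with "$" (an operator such
// as $ne, $gt, $lt, $regex, $where) or contains "." (field-path traversal).
function findOperatorKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findOperatorKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith("$") || key.includes(".")) found.push(here);
      findOperatorKeys(value[key], here, found);
    }
  }
  return found;
}

// Returns null when the body is clean, otherwise an error object shaped like
// the backend response in the thread. "keys" is for server-side logging and
// should be stripped before the object is sent to the client.
function checkBody(body) {
  const hits = findOperatorKeys(body);
  if (hits.length === 0) return null;
  return { error: "NoSqlInjectionError", message: "Invalid request", code: 0, keys: hits };
}

// Constructed sample bodies: the thread's two payloads, a nested variant
// hidden inside an array, and a benign request.
const samples = {
  ne: { link: { $ne: null } },
  gt: { link: { $gt: null } },
  nested: { filter: { items: [{ name: "x" }, { price: { $lt: 0 } }] } },
  benign: { link: "https://example.invalid/page" },
};

for (const [name, body] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkBody(body)));
}
```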