Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Recently, news and research about a WAF bypass technique that uses JSON-based SQL syntax have been making the rounds on the internet.

Claroty has published its research on this topic.

https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf

The Claroty team reached out to the F5 SIRT and shared this research.

F5 promptly released attack signatures for JSON-based SQL injection back in March 2022 and documented them in K22788490: F5 SIRT Security Researcher Acknowledgement – Attack Signature Improvement.

https://support.f5.com/csp/article/K22788490

The Attack Signature IDs, the Attack Signature Update (ASU) filenames and the recommendations are documented in K000129977: BIG-IP ASM / Advanced WAF Attack Signatures for JSON-based SQL Injection, for customers looking for this information in MyF5/AskF5.

https://my.f5.com/manage/s/article/K000129977

Attack Signature ID | Name | Attack Type | Description
200102058 | New SQL-INJ expressions like "AND 1=1" (Postgres JSON) (Parameter) | SQL-Injection | SQL-Injection using Postgres JSON operators
200102059 | New SQL-INJ expressions like "AND 1=1" (Postgres JSON) (Header) | SQL-Injection | SQL-Injection using Postgres JSON operators
200102060 | New SQL-INJ expressions like "AND 1=1" (Postgres JSON) (URI) | SQL-Injection | SQL-Injection using Postgres JSON operators
200102061 | New SQL-INJ expressions like "OR 1=1" (Postgres JSON) (Parameter) | SQL-Injection | SQL-Injection using Postgres JSON operators
200102062 | New SQL-INJ expressions like "OR 1=1" (Postgres JSON) (Header) | SQL-Injection | SQL-Injection using Postgres JSON operators
200102063 | New SQL-INJ expressions like "OR 1=1" (Postgres JSON) (URI) | SQL-Injection | SQL-Injection using Postgres JSON operators

Attack Signature Update (ASU) filenames (released back in March 2022):

ASM-SignatureFile_20220315_113554.im

ASM-AttackSignatures_20220315_113554.im

These Attack Signatures for JSON-based SQL injection are part of the SQL Injection and Low Accuracy Attack Signature sets, so be sure to keep your Attack Signatures updated and include these signatures (through the Attack Signature Sets) in your BIG-IP ASM / Advanced WAF Security Policy.

In this sample BIG-IP ASM / Advanced WAF Security Policy, the SQL Injection Attack Signature Set is configured, and this will include the JSON-based SQL Injection attack signatures among others.

 

Testing the Attack Signatures

In its research, Claroty shared a sample HTTP URL carrying the JSON-based SQL injection.

Here’s a simplified sample:

http://site/?a=" OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb union select ASCII(s.token) from unnest"

The fragment [ OR '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb ] is the WAF bypass technique: the always-true condition is written with Postgres JSON operators (here the jsonb containment operator <@) instead of the classic "OR 1=1" form, so signatures written only for the classic syntax do not match it.

When a web application protected by a BIG-IP ASM / Advanced WAF Security Policy that includes the JSON-based SQL injection Attack Signatures receives a request like this, the request is rejected.

Here is a sample request done in a lab test.

 

 

Here is the detected and blocked violation:

 

The SQL-INJ expressions like "OR 1=1" (Postgres JSON) (Parameter) attack signature detected the JSON-based SQL injection.

Notice that in this exercise the sample HTTP request generated 3 occurrences of detected Attack Signatures. The other SQL injection techniques used in the same request are also detected by the configured attack signatures, so there are multiple ways for the request to be caught.

In this example, the other attack signatures were:

SQL-INJ "UNION SELECT" (Parameter)

 

SQL-INJ select ascii
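To make the bypass and the multi-signature detection above concrete, here is an added example (it is not F5 code, and the regexes are deliberately simplified stand-ins for the signature classes named in this article, not the real BIG-IP attack signatures, whose matching logic is not published). It decodes a request, scans the three contexts the signature table distinguishes (URI, Parameter, Header) and reports which illustrative rules fire. The classic "OR 1=1" rule misses the JSON-operator payload while the JSON-aware rule, "UNION SELECT" and "select ascii" all match, reproducing the three occurrences seen in the lab test. A small model of PostgreSQL's `<@` operator shows why the payload is a tautology. The function names, the `X-Filter` header and the sample request (built from the simplified URL quoted above) are constructed for the example.

```python
"""Illustrative detection of JSON-based SQL injection in an HTTP request.

Added example for this article; the regexes below are NOT F5's attack
signatures, whose matching logic is not published.
"""
import json
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample request, built from the simplified URL quoted in the article.
SAMPLE_URL = (
    "http://site/?a=\" OR '{\"b\":2}'::jsonb <@ '{\"a\":1, \"b\":2}'::jsonb "
    "union select ASCII(s.token) from unnest\""
)

# '{...}'::json or '{...}'::jsonb literal
JSON_LITERAL = r"'\{.*?\}'\s*::\s*jsonb?"

# Simplified regexes standing in for the signature classes named in the article.
RULES = [
    # Tautology as pre-JSON signatures see it: OR/AND <token> = <token>
    ('SQL-INJ expressions like "OR 1=1" / "AND 1=1" (classic)',
     re.compile(r"\b(or|and)\b\s*['\"\w]+\s*=\s*['\"\w]+", re.I)),
    # The same tautology written with Postgres JSON containment operators
    ('SQL-INJ expressions like "OR 1=1" / "AND 1=1" (Postgres JSON)',
     re.compile(r"\b(or|and)\b\s*" + JSON_LITERAL + r"\s*(<@|@>)\s*" + JSON_LITERAL,
                re.I | re.S)),
    ('SQL-INJ "UNION SELECT"', re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ('SQL-INJ select ascii', re.compile(r"\bselect\b.*?\bascii\s*\(", re.I | re.S)),
]


def normalise(value):
    """Decode once more (catches double-encoded clients) and collapse whitespace,
    roughly what a WAF does before matching signatures."""
    return re.sub(r"\s+", " ", unquote_plus(value))


def inspect_value(value):
    """Return the names of all rules matching one decoded value."""
    text = normalise(value)
    return [name for name, rx in RULES if rx.search(text)]


def inspect_request(url, headers=None):
    """Scan the three contexts the signature table distinguishes: URI (path),
    Parameter (each query value) and Header (each header value).
    Returns {context: [matched rule names]} for every context that matched;
    an empty dict means the request would pass."""
    parts = urlsplit(url)
    findings = {}
    if hits := inspect_value(parts.path):
        findings["URI"] = hits
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if hits := inspect_value(value):
            findings["Parameter:" + name] = hits
    for name, value in (headers or {}).items():
        if hits := inspect_value(value):
            findings["Header:" + name] = hits
    return findings


def jsonb_contained(left, right):
    """Python model of PostgreSQL's `left <@ right` on jsonb values, to show why
    the payload is a tautology: the attacker picks both operands, so the test is
    always true, exactly like 1=1. Simplified: Postgres' special cases for
    nested arrays are not modelled."""
    if isinstance(left, dict) and isinstance(right, dict):
        return all(k in right and jsonb_contained(v, right[k]) for k, v in left.items())
    if isinstance(right, list):
        left_items = left if isinstance(left, list) else [left]
        return all(any(jsonb_contained(l, r) for r in right) for l in left_items)
    return left == right


if __name__ == "__main__":
    for ctx, hits in inspect_request(SAMPLE_URL).items():
        print(ctx)
        for name in hits:
            print("   ", name)
    print("'{\"b\":2}' <@ '{\"a\":1, \"b\":2}' ->",
          jsonb_contained(json.loads('{"b":2}'), json.loads('{"a":1, "b":2}')))
```

Running the script on the sample request reports only the Parameter context, with the JSON-aware rule, the UNION SELECT rule and the select ascii rule matched; the classic rule stays silent, which is the whole point of the bypass. The same scan over a double-encoded classic payload or a JSON payload placed in a header shows why the signatures exist in Parameter, Header and URI variants.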

Conclusion

Use supported BIG-IP software versions that have not yet reached End of Software Development (EoSD), as these versions receive attack signature updates.

From K5903: BIG-IP software support policy

BIG-IP ASM attack signature files are updated for major releases until the release reaches its EoSD milestone.

BIG-IP ASM attack signature files are updated for maintenance releases until the associated Long-Term Stability Release reaches its EoSD milestone.

Keep your Attack Signatures updated to receive new attack signatures, and take note of the Signature Staging behaviour.

From K82512024: Managing BIG-IP ASM Live Updates (14.1.x and later)

When attack signatures are updated, new signatures are placed in staging (non-blocking) while updated signatures are enforced according to the Updated Signature Enforcement setting. Unchanged attack signatures remain in the configured mode.

Review the Attack Signature sets configured on your BIG-IP ASM / Advanced WAF Security Policy. New Attack Signatures are assigned to Attack Signature sets; thus, it is important that the intended sets are configured on your security policy.

For example, the attack signature "SQL-INJ expressions like "OR 1=1" (Postgres JSON) (Parameter)" detected in the lab test is part of the SQL Injection and Low Accuracy Attack Signature Sets. Either attack signature set needs to be assigned to the security policy for these JSON-based SQL injection signatures to be enabled and to block matched requests.

 

Depending on the contents of the HTTP request, multiple attack signatures may be matched – as seen on the violations generated for the sample request. 

Published Dec 16, 2022
Version 1.0
  • Update:

    The attack signatures have been reclassified as Medium Accuracy in the 29 Dec 2022 Attack Signature update and are now part of the Medium Accuracy attack signature set. The signatures are still part of the SQL Injection Attack Signature set.

    [Figures: "OR" POSTGRE JSON attack signature; "AND" POSTGRE JSON attack signature; POSTGRE JSON SQL Injection Attack Signature]