22-Dec-2021 03:22
Hi there, if we do a Postman POST request to our API with the following body in the request:
{
"link": {
"$ne": null
}
}
the request passes using the mentioned rules.
How can we solve it?
Thanks and have a nice day.
Solved! Go to Solution.
13-Jan-2022 16:44
Hi Oscar77,
OWASP ruleset has been updated with all our recent NoSQL signatures, covering the example mentioned above and more. Please test again with latest ruleset and let us know the result
Thanks
19-Jan-2022 23:54
Hi,
The types of NoSQL injection signatures we have are all the popular operands, similar to $gt which stands for "greater than" and $lt for "less than". We cannot list all the different operands we're searching for due to security concerns.
Thanks
23-Dec-2021 06:54
Is there another way to obtain "official" support?
We need to fix this, please.
30-Dec-2021 23:35
Nobody helps?
01-Jan-2022 19:04
Hi,
Please send us the full details of the attack test that was not blocked, including sample request. We will analyze the attack test against F5 rule sets to determine the root cause and proposed solution.
Thanks
03-Jan-2022 00:42 - last edited on 21-Nov-2022 11:58 by dcapiuser
curl --location --request POST 'URL' \
--header 'token: TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"link": {
"$gt": null
}
}'
This is my backend response when running curl:
{"error":"NoSqlInjectionError","message":"Invalid request","code":0}
But in AWS Insights we can see that the WAF does not stop the request; see the >>>> ALLOW <<<<
Field: Value
@ingestionTime: 1641197043827
@log: AWSACCOUNT:LOG
@logStream: LOGSTREAM
@message: message
@timestamp: 1641196768228
action: >>>> ALLOW <<<<
formatVersion: 1
httpRequest.clientIp: XXX.XXX.XXX.XXX
httpRequest.country: ES
httpRequest.headers.0.name: host
httpRequest.headers.0.value: XXX.XXX.XX
httpRequest.headers.1.name: user-agent
httpRequest.headers.1.value: curl/7.77.0
httpRequest.headers.2.name: accept
httpRequest.headers.2.value: */*
httpRequest.headers.3.name: HEADER
httpRequest.headers.3.value: TOKENVALUE
httpRequest.headers.4.name: content-type
httpRequest.headers.4.value: application/json
httpRequest.headers.5.name: content-length
httpRequest.headers.5.value: 51
httpRequest.httpMethod: POST
httpRequest.httpVersion: HTTP/2.0
httpRequest.requestId: REQUEST_ID
httpRequest.uri: URI
httpSourceId: ALB
httpSourceName: ALB
ruleGroupList.0.ruleGroupId: F5#OWASP_Managed
ruleGroupList.1.ruleGroupId: F5#Bots_Managed
ruleGroupList.2.ruleGroupId: AWS#AWSManagedRulesAmazonIpReputationList
terminatingRuleId: Default_Action
terminatingRuleType: REGULAR
timestamp: 1641196768228
webaclId: WEBACL
If you need more info, just tell us, please. Thanks for your response; I wish you a nice day.
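The `{"$ne": null}` body in the opening post and the `{"$gt": null}` body in the curl above are the same attack: a JSON object is sent where the backend expects a string, and if that object is passed straight into a MongoDB filter the `$ne`/`$gt` key becomes a query operator that matches (almost) every document. The following is an added example, not the poster's backend and not F5's signature logic; it shows the vulnerable filter construction beside the application-side check that rejects such bodies whatever the WAF decides. The function names (`buildLinkFilterVulnerable`, `buildLinkFilterSafe`, `findOperatorKeys`, `handleRequest`) and the sample link value are assumptions for illustration; the error shape mirrors the backend response quoted in the thread.

```javascript
// Added example (not from the thread): how the posted payloads reach a MongoDB
// filter, and the application-side check that rejects them regardless of what
// the WAF allows. All function names here are illustrative assumptions.

// The two bodies from the thread, plus a benign one (constructed sample data).
const PAYLOAD_NE = { link: { $ne: null } };
const PAYLOAD_GT = { link: { $gt: null } };
const PAYLOAD_OK = { link: "https://example.test/abc" };

// Vulnerable pattern: whatever the client sent for "link" becomes the filter.
// With PAYLOAD_NE the filter is { link: { $ne: null } }, which matches every
// document whose link field is present and not null, so a "find this one
// link" lookup silently becomes "return the first record in the collection".
function buildLinkFilterVulnerable(body) {
  return { link: body.link };
}

// Walk a parsed JSON value and report every key MongoDB could interpret as a
// query operator ($-prefixed) or as a field path (contains a dot).
// Returns the list of offending JSON paths; an empty list means the body is clean.
function findOperatorKeys(value, path = "$", out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findOperatorKeys(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (key.startsWith("$") || key.includes(".")) {
        out.push(`${path}.${key}`);
      }
      findOperatorKeys(value[key], `${path}.${key}`, out);
    }
  }
  return out;
}

// Error type whose JSON form matches the backend response quoted in the thread.
class NoSqlInjectionError extends Error {
  constructor(message = "Invalid request") {
    super(message);
    this.name = "NoSqlInjectionError";
    this.code = 0;
  }
  toResponse() {
    return { error: this.name, message: this.message, code: this.code };
  }
}

// Hardened pattern: reject operator keys anywhere in the body, then insist that
// the field we query by is a non-empty string. The positive type check is the
// real fix; the operator scan is defence in depth and a useful audit signal.
function buildLinkFilterSafe(body) {
  if (findOperatorKeys(body).length > 0) {
    throw new NoSqlInjectionError();
  }
  if (typeof body.link !== "string" || body.link.length === 0) {
    throw new NoSqlInjectionError();
  }
  // Server-constructed $eq: a later refactor cannot turn this into an operator
  // injection because the client value can only ever be a string here.
  return { link: { $eq: body.link } };
}

// Mirrors a request handler: either the filter to run, or the 400 JSON body.
function handleRequest(body) {
  try {
    return { status: 200, filter: buildLinkFilterSafe(body) };
  } catch (err) {
    if (err instanceof NoSqlInjectionError) {
      return { status: 400, body: err.toResponse() };
    }
    throw err;
  }
}

// Stand-alone demo: the vulnerable filter for the $gt payload, and what the
// hardened handler returns for each of the three bodies.
console.log(JSON.stringify(buildLinkFilterVulnerable(PAYLOAD_GT)));
for (const body of [PAYLOAD_NE, PAYLOAD_GT, PAYLOAD_OK]) {
  console.log(JSON.stringify(handleRequest(body)));
}
```

The check is structural rather than textual on purpose: a WAF signature has to spot `"$ne"` or `"$gt"` in the raw body and cannot know which operators exist in a given driver version, whereas the application knows that `link` must be a string and can reject anything else. Keep both layers: the WAF rule catches it at the edge and gives you a log entry, the type check makes the query safe even when the edge lets it through, as happened in the log above.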
10-Jan-2022 00:27
Any advance on this?
12-Jan-2022 04:00
Hi,
We are thinking about stopping the use of F5 rules in all of our multiple environments, because we are worried about the slow support from F5. It is a pity, because we loved using it, but it is useless if we cannot obtain support when we need it.
12-Jan-2022 04:40
Hi Oscar77,
Sorry for the late reply. I am working with the backend team. I will update ASAP.
Thanks
17-Jan-2022 02:58
Seems to be working. Really, thanks.
It would be nice if we could know what types of attacks these new NoSQL rules can recognize, please.
Awaiting your response, and thanks again for the help.