Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Is F5 WAF support JSON syntax in their SQL injection inspection process.

Go to solution
pravinmeshram
Nimbostratus
Nimbostratus

‎08-Dec-2022 22:29

Is F5 WAF support JSON syntax in their SQL injection inspection process.

Labels:
1 ACCEPTED SOLUTION

Go to solution
Amine_Kadimi
MVP
MVP

‎09-Dec-2022 01:24 - edited ‎09-Dec-2022 02:44

Json is just a way to represent data using a specific string formatting standard. In short any json is a string.

In the other hand, F5 checks string inputs against signature matches, so sql injection can be detected in any string input.

Putting this together, F5 waf can detect malicious data in json inputs.

If this is not what you are asking for, could you provide further details? 

View solution in original post

8 REPLIES 8

Go to solution
Amine_Kadimi
MVP
MVP

‎09-Dec-2022 01:24 - edited ‎09-Dec-2022 02:44

Json is just a way to represent data using a specific string formatting standard. In short any json is a string.

In the other hand, F5 checks string inputs against signature matches, so sql injection can be detected in any string input.

Putting this together, F5 waf can detect malicious data in json inputs.

If this is not what you are asking for, could you provide further details? 

Go to solution
MACTEP
Altocumulus
Altocumulus

‎11-Dec-2022 16:41

I guess, the question was related to this article
https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
which implies that F5 can't detect sql injection in any string.

Go to solution
pravinmeshram
Nimbostratus
Nimbostratus
In response to MACTEP

‎12-Dec-2022 04:32

Yes it is

0 Kudos

Go to solution
Cyber_JCCP
Nimbostratus
Nimbostratus

‎12-Dec-2022 06:08

So, Im not clear. Does F5 already provided an update to mitigate this or it is not affected by the new technique, or what?

0 Kudos

Go to solution
HPJCarlson
Nimbostratus
Nimbostratus

‎12-Dec-2022 10:43

The accepted answer does not really answer the poster was looking for, see below link, is the F5 currently susceptable to this JSON syntax attack?  

https://securityaffairs.co/wordpress/139445/hacking/web-application-firewalls-waf-bypass.html

0 Kudos

Go to solution
Amine_Kadimi
MVP
MVP
In response to HPJCarlson

‎12-Dec-2022 12:45 - edited ‎12-Dec-2022 13:53

The original question was general, so was the answer.

Attackers or researchers crafting specific attack patterns that could bypass the WAF is something not uncommon. This is why signatures updates are there for. And this is not specific to json inputs. 

 

Go to solution
chrissaint
Nimbostratus
Nimbostratus
In response to Amine_Kadimi

‎14-Dec-2022 08:36

Are you an actual support representative? Or just being combative for fun?

0 Kudos

Go to solution
Cyber_JCCP
Nimbostratus
Nimbostratus

‎14-Dec-2022 09:23

Hey guys, this might help clarify the issue on topic.

link: Original Claroty Security research post by Noam Moshe - The articule by Claroty that all news outlets refer to. At the end of the articule there is a small bit where it says that AWS and F5 already have created/updated their product to block the technique.

link: F5 SIRT acknowledgement to Noam Moshe of Claroty Research - Here are the Signature IDs created to block the technique. You can check them on the link: F5 Attack sigs Security Details page. Just copy paste the Sig IDs and you will see a bit more detail on them.

 

Hope this helps.

Copyright © 2023 Khoros, LLC