This article is in continuation of the owasp web application security series and is intended to give insights into injection attack category. Check here for overview article.
Introduction to Injection vulnerability:
An application is vulnerable to attack when:
- Provided data is not validated by the application.
- User requested schema is not being analyzed before processing.
- Data is used within search parameters to extract additional and sensitive records.
- SQL commands are used in dynamic queries and commands.
- If user tries to use Cross-site Scripting to get some unauthorized data.
Some of the common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), Etc.
Step by step process:
Version: Cloud Console at the time of article: crt-20220510-1579
Step1:
Login to distributed cloud console and navigate to Load balancers menu, then expand “Security” section and then click on “App Firewall”
Step2:
Click “Add App Firewall” button and provide some name. Keep default options and save new firewall.
Step3:
Navigate to Manage section and select “HTTP Load Balancers” in load balancers drop-down option.
Step4:
Select 3 dots available in Action column besides your application load balancer and select “Manage Configuration”.
Step5:
In top right corner click on “Edit Configuration” button and navigate to “Security Configuration” section available on left menu.
Step6:
Disable service policies, Bot-Defense and Rate-Limiting features. In WAF config section enable App Firewall and select your firewall created in Step2. “Save and Exit” the load balancer dialog.
Step7:
Copy the load balancer domain, open a browser and open the copied domain. Validate you can access your application.
Step8:
Next in browser URL, click on Sign-in button, add SQL injection attack script “or '1'='1” in email field, some random password and click on “Confirm” button. Validate your application is still accessible and request is not blocked with message of invalid email address.
Step9:
In cloud console page navigate to “Virtual Hosts” section and then select HTTP Load Balancers. Select “Security Monitoring” link for your application load balancer.
In Dashboard validate new security events are generated with your IP and location. Navigate to the Security Events section and check the latest log request details.
Solution:
- To mitigate these injection attacks, navigate to Firewall section and in “App Firewall” configuration change “Enforcement Mode” to Blocking, keep default options in other fields and save firewall.
- Next in browser try to pass above same SQL injection attack in username field of Sign-in page, validate your request is blocked and support-id is displayed in response as below:
- In Distributed Cloud Console navigate to security events section, expand the latest requests, filter logs with your request-ID and validate you can see the request log as below:
Conclusion:
As shown above, OWASP Top 10: Injection attacks can be mitigated by configuring WAF firewall in Blocking mode thereby preventing data breaches and even application downtime.
Stay tuned for more exciting details on how F5 Distributed Cloud can protect your web applications against other OWASP top ten vulnerabilities.
