ModSecurity Rules for SQL Injection

ModSecurity Rules for SQL Injection

An open-source WAF implementation using ModSecurity:

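# ModSecurity Core Rule Set (CRS) configuration
# Engine mode On (not DetectionOnly): rules with a disruptive action block traffic.
SecRuleEngine On
# Request bodies must be buffered for the phase:2 rules to see ARGS from POST data.
SecRequestBodyAccess On
# Response bodies must be buffered for the phase:4 outbound rule (id 1004), which
# inspects RESPONSE_BODY; with this Off that rule never receives any data.
SecResponseBodyAccess On
# Buffer only text-like responses, and process a partial body instead of
# rejecting the response when it exceeds the size limit.
SecResponseBodyMimeType text/plain text/html text/xml application/json
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial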

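# SQL Injection Protection Rules
# Generic SQL injection detection with libinjection (@detectSQLi) over cookies,
# cookie names, argument names, argument values and XML bodies.  Google Analytics
# __utm* cookies are excluded because their values routinely look SQL-like.
# Transformations: t:none discards any SecDefaultAction transforms, then the input
# is normalised (UTF-8 to Unicode, a second URL-decode to expose double-encoded
# payloads, NUL removal) before libinjection evaluates it.
# NOTE(review): rule 1002 applies the same operator to the same targets, so a
# single payload currently adds to both anomaly scores twice; keep one
# @detectSQLi rule, or give the other a different operator.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "@detectSQLi" \
    "id:1001,\
    phase:2,\
    block,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection Attack Detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"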

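# SQL injection via libinjection
# Same targets and operator as rule 1001.  With `capture`, the libinjection
# fingerprint is available as %{TX.0} for logging.  `multiMatch` re-runs the
# operator after each transformation instead of only on the final value.
# Transformations are listed explicitly so the rule does not depend on whatever
# SecDefaultAction sets, and so double-URL-encoded payloads are decoded.
# NOTE(review): because 1001 already runs @detectSQLi on these targets, one
# payload is scored twice; drop or repurpose one of the two rules.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "@detectSQLi" \
    "id:1002,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection libinjection',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'CRITICAL',\
    multiMatch,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"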

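# Custom rule for specific application patterns
# Regex match for database-enumeration keywords (system catalog tables, metadata
# functions such as current_user/connection_id/database()) in the three named
# search parameters.  The pattern is case-insensitive via (?i).
# t:none drops SecDefaultAction transforms; t:urlDecodeUni decodes a second
# time so double-encoded values do not slip past the regex.
# logdata and tags added so this rule's events read like the sibling SQLi rules.
SecRule ARGS:search|ARGS:filter|ARGS:query \
    "@rx (?i)(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\s.{0,40}(?:substring|ascii|user))|m(?:sys(?:(?:\.all_|ac)users|_schema)|aster\.\.sysdatabases)|c(?:onnection_id|urrent_user)|database\s?\()|table_name\b)" \
    "id:1003,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection - Database enumeration attempt',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"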

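# Outbound SQL error detection
# Phase 4 inspection of the response body for database error signatures.
# Requires `SecResponseBodyAccess On`; otherwise RESPONSE_BODY is empty and the
# rule never matches.
# Regex fixes: the previous alternation `(?:oracl|mysq)e` matched "oracle" but
# "mysqe" (never "mysql"), and the bare word `syntax` matched any page containing
# that word; `SQL syntax` is already an alternative, so the bare form is dropped.
# The remaining product names (oracle, mysql, sqlserver, PostgreSQL) are still
# broad and will flag pages that merely mention those products.
SecRule RESPONSE_BODY \
    "@rx (?i)(?:sqlserver|oracle|mysql|ORA-|SQL syntax|Microsoft SQL|PostgreSQL)" \
    "id:1004,\
    phase:4,\
    block,\
    t:none,\
    msg:'SQL Information Leakage',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'ERROR',\
    tag:'attack-disclosure',\
    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"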