Web Application Firewall Configuration
Web Application Firewall Configuration
Modern WAFs provide sophisticated SQL injection detection and prevention; they are a defence-in-depth layer in front of parameterized queries and input validation, not a replacement for them:
// AWS WAF configuration using CDK
import * as waf from '@aws-cdk/aws-wafv2';
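export class WAFStack extends cdk.Stack {
  /**
   * Builds a CloudFront-scoped Web ACL with three rules, in priority order:
   * the AWS managed SQLi rule group, a custom SQL-pattern rule on the request
   * body, and a per-IP rate limit. The default action allows everything the
   * rules do not block.
   *
   * NOTE(review): `cdk` and `Construct` are referenced but not imported in
   * this listing; with the `@aws-cdk/aws-wafv2` (CDK v1) import used here
   * they come from `@aws-cdk/core`. A web ACL with `scope: 'CLOUDFRONT'`
   * must be deployed in us-east-1.
   *
   * @param scope parent construct
   * @param id logical id of the stack
   * @param props optional stack properties passed through to `cdk.Stack`
   */
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // All rules share the same visibility settings and differ only by metric.
    const visibility = (
      metricName: string,
    ): waf.CfnWebACL.VisibilityConfigProperty => ({
      sampledRequestsEnabled: true,
      cloudWatchMetricsEnabled: true,
      metricName,
    });

    // 1) AWS managed SQLi rule group.
    // A managedRuleGroupStatement cannot be nested inside an orStatement, and a
    // rule that references a rule group must use overrideAction rather than
    // action, so the managed group gets a rule of its own instead of being
    // OR-ed with the custom regex.
    const managedSqliRule: waf.CfnWebACL.RuleProperty = {
      name: 'AWSManagedRulesSQLiRuleSet',
      priority: 1,
      statement: {
        managedRuleGroupStatement: {
          vendorName: 'AWS',
          name: 'AWSManagedRulesSQLiRuleSet',
        },
      },
      // `none` keeps the block/count actions defined by the managed group.
      overrideAction: { none: {} },
      visibilityConfig: visibility('AWSManagedRulesSQLiRuleSet'),
    };

    // 2) Custom SQL-pattern rule on the request body.
    // Transformations run in priority order: decode first so %-encoded and
    // entity-encoded payloads are normalised, then LOWERCASE. Because the text
    // is lowercased before matching, the pattern must be lowercase too —
    // uppercase keywords (SELECT, UNION, ...) would never match the transformed
    // text and only the symbol alternatives would ever fire.
    const textTransformations: waf.CfnWebACL.TextTransformationProperty[] = [
      { priority: 0, type: 'URL_DECODE' },
      { priority: 1, type: 'HTML_ENTITY_DECODE' },
      { priority: 2, type: 'LOWERCASE' },
    ];
    const sqlInjectionRuleSet: waf.CfnWebACL.RuleProperty = {
      name: 'SQLInjectionProtection',
      priority: 2,
      statement: {
        regexMatchStatement: {
          // NOTE(review): the bare `#` and `@` alternatives match any body that
          // carries an e-mail address or a URL fragment, so this rule will
          // produce false positives on ordinary form posts; consider running it
          // with `action: { count: {} }` until the pattern has been tuned.
          regexString: String.raw`(\b(select|insert|update|delete|drop|union|alter|create)\b[\s\S]*?(from|into|where|table|database))|(--|#|\/\*|\*\/|@@|@)`,
          // AWS WAF inspects only a size-limited prefix of the body; this
          // assumes the limit is acceptable and no oversize handling is needed.
          fieldToMatch: { body: {} },
          textTransformations,
        },
      },
      action: { block: {} },
      visibilityConfig: visibility('SQLInjectionRule'),
    };

    // 3) Per-source-IP rate limit against automated abuse. AWS WAF applies the
    // limit over its rate-evaluation window (5 minutes by default), so 2000
    // is roughly 6-7 requests per second from a single address.
    const rateLimitRule: waf.CfnWebACL.RuleProperty = {
      name: 'RateLimitRule',
      priority: 3,
      statement: {
        rateBasedStatement: {
          limit: 2000,
          aggregateKeyType: 'IP',
        },
      },
      action: { block: {} },
      visibilityConfig: visibility('RateLimitRule'),
    };

    // Rule priorities must be unique; lower values are evaluated first.
    new waf.CfnWebACL(this, 'WebACL', {
      scope: 'CLOUDFRONT',
      defaultAction: { allow: {} },
      rules: [managedSqliRule, sqlInjectionRuleSet, rateLimitRule],
      visibilityConfig: visibility('WebACL'),
    });
  }
}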