Is there an existing issue for this?
Description
The 'AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY' rule is intermittently blocking about 10% of Custom JS update PUT requests for a user. This rule, designed to prevent SQL injection attacks, appears to be overly sensitive even at its default low setting. The issue was identified when a user's DevOps team discovered that the rule was obstructing requests involving a function named 'createSearchString', which constructs a SQL WHERE clause.
Our initial analysis suggests that this behavior is unusual, as it does not affect similar query update requests and the problem has not been reported by other users. Since AWS managed rules cannot be edited, only disabled, we are considering options to modify our request payloads to avoid triggering the rule. However, this requires further investigation as we currently do not have a mechanism in place to obfuscate our payloads or implement alternative strategies to bypass the rule.
This ticket aims to start gathering data and exploring potential solutions, including but not limited to payload obfuscation or other techniques, to address this challenge. We need to ensure that our application's functionalities are not hindered by such WAF rules while maintaining security against SQL injection threats.
A-force thread: https://theappsmith.slack.com/archives/C0341RERY4R/p1697487010803149
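As a starting point for the data gathering this ticket calls for, here is an added example (editor's illustration, not Appsmith code and not from this issue) that triages AWS WAF logs: it groups requests by method and normalized path, counts how many were terminated by the SQLi_BODY rule, and pulls out the matchedData fragments the rule reported, which is what tells you whether the WHERE-clause text built by createSearchString is the actual trigger. The log records below are constructed for illustration and follow the WAF v2 log layout (ruleGroupList, terminatingRule, nonTerminatingMatchingRules, ruleMatchDetails); the web ACL ARN, client IP, resource IDs, endpoint paths and the hex-ID normalization regex are assumptions.

```python
"""Triage AWS WAF logs for SQLi_BODY blocks per endpoint (added example, not Appsmith code)."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample records in the AWS WAF v2 log layout. They are illustrative,
# not captured traffic; the web ACL ARN, client IP and resource IDs are made up.
SAMPLE_WAF_LOG = r"""
{"timestamp":1697487010803,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:000000000000:regional/webacl/example/0000","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":{"ruleId":"SQLi_BODY","action":"BLOCK","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","sensitivityLevel":"LOW","location":"BODY","matchedData":["where","name","like"]}]},"nonTerminatingMatchingRules":[],"excludedRules":null}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/api/v1/collections/actions/64f1a9c2","httpMethod":"PUT"},"labels":[{"name":"awswaf:managed:aws:sql-database:SQLi_Body"}]}
{"timestamp":1697487020000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:000000000000:regional/webacl/example/0000","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/api/v1/collections/actions/64f1a9c2","httpMethod":"PUT"},"labels":[]}
{"timestamp":1697487030000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:000000000000:regional/webacl/example/0000","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/api/v1/collections/actions/64f1a9c2","httpMethod":"PUT"},"labels":[]}
{"timestamp":1697487040000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:000000000000:regional/webacl/example/0000","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[],"excludedRules":null}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/api/v1/actions/77e2b0d4","httpMethod":"PUT"},"labels":[]}
{"timestamp":1697487050000,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:000000000000:regional/webacl/example/0000","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SQLi_BODY","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","sensitivityLevel":"LOW","location":"BODY","matchedData":["select"]}]}],"excludedRules":null}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/api/v1/actions/execute","httpMethod":"POST"},"labels":[{"name":"awswaf:managed:aws:sql-database:SQLi_Body"}]}
"""

# Assumption: resource IDs in the path are long hex strings; collapse them so that
# PUT /api/v1/collections/actions/<id> requests group under one endpoint key.
ID_SEGMENT = re.compile(r"^[0-9a-f]{8,}$")


def parse_waf_log(text):
    """Parse newline-delimited WAF log JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def endpoint_key(record):
    """Return 'METHOD /path' with ID-looking segments replaced by {id}."""
    req = record["httpRequest"]
    parts = ["{id}" if ID_SEGMENT.match(p) else p for p in req["uri"].split("/")]
    return f"{req['httpMethod']} {'/'.join(parts)}"


def _matched_data(rule):
    """Flatten the matchedData fragments WAF reports for one rule hit."""
    fragments = []
    for detail in rule.get("ruleMatchDetails") or []:
        fragments.extend(detail.get("matchedData") or [])
    return fragments


def matched_rules(record):
    """Yield (rule_id, action, matched_data) for every rule-group rule that fired,
    whether it terminated the request (BLOCK) or only counted it."""
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:
            yield term["ruleId"], term.get("action", "BLOCK"), _matched_data(term)
        for rule in group.get("nonTerminatingMatchingRules") or []:
            yield rule["ruleId"], rule.get("action", "COUNT"), _matched_data(rule)


def block_rate_by_endpoint(records, rule_id="SQLi_BODY"):
    """Per endpoint: total requests, requests blocked by rule_id, block rate, and
    the (action, matchedData) pairs the rule reported, including COUNT-only hits."""
    totals, blocked = Counter(), Counter()
    hits = defaultdict(list)
    for rec in records:
        key = endpoint_key(rec)
        totals[key] += 1
        for rid, action, data in matched_rules(rec):
            if rid != rule_id:
                continue
            if action == "BLOCK":
                blocked[key] += 1
            hits[key].append((action, data))
    return {
        key: {
            "total": totals[key],
            "blocked": blocked[key],
            "block_rate": blocked[key] / totals[key],
            "hits": hits[key],
        }
        for key in totals
    }


def main():
    stats = block_rate_by_endpoint(parse_waf_log(SAMPLE_WAF_LOG))
    for key, s in sorted(stats.items()):
        print(f"{key:42} {s['blocked']}/{s['total']} blocked ({s['block_rate']:.0%})")
        for action, data in s["hits"]:
            print(f"    {action:5} matchedData={data}")


if __name__ == "__main__":
    main()
```

Run it against the real log lines exported from the web ACL's logging destination instead of SAMPLE_WAF_LOG; with a few days of traffic the per-endpoint block rate confirms whether the ~10% figure holds only for the Custom JS update PUT, and the matchedData tokens show which fragments of the body the rule keyed on, which is the information any payload change would have to be designed around.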
Steps To Reproduce
Public Sample App
No response
Environment
Production
Issue video log
No response
Version
1.9.44