Forum Discussion

Oscar77
Dec 22, 2021

F5 OWASP Top Ten Rules, no working NoSQL Injection properly

Hi there, if we do a Postman POST request to our API with the following body in the request:

{
  "link": {
    "$ne": null
  }
}

The request is passing using the mentioned rules.

How can we solve it?

 

Thanks and have a nice day.
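The body above is a MongoDB operator injection: if the backend drops `body.link` straight into a query filter, `{ "$ne": null }` matches every document that has a `link` field instead of one specific value. The WAF is one layer; the application-side check that later produced the backend's NoSqlInjectionError response is the control that actually held in this thread. The following is an added example written for this discussion, not code from the thread, from F5 or from AWS; the function names (findOperatorKeys, checkRequestBody, buildLinkQuery) and the sample bodies are assumptions.

```javascript
// Added example for this thread (not code from the thread, F5 or AWS).
// Backend-side rejection of MongoDB query operators arriving in a JSON body,
// i.e. the kind of check behind a {"error":"NoSqlInjectionError"} response.
// findOperatorKeys, checkRequestBody and buildLinkQuery are hypothetical names.

// Walk a parsed JSON value and return the path of every object key that
// starts with '$' (a query/update operator such as $ne, $gt, $regex, $where)
// or contains '.' (field-path traversal). Arrays are walked too, because
// {"link": [{"$ne": null}]} still reaches the driver as an operator.
function findOperatorKeys(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      hits.push(...findOperatorKeys(item, `${path}[${i}]`));
    });
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (key.startsWith('$') || key.includes('.')) {
        hits.push(childPath);
      }
      hits.push(...findOperatorKeys(child, childPath));
    }
  }
  return hits;
}

// Parse the raw request body and decide whether it may proceed. The rejected
// case returns the same JSON shape the backend in the thread answered with.
// A schema check (expected fields, scalar types) is the stronger control;
// this is the generic layer beneath it.
function checkRequestBody(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, status: 400, error: 'BadRequest', message: 'Body is not valid JSON' };
  }
  const operatorPaths = findOperatorKeys(body);
  if (operatorPaths.length > 0) {
    return {
      ok: false,
      status: 400,
      error: 'NoSqlInjectionError',
      message: 'Invalid request',
      code: 0,
      // Keep the offending paths for the server log, not for the client.
      paths: operatorPaths,
    };
  }
  return { ok: true, status: 200, body };
}

// Build the filter the way it should be built even after validation: coerce
// the user-supplied value to a string so an object can never become an
// operator. The vulnerable form is `{ link: body.link }` with body.link unchecked.
function buildLinkQuery(body) {
  return { link: String(body.link) };
}

// Constructed sample inputs: the operator payload from the thread and a benign body.
const INJECTION_BODY = '{"link": {"$ne": null}}';
const BENIGN_BODY = '{"link": "https://example.test/page"}';

console.log(JSON.stringify(checkRequestBody(INJECTION_BODY)));
console.log(JSON.stringify(checkRequestBody(BENIGN_BODY)));
```

The check rejects operator keys anywhere in the document, including inside arrays, and the query builder coerces to a string so the filter value cannot be an object even if a future code path skips the check. Logging the returned paths server-side gives a direct signal for the kind of probe discussed in this thread without telling the client which keys are inspected.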

 


  • Is there another way to obtain "official" support?

     

    We need to fix this, please.

  • Hi,

    Please send us the full details of the attack test that was not blocked, including sample request. We will analyze the attack test against F5 rule sets to determine the root cause and proposed solution.

    Thanks

    • Oscar77
      curl --location --request POST 'URL' \
      --header 'token: TOKEN' \
      --header 'Content-Type: application/json' \
      --data-raw '{
            "link": {
              "$gt": null
            }
          }'

      This is my backend response when running curl:

       

      {"error":"NoSqlInjectionError","message":"Invalid request","code":0}

      But in AWS Insights we can see the WAF cannot stop the request; see the >>>> ALLOW <<<< below:

       

      Field	Value
      @ingestionTime	1641197043827
      @log	AWSACCOUNT:LOG
      @logStream	LOGSTREAM
      @message	message
      @timestamp	1641196768228
      action	>>>> ALLOW <<<<
      formatVersion	1
      httpRequest.clientIp	XXX.XXX.XXX.XXX
      httpRequest.country	ES
      httpRequest.headers.0.name	host
      httpRequest.headers.0.value	XXX.XXX.XX
      httpRequest.headers.1.name	user-agent
      httpRequest.headers.1.value	curl/7.77.0
      httpRequest.headers.2.name	accept
      httpRequest.headers.2.value	*/*
      httpRequest.headers.3.name	HEADER
      httpRequest.headers.3.value	TOKENVALUE
      httpRequest.headers.4.name	content-type
      httpRequest.headers.4.value	application/json
      httpRequest.headers.5.name	content-length
      httpRequest.headers.5.value	51
      httpRequest.httpMethod	POST
      httpRequest.httpVersion	HTTP/2.0
      httpRequest.requestId	REQUEST_ID
      httpRequest.uri	URI
      httpSourceId	ALB
      httpSourceName	ALB
      ruleGroupList.0.ruleGroupId	F5#OWASP_Managed
      ruleGroupList.1.ruleGroupId	F5#Bots_Managed
      ruleGroupList.2.ruleGroupId	AWS#AWSManagedRulesAmazonIpReputationList
      terminatingRuleId	Default_Action
      terminatingRuleType	REGULAR
      timestamp	1641196768228
      webaclId	WEBACL

      If you need more info, just tell us please. Thanks for your response, I wish you a nice day.
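To read the log above: terminatingRuleId of Default_Action together with action ALLOW means none of the three listed rule groups matched, so the request reached the backend untouched by the managed rules, and only the application's own check stopped it. The following added example (not from the thread, F5 or AWS) rebuilds the nested WAF log record from the flattened Field/Value dump that CloudWatch Logs Insights displays (dotted keys such as httpRequest.headers.0.name) and summarises the decision; the function names are hypothetical and the embedded dump is a constructed abridgement of the one posted.

```javascript
// Added example for this thread (not code from the thread, F5 or AWS).
// Rebuilds a nested AWS WAF log record from the flattened "Field / Value" dump
// that CloudWatch Logs Insights displays (dotted keys such as
// httpRequest.headers.0.name) and summarises why the request was allowed.
// parseInsightsDump, setPath and explainDecision are hypothetical names.

// Constructed abridgement of the dump posted in the thread (tab-separated).
const SAMPLE_DUMP = [
  'Field\tValue',
  '@timestamp\t1641196768228',
  'action\t>>>> ALLOW <<<<',
  'httpRequest.clientIp\tXXX.XXX.XXX.XXX',
  'httpRequest.headers.0.name\thost',
  'httpRequest.headers.0.value\tXXX.XXX.XX',
  'httpRequest.headers.1.name\tuser-agent',
  'httpRequest.headers.1.value\tcurl/7.77.0',
  'httpRequest.headers.4.name\tcontent-type',
  'httpRequest.headers.4.value\tapplication/json',
  'httpRequest.httpMethod\tPOST',
  'ruleGroupList.0.ruleGroupId\tF5#OWASP_Managed',
  'ruleGroupList.1.ruleGroupId\tF5#Bots_Managed',
  'ruleGroupList.2.ruleGroupId\tAWS#AWSManagedRulesAmazonIpReputationList',
  'terminatingRuleId\tDefault_Action',
  'terminatingRuleType\tREGULAR',
].join('\n');

// Assign a value at a dotted path, creating an array where the next segment
// is a numeric index (headers.0 -> headers[0]) and an object elsewhere.
function setPath(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let cur = target;
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i];
    if (i === parts.length - 1) {
      cur[part] = value;
      return;
    }
    if (cur[part] === undefined) {
      cur[part] = /^\d+$/.test(parts[i + 1]) ? [] : {};
    }
    cur = cur[part];
  }
}

// Parse "field<TAB>value" lines into a nested record; the header row and
// lines without a tab are skipped.
function parseInsightsDump(text) {
  const record = {};
  for (const line of text.split('\n')) {
    const tab = line.indexOf('\t');
    if (tab < 0) continue;
    const field = line.slice(0, tab).trim();
    if (!field || field === 'Field') continue;
    setPath(record, field, line.slice(tab + 1).trim());
  }
  return record;
}

// Summarise the decision. terminatingRuleId of Default_Action together with
// ALLOW means no rule in any evaluated group matched, so the body reached the
// backend untouched by the managed rules; that is the situation in the thread.
function explainDecision(record) {
  const action = (record.action || '').replace(/[<> ]/g, ''); // strip the ">>>> <<<<" highlight
  const req = record.httpRequest || {};
  const headers = (req.headers || []).filter(Boolean); // drop holes left by sparse indices
  const contentType = headers.find((h) => h.name.toLowerCase() === 'content-type');
  return {
    action,
    method: req.httpMethod,
    contentType: contentType ? contentType.value : undefined,
    ruleGroupsEvaluated: (record.ruleGroupList || []).filter(Boolean).map((g) => g.ruleGroupId),
    terminatingRuleId: record.terminatingRuleId,
    allowedByDefault: action === 'ALLOW' && record.terminatingRuleId === 'Default_Action',
  };
}

console.log(JSON.stringify(explainDecision(parseInsightsDump(SAMPLE_DUMP)), null, 2));
```

Run over a batch of exported records, the allowedByDefault flag isolates the requests that every managed rule group let through; joining those on clientIp and timestamp with backend NoSqlInjectionError responses shows how often the application check is the only thing stopping a payload, which is the evidence the thread needed when asking F5 for a signature update.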

  • Hi,

     

    We are thinking about stopping using F5 rules in all of our multiple environments, because we are worried about the slow support from F5. It is a pity because we loved using it, but it is useless if we cannot obtain support when we need it.

  • Hi Oscar77,

    The OWASP ruleset has been updated with all our recent NoSQL signatures, covering the example mentioned above and more. Please test again with the latest ruleset and let us know the result.

    Thanks

    Mohamedfaizur

  • Seems to be working. Really, thanks.

     

    It would be nice if we could know what types of attacks these new NoSQL rules can recognize, please.

     

    Awaiting your response, and thanks again for the help.

    • Mohamedfaizur

      Hi,

      The types of NoSQL injection signatures we have are all the popular operands, similar to $gt which stands for "greater than" and $lt for "less than". We cannot list all the different operands we're searching for due to security concerns.

      Thanks

      Mohamedfaizur