Carrie

How to Prevent SQL Injection with SafeLine WAF

Many readers have heard that SafeLine has excellent protection capabilities, but they usually do not know how effective that protection actually is. So in this article we run a test of its protection capabilities.

Here, I prepared a demo of SQL injection attack requests. The attack commands involved are for learning purposes only.

About SQL Attacks

SQL injection attacks mainly target applications that use Structured Query Language (SQL) for database operations. By exploiting the application's improper handling of user input, an attacker can inject malicious code into SQL queries to achieve their own ends.

Steps

  1. To test this attack, we set up a test environment, DVWA (Damn Vulnerable Web Application). You can search for it if needed.

  2. Input 1: first, test the normal output.

Based on the output, it can be inferred that the backend code for this query might be something like "SELECT first_name, last_name FROM users WHERE user_id = '$id';"
If this were a real business scenario and the business side did not follow secure coding practices, an attacker could exploit this point for injection, potentially causing significant harm.

  3. Malicious attack example. For instance, to get the name of the current database, input 1' UNION SELECT 1, database() # for injection, and the current database name is returned. This proves that the injection was successful; we will not delve further into subsequent injection operations.

  4. Using SafeLine WAF. What happens when SafeLine is placed in front of the application? Can it block the attack even though the application itself is vulnerable? First, configure the site in SafeLine and connect it to the test environment.

  5. Input again. The request is blocked directly by SafeLine, so the attacker cannot obtain valid information, the attack never reaches the server, and the SQL injection vulnerability cannot be exploited.

  6. Check the logs.

Conclusion

This example is very simple and only for your reference.
It aims to illustrate that when the business system itself cannot guarantee that it is free of vulnerabilities and injection points, deploying a WAF first is a cost-effective measure: it adds an extra layer of request inspection in front of the business. SafeLine WAF is a good option, as it is easy to deploy and manage.
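As an added illustration (not code from the original post or from SafeLine), here is the query shape inferred in step 2 beside its parameterized form, which is the application-side fix that a WAF sits in front of. It uses Python with an in-memory SQLite table as a constructed stand-in for DVWA's MySQL users table; sqlite_version() replaces MySQL's database() and "--" replaces "#", since those are SQLite's equivalents.

```python
import sqlite3

SQLITE_VERSION = sqlite3.sqlite_version  # the value the adapted payload leaks

def make_db():
    """Constructed in-memory stand-in for DVWA's MySQL `users` table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn

def lookup_vulnerable(conn, user_id):
    """The query shape inferred in the post: input is pasted into the SQL text,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id):
    """Parameterized form: the driver binds user_id as a value, so the statement's
    structure is fixed before any user input is seen."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# The post's payload adapted to SQLite: sqlite_version() stands in for MySQL's
# database(), and "--" is SQLite's comment marker where MySQL accepts "#".
PAYLOAD = "1' UNION SELECT 1, sqlite_version() --"

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # extra row: (1, SQLITE_VERSION)
        "hardened": lookup_hardened(conn, PAYLOAD),      # no user_id equals that string
        "legit": lookup_hardened(conn, "1"),             # normal lookup still works
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened version returns nothing for the payload because the whole string is compared as a value against user_id, while a WAF such as SafeLine stops the same request before it reaches either query.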

Website: https://waf.chaitin.com/
Github: https://github.com/chaitin/SafeLine
Discord: https://discord.gg/dy3JT7dkmY
