
Pull Request #3142

Add WAF rule: detect SQL injection in request body

Adds a Lua-based WAF inspection rule covering keyword injection, comment injection, and tautology-style SQL attacks in HTTP request bodies.

Ready to merge
waf/rules/sqli_body.lua (+24 additions)
+ local _M = {}
+ local re_find = ngx.re.find
+
+ -- Pattern 1: detect SQL keywords near clause markers
+ local SQLI_KEYWORDS = [[(?i)\b(?:select|union|insert|update|delete|drop)\b\s+\w]]
+
+ -- Pattern 2: SQL comment injection (-- # /**/)
+ local SQLI_COMMENT = [[(?i)(?:--|#|\/\*[\s\S]*?\*\/)]]
+
+ -- Pattern 3: tautology injection (e.g. ' OR 1=1 --)
+ local SQLI_TAUTOLOGY = [[(?i)(?:.*(?:or|and)\s+(?:[\w\s]*=[\w\s]*)+(?:--|#|\/\*)?)+]]
+
+ function _M.inspect(ctx)
+ local body = ctx.request_body
+ if not body or #body == 0 then return false end
+
+ if re_find(body, SQLI_KEYWORDS, "jo") then return true end
+ if re_find(body, SQLI_COMMENT, "jo") then return true end
+ if re_find(body, SQLI_TAUTOLOGY, "jo") then return true end
+
+ return false
+ end
+
+ return _M
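Review bot: Pattern 3 (`SQLI_TAUTOLOGY`) misses the canonical OR/AND tautologies and fires on ordinary prose, so it should not go in as the detector for that family. After `(?:or|and)\s+` it demands `[\w\s]*=[\w\s]*`, so the text after the whitespace must start with a word character or space and must contain a literal `=`: `' OR '1'='1` (quote before the operand), `' OR 1 LIKE 1`, `' OR true` and `'/**/OR/**/1=1` (no whitespace after OR) all return false. In the other direction there is no `\b` around `or|and` and the left operand of `=` may be empty, so `Vendor and supplier = approved`, or any body containing `color =`, `vendor =` or `brand =`, is blocked. The same absence of normalisation affects all three patterns: the body is matched raw, so a URL-encoded form body (`admin%27+OR+1%3D1`, with `+` standing in for the space and `%3D` for `=`) or a JSON body with `\u0020`/`\u003d` escapes never presents the `\s+` or `=` the patterns rely on. Pattern 1 flags `delete my account`, `update profile` and `select an option`; Pattern 2 flags any `#` (hex colours, fragment identifiers) or `--`. Two smaller points: `ngx.re.find` returns `nil, nil, err` when PCRE gives up (match limit or JIT stack exhausted), and `if re_find(...) then` treats that the same as no match, so a body that makes Pattern 3 backtrack heavily (it starts with `.*` inside a repeated group and nests `[\w\s]*` inside another `+`, so repeated `or ` with no `=` is quadratic) fails open rather than closed; and `if not body ... then return false` also fails open whenever `ctx.request_body` is nil, for instance when the body was buffered to a temp file instead of memory. Suggested shape: decode and normalise the body once before matching, put `\b` around `or|and` and require a real operand on each side of the operator, check the error, e.g. `local from, _, err = re_find(body, SQLI_TAUTOLOGY, "jo")` followed by `if err then return true end`, and add a fixture with the bypass and false-positive cases above so they cannot regress.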

sam_sec_lead

Approved review

Pattern 3 is the one we've been waiting for. The tautology detection should catch the whole OR/AND injection family. All three patterns look correct. LGTM.
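An offline way to check what the three patterns actually accept and reject, as an added example that is not part of the PR or of senioreng.dev: the patterns are copied verbatim into Python's `re` (which agrees with PCRE on every construct they use, for ASCII input), `inspect()` mirrors the Lua `_M.inspect` verdict, and the sample bodies are constructed for this example rather than captured traffic. `evaluate()` sorts them into correct verdicts, false negatives (attacks that pass) and false positives (benign bodies that get blocked).

```python
import re

# The three PCRE patterns from the PR, copied verbatim. Python's re and PCRE
# agree on every construct used here ((?i), \b, \s, \w, [\s\S], lazy *?, \/),
# so for ASCII bodies re.search() gives the same yes/no as ngx.re.find().
SQLI_KEYWORDS = r"(?i)\b(?:select|union|insert|update|delete|drop)\b\s+\w"
SQLI_COMMENT = r"(?i)(?:--|#|\/\*[\s\S]*?\*\/)"
SQLI_TAUTOLOGY = r"(?i)(?:.*(?:or|and)\s+(?:[\w\s]*=[\w\s]*)+(?:--|#|\/\*)?)+"

RULES = {
    "keywords": re.compile(SQLI_KEYWORDS),
    "comment": re.compile(SQLI_COMMENT),
    "tautology": re.compile(SQLI_TAUTOLOGY),
}


def matching_rules(body):
    """Return the sorted names of every pattern that fires on a raw body."""
    if not body:
        return []
    return sorted(name for name, rx in RULES.items() if rx.search(body))


def inspect(body):
    """Same boolean the Lua _M.inspect() returns: any pattern firing blocks."""
    return bool(matching_rules(body))


# Constructed sample bodies (hypothetical, not captured traffic). Each entry is
# (body, should_block) with the verdict a reviewer would expect.
SAMPLES = [
    # Classic tautology with a trailing comment: caught, by patterns 2 and 3.
    ("' OR 1=1 --", True),
    # Quoted operands: the char after "OR " is not in [\w\s], so pattern 3 misses it.
    ("' OR '1'='1", True),
    # No '=' at all: LIKE / true / IS NULL variants are invisible to pattern 3.
    ("' OR 1 LIKE 1", True),
    # URL-encoded form body: '+' is not \s and '%3D' is not '=', so nothing fires.
    ("user=admin%27+OR+1%3D1&pass=x", True),
    # Ordinary English containing a listed verb followed by a word.
    ('{"action":"delete my account"}', False),
    # A hex colour is a '#' as far as pattern 2 is concerned.
    ("color=#ff0000&size=large", False),
    # "or" inside "Vendor" and "and" match without \b; empty left operand before '='.
    ("comment=Vendor and supplier = approved", False),
]


def evaluate(samples=SAMPLES):
    """Classify each sample as correct, false_negative or false_positive."""
    report = {"correct": [], "false_negative": [], "false_positive": []}
    for body, should_block in samples:
        blocked = inspect(body)
        if blocked == should_block:
            report["correct"].append(body)
        elif should_block:
            report["false_negative"].append(body)
        else:
            report["false_positive"].append(body)
    return report


if __name__ == "__main__":
    for body, _ in SAMPLES:
        print(f"{body!r:45} -> {matching_rules(body) or 'no match'}")
    print(evaluate())
```

Only the first sample is classified correctly, and even there the tautology pattern is not what stops it on its own: the `--` in pattern 2 fires as well. Run the same harness against a decoded body (URL-decode, then JSON-unescape) to see how much of the gap is the missing normalisation versus the patterns themselves.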