Should a WAF, or any protection method, block SQLi done on URLs? (e.g. GET /test/url'or 1=1--)
6
Yes. The latest version of ModSecurity, 2.6.0, allows specific arguments to be disabled on a per-rule basis. This will allow easier tuning to the app for removal of false positives (and since it's not just the whole URI per rule there will be less, albeit still some, false negatives).
You'll notice that some MVC/MVP apps lean on the controller-action-id paradigm, which doesn't use parameters (except on the URI like you describe).
atdre
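As an added illustration of the per-rule, per-argument tuning the answer describes (an example written for this page, not configuration from the answer or from the ModSecurity project; the rule id, the pattern and the argument name are assumed):

```apache
# Added example: ModSecurity 2.6-style per-rule target tuning.
# The rule id (900100), the regex and the argument name 'comment' are made up
# for illustration and are not taken from any published rule set.

# Inspect the URI path as well as query/body arguments, so that an injected
# path segment such as /test/url'or 1=1-- (the question's example) is still
# examined when the application takes no named parameters at all.
SecRule REQUEST_FILENAME|ARGS "@rx (?i)'\s*or\s+1\s*=\s*1" \
    "id:900100,phase:2,deny,status:403,log,msg:'SQLi tautology in path or argument'"

# Tuning for a false positive: a free-text field named 'comment' in this app
# legitimately contains apostrophes. Remove only that argument from only this
# rule; REQUEST_FILENAME and every other argument remain inspected, so the
# exclusion is far narrower than disabling the whole rule for the URI.
SecRuleUpdateTargetById 900100 "!ARGS:comment"
```

SecRuleUpdateTargetById must be loaded after the rule it modifies, otherwise there is no rule for the update to apply to.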