1

We have security in our firewall to prevent SQL-Injection from destroying any of our content:

| Name | Type | Context | Severity | Pattern |
|---|---|---|---|---|
| CS:select_into | signature | http-url | critical | `.*\[select\].*\[into\].*` |
| CS:select_from | signature | http-url | critical | `.*\[select\].*\[from\].*` |
| CS:insert_into | signature | http-url | critical | `.*\[insert\].*\[into\].*` |
| CS:drop_database | signature | http-url | critical | `.*\[drop\].*\[database\].*` |
| CS:drop_table | signature | http-url | critical | `.*\[drop\].*\[table\].*` |
| CS:delete_from | signature | http-url | critical | `.*\[delete\].*\[from\].*` |
| CS:drop_view | signature | http-url | critical | `.*\[drop\].*\[view\].*` |
| CS:exec | signature | http-url | critical | `.*\[exec\].*(%28|\().*(%29|\)).*` |
| CS:update_set | signature | http-url | critical | `.*\[update\](%20|\+)(%20|\+|.)*\[set\].*` |

How can we adjust this so that it is possible to load the following files from one of our own URLs?

  • FileDropAreaIconsAndDescriptionsView.css

  • FileDropAreaIconsHorizontalView.css

  • FileDropAreaIconsView.css

  • FileDropAreaTableView.css

The files contain the words 'drop' and 'view', and this makes the URL match the rules and get blocked. How can we change the regular expression so that, in this case, the filenames stated above will pass this regex and therefore will not be blocked?

Younes
  • 135
  • 5
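To see the false positive concretely, here is an added Python check (not code from the question or from the firewall product). It assumes the firewall's `[word]` notation means the bare keyword matched case-insensitively, reproduces the substring patterns from the table, and contrasts them with a whole-token form that decodes the URL first; the CSS paths and the sample query URL are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Keyword pairs taken from the firewall table above. CS:exec is left out
# because its shape (keyword plus parentheses) differs from the pairs.
# Assumption: "[word]" in the firewall means the bare keyword, case-insensitive.
KEYWORD_PAIRS = {
    "CS:select_into": ("select", "into"),
    "CS:select_from": ("select", "from"),
    "CS:insert_into": ("insert", "into"),
    "CS:drop_database": ("drop", "database"),
    "CS:drop_table": ("drop", "table"),
    "CS:delete_from": ("delete", "from"),
    "CS:drop_view": ("drop", "view"),
    "CS:update_set": ("update", "set"),
}

# Constructed sample inputs: the four CSS files from the question plus one
# query URL that genuinely carries the "drop ... view" keyword sequence.
CSS_URLS = [
    "/static/FileDropAreaIconsAndDescriptionsView.css",
    "/static/FileDropAreaIconsHorizontalView.css",
    "/static/FileDropAreaIconsView.css",
    "/static/FileDropAreaTableView.css",
]
KEYWORD_URL = "/search?q=drop+view+v1"


def naive_rules():
    # Substring form, equivalent to the page's ".*[a].*[b].*" patterns:
    # "Drop" inside "FileDropArea" is enough to trigger the rule.
    return {name: re.compile(rf".*{a}.*{b}.*", re.I)
            for name, (a, b) in KEYWORD_PAIRS.items()}


def token_rules():
    # Whole-token form: \b requires the keyword to stand alone, so a keyword
    # embedded in a longer identifier such as a filename no longer matches.
    return {name: re.compile(rf"\b{a}\b.*\b{b}\b", re.I)
            for name, (a, b) in KEYWORD_PAIRS.items()}


def matching_rules(url, rules):
    # Decode %xx and '+' first; otherwise "%20drop%20" hides the token
    # boundary behind the encoded bytes and \b cannot see it.
    decoded = unquote_plus(url)
    return sorted(name for name, rx in rules.items() if rx.search(decoded))
```

Whole-token matching clears these four filenames while still flagging the query URL, but it stays a keyword blacklist that only narrows the false positives; it is not a substitute for parameterised queries in the application itself.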

1 Answer

2

This is almost certainly the wrong approach to protecting yourselves from SQL Injection attacks. If you just look at your application code and write protection mechanisms into the database access routines, or better yet use a Database Abstraction Layer (one that already has injection protection), you won't have to worry about this crappy hack.

Seriously, you're doing it wrong.

Tom O'Connor
  • 27,440
  • 10
  • 72
  • 148