1. Overview
SQL Injection is a major attack vector against websites and a common security threat in web applications. Most web application firewalls (WAFs) detect and block SQL Injection attacks natively. However, many WAF vendors have been found unable to detect SQL Injection attacks that exploit JSON operators and functions, so we analyzed how to counter them.
2. Attack Types
SQL Injection attempts that use JSON operators and functions can bypass WAFs because the JSON syntax supported by the DBMS is not properly validated. Major databases such as PostgreSQL, MySQL, SQLite, and Microsoft SQL Server support JSON, so attackers can abuse this feature to attempt SQL Injection attacks based on JSON operators and functions.
The following is sample syntax for SQL Injection attacks that exploit JSON operators and functions for each DBMS.
PostgreSQL
' or "[1,2,3]"::json ->> 2='3'
' or json_array_length({}) <= 3
...
MySQL
' or json_contains('{"a":1, "b":2}', '1', '$.a');
' or JSON_MERGE('[1, 2]', '[true, false]');
...
SQLite
' or '{"a":1,"b":2}'::jsonb ->> 'b'='2
' or json_extract('{"a":2,"c":[4,5,{"f":7}]}', '$.c[2].f');
...
MSSQL
' or ISJSON('{"a":"1"}') = '1
' or JSON_VALUE('{"info":{"address":[{"town":"Paris"},{"town":"London"}]}}', '$.info.address[0].town')='Paris
...
3. Countermeasures
Enable detection of SQL Injection attack syntax that uses JSON operators and functions as part of the SQL Injection attack type.
In our AIWAF product, the <SQL Injection (JSON Operators or Functions)> pattern detects attack syntax that exploits this vulnerability.
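As an added example (not the AIWAF pattern or any vendor rule), the following Python rule implements the detection described in section 3: a parameter is flagged only when it contains both a JSON operator or function call and an injection context (a string-breaking quote followed by OR/AND, or a stacked statement). The sample parameters are constructed; five reuse the payload shapes listed above and three are benign values a WAF must not block.

```python
import re
from urllib.parse import unquote_plus

# JSON operators used by PostgreSQL (and copied into the SQLite sample above):
# ::json / ::jsonb casts and the -> ->> #> #>> extraction operators.
JSON_OPERATOR = re.compile(r"::\s*jsonb?\b|->>?|#>>?")
# JSON functions of PostgreSQL, MySQL, SQLite and MSSQL, each followed by its call parenthesis.
JSON_FUNCTION = re.compile(r"\b(json_[a-z_]+|isjson|openjson)\s*\(", re.I)
# Injection context: a string-breaking quote followed by a boolean connector, or a stacked statement.
SQLI_CONTEXT = re.compile(r"['\"]\s*(or|and)\b|;\s*[a-z]", re.I)

def normalize(value):
    """URL-decode the parameter and collapse whitespace so tokens are matched as sent to the DBMS."""
    return re.sub(r"\s+", " ", unquote_plus(value))

def classify(value):
    """Return a dict describing whether a parameter value looks like JSON-operator SQL Injection."""
    text = normalize(value)
    reasons = []
    if JSON_OPERATOR.search(text):
        reasons.append("json-operator")
    if JSON_FUNCTION.search(text):
        reasons.append("json-function")
    in_sql_context = bool(SQLI_CONTEXT.search(text))
    # Both conditions are required: JSON syntax alone is normal traffic for JSON APIs,
    # and a lone quote or connector alone is normal in free text.
    return {"attack": in_sql_context and bool(reasons), "reasons": reasons}

def scan(params):
    """Return the names of the (name, value) parameters that the rule would block."""
    return [name for name, value in params if classify(value)["attack"]]

# Constructed sample parameters: five reuse the payload shapes listed above, three are benign.
SAMPLE_PARAMS = [
    ("id", "' or \"[1,2,3]\"::json ->> 2='3'"),
    ("id", "%27%20or%20json_array_length(%27{}%27)%3C%3D3"),  # same payload, URL-encoded
    ("q", "' or json_contains('{\"a\":1, \"b\":2}', '1', '$.a');"),
    ("q", "' or JSON_MERGE('[1, 2]', '[true, false]');"),
    ("id", "' or ISJSON('{\"a\":\"1\"}') = '1"),
    ("payload", '{"a":1,"b":2}'),                      # ordinary JSON body value
    ("comment", "json_extract is a handy function"),   # function name with no call or SQL context
    ("name", "O'Brien"),                               # lone quote, no JSON syntax
]

if __name__ == "__main__":
    for name, value in SAMPLE_PARAMS:
        print(name, classify(value))
```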
4. Conclusions
There are many vulnerabilities related to JSON-based SQL Injection, and updates are constantly being released, so it is necessary to check and update regularly.
Our AIWAF product has developed many patterns to respond to JSON-based SQL Injection vulnerabilities, and we will continue to respond quickly to JSON-based SQL Injection vulnerabilities as they are discovered.