Java Form to PostgreSql triggering firewall

Soldato
Joined
28 Sep 2008
Posts
14,135
Location
Britain
Possibly a bit too advanced for here, but has anyone any experience of HTML/JAVA forms that submit to a database (in this case PostgreSQL)? We're getting a lot of triggers on the WAF with OWASP policies applied. There's been some tuning, but still, simple free form text boxes get blocked, things like " UPDATE number to 07888554443"

It's clearly seeing it as SQLi but I mean come on, surely the WAF isn't that stupid?
 
Soldato
Joined
23 Feb 2009
Posts
4,978
Location
South Wirral
Not quite sure I understand your architecture, so sorry if these are stupid questions:

- Is your database port exposed to the internet and if so, are you using the out-of-box ports e.g. 3306 for mysql, 1521 for oracle ?
- Is the browser sending SQL commands to the server directly, or just form data ?
 
Soldato
Joined
24 Jun 2021
Posts
3,656
Location
UK
Too vague, some thoughts:
- forms should submit to a script, not directly to a database, the script sorts out the details and saves data to the databases in a secure way.
- are you guessing or do you know it is identifying the reason for block as sql injection? If so, the exact query matters, a simple example isn't sufficient to diagnose.
- in this example I would expect a parameterised query which updates one row only. I wouldn't expect "number" to be a column name because it's a non-reserved keyword.
 
Soldato
OP
Joined
28 Sep 2008
Posts
14,135
Location
Britain
Hi guys, thanks for responses. This is all Azure based, a static web front end webapp which fires off Java to client side check and submit to the PostgreSql dB in Azure. This is behind a private endpoint, and a web application firewall.

The example above:

07555555555 update in your records please

Will trigger the WAF policy and stop the field being updated.
 
Back
Top Bottom