False Positive Mitigation for SQL Injection signatures
The signatures that FortiWeb uses to detect SQL injection attacks are classified into three classes: SQL injection, SQL injection (Extended) and SQL injection (Syntax Based Detection). You can see them being listed in a signature policy. For details, see Blocking known attacks & data leaks.
When SQL injection or SQL injection (Extended) is enabled, FortiWeb scans requests and matches them against the signatures using pattern recognition (multi-pattern keyword matching and regular expression patterns). This approach can produce false positives: a legitimate request may be mistakenly flagged as a SQL injection attack. For example, both requests below match the signature, but the second one is a false positive because it merely contains SQL keywords such as select and user in a parameter value:
GET /test.asp?id=1 and 0<>(select count(*) from user_table where user like 'admin') HTTP/1.1
GET /test.asp?text= please select a user from the group to test our new product HTTP/1.1
When False Positive Mitigation is enabled, a request that triggers one of these signatures is processed further to validate whether it actually contains SQL content.
To verify whether the request is a SQL injection, FortiWeb uses lexical analysis, which converts the characters of the suspected statement in the request into a sequence of tokens. It then runs the tokens through different built-in SQL templates and uses a SQL parser to validate whether they form a true SQL structure. If they do, the event is not a false positive and FortiWeb triggers the signature's violation action.
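The following is an added example that models the two-stage check described above; it is not FortiWeb code and does not reproduce FortiWeb's keyword list, templates or parser. A crude pattern signature (the regular expression SIGNATURE, an assumption) flags any parameter value that contains SQL keywords, and a tokenizer plus a small recursive-descent parser then decides whether the flagged value has real SQL structure. The keyword set, the two grammar templates and the sample request lines (copies of the two requests shown above plus one benign request) are all constructed for illustration.

```python
"""Toy lexical + syntax validation for SQL-injection false-positive mitigation.

Added example, not FortiWeb code.  Stage 1 is a pattern signature that fires on
SQL keywords; stage 2 tokenizes the parameter value and tries to parse it with a
small recursive-descent parser.  Only values that parse as SQL are confirmed.
"""
import re
from urllib.parse import parse_qsl

# Stage 1: a crude signature, assumed here for illustration (both sample values match).
SIGNATURE = re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE)

# Keywords the toy lexer recognises (assumption; a real engine has a far larger list).
KEYWORDS = {"select", "from", "where", "and", "or", "like", "union", "insert",
            "update", "delete", "drop"}
COMPARISONS = {"=", "<>", "!=", "<", ">", "<=", ">="}

TOKEN_RE = re.compile(r"""
    \s+                         # whitespace (skipped)
  | '(?:[^']|'')*'              # single-quoted string literal
  | \d+(?:\.\d+)?               # number
  | [A-Za-z_][A-Za-z0-9_]*      # identifier or keyword
  | <>|!=|<=|>=|[=<>]           # comparison operators
  | [(),*]                      # punctuation
""", re.VERBOSE)


def tokenize(text):
    """Lexical analysis: turn the raw parameter value into (kind, value) tokens."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:                       # anything the lexer does not know
            tokens.append(("JUNK", text[pos]))
            pos += 1
            continue
        lexeme, pos = m.group(0), m.end()
        if lexeme.isspace():
            continue
        if lexeme.startswith("'"):
            tokens.append(("STRING", lexeme))
        elif lexeme[0].isdigit():
            tokens.append(("NUMBER", lexeme))
        elif lexeme[0].isalpha() or lexeme[0] == "_":
            low = lexeme.lower()
            tokens.append(("KEYWORD" if low in KEYWORDS else "IDENT", low))
        else:
            tokens.append(("OP", lexeme))
    tokens.append(("EOF", ""))
    return tokens


class SQLStructureError(Exception):
    """Raised when the token stream does not fit the grammar template."""


class Parser:
    """Recursive-descent parser for a deliberately small SQL subset."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i]

    def at(self, kind, value=None):
        k, v = self.peek()
        return k == kind and (value is None or v == value)

    def take(self, kind, value=None):
        if not self.at(kind, value):
            raise SQLStructureError(f"expected {kind} {value or ''}, got {self.peek()!r}")
        self.i += 1

    # Template 1: an injected boolean condition, e.g.  1 and 0<>(select ...)
    def condition(self):
        self.expr()
        while self.at("KEYWORD", "and") or self.at("KEYWORD", "or"):
            self.i += 1
            self.expr()

    def expr(self):
        self.term()
        if (self.at("OP") and self.peek()[1] in COMPARISONS) or self.at("KEYWORD", "like"):
            self.i += 1
            self.term()

    def term(self):
        if self.at("NUMBER") or self.at("STRING"):
            self.i += 1
        elif self.at("IDENT"):
            self.i += 1
            if self.at("OP", "("):      # function call such as count(*)
                self.i += 1
                if self.at("OP", "*"):
                    self.i += 1
                else:
                    self.term()
                self.take("OP", ")")
        elif self.at("OP", "("):        # parenthesised condition or subquery
            self.i += 1
            if self.at("KEYWORD", "select"):
                self.select()
            else:
                self.condition()
            self.take("OP", ")")
        else:
            raise SQLStructureError(f"unexpected token {self.peek()!r}")

    # Template 2: a SELECT statement (also used for subqueries)
    def select(self):
        self.take("KEYWORD", "select")
        if self.at("OP", "*"):
            self.i += 1
        else:
            self.term()
            while self.at("OP", ","):
                self.i += 1
                self.term()
        self.take("KEYWORD", "from")
        self.take("IDENT")
        if self.at("KEYWORD", "where"):
            self.i += 1
            self.condition()


def has_sql_structure(value):
    """Stage 2: does the value parse completely as one of the SQL templates?"""
    toks = tokenize(value)
    for template in (Parser.condition, Parser.select):
        p = Parser(toks)
        try:
            template(p)
            if p.at("EOF"):
                return True
        except SQLStructureError:
            pass
    return False


def parameter_values(request_line):
    """Decoded query-string values from a request line such as the samples above."""
    target = request_line.rsplit(" ", 1)[0].split(" ", 1)[1]   # drop method and version
    return parse_qsl(target.partition("?")[2])


def classify(request_line):
    """'sql injection' if a flagged value really is SQL, 'false positive' if flagged
    but not SQL, otherwise 'clean'."""
    verdict = "clean"
    for _name, value in parameter_values(request_line):
        if SIGNATURE.search(value):
            if has_sql_structure(value):
                return "sql injection"
            verdict = "false positive"
    return verdict


# Constructed sample request lines (the first two copy the examples in the text).
REQUESTS = [
    "GET /test.asp?id=1 and 0<>(select count(*) from user_table where user like 'admin') HTTP/1.1",
    "GET /test.asp?text= please select a user from the group to test our new product HTTP/1.1",
    "GET /test.asp?id=42 HTTP/1.1",
]

if __name__ == "__main__":
    for line in REQUESTS:
        print(f"{classify(line):15s} {line}")
```

The first sample parses as the condition template (a number, and, a comparison whose right side is a parenthesised SELECT subquery), so the signature hit is confirmed; the second sample starts with an identifier that is followed by neither a comparison nor and/or, and it does not start with select either, so both templates fail and the hit is downgraded to a false positive.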
Syntax-based SQL injection detection uses a newer approach based on lexical and syntax analysis to detect SQL injection attacks without false positives or false negatives, so it does not require False Positive Mitigation.
Syntax-Based SQL Injection detection is presented alongside the signatures for your convenience, but its entries are not technically signatures: they use neither regular expressions nor pattern matching.
Enable False Positive Mitigation for SQL Injection and SQL Injection (Extended)
When you enable SQL Injection and/or SQL Injection (Extended) in a signature policy, you can also enable False Positive Mitigation for those signatures.
- Go to Web Protection > Known Attacks > Signatures.
- Select the signature policy to open the edit panel.
- Click the buttons for SQL Injection and/or SQL Injection (Extended) in the False Positive Mitigation column of the table.
- Optionally, define specific signatures to which you would not like to apply False Positive Mitigation. By default, when you enable False Positive Mitigation, it applies to all supported signatures. You can select specific signatures and disable False Positive Mitigation.
Alternatively, you can apply False Positive Mitigation to SQL Injection and/or SQL Injection (Extended) while editing the signatures. From Web Protection > Known Attacks > Signatures, view or edit a signature policy and click Signature Details. Select the SQL Injection and/or SQL Injection (Extended) folder and enable False Positive Mitigation.