Prisma Cloud Compute: SQLi detection for certain text combinations

Created On 07/17/24 22:22 PM - Last Modified 09/17/25 20:26 PM


Symptom


  1. Detected SQL Injection attack in request body parameter "value" in value ivyPublish/*,ivyRetrieve/*,ivyFingerprint/**
  2. Detected SQL Injection attack in path in value /display/IBD/Cautions+while+investing+time+on+Microsoft+AI+tools


Environment


  • Prisma Cloud Self Hosted
  • Prisma Cloud Enterprise Edition


Cause


  1. Regarding the payload

ivyPublish/*,ivyRetrieve/*,ivyFingerprint/**

This works as intended. WAAS alerts on this payload because it fits the pattern of an SQLi attack. The payload starts with ivyPublish (a word) followed by /* (the comment operator in SQL). Comments can be used to truncate a query and remove the portion of the original query that follows the input. More information can be found in the links provided below.

  2. Regarding the payload

/display/IBD/Cautions+while+investing+time+on+Microsoft+AI+tools

This is a valid SQLi pattern: “while” and “time” are reserved SQL words, separated by the spaces in the pattern.



Resolution


Once you have confirmed that the detected SQLi event is a false positive, create an exception rule. To create an exception for SQL Injection, follow the steps below.

  1. Go to Defend >> WAAS.
  2. Select the app you want to configure.
  3. Select the firewall app tab.
  4. Select SQL Injection under projection column.
  5. Add Exception.
  6. Under App firewall settings, set Location to path and the path value to ^/display/IBD/Cautions\+while\+investing\+time\+on\+Microsoft\+AI\+toolsl?$
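
Before saving the exception, it is worth checking how much the pattern from step 6 actually exempts. The following is an added example, not part of the original article or of Prisma Cloud: it runs the pattern against constructed sample paths and compares it with two common mistakes (unescaped `+`, missing anchors). It assumes the pattern is evaluated against the raw path as shown in the alert and that Python's `re` handles this pattern the same way as the WAAS regex engine; the `audit` helper and the sample paths are hypothetical.

```python
import re

# Exception pattern exactly as given in step 6 of the Resolution.
EXCEPTION = r"^/display/IBD/Cautions\+while\+investing\+time\+on\+Microsoft\+AI\+toolsl?$"

# Variant with the backslashes dropped: '+' becomes a quantifier, not a literal plus.
UNESCAPED = EXCEPTION.replace("\\+", "+")

# Variant with the ^ and $ anchors dropped: matches anywhere inside a longer path.
UNANCHORED = EXCEPTION.strip("^$")

# Path value from the alert in the Symptom section.
FLAGGED = "/display/IBD/Cautions+while+investing+time+on+Microsoft+AI+tools"

# Constructed sample paths: (path, should the exception cover it?)
SAMPLES = [
    (FLAGGED, True),
    (FLAGGED + "l", True),    # the trailing 'l?' in the pattern also admits this
    (FLAGGED + "/*", False),  # extra content after the page title
    (FLAGGED + "/edit", False),
    ("/x" + FLAGGED, False),  # extra content before the path
    ("/display/IBD/Other+while+page+time", False),
]


def excepted(pattern, path):
    """True if the exception pattern matches the path (SQLi check skipped)."""
    return re.search(pattern, path) is not None


def audit(pattern):
    """Return the sample paths where the pattern's result differs from intent."""
    return [path for path, want in SAMPLES if excepted(pattern, path) != want]


if __name__ == "__main__":
    for name, pattern in [("as published", EXCEPTION),
                          ("unescaped '+'", UNESCAPED),
                          ("unanchored", UNANCHORED)]:
        wrong = audit(pattern)
        print(f"{name}: {'OK' if not wrong else 'unexpected result for ' + repr(wrong)}")
```

An empty result from `audit` means the exception covers only the confirmed false positive; any path it lists is either still blocked or exempted from SQLi inspection unintentionally.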

 



Additional Information


View our documentation here for App Firewall Settings. 


