SQL Injection False Positive for SharePoint

sharepoint


#1 Chong

  • Members
  • 1 posts

Posted 29 January 2018 - 03:58 AM

We have Barracuda WAF deployed in front of a new SharePoint 2016 server.

 

We've been experiencing WAF denies for the following request:
 
URL: /_layouts/15/CalendarService.ashx
Attack Name: SQL Injection in Parameter
Attack Detail: type="sql-injection-medium" pattern="sql-comments" token=";#" value="0;#0"
 
As far as I know, SharePoint runs on Microsoft SQL Server, whilst the detected attack seems to be detecting a potential SQL comment pattern for MySQL. Hence this WAF denial looks like a false positive.
  1. Are there WAF best practices, templates, or manual exception configurations to avoid SharePoint false positives?
  2. Are there WAF best practices, templates, or manual exception configurations for different database platforms (Microsoft SQL vs MySQL), and to avoid Microsoft SQL false positives?

Any clarification or sharing of past experiences would be great. Thanks.



#2 Aravindan Anandan

  • Barracuda Team Members
  • 87 posts

Posted 01 March 2018 - 05:49 AM

Sorry for the delay. Barracuda WAF does provide a SharePoint-specific security policy that can be used with the service that you have set up. However, this particular instance of a request may still be blocked as it's part of a generic SQL Injection pattern group. You can, however, create an exception by either excluding the pattern for the entire service (in security policies->parameter protection) https://campus.barra...ter-protection/ or for a specific parameter by creating a parameter profile under websites->website profiles https://campus.barracuda.com/product/webapplicationfirewall/doc/4259971/configuring-website-profiles/?sl=AWHhLbB82E_97iy_kHIe&so=2