Developer forum


SQL Injection - ignore characters

Adrian Ursu (Dynamicweb Employee)

Hi guys,

I have a project based on DW 9.9.8 where I have an issue with security bans.

It seems that searching for something like this "It's my life" would trigger a ban on the IP.

This happens for both the back-end and the front-end.

It is clear to me that the character in question is " ' ". I can probably encode it in the front-end to solve the issue but how do I handle it in the back-end?

Is there any way I can set some exceptions for characters?

Thank you,

Adrian


Replies

 
Nicolai Pedersen

Hi Adrian

Try searching this site for the same string... It works. It is probably something else.

You cannot ignore characters, but you can ignore a specific parameter in the SQL settings. I.e. ignore "q"

 
Nicolai Pedersen

Refer to the SQL injection settings:

https://doc.dynamicweb.com/documentation-9/platform/advanced-settings/web-and-http#3518

 
Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

Thank you for the answers.

I agree that it is working. Most probably the customer used a different character for the apostrophe (maybe the word one) and that one is invalid. Or maybe some other combination.

One thing is clear, the regular character would not trigger the ban. This is fine for me and I can go back to my customer to prove it.

Thank you very much,


Adrian

 
Nicolai Pedersen

Hi Adrian

It is not one character alone that triggers the ban. It is specific patterns that resemble SQL injection, XSS or similar. This is also why you have to whitelist a parameter and not just a character. It would be interesting to see what triggered the ban and whether it is a false positive...

There are more checks for querystring variables than post variables.

BR Nicolai
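As an added illustration of the point Nicolai makes (pattern matching per parameter, not single-character matching; more rules on the querystring than on POST data; whitelisting by parameter name), here is a small request scanner. It is example code written for this thread, not Dynamicweb's own implementation: the regexes, rule names and the exact querystring/POST split are assumptions chosen to make the behaviour visible. It shows that "It's my life" passes with either a straight or a typographic apostrophe, that a classic `' OR 1=1 --` payload and a querystring-only XSS pattern trip it, that an innocent search can still be a false positive, and that ignoring a parameter such as `q` removes it from scanning entirely.

```python
"""Illustrative pattern-based request scanner (example code, not Dynamicweb's).

Assumptions: a few regexes for SQL-injection / XSS *patterns* applied to each
parameter value; querystring parameters get the SQLi and XSS rule sets, POST
parameters only the SQLi set; a parameter name can be ignored (whitelisted).
"""
import re
from urllib.parse import parse_qsl

# Assumed, illustrative rules. Note that none of them fires on a lone quote.
SQLI_RULES = {
    "quote-boolean": re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked-query": re.compile(r";\s*(drop|alter|insert|delete|update|exec)\b", re.I),
    "comment-terminator": re.compile(r"--\s*$|/\*.*?\*/"),
    "time-based": re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\s*\(", re.I),
}
XSS_RULES = {
    "script-tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
}


def scan_params(params, rules, ignored=()):
    """Return (parameter, rule) for every value that matches a rule.

    `ignored` is the parameter whitelist: a listed name is skipped entirely,
    whatever its value contains (this is what "ignore q" does in the thread).
    """
    hits = []
    for name, value in params:
        if name in ignored:
            continue
        for rule_name, rx in rules.items():
            if rx.search(value):
                hits.append((name, rule_name))
    return hits


def scan_request(query_string="", post_body="", ignored=()):
    """Scan one request. Querystring: SQLi + XSS rules. POST body: SQLi only."""
    query = parse_qsl(query_string, keep_blank_values=True)
    body = parse_qsl(post_body, keep_blank_values=True)
    hits = scan_params(query, {**SQLI_RULES, **XSS_RULES}, ignored)
    hits += scan_params(body, SQLI_RULES, ignored)
    return hits


def should_ban(query_string="", post_body="", ignored=()):
    """A ban decision is 'any rule matched on any non-ignored parameter'."""
    return bool(scan_request(query_string, post_body, ignored))


if __name__ == "__main__":
    # Constructed sample requests (URL-encoded as a browser would send them).
    cases = [
        ("straight apostrophe", dict(query_string="q=It%27s+my+life")),
        ("typographic apostrophe U+2019", dict(query_string="q=It%E2%80%99s+my+life")),
        ("classic SQLi payload", dict(query_string="q=%27+OR+1%3D1+--")),
        ("XSS in querystring", dict(query_string="q=%3Cscript%3Ealert(1)%3C/script%3E")),
        ("same XSS in POST body", dict(post_body="q=%3Cscript%3Ealert(1)%3C/script%3E")),
        ("innocent search, false positive", dict(query_string="q=union+select+committee")),
        ("SQLi payload but q ignored", dict(query_string="q=%27+OR+1%3D1+--", ignored=("q",))),
    ]
    for label, kwargs in cases:
        hits = scan_request(**kwargs)
        print(f"{label:32} ban={should_ban(**kwargs)!s:5} hits={hits}")
```

The "innocent search" case is the reason the scanner should log which parameter and which rule fired: "union select committee" is a perfectly plausible search term, and without that log entry a customer report of a ban looks exactly like the apostrophe theory in this thread. Whitelisting `q` makes the false positive go away, but it also silences the real payload in the last case, so the search handler behind `q` must not rely on the ban for its own safety (parameterised queries remain the actual defence).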

 
Adrian Ursu (Dynamicweb Employee)

Hi Nicolai,

Understood.

I will try to capture the error message from the ban next time it happens.

Thank you,

Adrian

 
