IPS SQL injection protection oversight?

2011-08-21, 10:47
We use IPS on 71.30. Has anyone else noticed that if you enable SQL injection protection (yes, I know it should really be done from within the application, long story), IPS appears to block requests containing the tag <SCRIPT> but not <ScRiPt> (notice the upper and lower case differences)?

During a recent pen test I noticed that CP still let requests through to a web server in our DMZ where the tags were multi-case. CP appeared to block single case (all lower at least) tags. Surely it is possible to correct this, no? It seems a glaring oversight to me.

Presumably the programming logic scans for keywords in the URL to block before passing it to the destination address. This problem could be fixed if before a tag is parsed, it could be run through a function like TOUPPER(tag).

Is anyone else seeing this?

2011-08-22, 05:48

The protection that searches for the <script> tag is "Cross Site Scripting" and not "SQL Injection".
For both of these protections the search for patterns is case insensitive.
A request with the tag <ScRiPt> is rejected by the "Cross Site Scripting" protection.
If you have an example of a request with this tag, which is not rejected properly, please let us know.


Masha Gutkhen
Team Leader - IPS Group

2011-08-22, 09:00
Hi Masha

Do you want to take this offline? I reviewed the audit trail and it appears that I enabled XSS protection against the web server in question several days before seeing the tags in the website logs. I can send you both the CP audit trail and web logs so you can see the web request string.

2011-08-22, 11:58
Please send me the request string. Thanks.

2011-08-23, 10:09
Just to close out this thread, this turned out to be a configuration error on my part. The Cross Site Scripting defence is configurable (I was not aware of this). By default the protection level is set to low, which will only filter POST requests - sufficient for most situations (thanks Masha for your assistance).
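
One way to check web server access logs for the mixed-case tags discussed in this thread, counted per HTTP method, since the closing post notes that the low protection level filters only POST requests. This is an added example, not part of the original thread and not Check Point code; the Combined Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Request field of a Combined Log Format line: "METHOD target PROTOCOL" (assumed layout)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Opening script tag in any case mix, tolerating whitespace after "<"
SCRIPT_TAG_RE = re.compile(r'<\s*script\b', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded tags are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_script_tags(log_lines):
    """Return (method, decoded_target) for each request whose URL carries a script tag."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        target = decode_fully(m.group("target"))
        if SCRIPT_TAG_RE.search(target):
            hits.append((m.group("method"), target))
    return hits

def hits_by_method(log_lines):
    """Count tagged requests per HTTP method to show which methods reached the server."""
    return Counter(method for method, _ in find_script_tags(log_lines))

# Constructed sample lines (not taken from the thread); documentation IP range
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Aug/2011:10:01:02 +0000] "GET /search?q=%3CScRiPt%3E HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Aug/2011:10:01:05 +0000] "GET /search?q=%253Cscript%253E HTTP/1.1" 200 498',
    '192.0.2.11 - - [21/Aug/2011:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.12 - - [21/Aug/2011:10:03:00 +0000] "POST /comment?ref=%3CSCRIPT%3E HTTP/1.1" 403 0',
    '192.0.2.13 - - [21/Aug/2011:10:04:00 +0000] "GET /docs/description.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for method, target in find_script_tags(SAMPLE_LOG):
        print(method, target)
    print(dict(hits_by_method(SAMPLE_LOG)))
```

Access logs record the request URL only, so tags carried in a POST body will not appear here and need a body-level log or capture to audit.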