SQL Threat Detector rule

This rule protects APIs against SQL injection attacks by detecting SQL commands in headers, paths, queries, and payloads.

Protects against SQL commands injected in the header, path, query, and payload of incoming HTTP requests. Malicious requests can contain commands like CREATE TABLE and DROP TABLE that can trigger unwanted modifications or denial of service in backend databases. With this rule, you can specify regular expressions (regex) to identify SQL commands, elements, strings, and non-database conformant characters to prevent execution of potentially harmful requests.

Known limitations

Complex regular expressions with certain patterns don't work correctly, causing either false positives (all payloads flagged as threats) or false negatives (no payloads flagged as threats). For details about affected patterns and recommended workarounds, see Regular expression limitations below.

Rule execution order

This SQL Threat Detector rule executes after the request has been authenticated.

If the request includes one of the specified SQL commands in the query string, header, or path, the requestor receives a Validation failed error. If the request doesn't include one of the specified SQL commands, the system applies the next rule or starts processing the request.

Field/Field set: When this rule should be applied
Description: An expression that defines one or more conditions that must be true for the rule to execute.
  Example: The expression request.method == "POST" causes the rule to execute only on POST requests.

Field/Field set: Threat Detection Regex
Description: The regular expression used to detect SQL threats. The default expression works as is. You can append entries, re-order them, or replace the expression with your own.
  Default value: .*'.*|.*ALTER.*|.*ALTER TABLE.*|.*ALTER VIEW.*|.*CREATE DATABASE.*|.*CREATE PROCEDURE.*|.*CREATE SCHEMA.*|.*CREATE TABLE.*|.*CREATE VIEW.*|.*DELETE.*|.*DROP DATABASE.*|.*DROP PROCEDURE.*|.*DROP.*|.*SELECT.*
  Example: .*'.*|.*ALTER.*|.*ALTER TABLE.*|.*ALTER VIEW.*|.*CREATE DATABASE.*|.*CREATE PROCEDURE.*|1 and 1|[^A-Za-z0-9[:space:]]+

Field/Field set: Description
Description: Default value: Requests are checked for SQL injection attempts.
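The following Go program is an added example (it is not the product's own code) that models how the rule above is evaluated: the rule condition is checked first (here a method restriction standing in for the request.method == "POST" expression), then the default Threat Detection Regex is tried against each request part in the order the page lists them. The Request type, the sample requests and the "first matching part" result are all constructed for the demonstration. It also shows two properties of the default pattern worth knowing before deploying it: it is case-sensitive as written, and `.*'.*` flags any apostrophe, including one in a legitimate name.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
)

// Request is a constructed, simplified HTTP request used for the demonstration.
type Request struct {
	Method  string
	Path    string            // raw path, without the query string
	Query   string            // raw query string, without the leading "?"
	Headers map[string]string // header name -> value
	Payload string
}

// DefaultDetector is the page's default Threat Detection Regex. It uses only
// permitted constructs (".*" and "|") and is case-sensitive as written.
const DefaultDetector = `.*'.*|.*ALTER.*|.*ALTER TABLE.*|.*ALTER VIEW.*|.*CREATE DATABASE.*|.*CREATE PROCEDURE.*|.*CREATE SCHEMA.*|.*CREATE TABLE.*|.*CREATE VIEW.*|.*DELETE.*|.*DROP DATABASE.*|.*DROP PROCEDURE.*|.*DROP.*|.*SELECT.*`

// Detector is a compiled threat regex plus the HTTP method the rule is limited
// to. The method restriction is a hypothetical stand-in for the rule's
// "When this rule should be applied" expression.
type Detector struct {
	re     *regexp.Regexp
	method string // "" means apply the rule to every request
}

// NewDetector compiles the pattern with Go's RE2-based regexp package, which,
// like the engine described on the page, accepts POSIX classes and (?i) and
// rejects lookaheads.
func NewDetector(pattern, method string) (*Detector, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	return &Detector{re: re, method: method}, nil
}

// decode URL-decodes s with the given decoder so that an encoded quote (%27)
// or space (%20) is matched as the character the database would see;
// undecodable input is matched as-is.
func decode(s string, dec func(string) (string, error)) string {
	if d, err := dec(s); err == nil {
		return d
	}
	return s
}

// Evaluate reports whether the request would receive the "Validation failed"
// error and which part matched first: headers, then path, query and payload.
func (d *Detector) Evaluate(r Request) (blocked bool, where string) {
	if d.method != "" && r.Method != d.method {
		return false, "" // rule condition not met: the rule is skipped
	}
	names := make([]string, 0, len(r.Headers))
	for n := range r.Headers {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic header order
	for _, n := range names {
		if d.re.MatchString(r.Headers[n]) {
			return true, "header " + n
		}
	}
	if d.re.MatchString(decode(r.Path, url.PathUnescape)) {
		return true, "path"
	}
	if d.re.MatchString(decode(r.Query, url.QueryUnescape)) {
		return true, "query"
	}
	if d.re.MatchString(r.Payload) {
		return true, "payload"
	}
	return false, ""
}

func main() {
	det, err := NewDetector(DefaultDetector, "POST")
	if err != nil {
		panic(err)
	}
	// Constructed sample requests.
	samples := []Request{
		{Method: "POST", Path: "/orders", Query: "q=DROP%20TABLE%20orders", Headers: map[string]string{"Content-Type": "application/json"}, Payload: `{"id": 7}`},
		{Method: "POST", Path: "/customers", Payload: `{"name": "O'Brien"}`},      // apostrophe in a real name
		{Method: "GET", Path: "/search", Query: "q=SELECT"},                        // rule condition not met
		{Method: "POST", Path: "/plans", Headers: map[string]string{"X-Note": "select a plan"}}, // lowercase, not matched
	}
	for _, s := range samples {
		blocked, where := det.Evaluate(s)
		fmt.Printf("%s %s -> blocked=%v %s\n", s.Method, s.Path, blocked, where)
	}
}
```

Run as shown, the first sample is rejected on its query string and the second on its payload; the third is never inspected because the rule condition excludes GET, and the fourth passes because the default regex does not match lowercase keywords. Prefixing the expression with (?i), as the page's regex limitations section permits, is the straightforward way to remove that case gap.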

Regular expression limitations

Not all regular expressions are supported by the SQL Threat Detector regex engine. Use the | operator for alternation only (for example, SELECT|UPDATE or (?i)(select|update|delete)). To match literal pipe characters, use a character class such as [|] (for a single pipe) or [|]{2} (for two consecutive pipes). Backslash-escaped pipes such as \| or \|\| are not supported and must be rewritten using [|]-based patterns.

Prohibited

  • \b - Word boundaries
  • \s - Whitespace shorthand
  • \S - Non-whitespace shorthand
  • \w - Word characters shorthand
  • \d - Digits shorthand
  • \|, \|\| - Backslash-escaped pipes; use [|] or [|]{2} instead
  • (?=.*\S) - Lookaheads containing shorthand classes

Permitted

  • [|] - Character class for pipe literals (single pipe: [|], double pipe: [|]{2})
  • [[:space:]] - POSIX whitespace class
  • [[:alnum:]] - POSIX alphanumeric class
  • . - Any character except line breaks
  • + - One or more quantifier
  • * - Zero or more quantifier
  • | - Alternation operator without backslash escaping (for example, SELECT|UPDATE)
  • () - Capturing groups
  • (?i) - Case-insensitive flag
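The following Go program is an added example, not the product's own code, covering the limitations listed above. RewriteForDetector converts the prohibited shorthands into the permitted POSIX forms (\s to [[:space:]], \d to [[:digit:]], \w to [[:alnum:]_], \| to [|] and \|\| to [|]{2}) and refuses constructs that have no supported equivalent (\b word boundaries, lookaheads). The rewritten pattern is then compiled with Go's RE2-based regexp package, which also accepts POSIX classes and (?i) and rejects lookaheads, so it can serve as an offline check before a pattern is pasted into the Threat Detection Regex field. It is an assumption that the detector's engine agrees with RE2 beyond what the page states; the sample patterns are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var (
	ErrWordBoundary = errors.New(`\b is prohibited and has no supported equivalent`)
	ErrLookahead    = errors.New("lookaheads are prohibited")
)

// shorthand maps a shorthand letter to its replacement outside and inside a
// bracket expression ("" means there is no safe equivalent inside a class).
var shorthand = map[byte][2]string{
	's': {"[[:space:]]", "[:space:]"},
	'S': {"[^[:space:]]", ""},
	'd': {"[[:digit:]]", "[:digit:]"},
	'w': {"[[:alnum:]_]", "[:alnum:]_"},
}

// RewriteForDetector returns p with prohibited shorthands replaced by permitted
// POSIX forms, or an error when p uses a construct the detector cannot accept.
func RewriteForDetector(p string) (string, error) {
	if strings.Contains(p, "(?=") || strings.Contains(p, "(?!") {
		return "", ErrLookahead
	}
	var out strings.Builder
	inClass := false
	for i := 0; i < len(p); i++ {
		c := p[i]
		switch {
		case c == '\\' && i+1 < len(p):
			i++
			n := p[i]
			if n == 'b' {
				return "", ErrWordBoundary
			}
			if n == '|' { // backslash-escaped pipe: rewrite to a character class
				if strings.HasPrefix(p[i+1:], `\|`) {
					i += 2
					out.WriteString("[|]{2}")
				} else {
					out.WriteString("[|]")
				}
				continue
			}
			if r, ok := shorthand[n]; ok {
				rep := r[0]
				if inClass {
					rep = r[1]
				}
				if rep == "" {
					return "", fmt.Errorf(`\%c inside a character class has no supported equivalent`, n)
				}
				out.WriteString(rep)
				continue
			}
			out.WriteByte('\\') // any other escape is copied unchanged
			out.WriteByte(n)
		case inClass && c == '[' && i+1 < len(p) && p[i+1] == ':':
			// copy a POSIX class such as [:space:] verbatim
			end := strings.Index(p[i:], ":]")
			if end < 0 {
				return "", errors.New("unterminated POSIX class")
			}
			out.WriteString(p[i : i+end+2])
			i += end + 1
		case c == '[' && !inClass:
			inClass = true
			out.WriteByte(c)
			// a ']' directly after '[' or '[^' is a literal, not the class end
			if i+1 < len(p) && p[i+1] == '^' {
				i++
				out.WriteByte('^')
			}
			if i+1 < len(p) && p[i+1] == ']' {
				i++
				out.WriteByte(']')
			}
		case c == ']' && inClass:
			inClass = false
			out.WriteByte(c)
		default:
			out.WriteByte(c)
		}
	}
	return out.String(), nil
}

// CompileForDetector rewrites p and compiles the result.
func CompileForDetector(p string) (*regexp.Regexp, error) {
	rw, err := RewriteForDetector(p)
	if err != nil {
		return nil, err
	}
	return regexp.Compile(rw)
}

func main() {
	// Constructed sample patterns: two that are rewritten, two that are rejected.
	for _, p := range []string{`SELECT\s+.*\|\|`, `[\s,]\d+`, `\bSELECT\b`, `(?=.*\S)`} {
		rw, err := RewriteForDetector(p)
		fmt.Printf("%-16s -> %q err=%v\n", p, rw, err)
	}
}
```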