SQL Injection in HTML Form POST


I have been playing around with ‘Cloudflare WAF’ configuration (currently I set sensitivity to high and challenge for the OWASP rules), specifically to prevent SQL Injection attacks. Unfortunately I’m not seeing the bad data (e.g. ghgh', message=(SELECT TABLE_NAME FROM information_schema.TABLES)--) being stopped by Cloudflare.

I am adding this data to various form fields and when I submit the form the data is submitted successfully.

I would expect Cloudflare to recognise that the data being submitted is a form of SQL Injection, and the submission should be blocked or challenged depending on how I have Cloudflare configured.

Would anyone have experience of this type of configuration and have any ideas what else I need to do to get this working?


