I have been playing around with ‘Cloudflare WAF’ configuration, (Currently I set sensitivity to high and challenge for the owasp rules) specifically to prevent SQL Injection attacks. Unfortunately I’m not seeing the bad data (eg. ghgh’, message=(SELECT TABLE_NAME FROM information_schema.
TABLES)–)being stopped by Cloudflare.
I am adding this data to various form fields and when I submit the form the data is submit successfully.
I would expect Cloudflare to recognise the data being submit is a form of SQL Injection and the submission should be blocked or challenged depending how I have Cloudflare configured.
Would anyone have experience of this type of configuration and have any ideas what else I need to do to get this working?