SQL Injection


#1

I just started using Cloudflare last night and had thought that sql injection would be limited / caught but 99% of traffic was sql injection attacks. Not a worry as my code is good but I see none were stopped or show up in my analytics as a threat.

3100 request with variations like this and I’m assuming all from one IP at 2 to 3 requests per second

%27%29%29%29%20RLIKE%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29oYso%29%20AND%20%28%28%28%27beod%27%3D%27beod HTTP/1.1" 500 5114 “-” “Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; c .NET CLR 3.0.04506; .NET CLR 3.5.30707; InfoPath.1; el-GR)”


#2

Judging from advertised features, only the Pro and above plans provide SQL injection protection through the Web Application Firewall (WAF).

Pro plan is $20/month with no commitment, so you can enable it for a month and see if that helps and then decide if it’s worth the $20/month.


#3

Possibly but I read
At all levels - Block known malicious threats from accessing your site. Security levels are customizable site by site.

I would expect some sort of notification or blocking based on the number and pattern of request.


#4

What Security Level (in the Firewall tab) do you have set for your site? I run “High” for my LAMP sites and haven’t received user complaints regarding access.


#5

I did have it a low and will try higher but still think that the number of requests from a single ip for the time period should have shown up in my analytics as a possible threat


#6

There’s also Rate Limiting…also under Firewall settings.


#7

There is no reason to think that such things would be a threat in the general sense, anyone hosting anything with an API behind Cloudflare would have similar patterns of legitimate traffic which should not be blocked or interfered with in Low mode.


#8

Sorry I disagree with the patterns I saw. A brief glance by anyone who looks at log files would see an attack


#9

And as I said earlier I’m not surprised they didn’t block them but I would expect my threat report to show them as threats or possible threats in my analytics.


#10

This topic was automatically closed after 14 days. New replies are no longer allowed.