This discussion has been locked.

Tracking down the source of a SQL Injection Alert error

I have a web site under development that threw this error: "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=3, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"

I can disable the SQL injection attack test in WAF, and then the page in question works, but I don't like leaving the metaphorical fire door propped open. The developer doesn't know why this particular page triggered the error and asked for more information, but I don't see anything in my UTM logs, unless it's the semicolons in the cookie generated by ASP.NET.

Is there a way to capture this information? Some logging that I didn't enable yet?

Thanks,

- Joe



  • Hi,

    Right before the error message you mentioned there must be other errors by ModSecurity.

    Could you please post the complete log lines?

    Sabine
  • I've identified the source of the SQL Injection pattern match. (It was a pair of chevrons in button text, i.e. "Forward >>".)

    The trick was looking at the archived log files, which I had not done before. That view contained much more detailed information than I was seeing in the live log files. That's where I'll be going from now on to troubleshoot issues like this.
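
The triage described in this thread, as an added example that is not part of any post and not code from the WAF product: it groups ModSecurity log lines by `unique_id` and, for each request that ended in "Anomaly Score Exceeded", lists the earlier rule hits with the variable and matched data that raised the score. The sample lines, rule ids, field name `btnNext`, cookie name and `unique_id` values are constructed; the bracketed `[id "…"] [msg "…"] [data "…"]` layout is the style ModSecurity 2.x writes to the Apache error log, and a given appliance may wrap it in extra prefix fields.

```python
import re
from collections import defaultdict

# Constructed sample lines; ids, names and unique_id values are made up.
SAMPLE_LOG = r'''
[error] ModSecurity: Warning. Pattern match "..." at ARGS:btnNext. [id "1001"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: > found within ARGS:btnNext: Forward >>"] [uri "/wizard.aspx"] [unique_id "AAAA0001"]
[error] ModSecurity: Access denied with code 403 (phase 2). [id "1009"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=3, XSS=): Last Matched Message: Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [uri "/wizard.aspx"] [unique_id "AAAA0001"]
[error] ModSecurity: Warning. Pattern match "..." at REQUEST_COOKIES:session. [id "1002"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ; found within REQUEST_COOKIES:session: a=1; b=2"] [uri "/other.aspx"] [unique_id "AAAA0002"]
'''

# [name "value"] pairs; the value may contain backslash-escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The inspected variable, e.g. "at ARGS:btnNext." in the free-text prefix.
TARGET = re.compile(r'\bat ([A-Z_]+(?::[^\s.]+)?)\.')
BLOCK_MARK = "Anomaly Score Exceeded"


def parse_line(line):
    """Return the bracketed fields of one log line plus the matched variable."""
    fields = dict(FIELD.findall(line))
    m = TARGET.search(line)
    fields["target"] = m.group(1) if m else None
    return fields


def explain_blocks(log_text):
    """Map each blocked request's unique_id to the rule hits that preceded it."""
    by_txn = defaultdict(list)
    for line in log_text.splitlines():
        if "ModSecurity:" in line:
            fields = parse_line(line)
            by_txn[fields.get("unique_id")].append(fields)
    report = {}
    for txn, events in by_txn.items():
        if any(BLOCK_MARK in e.get("msg", "") for e in events):
            report[txn] = [(e.get("id"), e["target"], e.get("data", ""))
                           for e in events if BLOCK_MARK not in e.get("msg", "")]
    return report


if __name__ == "__main__":
    for txn, hits in explain_blocks(SAMPLE_LOG).items():
        for rule_id, target, data in hits:
            print(f"{txn}: rule {rule_id} on {target}: {data}")
```

Run against the archived log rather than the live view, the per-request output gives the developer the exact form field or cookie to change, or the single rule to exempt for that path instead of switching off the whole SQL injection category.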