Securi firewall preventing certain text strings

Discussion in 'Forum Operations Center' started by Marc, Apr 15, 2021.

  1. Marc

    Marc Well-Known Member TCF Club

    22,065
    4,911
    Jun 26, 1999
    McMurray, PA

    I'm sure this is part of their filtering, but it took me a while to find out that my post was being rejected because I had this text in it: (think "Premiere" in YouTube terms where streaming availability merely starts at a particular time)

    This was from this post. Removing the parentheses seemed to allow me to use those words.

    I wanted to mention this in case it was worthwhile to pass along to Securi.

    Screen Shot 2021-04-15 at 8.19.28 AM.png

    Screen Shot 2021-04-15 at 8.19.37 AM.png
     
  2. kdmorse

    kdmorse Well-Known Member TCF Club

    8,625
    2,372
    Jan 29, 2001
    Germantown, MD
    Block ID: SQLi71
    Block reason: SQL injection was detected and blocked.

    So, something in that text is triggering a pattern match to a known SQL injection. I'll play around with it to see if I can boil it down to a smaller test case, but that's purely out of curiosity. The only real answer is to adjust the post (as you did) so it doesn't trigger that block.
     
  3. kdmorse

    kdmorse Well-Known Member TCF Club

    8,625
    2,372
    Jan 29, 2001
    Germantown, MD
    upload_2021-4-15_11-52-47.png

    The above is enough to trigger it. The word broadcast and the opening parenthesis are required to trigger it, so clearly there's a commonly abused broadcast function that takes parameters in SQL land. I was narrowing it down further when I apparently irritated the firewall and am now sitting out a temp ban.

    (At least I hope it's just a temp ban for that IP ;) )
     
  4. kdmorse

    kdmorse Well-Known Member TCF Club

    8,625
    2,372
    Jan 29, 2001
    Germantown, MD
    upload_2021-4-15_12-10-45.png

    Appears to be the bare minimum to make it complain.
     
  5. Marc

    Marc Well-Known Member TCF Club

    22,065
    4,911
    Jun 26, 1999
    McMurray, PA

    Thanks for figuring that out, @kdmorse!

    I also encountered the problem with this text below (changing the brackets to parentheses). There's no "where" inside that phrase, but "broadcast" is clearly a trigger.

     
  6. Rob Helmerichs

    Rob Helmerichs I am Groot! TCF Club

    58,833
    15,418
    Oct 17, 2000
    Minneapolis
    Looks like "from" is another SQL term...
     
  7. kdmorse

    kdmorse Well-Known Member TCF Club

    8,625
    2,372
    Jan 29, 2001
    Germantown, MD
    "broadcast" being a trigger has been bugging me, as it's not a SQL clause or function. Seeing it pop up again, the lightbulb went on: it's really only triggering on the word cast(. And that makes a lot more sense. Casting a subquery to a particular datatype, or just using cast( as obfuscation, seems perfectly plausible.

    (And yes, select, delete, update, where, and from are pretty much the backbones of a SQL statement.)
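
Added example, not part of the thread and not the firewall's actual signature (which this page does not show): a hypothetical rule pair illustrating the false positive worked out above, where an unanchored `cast(` pattern fires on "broadcast (" once an SQL keyword is also present. The rule logic, function names and sample sentences are all constructed for illustration.

```python
import re

# Hypothetical keyword list, taken from the words named in the thread.
SQL_KEYWORDS = re.compile(r"\b(?:select|delete|update|where|from)\b", re.I)

def make_rule(cast_pattern):
    """Build a toy rule: flag text containing a cast( call AND an SQL keyword."""
    cast_re = re.compile(cast_pattern, re.I)
    def rule(text):
        return bool(cast_re.search(text) and SQL_KEYWORDS.search(text))
    return rule

# Unanchored: "cast(" matches even as the tail of a longer word ("broadcast (").
naive_rule = make_rule(r"cast\s*\(")
# Anchored: "cast" must begin at a word boundary, so "broadcast (" is ignored.
bounded_rule = make_rule(r"\bcast\s*\(")

def classify(text):
    """Return (naive_verdict, bounded_verdict) for one submitted post body."""
    return naive_rule(text), bounded_rule(text)

# Constructed sample post bodies (not the actual posts from the thread).
SAMPLES = [
    "First broadcast (think premiere, where streaming starts at a set time).",
    "It airs on broadcast [not cable] from 8pm.",
    "The broadcast (East Coast feed) is delayed.",
    "SELECT CAST(price AS CHAR) FROM items",
    "The cast (all six of them) returned from hiatus.",
]

def report(samples=SAMPLES):
    """Return one (text, naive, bounded) row per sample."""
    return [(s, *classify(s)) for s in samples]

if __name__ == "__main__":
    for text, naive, bounded in report():
        print(f"naive={naive!s:5} bounded={bounded!s:5} {text}")
```

The last sample is still flagged by the anchored rule: a word boundary removes the "broadcast" collision, but ordinary prose containing "cast (" plus a keyword remains a false positive for any rule of this shape.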
     
