
I currently set up Load Balancing w/ Cloud Armor. Here's my rule set (basically from the docs):

evaluatePreconfiguredExpr('xss-v33-stable',
['owasp-crs-v030301-id941101-xss',
  'owasp-crs-v030301-id941150-xss',
  'owasp-crs-v030301-id941320-xss',
  'owasp-crs-v030301-id941330-xss',
  'owasp-crs-v030301-id941340-xss',
  'owasp-crs-v030301-id941380-xss'
]) || evaluatePreconfiguredExpr('sqli-v33-stable',
['owasp-crs-v030301-id942110-sqli',
  'owasp-crs-v030301-id942120-sqli',
  'owasp-crs-v030301-id942130-sqli',
  'owasp-crs-v030301-id942150-sqli',
  'owasp-crs-v030301-id942180-sqli',
  'owasp-crs-v030301-id942200-sqli',
  'owasp-crs-v030301-id942210-sqli',
  'owasp-crs-v030301-id942260-sqli',
  'owasp-crs-v030301-id942300-sqli',
  'owasp-crs-v030301-id942310-sqli',
  'owasp-crs-v030301-id942330-sqli',
  'owasp-crs-v030301-id942340-sqli',
  'owasp-crs-v030301-id942361-sqli',
  'owasp-crs-v030301-id942370-sqli',
  'owasp-crs-v030301-id942380-sqli',
  'owasp-crs-v030301-id942390-sqli',
  'owasp-crs-v030301-id942400-sqli',
  'owasp-crs-v030301-id942410-sqli',
  'owasp-crs-v030301-id942470-sqli',
  'owasp-crs-v030301-id942480-sqli',
  'owasp-crs-v030301-id942430-sqli',
  'owasp-crs-v030301-id942440-sqli',
  'owasp-crs-v030301-id942450-sqli',
  'owasp-crs-v030301-id942510-sqli',
  'owasp-crs-v030301-id942251-sqli',
  'owasp-crs-v030301-id942490-sqli',
  'owasp-crs-v030301-id942420-sqli',
  'owasp-crs-v030301-id942431-sqli',
  'owasp-crs-v030301-id942460-sqli',
  'owasp-crs-v030301-id942101-sqli',
  'owasp-crs-v030301-id942511-sqli',
  'owasp-crs-v030301-id942421-sqli',
  'owasp-crs-v030301-id942432-sqli',
  'owasp-crs-v030001-id942260-sqli'
  ]
)

I'm trying to do some testing by intentionally sending SQL injection queries. The goal was to capture some logs from Cloud Armor regarding the set sqli rule. My logging explorer query is set to: resource.type:(http_load_balancer) AND jsonPayload.enforcedSecurityPolicy.name:(MY_POLICY_NAME)

However, I can't find any logs related to my sqli query (in fact it just gets registered into the database without actually running the injected SQL).

I was curious: Where does Cloud Armor start watching for SQL injection? I assumed it would be as soon as it receives some traffic.

funtkungus

1 Answer


If you run a simple SQLi injection attempt like:

https://www.example.com/?category=Gifts%27+OR+1=1--"

This should trigger the "owasp-crs-v030001-id942180-sqli" rule.

A couple of thoughts as to why it isn't working for you:

  1. Is the backend Security Policy not enabled against your backend service on the load balancer?
  2. Do you have logs enabled on the load balancer backend service?
  3. Is the WAF rule in preview mode (so you wouldn't see the result in your jsonPayload.enforcedSecurityPolicy.name:(MY_POLICY_NAME) query)?

Cloud Armor rules start to take effect about 2 minutes after deployment (p90). It can take upwards of 10m to be fully deployed (p99).

Dave
  • Entering the URL parameters works and I can see the logs now, thanks. I'm curious as to why I couldn't do the same w/ using, say, an input from the client itself? – funtkungus Mar 13 '23 at 22:42
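
The three checks from the answer, as an added example (not from the original thread or from Google's tooling): a Python triage over the JSON that `gcloud compute backend-services describe` and `gcloud compute security-policies describe` emit with `--format=json`. The sample documents, project name and backend name are constructed, and the log sample-rate check goes one step beyond the answer's list.

```python
import json

# Constructed samples shaped like the output of the two describe commands.
BACKEND_JSON = """{
  "name": "web-backend",
  "securityPolicy": "https://www.googleapis.com/compute/v1/projects/example-project/global/securityPolicies/MY_POLICY_NAME",
  "logConfig": {"enable": true, "sampleRate": 0.1}
}"""
POLICY_JSON = """{
  "name": "MY_POLICY_NAME",
  "rules": [
    {"priority": 1000, "action": "deny(403)", "preview": true,
     "match": {"expr": {"expression": "evaluatePreconfiguredExpr('sqli-v33-stable')"}}},
    {"priority": 2147483647, "action": "allow", "preview": false,
     "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}
  ]
}"""

def diagnose(backend, policy):
    """Return reasons why WAF hits would be missing from an enforcedSecurityPolicy log query."""
    findings = []
    # Check 1: is this policy the one attached to the backend service?
    attached = backend.get("securityPolicy", "").rsplit("/", 1)[-1]
    if attached != policy["name"]:
        findings.append(f"policy {policy['name']} is not attached to backend {backend['name']}")
    # Check 2: is request logging on (and is every request sampled)?
    log_cfg = backend.get("logConfig", {})
    if not log_cfg.get("enable"):
        findings.append("logging is disabled on the backend service")
    elif log_cfg.get("sampleRate", 1.0) < 1.0:
        findings.append(f"log sample rate is {log_cfg['sampleRate']}, so some requests are not logged")
    # Check 3: preview rules log under previewSecurityPolicy, not enforcedSecurityPolicy.
    for rule in policy.get("rules", []):
        expr = rule.get("match", {}).get("expr", {}).get("expression", "")
        if "evaluatePreconfiguredExpr" in expr and rule.get("preview"):
            findings.append(f"rule {rule['priority']} is in preview; query "
                            "jsonPayload.previewSecurityPolicy instead")
    return findings

def run_sample():
    """Run the checks against the constructed samples above."""
    return diagnose(json.loads(BACKEND_JSON), json.loads(POLICY_JSON))

if __name__ == "__main__":
    for line in run_sample():
        print("-", line)
```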