DeleteSqlInjectionMatchSet

​

Event Information

• The DeleteSqlInjectionMatchSet event in AWS WAF refers to the action of deleting a SQL injection match set.
• A SQL injection match set is a collection of rules that AWS WAF uses to identify and block SQL injection attacks on web applications.
• When the DeleteSqlInjectionMatchSet event occurs, it means that a SQL injection match set has been removed from the AWS WAF configuration, and any associated rules and conditions are no longer active.

​

Examples

1. Inadequate input validation: If the DeleteSqlInjectionMatchSet operation is not properly implemented, it may allow for inadequate input validation. This can result in the deletion of valid SQL injection match sets, potentially leaving the application vulnerable to SQL injection attacks.

2. Insufficient access controls: If the necessary access controls are not in place, unauthorized users may be able to execute the DeleteSqlInjectionMatchSet operation. This can lead to the accidental or malicious deletion of SQL injection match sets, compromising the security of the application.

3. Lack of monitoring and auditing: Without proper monitoring and auditing, it may be difficult to detect and investigate any unauthorized or unintended deletions of SQL injection match sets. This can hinder incident response efforts and make it challenging to identify the root cause of security incidents.

​

Remediation

​

Using Console

1. Identify the specific AWS WAF rule that needs to be remediated based on the examples provided.

   • Log in to the AWS Management Console and navigate to the AWS WAF service.
   • Select the appropriate web ACL that contains the rule that needs to be remediated.

2. Modify the AWS WAF rule to address the identified issue.

   • Within the selected web ACL, locate the rule that needs to be remediated.
   • Click on the rule to access its configuration settings.
   • Adjust the rule’s parameters or conditions to align with the desired remediation action.
   • Save the changes made to the rule.

3. Test and monitor the remediated AWS WAF rule.

   • Deploy the updated web ACL to the appropriate AWS resources (e.g., Amazon CloudFront distribution, Application Load Balancer).
   • Monitor the traffic and behavior of the protected resources to ensure that the remediated rule is functioning as expected.
   • Continuously monitor and analyze the AWS WAF logs and metrics to identify any potential issues or anomalies that may require further remediation.

Note: The specific steps may vary depending on the AWS WAF console interface and the nature of the rule being remediated. It is important to refer to the AWS documentation for detailed instructions and best practices.

​

Using CLI

1. To remediate a specific rule in AWS WAF using AWS CLI, you can use the update-rule command. For example, if you want to update the rule with the rule ID “12345678-1234-1234-1234-123456789012” in a WebACL named “MyWebACL”, you can use the following command:

aws wafv2 update-rule --name MyWebACL --scope REGIONAL --id 12345678-1234-1234-1234-123456789012 --action ALLOW --override-action NONE

This command updates the specified rule to allow the traffic and removes any overriding actions.

2. To remediate a rate-based rule in AWS WAF using AWS CLI, you can use the update-rate-based-rule command. For example, if you want to update the rate-based rule with the rule ID “12345678-1234-1234-1234-123456789012” in a WebACL named “MyWebACL”, you can use the following command:

aws wafv2 update-rate-based-rule --name MyWebACL --scope REGIONAL --id 12345678-1234-1234-1234-123456789012 --rate-key IP --rate-limit 1000

This command updates the specified rate-based rule to limit the requests per IP to 1000.

3. To remediate a managed rule group in AWS WAF using AWS CLI, you can use the update-managed-rule-set-version command. For example, if you want to update the managed rule group with the ARN “arn:aws:wafv2:us-west-2:123456789012:managed-rule-set/aws-managed/gbqj2j5k5k-owasp-top-10” to the latest available version, you can use the following command:

aws wafv2 update-managed-rule-set-version --name gbqj2j5k5k-owasp-top-10 --scope REGIONAL --vendor-name aws-managed --managed-rule-set-id gbqj2j5k5k-owasp-top-10

This command updates the specified managed rule group to the latest available version.

​

Using Python

1. Example 1: Blocking IP addresses with AWS WAF using Python:
   • Use the AWS SDK for Python (Boto3) to interact with AWS WAF.
   • Write a Python script to retrieve the IP addresses that need to be blocked.
   • Use the create_ip_set method to create an IP set in AWS WAF.
   • Use the update_ip_set method to add the IP addresses to the IP set.
   • Use the update_web_acl method to associate the IP set with the desired web ACL.

import boto3

# Create AWS WAF client
waf_client = boto3.client('waf')

# Retrieve IP addresses to block
ip_addresses = ['192.0.2.1', '203.0.113.2']

# Create IP set
response = waf_client.create_ip_set(
    Name='BlockedIPSet',
    ChangeToken='CHANGE_TOKEN'
)

# Add IP addresses to IP set
response = waf_client.update_ip_set(
    IPSetId='IP_SET_ID',
    ChangeToken='CHANGE_TOKEN',
    Updates=[
        {
            'Action': 'INSERT',
            'IPSetDescriptor': {
                'Type': 'IPV4',
                'Value': ip_address
            }
        }
        for ip_address in ip_addresses
    ]
)

# Associate IP set with web ACL
response = waf_client.update_web_acl(
    WebACLId='WEB_ACL_ID',
    ChangeToken='CHANGE_TOKEN',
    Updates=[
        {
            'Action': 'INSERT',
            'ActivatedRule': {
                'Priority': 1,
                'RuleId': 'BLOCK_RULE_ID',
                'Action': {
                    'Type': 'BLOCK'
                }
            }
        }
    ]
)

2. Example 2: Enabling AWS WAF rate-based rules using Python:
   • Use the AWS SDK for Python (Boto3) to interact with AWS WAF.
   • Write a Python script to enable rate-based rules for a specific web ACL.
   • Use the create_rate_based_rule method to create a rate-based rule.
   • Use the update_web_acl method to associate the rate-based rule with the desired web ACL.

import boto3

# Create AWS WAF client
waf_client = boto3.client('waf')

# Create rate-based rule
response = waf_client.create_rate_based_rule(
    Name='RateBasedRule',
    MetricName='RateBasedRule',
    RateKey='IP',
    RateLimit=1000,
    ChangeToken='CHANGE_TOKEN'
)

# Associate rate-based rule with web ACL
response = waf_client.update_web_acl(
    WebACLId='WEB_ACL_ID',
    ChangeToken='CHANGE_TOKEN',
    Updates=[
        {
            'Action': 'INSERT',
            'ActivatedRule': {
                'Priority': 1,
                'RuleId': 'RATE_BASED_RULE_ID',
                'Action': {
                    'Type': 'COUNT'
                }
            }
        }
    ]
)

3. Example 3: Creating AWS WAF rules to block SQL injection using Python:
   • Use the AWS SDK for Python (Boto3) to interact with AWS WAF.
   • Write a Python script to create AWS WAF rules to block SQL injection attacks.
   • Use the create_rule method to create a rule for SQL injection.
   • Use the update_web_acl method to associate the rule with the desired web ACL.

import boto3

# Create AWS WAF client
waf_client = boto3.client('waf')

# Create rule for SQL injection
response = waf_client.create_rule(
    Name='SQLInjectionRule',
    MetricName='SQLInjectionRule',
    ChangeToken='CHANGE_TOKEN',
    Predicates=[
        {
            'DataId': 'SQL_INJECTION_DATA_ID',
            'Negated': False,
            'Type': 'SQLi'
        }
    ]
)

# Associate rule with web ACL
response = waf_client.update_web_acl(
    WebACLId='WEB_ACL_ID',
    ChangeToken='CHANGE_TOKEN',
    Updates=[
        {
            'Action': 'INSERT',
            'ActivatedRule': {
                'Priority': 1,
                'RuleId': 'SQL_INJECTION_RULE_ID',
                'Action': {
                    'Type': 'BLOCK'
                }
            }
        }
    ]
)