We are using Azure ASE v3 to host our web app with Azure Application Gateway and WAF V2. We have been getting quite a lot of false positives on data our users enter into a form in the app.
For example:
- "Matched Data": in ( found within ARGS:medicationsList: Aspirin ( 81mg )
- "Matched Data": t like t found within ARGS:supportPersonsAnswer: Support person felt like they take more aspirin.
Are there any standard approaches to addressing this problem apart from creating exclusions for medications? I understand those phrases were flagged due to combinations of SQL keywords but at the same time those are legitimate sentences a user would enter.
I am not familiar with Azure ASE or WAF, so this might not be helpful at all. The principle of SQL injection is that the user is able to pass a string which will then be executed by the server as a command, i.e., through a query. If you manage to get that input to never be executable, such as by using prepared statements, sanitising dangerous characters or character sequences, etc., you might be able to get away with not including that specific field/textbox in the WAF. Have a look at OWASP's guidance on SQL injection, as well as best practices from organisations such as NIST, to get you started.
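To make the "never executable" point in the answer concrete, here is an added example (not code from the question or the answer) that stores the two flagged form values from the question with both patterns: string concatenation, where the database parses the user text as part of the statement, and a prepared statement, where the text is bound as a parameter. It uses Python's standard-library sqlite3 as a stand-in for whatever database the web app actually uses, and the table name, column name and the third sample value containing an apostrophe are constructed for the demonstration.

```python
import sqlite3

# Constructed sample form values. The first two are the phrases the WAF flagged
# in the question; the third is constructed to contain an apostrophe, which is
# common in free text and is enough to break a concatenated statement.
SAMPLE_ANSWERS = [
    "Aspirin ( 81mg )",
    "Support person felt like they take more aspirin.",
    "Patient's aspirin (81mg)",
]


def new_db():
    """Fresh in-memory database with a single free-text column (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE answers (id INTEGER PRIMARY KEY, answer TEXT)")
    return conn


def insert_concatenated(conn, value):
    """'Before' pattern: the user text is spliced into the SQL, so the database
    parses it as part of the statement. Returns True if the statement ran and
    False if the parser rejected it (the apostrophe case)."""
    sql = f"INSERT INTO answers (answer) VALUES ('{value}')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_parameterised(conn, value):
    """Prepared statement: the SQL the database parses is a constant string and
    the user text travels separately as a bound parameter, so nothing the user
    types ('like', parentheses, quotes) can change the statement."""
    conn.execute("INSERT INTO answers (answer) VALUES (?)", (value,))


def stored_answers(conn):
    """Read back what was stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT answer FROM answers ORDER BY id")]


def compare(values=SAMPLE_ANSWERS):
    """Run both patterns over the same inputs and report the outcome of each."""
    concat_db, param_db = new_db(), new_db()
    concat_accepted = [insert_concatenated(concat_db, v) for v in values]
    for v in values:
        insert_parameterised(param_db, v)
    return {
        "concatenated_accepted": concat_accepted,
        "parameterised_stored": stored_answers(param_db),
    }


if __name__ == "__main__":
    print(compare())
```

Both WAF-flagged phrases happen to survive concatenation here, which is exactly why the rule fires on them: the database cannot tell a harmless "like" or "(" in a spliced string from one that is meant as syntax. With the parameterised insert every value is stored verbatim, including the apostrophe, and the statement text never varies with user input, which is the property that justifies relaxing the SQL-injection rules for that specific field rather than maintaining a growing list of medication-name exclusions.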