Category | Techniques / Indicators |
---|---|
Union-based Attacks | `UNION SELECT` statements; stacked queries; comment-based injections |
Error-based Attacks | Type conversion attacks; XPATH errors; syntax errors |
Time-based Attacks | `SLEEP()` functions; `BENCHMARK()` calls; heavy queries |
Technique | Description |
---|---|
Parent directory references | Use of `../` or `..\` to move up the file system hierarchy |
Absolute paths | Direct access to system paths such as `/etc/passwd` or `C:\Windows\System32` |
Symbolic links | Use of symlinks to bypass file access restrictions |
Technique | Description |
---|---|
URL encoding | Obfuscation using `%2e%2e%2f` (`../`) or similar |
Double encoding | Nested encoding such as `%252e%252e%252f`, which survives a single decoding pass |
Unicode variants | Alternate character representations of `../`, such as the fullwidth form `．．/` |
Technique | Description |
---|---|
File protocol | Attempts to access local files using file:// |
HTTP/HTTPS | Redirection or access to potentially unsafe endpoints |
Data URIs | Embedding data payloads using the `data:` scheme |
Technique | Description |
---|---|
Localhost references | Targets such as `127.0.0.1`, `::1`, or `localhost` |
Private IP ranges | Access to internal network IPs (e.g., `192.168.x.x`, `10.x.x.x`) |
DNS rebinding | Manipulating DNS resolution to redirect to internal services |
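The decoding and target-address checks listed in the path traversal and SSRF tables above, as an added Python example that is not the plugin's or page's own code. It percent-decodes until the value stops changing (which defeats double encoding), NFKC-folds fullwidth characters back to ASCII, and classifies an outbound URL by scheme and by whether the host literal is loopback, private, link-local or unspecified. The decimal IP form (`2130706433`) and IPv4-mapped IPv6 form go beyond the table's examples; the regexes, scheme list and function names are assumptions.

```python
"""Added example (not the plugin's own code): decoding obfuscated path
traversal payloads and classifying SSRF target URLs."""
import ipaddress
import re
import unicodedata
from urllib.parse import unquote, urlsplit

TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")                                 # ../ and ..\
ABSOLUTE_RE = re.compile(r"(?i)/etc/(?:passwd|shadow)|[a-z]:\\windows\\")  # absolute system paths
BLOCKED_SCHEMES = {"file", "dict", "gopher", "data"}                       # assumed deny-list


def normalize(value, max_rounds=3):
    """Percent-decode until the string stops changing (defeats double encoding),
    then NFKC-fold compatibility characters so fullwidth '．．／' becomes '../'."""
    previous, rounds = None, 0
    while value != previous and rounds < max_rounds:
        previous, value, rounds = value, unquote(value), rounds + 1
    return unicodedata.normalize("NFKC", value)


def has_traversal(value):
    """True if the decoded value walks up the directory tree or names a system path."""
    decoded = normalize(value)
    return bool(TRAVERSAL_RE.search(decoded) or ABSOLUTE_RE.search(decoded))


def _to_ip(host):
    """Parse an IP literal, including decimal (2130706433) and IPv4-mapped IPv6 forms."""
    try:
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None  # not an IP literal, i.e. a hostname
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return ip if mapped is None else mapped


def classify_url(url):
    """Return ('block' | 'allow', reason) for a user-supplied outbound URL."""
    parts = urlsplit(normalize(url))
    scheme = parts.scheme.lower()
    if scheme in BLOCKED_SCHEMES:
        return "block", f"disallowed scheme {scheme}:"
    if scheme not in ("http", "https"):
        return "block", f"unexpected scheme {scheme!r}"
    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if not host or host == "localhost" or host.endswith(".localhost"):
        return "block", "localhost reference"
    ip = _to_ip(host)
    if ip is None:
        # A hostname passes here but can still rebind to 127.0.0.1 at fetch time:
        # the same address check must be re-run on the address actually connected to.
        return "allow", f"hostname {host} (re-check after DNS resolution)"
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified or ip.is_reserved:
        return "block", f"internal address {ip}"
    return "allow", f"public address {ip}"
```

The hostname branch is the DNS-rebinding caveat from the table in code form: a string check on the URL cannot see what the name will resolve to, so the address check has to be repeated on the socket's peer address, not only on the literal in the request.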
Step | Description |
---|---|
Header extraction | Collect and normalize request headers |
Query parameter parsing | Extract and decode query string values |
Body deserialization | Parse request body (e.g., JSON, form-data) |
Content type handling | Determine how to interpret the body based on Content-Type |
Step | Description |
---|---|
Regular expression evaluation | Match request content against known attack patterns |
Custom pattern checking | Apply user-defined rules and patterns |
Threshold validation | Evaluate if pattern matches exceed configured limits |
Attack categorization | Classify the type of detected threat |
Step | Description |
---|---|
Threat scoring | Assign severity score based on matches and context |
Action determination | Decide whether to block, log, or allow the request |
Response generation | Prepare appropriate HTTP response |
Error handling | Capture and respond to internal processing issues |
Step | Description |
---|---|
Status code selection | Return appropriate HTTP status (e.g., 403, 422) |
Error message formatting | Include meaningful messages for blocked requests |
Header modification | Add or modify headers (e.g., for CORS, security) |
Logging and metrics | Record processing outcomes for observability |
Type | Description |
---|---|
Predefined Patterns | Built-in security rules; common attack signatures; updated regularly; performance optimized |
Custom Patterns | User-defined rules; regular expressions; pattern descriptions; priority settings |
Part | Checks |
---|---|
Header Analysis | Key-value pair checking; size validation; encoding verification; protocol compliance |
Query Analysis | Parameter inspection; value validation; encoding checks; length limits |
Body Analysis | Content parsing; deep object inspection; array handling; size validation |
Feature |
---|
Multiple attack type detection (SQL, NoSQL, Command, Path Traversal, etc.) |
Configurable blocking actions |
Pattern-based detection with regular expressions |
Support for custom patterns |
Request content analysis (headers, path, query, body) |
Attack Type | Description | Example Pattern |
---|---|---|
SQL | SQL injection attempts | `UNION SELECT`, `DROP TABLE` |
NoSQL | MongoDB injection patterns | `$where`, `$regex` |
Command | Shell command injection | `system()`, `exec()` |
Path Traversal | Directory traversal attempts | `../`, `..\` |
LDAP | LDAP injection patterns | `(cn=*)`, `(\|(cn=*))` |
XML | XML injection and XXE | `<!ENTITY`, `SYSTEM` |
SSRF | Server-side request forgery | `file://`, `dict://` |
File Inclusion | Local/remote file inclusion | `include()`, `require()` |
Template | Template injection attempts | `{{.}}`, `${...}` |
XPath | XPath injection patterns | `//`, `contains()` |
Header | HTTP header injection | `\r\n`, `\n\n` |
Parameter | Type | Description | Required |
---|---|---|---|
content_to_check | array | Request parts to analyze | Yes |
action | string | Action to take when attack detected | Yes |
status_code | number | HTTP status code for blocked requests | No |
error_message | string | Custom error message | No |
predefined_injections | array | List of enabled attack types | Yes |
custom_patterns | array | Custom regex patterns | No |
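The four processing stages described in the step tables above (request parsing, pattern matching, decision, response) driven by a configuration that uses the parameter names from the table, as an added Python example; it is not the plugin's own implementation. The predefined regex subset, the severity weights, the fields of a custom pattern entry (`name`, `pattern`, `severity`) and the sample requests are all assumptions made for the example.

```python
"""Added example (not the plugin's own code): a four-stage request inspection
pipeline driven by a configuration using the documented parameter names.
Pattern sets, severity weights and custom-pattern fields are assumptions."""
import json
import re
from urllib.parse import parse_qsl, unquote

# Illustrative subset of predefined patterns per attack type (assumption).
PREDEFINED = {
    "sql": re.compile(r"(?i)\bunion\b[\s/*]+(?:all\s+)?select\b|\bdrop\s+table\b|\b(?:sleep|benchmark)\s*\("),
    "nosql": re.compile(r"\$(?:where|regex|ne|gt)\b"),
    "command": re.compile(r"(?i)\b(?:system|exec|popen)\s*\(|;\s*(?:cat|id|whoami)\b"),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "ssrf": re.compile(r"(?i)\b(?:file|dict|gopher)://|//(?:127\.0\.0\.1|localhost|169\.254\.169\.254)\b"),
    "header": re.compile(r"\r\n|\n\n"),
}
SEVERITY = {"command": 10, "sql": 9, "nosql": 8, "ssrf": 8, "path_traversal": 7, "header": 5}

CONFIG = {  # keys follow the parameter table; custom-pattern fields are assumed
    "content_to_check": ["headers", "path", "query", "body"],
    "action": "block",
    "status_code": 403,
    "error_message": "Request blocked by injection protection",
    "predefined_injections": ["sql", "nosql", "command", "path_traversal", "ssrf", "header"],
    "custom_patterns": [{"name": "debug_backdoor", "pattern": r"(?i)\bdebug_token=", "severity": 6}],
}


def _flatten(obj, prefix=""):
    """Deep object inspection: reduce nested JSON to 'path=value' strings."""
    if isinstance(obj, dict):
        return [s for k, v in obj.items() for s in _flatten(v, f"{prefix}.{k}" if prefix else str(k))]
    if isinstance(obj, list):
        return [s for i, v in enumerate(obj) for s in _flatten(v, f"{prefix}[{i}]")]
    return [f"{prefix}={obj}"]


def extract_parts(request):
    """Stage 1: normalize headers, decode query values, deserialize the body by Content-Type."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    parts = {
        "headers": [f"{k}: {v}" for k, v in headers.items()],
        "path": [unquote(request.get("path", ""))],
        # parse_qsl decodes once; the second unquote catches double-encoded payloads
        "query": [f"{k}={unquote(v)}" for k, v in parse_qsl(request.get("query", ""), keep_blank_values=True)],
    }
    body, ctype = request.get("body", ""), headers.get("content-type", "")
    if ctype.startswith("application/json") and body:
        try:
            parts["body"] = _flatten(json.loads(body))
        except json.JSONDecodeError:
            parts["body"] = [body]  # malformed JSON: scan the raw text rather than failing open
    elif ctype.startswith("application/x-www-form-urlencoded"):
        parts["body"] = [f"{k}={v}" for k, v in parse_qsl(body, keep_blank_values=True)]
    else:
        parts["body"] = [body] if body else []
    return parts


def match_patterns(parts, config):
    """Stage 2: run predefined and custom regexes over the configured request parts."""
    checks = [(t, PREDEFINED[t], SEVERITY[t]) for t in config["predefined_injections"]]
    checks += [(f"custom:{c['name']}", re.compile(c["pattern"]), c.get("severity", 5))
               for c in config.get("custom_patterns", [])]
    findings = []
    for location in config["content_to_check"]:
        for text in parts.get(location, []):
            for attack_type, rx, severity in checks:
                m = rx.search(text)
                if m:
                    findings.append({"type": attack_type, "location": location,
                                     "match": m.group(0), "severity": severity})
    return findings


def decide(findings, config):
    """Stage 3: score the request (highest severity plus one per extra hit, capped at 10)
    and choose block / log / allow according to the configured action."""
    if not findings:
        return {"action": "allow", "score": 0}
    score = min(10, max(f["severity"] for f in findings) + len(findings) - 1)
    action = config["action"] if config["action"] in ("block", "log") else "allow"
    return {"action": action, "score": score}


def build_response(decision, findings, config):
    """Stage 4: status code, error body and security headers for a blocked request."""
    if decision["action"] != "block":
        return None
    return {
        "status": config.get("status_code", 403),
        "headers": {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"},
        "body": json.dumps({"error": config.get("error_message", "Forbidden"),
                            "attack_types": sorted({f["type"] for f in findings})}),
    }


def inspect_request(request, config):
    """Run all four stages; returns action, score, findings and the response (None if not blocked)."""
    findings = match_patterns(extract_parts(request), config)
    decision = decide(findings, config)
    return {**decision, "findings": findings, "response": build_response(decision, findings, config)}


# Constructed sample requests for the example (not captured traffic).
SAMPLE_REQUESTS = {
    "sqli": {"path": "/api/users", "query": "id=1%2520UNION%2520SELECT%2520password%2520FROM%2520users",
             "headers": {"Host": "api.example.test"}},
    "nosql": {"path": "/api/search", "headers": {"Content-Type": "application/json"},
              "body": json.dumps({"filter": {"$where": "this.role == 'admin'"}})},
    "header": {"path": "/redirect", "headers": {"X-Redirect": "/home\r\nSet-Cookie: admin=1"}},
    "benign": {"path": "/api/notes", "headers": {"Content-Type": "application/json"},
               "body": json.dumps({"name": "Union Station", "note": "drop me a line at the table"})},
}
```

The `sqli` sample is double-encoded (`%2520` rather than `%20`); it is caught only because the query stage decodes a second time after `parse_qsl`, which is the point of the "decode query string values" step. With `"action": "log"` the same request is reported with its findings but no response is generated, so the request proceeds.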