Technical Overview

The Injection Protection plugin implements a multi-layered defense system to detect and block various injection attacks. It operates in the pre-request stage and analyzes all parts of incoming HTTP requests.

Core Components

The detection system is composed of several core components designed to ensure high performance and accuracy in identifying malicious requests.

1. Pattern Detection Engine

This component is responsible for identifying malicious patterns using optimized matching techniques.

  • Pre-compiled regular expressions for faster performance.
  • Case-insensitive pattern matching to detect variations.
  • Support for complex attack patterns that span multiple tokens or formats.
  • Custom pattern registration to allow user-defined detection logic.

2. Request Analyzer

The Request Analyzer dissects incoming HTTP requests and prepares them for pattern inspection.

  • Multi-part request analysis, including headers, query parameters, and body content.
  • JSON and form-data parsing to normalize structured payloads.
  • Recursive object traversal for deeply nested content.
  • UTF-8 encoding support to handle all standard web formats.

3. Attack Detection System

This system evaluates parsed requests against all registered patterns and coordinates the response logic.

  • Real-time pattern matching to immediately detect threats.
  • Concurrent request processing for scalability under load.
  • Early termination on detection to prevent further processing of malicious requests.
  • Detailed attack logging for observability and forensic analysis.

SQL Injection Detection

Category            | Techniques / Indicators
--------------------|---------------------------------------------------------------------
Union-based Attacks | UNION SELECT statements; stacked queries; comment-based injections
Error-based Attacks | Type conversion attacks; XPATH errors; syntax errors
Time-based Attacks  | SLEEP() functions; BENCHMARK() calls; heavy queries

Command Injection Detection

Command injection occurs when untrusted input is used to build and execute system-level commands. This plugin detects several patterns commonly associated with command injection attempts.

  • Shell Commands

    The plugin can identify execution of typical shell commands that indicate a potential attack:

    • System command execution
    • Process spawning
    • Command chaining
  • Shellshock Patterns

    The following patterns associated with Shellshock vulnerabilities are detected:

    • Environment variables
    • Function definitions
    • Command substitution
  • Command Separators

    Special characters used to chain or separate commands are monitored, including:

    • Semicolons (;)
    • Pipes (|)
    • Backticks (`)

Path Traversal Detection

Path Traversal vulnerabilities allow attackers to access files and directories outside the intended scope. This plugin detects such attempts using multiple strategies.

  • Directory Navigation

    Technique                   | Description
    ----------------------------|---------------------------------------------------------------------------
    Parent directory references | Use of ../ or ..\ to move up the file system hierarchy
    Absolute paths              | Direct access to system paths such as /etc/passwd or C:\Windows\System32
    Symbolic links              | Use of symlinks to bypass file access restrictions
  • Encoding Variations

    Technique        | Description
    -----------------|---------------------------------------------------------
    URL encoding     | Obfuscation using %2e%2e%2f (../) or similar
    Double encoding  | Nested encoding such as %252e%252e%252f
    Unicode variants | Alternate Unicode character representations of ../
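The normalization the Encoding Variations table implies, written out as an added Go example (not the plugin's own code): percent-decode until the value stops changing so double encoding unwinds, fold separator variants, then look for a whole `..` segment. The three-round decode cap, the fullwidth-character folding and the invalid-UTF-8 check are this example's own choices.

```go
package main

import (
	"net/url"
	"strings"
	"unicode/utf8"
)

// maxDecodeRounds bounds repeated percent-decoding (assumed value): double
// encoding needs two rounds, and the cap keeps a pathological input from
// looping the normalizer.
const maxDecodeRounds = 3

// separators folds Windows backslashes and the fullwidth Unicode forms of
// "." and "/" (U+FF0E, U+FF0F) onto the ASCII characters the matcher expects.
var separators = strings.NewReplacer("\\", "/", "\uff0e", ".", "\uff0f", "/")

// normalizePath percent-decodes until the value is stable, then folds
// separator variants, so %2e%2e%2f, %252e%252e%252f and ..\ all become ../.
func normalizePath(p string) string {
	cur := p
	for i := 0; i < maxDecodeRounds; i++ {
		dec, err := url.PathUnescape(cur)
		if err != nil || dec == cur {
			break
		}
		cur = dec
	}
	return separators.Replace(cur)
}

// TraversalReason returns why a path or parameter value was flagged, or ""
// when it is clean. Only a whole ".." segment counts, so a name such as
// "report..final.pdf" does not trip it.
func TraversalReason(p string) string {
	n := normalizePath(p)
	if !utf8.ValidString(n) {
		// Sequences like %c0%af decode to invalid UTF-8: an overlong encoding
		// whose only purpose is to hide a dot or slash from a naive decoder.
		return "malformed UTF-8 after decoding"
	}
	for _, seg := range strings.Split(n, "/") {
		if seg == ".." {
			return "parent directory reference"
		}
	}
	return ""
}
```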

SSRF Detection

Server-Side Request Forgery (SSRF) occurs when an attacker tricks the server into making requests to unintended locations. The plugin detects SSRF attempts through URL patterns and internal access indicators.

  • URL Schemes

    Technique     | Description
    --------------|-----------------------------------------------------
    File protocol | Attempts to access local files using file://
    HTTP/HTTPS    | Redirection or access to potentially unsafe endpoints
    Data URIs     | Embedding data payloads using the data: scheme
  • Internal Access

    Technique            | Description
    ---------------------|-------------------------------------------------------------
    Localhost references | Targets such as 127.0.0.1, ::1, or localhost
    Private IP ranges    | Access to internal network IPs (e.g., 192.168.x.x, 10.x.x.x)
    DNS rebinding        | Manipulating DNS resolution to redirect to internal services
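The URL Schemes and Internal Access checks above, as an added Go example that is not the plugin's code: a blocked-scheme list, a localhost test, and a literal-address test that goes slightly beyond the page's listed ranges by also catching unspecified and link-local addresses. The scheme list and the returned reason strings are assumptions of this example.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// blockedSchemes are the URL schemes this page lists as SSRF indicators
// (example list, not the plugin's configuration).
var blockedSchemes = map[string]bool{"file": true, "data": true, "dict": true}

// isInternalIP folds the page's localhost and private-range checks into one
// test and also catches unspecified (0.0.0.0, ::) and link-local addresses.
// IPv4-mapped IPv6 forms are handled because net.IP.To4 unwraps them.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast()
}

// CheckSSRF returns a non-empty reason when a URL found in request content
// uses a blocked scheme or points at an internal address. Only literal hosts
// are classified here; a hostname must be resolved at request time and every
// resolved address re-checked, which is what closes the DNS rebinding gap.
func CheckSSRF(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "unparseable URL"
	}
	scheme := strings.ToLower(u.Scheme)
	switch {
	case blockedSchemes[scheme]:
		return "blocked scheme " + scheme
	case scheme != "http" && scheme != "https":
		return "unsupported scheme " + scheme
	}
	host := strings.ToLower(u.Hostname())
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return "localhost reference"
	}
	if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
		return "internal address " + host
	}
	return ""
}
```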

Processing Pipeline

The processing pipeline defines the sequence of operations performed on each incoming request, from parsing to final response generation.

  • Request Parsing

    Step                    | Description
    ------------------------|--------------------------------------------------------------
    Header extraction       | Collect and normalize request headers
    Query parameter parsing | Extract and decode query string values
    Body deserialization    | Parse the request body (e.g., JSON, form-data)
    Content type handling   | Determine how to interpret the body based on Content-Type
  • Pattern Matching

    Step                          | Description
    ------------------------------|-----------------------------------------------------
    Regular expression evaluation | Match request content against known attack patterns
    Custom pattern checking       | Apply user-defined rules and patterns
    Threshold validation          | Evaluate whether pattern matches exceed configured limits
    Attack categorization         | Classify the type of detected threat
  • Decision Making

    Step                 | Description
    ---------------------|-------------------------------------------------------
    Threat scoring       | Assign a severity score based on matches and context
    Action determination | Decide whether to block, log, or allow the request
    Response generation  | Prepare the appropriate HTTP response
    Error handling       | Capture and respond to internal processing issues
  • Response Generation

    Step                     | Description
    -------------------------|-------------------------------------------------------
    Status code selection    | Return the appropriate HTTP status (e.g., 403, 422)
    Error message formatting | Include meaningful messages for blocked requests
    Header modification      | Add or modify headers (e.g., for CORS, security)
    Logging and metrics      | Record processing outcomes for observability
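The Core Components and the Pattern Matching step above, as an added Go example rather than the plugin's code: patterns compiled once at load, a recursive walk over a parsed JSON body that reaches nested objects and arrays, and early termination on the first hit. The two regexes, the "body.user.q" location format and the JSON-only scope (headers, path, query and form-data bodies are left out) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Compiled once at load; (?i) = case-insensitive. These encode only the page's own indicators, not the plugin's rule set.
var rules = map[string]*regexp.Regexp{
	"sql":     regexp.MustCompile(`(?i)\bunion\s+(all\s+)?select\b|\bdrop\s+table\b`),
	"command": regexp.MustCompile(`(?i)\b(system|exec)\s*\(`),
}

// walk visits every string in a decoded JSON value (objects and arrays are descended) and stops once visit returns true.
func walk(v interface{}, loc string, visit func(string, string) bool) bool {
	switch x := v.(type) {
	case map[string]interface{}:
		for k, c := range x {
			if walk(c, loc+"."+k, visit) {
				return true
			}
		}
	case []interface{}:
		for i, c := range x {
			if walk(c, fmt.Sprintf("%s[%d]", loc, i), visit) {
				return true
			}
		}
	case string:
		return visit(loc, x)
	}
	return false
}

// InspectBody returns the attack type and JSON path of the first match, or "", "" when clean or not JSON (nil doc, no-op walk).
func InspectBody(body []byte) (attackType, location string) {
	var doc interface{}
	_ = json.Unmarshal(body, &doc)
	walk(doc, "body", func(loc, s string) bool {
		for typ, re := range rules {
			if re.MatchString(s) {
				attackType, location = typ, loc
				return true
			}
		}
		return false
	})
	return
}
```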

Configuration Details

The plugin allows for flexible configuration of pattern types to adapt to various security needs.

Pattern Types

Type                | Description
--------------------|-------------------------------------------------------------------------------------
Predefined Patterns | Built-in security rules; common attack signatures; updated regularly; performance optimized
Custom Patterns     | User-defined rules; regular expressions; pattern descriptions; priority settings

Content Analysis

Part            | Checks
----------------|--------------------------------------------------------------------------------
Header Analysis | Key-value pair checking; size validation; encoding verification; protocol compliance
Query Analysis  | Parameter inspection; value validation; encoding checks; length limits
Body Analysis   | Content parsing; deep object inspection; array handling; size validation

Performance Optimization

Pattern Matching

  • Pre-compiled patterns
  • Early termination
  • Memory efficient
  • CPU optimized

Request Processing

  • Concurrent handling
  • Buffered reading
  • Streaming support
  • Resource limits

Memory Management

  • Zero-copy where possible
  • Buffer pooling
  • Garbage collection friendly
  • Memory limits

Features

  • Multiple attack type detection (SQL, NoSQL, Command, Path Traversal, etc.)
  • Configurable blocking actions
  • Pattern-based detection with regular expressions
  • Support for custom patterns
  • Request content analysis (headers, path, query, body)

Attack Types

The plugin detects the following types of attacks:

Attack Type    | Description                   | Example Pattern
---------------|-------------------------------|--------------------------
SQL            | SQL injection attempts        | UNION SELECT, DROP TABLE
NoSQL          | MongoDB injection patterns    | $where, $regex
Command        | Shell command injection       | system(), exec()
Path Traversal | Directory traversal attempts  | ../, ..\
LDAP           | LDAP injection patterns       | (cn=*), ((cn=*))
XML            | XML injection and XXE         | <!ENTITY, SYSTEM
SSRF           | Server-side request forgery   | file://, dict://
File Inclusion | Local/remote file inclusion   | include(), require()
Template       | Template injection attempts   | {{.}}, ${...}
XPath          | XPath injection patterns      | //, contains()
Header         | HTTP header injection         | \r\n, \n\n

Configuration

{
  "name": "injection_protection",
  "enabled": true,
  "stage": "pre_request",
  "settings": {
    "content_to_check": ["headers", "path_and_query", "body"],
    "action": "block",
    "status_code": 400,
    "error_message": "Potential security threat detected",
    "predefined_injections": [
      {
        "type": "sql",
        "enabled": true
      },
      {
        "type": "command",
        "enabled": true
      }
    ],
    "custom_patterns": [
      {
        "name": "custom_pattern",
        "pattern": "malicious.*pattern",
        "description": "Custom malicious pattern"
      }
    ]
  }
}

Configuration Parameters

Parameter             | Type   | Description                           | Required
----------------------|--------|---------------------------------------|---------
content_to_check      | array  | Request parts to analyze              | Yes
action                | string | Action to take when an attack is detected | Yes
status_code           | number | HTTP status code for blocked requests | No
error_message         | string | Custom error message                  | No
predefined_injections | array  | List of enabled attack types          | Yes
custom_patterns       | array  | Custom regex patterns                 | No

Usage Example

curl -X POST "http://localhost:8080/api/v1/gateways" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Protected Gateway",
    "subdomain": "protected",
    "required_plugins": [
      {
        "name": "injection_protection",
        "enabled": true,
        "stage": "pre_request",
        "settings": {
          "content_to_check": ["headers", "path_and_query", "body"],
          "action": "block",
          "status_code": 400,
          "predefined_injections": [
            {
              "type": "sql",
              "enabled": true
            },
            {
              "type": "command",
              "enabled": true
            }
          ]
        }
      }
    ]
  }'

Best Practices

  1. Enable Multiple Attack Types
  • Enable the attack types relevant to your application
  • Consider your application's attack surface
  • Balance security against false positives
  2. Content Selection
  • Check all relevant request parts
  • Consider the performance impact
  • Monitor for false positives
  3. Custom Patterns
  • Keep patterns specific and targeted
  • Test thoroughly before deployment
  • Document the purpose of each pattern
  4. Error Messages
  • Use informative but safe messages
  • Avoid revealing system details
  • Log detailed information internally

Performance Considerations

  • Uses pre-compiled regex patterns
  • Efficient request parsing
  • Minimal memory footprint
  • Linear scaling with request size
  • Concurrent processing support