HTTP requests containing likely SQL injection queries

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1190-exploit-public-facing-application

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect HTTP requests whose query strings contain patterns often associated with SQL injection probes.

Strategy

This rule monitors OCSF HTTP query strings for suspicious SQL-like constructions and correlates volume and success responses, grouped by @ocsf.src_endpoint.ip and path.

Triage and response

  • Review application and database logs for the time window around the alert from {{@ocsf.src_endpoint.ip}}.
  • Validate that user input is handled with parameterized queries or equivalent controls on affected routes.