api
security_error
ai_generated: true
400 Bad Request: Query parameter contains blocked SQL keywords
ID: api/rest-query-parameter-sql-injection-blocked
88% Fix Rate
86% Confidence
1 Evidence
2024-01-08 First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS WAF 2024 | active | — | — | — |
| Cloudflare WAF 2023 | active | — | — | — |
| Kong Gateway 3.5 | active | — | — | — |
| nginx ModSecurity 3.0 | active | — | — | — |
Root Cause
The API gateway or WAF (Web Application Firewall) ran its SQL-injection rule set over a query-string value, matched SQL keywords (e.g., SELECT, DROP, UNION) or injection-like syntax in it, and rejected the request with 400 before it reached the backend. The rule matches the text of the parameter, not how the backend uses it, so legitimate input such as a search term that happens to contain SQL-like words trips the same rule as an actual injection attempt.
Official Documentation
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-whitelist.html
Workarounds
- 90% success: Use POST requests with a JSON body instead of GET with query parameters for search/filter endpoints whose user input may legitimately contain SQL keywords. This takes the value out of the URL, where query-string inspection is almost always enabled. Check how the gateway treats request bodies before relying on it: AWS WAF, Cloudflare and the OWASP Core Rule Set all run their SQL-injection rules over JSON bodies when body inspection is enabled (AWS WAF up to a configured size limit), so on such a deployment the request is blocked on the body field just the same, and the workaround only helps where body inspection is off or configured less strictly.
- 85% success: Add a WAF exception that excludes the specific parameter name (e.g., 'search' or 'query') from the SQL-injection rules if that parameter is known to accept arbitrary text that may include SQL-like patterns as legitimate data (e.g., a code search tool). Scope the exception to that parameter on that endpoint path rather than to the whole rule group, and confirm before adding it that the backend only ever passes the parameter to the database through parameterized queries, since the WAF will no longer check it.
Dead Ends
Common approaches that don't work:
- 85% fail: Double URL-encoding the parameter value to slip it past the rule. Modern WAFs decode URL-encoded payloads, repeatedly, before inspection, so double encoding at best works until the rule set is updated; it is itself a well-known evasion pattern that rule sets flag, and it leaves the backend with a still-encoded value if it decodes the parameter only once.
- 95% fail: Disabling the SQL-injection rule, or the WAF, for the endpoint. This removes the protection entirely and leaves the API exposed to actual SQL injection attempts; not recommended for production.
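The points above (why a keyword rule rejects legitimate search text, why moving or exempting the parameter is only defensible when the backend binds it as a query parameter, and why double encoding does not get past the rule) can be seen together in the following added example. It is illustrative code written for this page, not the rule logic of AWS WAF, Cloudflare, Kong or ModSecurity: `waf_inspect` is a deliberately tiny stand-in for a gateway SQL-keyword rule, its `inspect_body` and `exempt_params` switches model a body-inspection setting and a per-parameter exception as assumptions about a deployment, and the sqlite database of code snippets is constructed sample data.

```python
import json
import re
import sqlite3
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a tiny stand-in for a gateway SQL-injection rule. Real rule sets
# (CRS 942xxx, AWS WAF SQLi match, Cloudflare managed rules) match far more than
# a keyword list, but the false-positive mechanism is the same: the text of the
# value is matched, not how the backend uses it.
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # layers of percent-encoding stripped before matching


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing, as WAFs do before
    inspection, so a double-encoded %2553ELECT still becomes SELECT."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def waf_inspect(url: str, body: Optional[str] = None, *,
                inspect_body: bool = True,
                exempt_params: frozenset = frozenset()) -> tuple:
    """Return ("block", reason) or ("allow", "").

    exempt_params models a per-parameter exception rule; inspect_body models
    whether the gateway runs the rule over JSON bodies. Both are assumptions
    about a given deployment, not defaults of any particular product.
    """
    query = urlsplit(url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in exempt_params:
            continue
        for value in values:  # parse_qs has already decoded one layer
            if SQL_KEYWORDS.search(fully_decode(value)):
                return "block", f"query parameter {name!r} matched SQL keyword rule"
    if inspect_body and body:
        try:
            fields = json.loads(body)
        except ValueError:
            fields = {}
        for name, value in (fields.items() if isinstance(fields, dict) else []):
            if name in exempt_params or not isinstance(value, str):
                continue
            if SQL_KEYWORDS.search(value):
                return "block", f"body field {name!r} matched SQL keyword rule"
    return "allow", ""


def open_snippet_db() -> sqlite3.Connection:
    """In-memory code-search table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO snippets (body) VALUES (?)", [
        ("SELECT id FROM users WHERE email = ?",),
        ("def drop_cache(): cache.clear()",),
        ("UNION ALL keeps duplicate rows",),
    ])
    return conn


def search_snippets(conn: sqlite3.Connection, term: str) -> list:
    """Backend search that a WAF exception is safe to put in front of: the term
    is bound as a parameter, so SQL keywords in it are data, never query text."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT body FROM snippets WHERE body LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",),
    ).fetchall()
    return [body for (body,) in rows]


if __name__ == "__main__":
    for url, body, opts in [
        ("/api/search?q=select+id+from+users", None, {}),
        ("/api/search?q=%2553ELECT", None, {}),  # double-encoded SELECT
        ("/api/search?q=select+id", None, {"exempt_params": frozenset({"q"})}),
        ("/api/search", '{"q": "select id from users"}', {}),
        ("/api/search", '{"q": "select id from users"}', {"inspect_body": False}),
    ]:
        print(url, body, waf_inspect(url, body, **opts))
    db = open_snippet_db()
    print(search_snippets(db, "select id"))
    print(search_snippets(db, "'; DROP TABLE snippets; --"))
```

Running it shows that `select id from users` is blocked as a query parameter and, with body inspection on, as a JSON field too; that the double-encoded `%2553ELECT` is decoded back to SELECT and still blocked; and that the same strings, including a `'; DROP TABLE snippets; --` attempt, reach the sqlite query as plain data, return only matching rows, and leave the table untouched.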