科技回声

Umh, this article is dubious.1. If your WAF can be fooled by adding a X-Forwarded-For header, trouble ahead.2. If your security strategy is about mitigating attacks where the payload matches some regular expressions, trouble ahead. Machine learning? Double trouble ahead.3. If you don't write only completely static queries[1] to then use as prepared statements or use a proper ORM[2] when using a SQL database, trouble ahead.[1] <a href="https://www.akadia.com/services/dyn_modify_where_clause.html" rel="nofollow">https://www.akadia.com/services/dyn_modify_where_clause.html</a>[2] Like linq, jOOQ...

WAF's are never good enough. They're a weak band-aid used by companies who lack the expertise to find and fix security bugs in their own code.

This is an advertisement.

That's why we now have RASP. It's better than SQL proxy and WAF, because you have both the SQL query and the HTTP parameters and you can correlate them to be super accurate

WAF's are never good enough. They're a weak band-aid used by companies who lack the expertise to find and fix security bugs in their own code.

This is an advertisement.

That's why we now have RASP. It's better than SQL proxy and WAF, because you have both the SQL query and the HTTP parameters and you can correlate them to be super accurate

Preventing SQL Injections When WAF’s Not Enough

4 条评论

Preventing SQL Injections When WAF’s Not Enough

4 条评论