Forum Discussion

NoamRotter
Dec 31, 2019

How to block Time-Based Blind SQL Injection Attacks

I have a web app, and a PT was able to perform this attack successfully:

https://mywebsite/Login.aspx?test=;waitfor delay '0:0:__TIME__'--

The VS has ASM profile with server technologies:

  • IIS
  • MSSQL
  • ASP.NET
  • Microsoft Windows

The policy is in blocking mode

I don't want to remove "test" parameter from the parameters list

In the ASM policy I see Signature ID: 200002548

"SQL-INJ waitfor delay (URI)" in Block = YES and Enable = YES

I don't understand why the ASM is not blocking this attack.


How do I block this kind of attack using attack signatures?

1 Reply

  • I have noticed that Parameter * was in staging and URL * was in staging. Enforcing them caused the attack to be blocked.