SOC165 - Possible SQL Injection Payload Detected
Moving on to web attacks!
In this LetsDefend alert, the rule name points to a potential SQL injection attack against our web application. The alert details told me that the device had allowed the action, meaning that I might or might not find some server-side manipulation based on the URL that was requested.
Following our playbook as always, I began my investigation by using the destination IP address provided in the alert to identify that the attack had occurred against our company's Web Server (WebServer1001).
Before moving forward, I gathered information about the domain, primary user and last login associated with this server.
A quick VirusTotal scan of the source IP, together with a Whois lookup, indicated that the attack was malicious and had come from the University of Southern California Information Services Institute. I supported these findings by also searching the IP on AbuseIPDB, which reported a 100% confidence of abuse and placed its origin in a city in California.
I then moved on to analyze the HTTP logs associated with the victimized device and found the raw log entry requesting the URL flagged in the alert. I took note of the user agent, request method, HTTP response size and status. It is important to note that the company web server's HTTP response was a 500 status code, which tells us that the attack was not successful. To better understand the underlying nature of the HTTP request, whose URL was clearly encoded, I leveraged CyberChef to decode the URL and uncovered its use of an "OR" operator followed by the always-true statement "1=1" and a trailing comment sequence (--). Ding! Standard SQL injection payload found.
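To make the decode-and-inspect step concrete, the following is an added Python example (not part of the original write-up, nor LetsDefend or CyberChef code) that URL-decodes the request path from a few constructed access-log lines and flags the tautology and comment indicators described above. The log format, IP addresses, timestamps and payloads are all constructed for illustration and are not from the alert.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, not from the alert).
# Line 2 carries the classic ' OR 1=1 -- tautology, URL-encoded, and drew a 500.
# Line 3 carries the quoted variant admin' or '1'='1 without a comment sequence.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2024:10:00:00 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /products?id=%27%20OR%201%3D1%20-- HTTP/1.1" 500 2048 "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:09 +0000] "GET /login?user=admin%27%20or%20%271%27%3D%271 HTTP/1.1" 200 1300 "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+) "(?P<ua>[^"]*)"$'
)

# Indicators checked against the *decoded* URL:
#  - tautology: OR <x> = <x>, with or without surrounding quotes (OR 1=1, or '1'='1')
#  - comment:   a SQL comment terminator used to discard the rest of the query
#  - union:     UNION [ALL] SELECT, the usual data-extraction follow-up
# '#' is deliberately not treated as a comment: in a URL it is a fragment and never
# reaches the server, so it cannot be part of an injected query.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"\bor\b\s*'?\s*(\w+)\s*'?\s*=\s*'?\s*\1\b", re.I)),
    ("comment", re.compile(r"(--|/\*)")),
    ("union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
]


def url_decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line):
    """Parse one log line and return its fields plus any SQLi indicators found; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded_url = url_decode_fully(m.group("url"))
    indicators = [name for name, rx in SQLI_PATTERNS if rx.search(decoded_url)]
    return {
        "src": m.group("src"),
        "method": m.group("method"),
        "raw_url": m.group("url"),
        "decoded_url": decoded_url,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "indicators": indicators,
    }


def triage(lines):
    """Return only the parsed entries that carry at least one SQLi indicator."""
    hits = []
    for line in lines:
        entry = analyze_line(line)
        if entry and entry["indicators"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(f'{hit["src"]} {hit["method"]} {hit["decoded_url"]} -> {hit["status"]} '
              f'indicators={hit["indicators"]} ua="{hit["ua"]}"')
```

The decoded URL is what you compare against the payload classes, never the raw one: `%27%20OR%201%3D1%20--` only reveals itself as `' OR 1=1 --` after decoding, and attackers sometimes double-encode to slip past filters that decode once. The status code is carried alongside the indicators so the analyst can record it in the ticket, as the write-up does with the 500.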
To finish and summarize the results from the playbook tasks, I:
- verified that the traffic was malicious
- identified the attack as SQL injection
- combed through internal mail systems to find that this was not a planned test
- confirmed the traffic's direction as coming from the internet to our internal network (the web server)
- validated that the attack was unsuccessful
I documented the investigation artifacts, added my final notes, and closed the alert.