What is SQL Injection?
SQL injection occurs when untrusted user input is concatenated into database queries. Attackers can manipulate queries to bypass authentication, extract data, or modify database contents.
Common Exploits:
- Bypass authentication with ' OR '1'='1
- Extract data with UNION SELECT statements
- Modify data with DROP TABLE or DELETE
- Execute commands with xp_cmdshell
Before WAF: Vulnerable
Without Cloudflare WAF in front of the Worker, SQL injection payloads reach the origin and execute successfully.
Try it with cURL:
# Bypass authentication
curl -X POST "<your-worker-url>/api/login" \
-H "Content-Type: application/json" \
  -d '{"username":"admin'\''--","password":"anything"}'
# Result: {"success":true,"role":"admin"}
# The payload commented out the password check!
Vulnerability: User input is concatenated directly into the SQL query without sanitization.
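As an added example (not code from this page or from Cloudflare), here is the concatenation pattern behind the vulnerability above next to a parameterized form of the same query. The table name `users`, its columns and the helper names are assumptions for illustration; the D1-style `prepare(sql).bind(...)` shape is mentioned only in a comment.

```javascript
// Added example, not the page's or Cloudflare's code. Table and column names
// (users, username, password, role) are assumed for illustration.

// VULNERABLE: the username and password are spliced into the SQL text, so
// input containing a quote or a comment marker rewrites the query itself.
function buildLoginQueryUnsafe(username, password) {
  return (
    "SELECT role FROM users WHERE username = '" + username +
    "' AND password = '" + password + "'"
  );
}

// HARDENED: the SQL text is a constant with placeholders; the values travel
// separately as bind parameters and can never change the query's structure.
// (This is the shape Cloudflare D1 expects: db.prepare(sql).bind(...params).)
function buildLoginQuerySafe(username, password) {
  return {
    sql: "SELECT role FROM users WHERE username = ? AND password = ?",
    params: [username, password],
  };
}

// Drop everything after a "--" line comment, which is what the database
// engine does before evaluating the statement. Illustration only: a real
// SQL parser also handles quoted strings, block comments and so on.
function effectiveQuery(sql) {
  const idx = sql.indexOf("--");
  return idx === -1 ? sql : sql.slice(0, idx).trimEnd();
}

// Defensive check used here to make the damage visible: does the statement
// the engine will actually run still compare the password column?
function stillChecksPassword(sql) {
  return /\bpassword\s*=/i.test(effectiveQuery(sql));
}

// Demo run with constructed inputs
const normal = buildLoginQueryUnsafe("alice", "s3cret");
const injected = buildLoginQueryUnsafe("admin'--", "anything");
console.log(stillChecksPassword(normal));   // true
console.log(stillChecksPassword(injected)); // false: the password clause was commented out
console.log(buildLoginQuerySafe("admin'--", "anything")); // sql unchanged, payload stays in params
```

The unsafe builder produces a statement whose `AND password = ...` clause sits behind a comment marker supplied by the user, so the engine never evaluates it. In the parameterized form the payload is just a value in `params`; the SQL text is identical for every input, which is the fix the WAF below adds a layer in front of.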
After WAF: Protected
With the Cloudflare WAF OWASP Core Ruleset enabled, the same SQL injection request is blocked at the edge before it reaches the Worker.
Enable Cloudflare Protection:
- Go to Cloudflare Dashboard → Security → WAF
- Enable "OWASP Core Ruleset"
- Set SQL Injection sensitivity to "High"
- Re-run the request above; it is now blocked with HTTP 403
Result: SQL injection patterns (', --, UNION, OR 1=1) are blocked at the edge.
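To make the "blocked at the edge" step concrete, here is an added, illustrative request inspector that checks a parsed JSON body against the four pattern classes named above. It is not Cloudflare's ruleset and not code from this page: the rule list, the `inspectBody` helper and the sample bodies are all constructed for the example.

```javascript
// Added example, not Cloudflare's ruleset. A toy edge filter covering the four
// pattern classes the page names; rules and sample bodies are constructed.
const SQLI_RULES = [
  { name: "single-quote", re: /'/ },
  { name: "comment",      re: /--|\/\*/ },
  { name: "union-select", re: /\bunion\b[\s\S]*?\bselect\b/i },
  { name: "tautology",    re: /\bor\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+/i },
];

// Names of the rules a single string value triggers, in rule order.
function matchSqli(value) {
  return SQLI_RULES.filter((r) => r.re.test(value)).map((r) => r.name);
}

// Inspect every string field of a parsed JSON body and return the decision
// an edge rule would make: 403 when any field matches, otherwise pass through.
function inspectBody(body) {
  const hits = {};
  for (const [field, value] of Object.entries(body)) {
    if (typeof value !== "string") continue;
    const matched = matchSqli(value);
    if (matched.length > 0) hits[field] = matched;
  }
  const blocked = Object.keys(hits).length > 0;
  return { blocked, status: blocked ? 403 : 200, hits };
}

// Constructed sample bodies: one clean login, two of the payload shapes from
// this page, and a legitimate name containing an apostrophe.
const samples = {
  legit:      { username: "alice",         password: "hunter2" },
  injected:   { username: "admin'--",      password: "anything" },
  tautology:  { username: "x' OR '1'='1",  password: "x" },
  apostrophe: { username: "O'Brien",       password: "hunter2" },
};

for (const [label, body] of Object.entries(samples)) {
  console.log(label, JSON.stringify(inspectBody(body)));
}
```

The `apostrophe` sample is the caveat a practitioner should expect: a bare single-quote rule also blocks a real user named O'Brien, which is why production rulesets score several weaker signals rather than firing on one character, and why the edge rule is a layer in front of parameterized queries rather than a replacement for them.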
Cloudflare WAF Protection
- ✓ SQL Injection Rules: Block common SQLi patterns
- ✓ Input Sanitization: Detect suspicious characters
- ✓ OWASP Core Ruleset: Comprehensive attack protection