Detection: SQL Injection User Agent Based
Overview
Detect SQL injection attacks that use the User-Agent header rather than URL parameters to bypass WAF protections or input filtering. This is an advanced evasion technique where attackers inject SQL code into the HTTP User-Agent header instead of query parameters or form fields. This method often bypasses traditional web application firewalls (WAFs) and input validation controls that focus on standard request parameters.
This detection identifies SQL injection patterns in the User-Agent header, including SQL commands (SELECT, UNION, INSERT), comment markers, logic-based patterns (OR 1=1), database-specific functions, and time-based techniques. Attackers increasingly target non-standard HTTP headers to evade security controls. Unlike parameter-based SQL injection, User-Agent-based attacks often bypass WAF rules focused on URL parameters and form fields, may not appear in web server logs that don't record full header information, and can exploit backend logging systems that directly store User-Agent values in databases.
Web applications that store User-Agent strings directly in databases without proper sanitization, log management systems that process User-Agent data through SQL queries, and analytics platforms that consume User-Agent data for statistics are particularly at risk from this attack vector.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.sql_injection_user_agent_based
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.sql_injection_user_agent_based --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  http_user_agent is not null
  and (
    -- Basic SQL injection patterns in User-Agent
    http_user_agent ilike '%select%from%'
    or http_user_agent ilike '%union%select%'
    or http_user_agent ilike '%insert%into%'
    or http_user_agent ilike '%update%set%'
    or http_user_agent ilike '%delete%from%'
    or http_user_agent ilike '%drop%table%'
    -- Common SQL comment markers and logic patterns
    or http_user_agent ilike '%/*_%*/%'
    or http_user_agent ilike '%--+%'
    or http_user_agent ilike '%-- %'
    or http_user_agent ilike '%;--%'
    or http_user_agent ilike '%or%1=1%'
    or http_user_agent ilike '%or%true%'
    -- Database-specific User-Agent attacks
    or http_user_agent ilike '%@@version%'
    or http_user_agent ilike '%information_schema%'
    or http_user_agent ilike '%sqlite_master%'
    or http_user_agent ilike '%pg_tables%'
    or http_user_agent ilike '%sys.%'
    -- Time-based techniques
    or http_user_agent ilike '%sleep(%'
    or http_user_agent ilike '%benchmark(%'
    or http_user_agent ilike '%pg_sleep(%'
    or http_user_agent ilike '%waitfor%delay%'
  )
order by
  tp_timestamp desc;
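To see what the where clause above actually flags before running it against a live apache_access_log table, the following added example (not part of the apache_access_log_detections mod) replays the same ILIKE patterns in Python over a handful of constructed Apache combined-format lines. The log lines, the regex used to parse them, and the `secure=true` probe User-Agent are assumptions built for this illustration; the last line shows how the loose `%or%true%` pattern can also fire on a benign monitoring agent, which is the tuning caveat to keep in mind.

```python
import re

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "' OR 1=1-- "
203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] "GET /about HTTP/1.1" 500 0 "-" "Mozilla/5.0' UNION SELECT username,password FROM users--"
203.0.113.9 - - [10/Oct/2024:13:56:03 +0000] "GET /about HTTP/1.1" 200 0 "-" "x' AND pg_sleep(5)--"
203.0.113.11 - - [10/Oct/2024:13:57:10 +0000] "GET /health HTTP/1.1" 200 2 "-" "Monitor/1.0 (uptime-probe; secure=true)"
"""

# The ILIKE patterns from the detection's where clause, in the same order.
UA_PATTERNS = [
    "%select%from%", "%union%select%", "%insert%into%", "%update%set%",
    "%delete%from%", "%drop%table%",
    "%/*_%*/%", "%--+%", "%-- %", "%;--%", "%or%1=1%", "%or%true%",
    "%@@version%", "%information_schema%", "%sqlite_master%", "%pg_tables%", "%sys.%",
    "%sleep(%", "%benchmark(%", "%pg_sleep(%", "%waitfor%delay%",
]

# Assumed combined format: ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "(.*)"$')

def ilike_to_regex(pattern):
    """Translate a SQL ILIKE pattern: '%' = any run of characters, '_' = one character, rest literal."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

COMPILED = [(p, ilike_to_regex(p)) for p in UA_PATTERNS]

def matched_patterns(user_agent):
    """Return the patterns the User-Agent satisfies, in where-clause order (empty list = not flagged)."""
    return [p for p, rx in COMPILED if rx.search(user_agent)]

def scan_log(text):
    """Apply the detection to raw log text, keeping the query's timestamp/operation/resource/actor columns."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these rather than drop them silently
        ip, ts, method, uri, status, ua = m.groups()
        pats = matched_patterns(ua)
        if pats:
            hits.append({"timestamp": ts, "operation": method, "resource": uri,
                         "status": int(status), "actor": ua, "source_ip": ip, "patterns": pats})
    return hits
```

Each hit records which patterns fired, which is what you want when deciding whether a pattern such as `%or%true%` or `%sys.%` needs tightening for your own traffic.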