Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

WAF Blocking JQL Queries as SQL INJECTION

Nikhil
Nikhil November 19, 2018
We have spoke to our WAF vendor and they came with the following issues. were WAF is blocking the traffic as it assumes JQL as SQL. Is there any way we could do the changes in APPLICATION LEVEL. For Eg:- Users "A" when accessing externally filtering an issue using JQL filter. JIRA is unable to load the issues. When checked WAF logs method say PUT and Attack say SQL INJECTION. Is there any way we can over come this issue. Thankyou
Answer
Watch
Like Be the first to like this
3459 views

3 answers

2 votes
Grigory Salnikov
Grigory Salnikov
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 19, 2018

Hi @Nikhil !

I think you could approach this issue from 2 sides:

1. Whitelist known IP addresses (for example your HQ's or branches');

2. Tune WAF so that it accepts frequent JQL expressions, especially those used in public filters.

View More Comments
Seth
Seth
Contributor
November 19, 2018

I'm not sure what WAF is being used, but we used an AWS WAF that would flag a request as SQL injection just for having " and " or " or " in the string. There is a lot of syntax in common between JQL and SQL, so whitelisting the known IP addresses or specific pages that accept JQL is going to be your best bet.

To be fair, the AWS WAF rules didn't allow for much tuning (that I'm aware of), but your WAF may.

View More Comments
Like # people like this
Grigory Salnikov
Grigory Salnikov
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 19, 2018

False-positives are an essential part of every WAF, so you're to spend some time fine-tuning it. WAFs are not to be considered as some kind of safety-switch :)

View More Comments
Like # people like this
Nikhil
Nikhil November 21, 2018

@Seth whitelisting web pages is not a good option as it my be same as just disableing SQL Injection. Thank you

Like
Seth
Seth
Contributor
November 21, 2018

Yeah, it does disable WAF SQL injection protection on those pages. In our app, we've just taken extra care to make sure those pages aren't vulnerable to SQL injection. The WAF should be a first-line of defense, not the only defense.

The point of the WAF SQL injection filter is to block requests that look like they contain SQL when they shouldn't. Since JQL is so similar to SQL in syntax, any request that is expected to contain JQL will need to bypass the WAF.

Not quite this extreme, but it would be like putting a SQL-injection WAF in front of phpmyadmin, then complaining that I can't submit any queries.

Like
Reply
0 votes
Nikhil
Nikhil November 21, 2018

Yeah true we are using fortinet. And I was just checking other way how can we make this application secure. Thank you

Reply
0 votes
Nikhil
Nikhil November 21, 2018

@Seth I am sorry I didn't get you. Can you explain wether this can be done or not in WAF. By the way is there a way we can set WAF to accept JQL but still not accept WAF. I guess I am asking which is not possible. Anyways thank you guys.

View More Comments
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 21, 2018

The problem here is your WAF settings, and you're asking people who know Atlassian stuff, not WAF (and you've not even said what WAF). 

You need to configure the WAF to allow this through, there's nothing that can be done on the application side, as it's not doing anything wrong.

It certainly is possible, if you're using the right sort of WAF.  The response from your vendor (try to blame someone else) suggests that it doesn't support doing it properly, so you're probably stuck.

Like Seth likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.