{"id":1597998,"date":"2026-04-20T13:34:06","date_gmt":"2026-04-20T11:34:06","guid":{"rendered":"https:\/\/blog.wedos.com\/?p=1597998"},"modified":"2026-04-20T13:34:10","modified_gmt":"2026-04-20T11:34:10","slug":"od-detekce-po-nasazeni-jak-vznika-nove-bezpecnostni-pravidlo-ve-wedos-global-protection","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/od-detekce-po-nasazeni-jak-vznika-nove-bezpecnostni-pravidlo-ve-wedos-global-protection","title":{"rendered":"From detection to deployment: how a new security rule is created in WEDOS Global Protection"},"content":{"rendered":"\n<p>Since the middle of last year we have been working on a new infrastructure for the WEDOS Global Protection (WGP) service. The goal was to build a solution that is more robust, faster, easier to maintain and able to host more advanced detection mechanisms.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>The new infrastructure lets us analyse not only HTTP headers but also the request body and even metadata at the TLS layer. That opens the door to techniques such as JA4 and JA4H fingerprinting and other, more generic detection methods.<\/p>\n\n\n\n<p>In January 2026 we gradually migrated to the new solution. By now every customer using WEDOS Global Protection should be on it. If you have an active WGP service and access to the administration, you have probably noticed the new options for building rules. 
The administration itself will still go through further changes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why we cannot be too strict<\/h2>\n\n\n\n<p>With the new infrastructure we are technically able to implement protection that in many cases could replace a conventional WAF for web traffic on ports 80 and 443. That does not mean it is always the right approach.<\/p>\n\n\n\n<p>Real-world traffic contains a large number of non-standard applications and API interfaces. If we set the rules too strictly, we start breaking legitimate customer traffic. Rules therefore have to be designed with great care.<\/p>\n\n\n\n<p>Security is always a trade-off between:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>protecting the infrastructure<\/li>\n\n\n\n<li>service stability<\/li>\n\n\n\n<li>compatibility with customers' applications<\/li>\n<\/ul>\n\n\n\n<p>That is exactly why we have defined processes that determine how we respond to new types of attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A wave of vulnerability scanning via EXTRACTVALUE<\/h2>\n\n\n\n<p>Last week we observed increased automated vulnerability scanning aimed at SQL injection techniques that use the <strong>EXTRACTVALUE<\/strong> function.<\/p>\n\n\n\n<p>This is not a new technique. It has been known for more than ten years and belongs to the class of <em>error-based SQL injection<\/em>. 
Yet it keeps coming back in waves, each time new vulnerabilities in widely used applications are published.<\/p>\n\n\n\n<p>The principle is simple.<\/p>\n\n\n\n<p>In MySQL\/MariaDB the <code>EXTRACTVALUE()<\/code> function is used to work with XML data: its second argument is an XPath expression. If that argument is not valid XPath, the database raises an error, and the error message quotes the offending string. That is exactly where an attacker can smuggle in data from the database: a subquery is wrapped in <code>CONCAT()<\/code> behind a leading character that makes the result syntactically invalid XPath, so the query result is echoed back inside the error text.<\/p>\n\n\n\n<p>A sample payload can look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>EXTRACTVALUE(1, CONCAT(':', (SELECT user())))<\/code><\/pre>\n\n\n\n<p>The result is a database error that, under ideal circumstances for the attacker, would look like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>XPATH syntax error: ':root@localhost'<\/code><\/pre>\n\n\n\n<p>In other words:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the application returns an error<\/li>\n\n\n\n<li>the error contains data from the database<\/li>\n\n\n\n<li>the attacker obtains information without needing the application to display any query output<\/li>\n<\/ul>\n\n\n\n<p>Two practical details follow from this. The technique only works when database errors are passed through to the HTTP response, which is why scanners probe every form and parameter they can find; and MySQL truncates the quoted string in that error to 32 characters, so longer values are read out in pieces with <code>SUBSTRING()<\/code>, one request per chunk. That is why the technique is popular in automated scanners: it is simple, fast and reliable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why this technique showed up right now<\/h2>\n\n\n\n<p>In recent months a larger number of SQL injection vulnerabilities have been published in various web applications and plugins. 
As soon as such a vulnerability appears in the CVE database or in exploit databases, automated tools start sweeping the internet within a short time and testing whatever services are reachable.<\/p>\n\n\n\n<p>For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>in February 2026 the <strong>CVE-2026-24419<\/strong> flaw in the OpenSTAManager application was published; it allowed data to be extracted from the database precisely through the <code>extractvalue()<\/code> or <code>updatexml()<\/code> functions and the database error messages they produce<\/li>\n\n\n\n<li>further SQL injection vulnerabilities were published in various web applications and systems, for example <strong>CVE-2025-34038<\/strong>, where arbitrary SQL queries could be executed through an unvalidated parameter in an HTTP request<\/li>\n\n\n\n<li>similar flaws keep appearing in plugins and web applications wherever user input is used directly when building SQL queries, without proper input handling<\/li>\n<\/ul>\n\n\n\n<p>Once such a vulnerability is public, the scenario is typically the following:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>the vulnerability is published<\/li>\n\n\n\n<li>an exploit or proof-of-concept is released<\/li>\n\n\n\n<li>automated scanning of the internet begins<\/li>\n\n\n\n<li>vulnerable systems are identified<\/li>\n<\/ol>\n\n\n\n<p>So this is not a targeted attack on a specific website. 
It is the systematic testing of a large number of systems, and it very easily turns into what amounts to a small DDoS attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What the actual scan looked like<\/h2>\n\n\n\n<p>Below is a real scan of one e-shop whose code is very well optimised, so it withstood the attack but was noticeably slowed down. Incidentally, it runs on our VEDOS NoLimit Extra, which got considerably faster after the major optimisations at the start of the year.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"311\" src=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/04\/SQLi-EXTRACTVALUE-hits-1024x311.png\" alt=\"\" class=\"wp-image-1598019\" \/><figcaption class=\"wp-element-caption\">Roughly an hour and a half of vulnerability scanning against the target website. These are purely the requests from the distributed infrastructure, reaching thousands per minute.<\/figcaption><\/figure>\n\n\n\n<p>Summary of the data:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1 target domain<\/li>\n\n\n\n<li>56 Points of Presence (PoPs) through which the traffic passed<\/li>\n\n\n\n<li>19,858 unique IP addresses<\/li>\n\n\n\n<li>218,577 legitimate-looking HTTP requests<\/li>\n\n\n\n<li>attack duration of roughly 1.5 hours<\/li>\n<\/ul>\n\n\n\n<p>The attacker regulated the number of requests very carefully.<\/p>\n\n\n\n<p>Over the whole period:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>only 1 IP exceeded 500 requests<\/li>\n\n\n\n<li>only 9 IPs exceeded 100 requests<\/li>\n\n\n\n<li>most IPs generated only tens of requests<\/li>\n<\/ul>\n\n\n\n<p>This is typical behaviour for modern vulnerability scanners. A year ago it would have been something exceptional and well targeted; today it is routine for mass scanning.<\/p>\n\n\n\n<p>This is not about overloading the server with a large volume of traffic. It is long-running, distributed vulnerability testing. Still, when a few thousand form submissions per minute are added on top of your normal traffic, you notice. 
And not everyone has such a well-optimised website and NoLimit Extra \ud83d\ude09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"335\" src=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2026\/04\/SQLi-EXTRACTVALUE-impact-1024x335.png\" alt=\"\" class=\"wp-image-1598037\" \/><\/figure>\n\n\n\n<p>On the other hand, the website gradually slowed down under the attack, to the point where it was clearly noticeable. The graph shows the connection time to the origin server and the response time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is interesting about this from a defender's point of view<\/h2>\n\n\n\n<p>The attacker used several techniques that let the scan get past basic automatic blocking:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a low number of requests per source IP address<\/li>\n\n\n\n<li>traffic distributed across a large number of sources<\/li>\n\n\n\n<li>obfuscated SQL payloads<\/li>\n\n\n\n<li>absence of the usual attack signatures<\/li>\n\n\n\n<li>gradual ramp-up of the load on the server<\/li>\n\n\n\n<li>and a few more that we cannot present publicly<\/li>\n<\/ul>\n\n\n\n<p>This matters. Classic rate-limiting mechanisms do not work in such a case, because:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>each IP generates only a small number of requests<\/li>\n\n\n\n<li>the traffic is spread out over time<\/li>\n\n\n\n<li>the requests look relatively normal<\/li>\n<\/ul>\n\n\n\n<p>Had the attacker tuned it a little better, some 1,000 to 2,000 requests per minute would go unnoticed by anyone watching site speed. 
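<\/p>\n\n\n\n<p>As an added illustration (not code from this post or from WGP), the script below replays a constructed window of traffic through two detectors: a classic per-IP limit, which flags only a single noisy client, and a limit keyed on the request shape, which flags the distributed scan because the one thing the scanner cannot cheaply vary is the payload itself. The thresholds, IP ranges and sample requests are assumptions made for the demo.<\/p>\n\n

```python
"""Per-IP rate limiting versus a distributed, low-rate scan.

Added illustration, not code from the WEDOS post: the traffic below is
constructed, and the thresholds are assumptions chosen for the demo.
"""
import re
from collections import Counter, defaultdict

PER_IP_LIMIT = 100            # classic rate limit: requests per source IP per window
CAMPAIGN_MIN_IPS = 50         # a previously unseen request shape from this many IPs ...
CAMPAIGN_MIN_REQUESTS = 1000  # ... at this volume in one window is treated as one campaign

_TOKEN = re.compile(r"0[xX][0-9a-fA-F]+|\d+|[A-Za-z]+")


def _shape_token(m):
    tok = m.group(0)
    if tok[:2].lower() == "0x":
        return "HEX"
    return "N" if tok.isdigit() else "a"


def request_shape(path: str, query: str) -> str:
    """Reduce a request to what the scanner cannot cheaply vary: the path, the
    parameter names, and the shape of each value with digits -> N, hex -> HEX
    and letters -> a.  'id=42' and 'id=7' share a shape, and so do all the
    mutations of one injection payload that only differ in their constants."""
    shaped = []
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        shaped.append(f"{name}={_TOKEN.sub(_shape_token, value)}")
    return path + "?" + "&".join(sorted(shaped))


def per_ip_offenders(events):
    """What a classic limiter sees: source IPs over PER_IP_LIMIT in the window."""
    counts = Counter(ip for ip, _path, _query in events)
    return sorted(ip for ip, n in counts.items() if n > PER_IP_LIMIT)


def campaigns(events, baseline_shapes):
    """Request shapes absent from the baseline window that arrive from enough
    distinct sources, at enough volume, to be a coordinated scan rather than
    one noisy client.  Fan-in across IPs is the signal, not per-IP rate."""
    ips_by_shape = defaultdict(set)
    hits_by_shape = Counter()
    for ip, path, query in events:
        shape = request_shape(path, query)
        ips_by_shape[shape].add(ip)
        hits_by_shape[shape] += 1
    return sorted(
        shape
        for shape, n in hits_by_shape.items()
        if shape not in baseline_shapes
        and len(ips_by_shape[shape]) >= CAMPAIGN_MIN_IPS
        and n >= CAMPAIGN_MIN_REQUESTS
    )


def build_sample():
    """Constructed window of traffic: (source_ip, path, query_string) tuples."""
    baseline = {request_shape("/product", "id=17"), request_shape("/search", "q=boots")}
    events = []
    # ordinary shoppers: 250 IPs, a few requests each, shapes seen before
    for i in range(300):
        ip = f"203.0.113.{i % 250}"
        events += [(ip, "/product", f"id={i}"), (ip, "/search", "q=jacket")]
    # one clumsy bot hammering a normal page from a single IP
    events += [("198.51.100.9", "/product", f"id={i}") for i in range(150)]
    # the distributed scan: 250 IPs in two ranges, about 6 probes each, the same
    # error-based technique mutated only in its constants; no IP nears the limit
    for i in range(1600):
        ip = f"192.0.2.{i % 250}" if i % 2 == 0 else f"198.18.0.{i % 250}"
        payload = f"1'+and+extractvalue({i},concat(0x7e,(select+user())))--+-"
        events.append((ip, "/product", f"id={payload}"))
    return events, baseline


if __name__ == "__main__":
    events, baseline = build_sample()
    print("per-IP limiter flags:", per_ip_offenders(events))   # only the clumsy bot
    print("campaign shapes:", campaigns(events, baseline))      # the scan
```

The baseline set stands in for shapes seen in a quiet earlier window; in a real deployment it would be learned per site, and the campaign key would be acted on (challenge or block that shape) rather than any of the source IPs.

\n\n<p>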
And 1,000 to 2,000 requests per minute is plenty for a scanner.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What this means for protecting the infrastructure<\/h2>\n\n\n\n<p>Attacks like this are now typical \"traffic\" on the internet. They are no longer an exceptional event. We block a high double-digit percentage of such traffic.<\/p>\n\n\n\n<p>SQL injection has long been among the most common web vulnerabilities and still shows up in new applications, usually because input is handled incorrectly when SQL queries are assembled. Protecting against it is mostly the job of whoever wrote the script: they have to sanitise those inputs. Even so, a few thousand requests per minute hitting forms is a serious load, and it is one you cannot serve from cache.<\/p>\n\n\n\n<p>From the infrastructure's point of view this means:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the attack does not have to bring the server down<\/li>\n\n\n\n<li>but it can slow it down significantly<\/li>\n\n\n\n<li>and it generates needless load<\/li>\n<\/ul>\n\n\n\n<p>That is why it is important to react quickly, but carefully at the same time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">We have dealt with SQL injection for a long time, but carefully<\/h2>\n\n\n\n<p>SQL injection attacks are nothing new. 
They are among the longest-known and most common web vulnerabilities, and they turn up in one form or another practically all the time.<\/p>\n\n\n\n<p>That is why we implemented a set of rules in WEDOS Global Protection some time ago aimed at the most common techniques, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>time-based SQL injection (<code>sleep()<\/code>, <code>pg_sleep()<\/code>)<\/li>\n\n\n\n<li>attempts to read files from the filesystem (<code>load_file()<\/code>)<\/li>\n\n\n\n<li>classic injection patterns (<code>union select<\/code>, <code>or 1=1<\/code>)<\/li>\n\n\n\n<li>attempts to manipulate queries with SQL comments<\/li>\n\n\n\n<li>other typical signatures used by automated tools<\/li>\n<\/ul>\n\n\n\n<p>We have used these rules for a long time and they work very well. At the same time, we use them carefully. The reason is simple. A large number of customers use API interfaces that may contain:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SQL-like queries<\/li>\n\n\n\n<li>filter expressions<\/li>\n\n\n\n<li>custom query syntax<\/li>\n\n\n\n<li>non-standard parameters<\/li>\n<\/ul>\n\n\n\n<p>If we set the rules too strictly, we would start blocking legitimate traffic. 
So we try to stick to one principle: <strong>detect the specific attack technique, not generic keywords<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why we had not deployed the new rule earlier<\/h2>\n\n\n\n<p>We had a rule against SQL injection via <code>EXTRACTVALUE()<\/code> prepared some time ago.<br>It was not a new idea. In earlier tests on real data, however, it ran into one problem: false positives.<\/p>\n\n\n\n<p>Specifically, some non-standard API requests from customers contained similar constructs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>function calls<\/li>\n\n\n\n<li>parentheses<\/li>\n\n\n\n<li>text expressions<\/li>\n\n\n\n<li>combinations of parameters<\/li>\n<\/ul>\n\n\n\n<p>A naive detection would have led to blocking legitimate traffic. That is a situation we try to avoid at all costs, especially because WGP protects VEDOS services, where customers do not expect this protection to be in the path.<\/p>\n\n\n\n<p>From the infrastructure's point of view it is worse to break a customer's script than to let a single scanning request through. After all, unsanitised inputs in a script are the responsibility of the website owner.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What changed<\/h2>\n\n\n\n<p>The current scanning wave changed the situation. It is massive, professional and does not go after individual customers. The target can be literally anyone. 
On top of that it evades a number of detection techniques fairly effectively.<\/p>\n\n\n\n<p>We have several ways to deal with this, but let us say that this particular SQLi simply deserves a rule of its own. So an older issue was reopened and we compared the original proposals, the OWASP recommendations and the new data.<\/p>\n\n\n\n<p>We have also moved well beyond the original design since then, and some of the false positives can now be handled in other ways if needed. That is how the concept of the new rule came about.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How the rule was tested and deployed<\/h2>\n\n\n\n<p>Deploying a new rule is not a single step. It is a controlled process. The typical procedure:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) rule design<\/h3>\n\n\n\n<p>Goals:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>detect the specific attack technique<\/li>\n\n\n\n<li>minimise false positives<\/li>\n\n\n\n<li>keep the computational cost low<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) testing in an isolated environment<\/h3>\n\n\n\n<p>We verify:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>functionality<\/li>\n\n\n\n<li>performance<\/li>\n\n\n\n<li>stability<\/li>\n<\/ul>\n\n\n\n<p>For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>whether the rule correctly detects the payload<\/li>\n\n\n\n<li>whether it leaves ordinary requests alone<\/li>\n\n\n\n<li>whether it adds latency<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) backtest on real data<\/h3>\n\n\n\n<p>This is the key phase. 
We take historical logs from production traffic and replay:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ordinary traffic<\/li>\n\n\n\n<li>API requests<\/li>\n\n\n\n<li>known attacks<\/li>\n<\/ul>\n\n\n\n<p>The aim is to find out:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>how many attacks the rule catches<\/li>\n\n\n\n<li>how many legitimate requests it would have blocked<\/li>\n<\/ul>\n\n\n\n<p>The result in this particular case:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>100 % detection of the current scanning wave<\/li>\n\n\n\n<li>0 false positives in the tested data<\/li>\n\n\n\n<li>more than 99.9 % detection of older SQLi attacks<\/li>\n<\/ul>\n\n\n\n<p>In a shared hosting environment that is a very good trade-off.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why 100 % detection of all SQL injection is not the goal<\/h2>\n\n\n\n<p>This is important to explain. WEDOS Global Protection is not a substitute for securely written scripts. New variants keep appearing, and by the time we had written a rule for each of them it could be too late; and it is not possible to make universal rules for everyone. What suits a blog or an e-shop will not work correctly for an API.<\/p>\n\n\n\n<p>Responsibility for the security of an application always stays with the developer. 
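<\/p>\n\n\n\n<p>An added example, not the WGP rule or its data: one way to encode the EXTRACTVALUE and UPDATEXML technique explained earlier as a rule that matches the shape of the error-based call rather than the keyword, followed by the backtest from step 3 run over a labelled set of requests (current wave, older variants, legitimate API traffic). The requests, the thresholds and the helper names are constructed for illustration.<\/p>\n\n

```python
"""Technique-specific rule for EXTRACTVALUE/UPDATEXML error-based SQLi, plus the
backtest from step 3: detection on the current wave, detection on older
variants, false positives on legitimate traffic.

Added illustration, not the WEDOS rule or its data.  The request samples are
constructed; the regex is one way to encode the call shape of the technique
(function, first argument, comma, then CONCAT(...) or a (SELECT ...) subquery)
instead of the bare keyword, which is what lets ordinary API traffic through.
"""
import re
from urllib.parse import unquote_plus

_SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # extractvalue/**/(1,/**/concat(...
_WS = re.compile(r"\s+")

# Match the error-based trick, not the word: the function name, an opening
# parenthesis, any first argument, a comma, and a second argument that is
# dynamic (CONCAT/CONCAT_WS/GROUP_CONCAT or a subquery).  A genuine
# extractvalue(doc, '/a/b') with a literal XPath string does not match.
RULE = re.compile(
    r"\b(?:extractvalue|updatexml)\s*\(\s*[^,]*?,\s*"
    r"(?:(?:group_)?concat(?:_ws)?\s*\(|\(\s*select\b)",
    re.I,
)


def normalize(raw: str) -> str:
    """Undo the cheap obfuscations scanners use before matching: repeated URL
    encoding ('+' and %xx, including double encoding), inline SQL comments
    used as whitespace, and whitespace variants such as tabs or %0a."""
    s = raw
    for _ in range(3):                 # %2528 -> %28 -> (
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = _SQL_COMMENT.sub(" ", s)
    return _WS.sub(" ", s).lower()


def matches(raw: str) -> bool:
    return RULE.search(normalize(raw)) is not None


def backtest(samples):
    """samples: (request, label) pairs, label in {'wave', 'old', 'legit'}.
    Returns detection rate per attack class and the legitimate requests the
    rule would have blocked."""
    caught = {"wave": 0, "old": 0}
    total = {"wave": 0, "old": 0}
    false_positives = []
    for raw, label in samples:
        hit = matches(raw)
        if label == "legit":
            if hit:
                false_positives.append(raw)
        else:
            total[label] += 1
            caught[label] += hit
    rates = {k: caught[k] / total[k] for k in total if total[k]}
    return rates, false_positives


def ship_decision(rates, false_positives, min_wave=1.0, min_old=0.999):
    """The bar described in the post: all of the current wave, essentially all
    older variants, and nothing legitimate blocked."""
    return (rates.get("wave", 0) >= min_wave
            and rates.get("old", 0) >= min_old
            and not false_positives)


# --- constructed samples ---------------------------------------------------
WAVE = [  # current wave: same technique, padded and encoded in the usual ways
    "/product?id=1'+and+extractvalue(1,concat(0x7e,(select+user())))--+-",
    "/product?id=1%27%20AND%20EXTRACTVALUE%281%2CCONCAT%280x7e%2C%28SELECT%20%40%40version%29%29%29--%20-",
    "/search?q=x%2527%2520and%2520extractvalue%25281%252Cconcat%25280x7e%252Cdatabase%2528%2529%2529%2529--%2520-",
    "/cart?item=1'/**/AND/**/ExtractValue/**/(1,/**/concat(0x7e,version()))/**/--/**/-",
    "user=admin' or updatexml(1,concat(0x7e,(select password from users limit 1)),1)#",
    "/api/v1/items?sort=name%0aand%0aextractvalue(rand(),concat(0x3a,user()))",
]
OLD = [  # older textbook variants of the same technique
    "id=1 and extractvalue(1,concat(':',(select table_name from information_schema.tables limit 1)))",
    "id=1 and updatexml(null,concat(0x7e,(select user()),0x7e),null)",
    "id=1 and extractvalue(1,(select concat(0x7e,user())))",
]
LEGIT = [  # the kind of API traffic a keyword rule would have blocked
    "/api/report?expr=extract(year from created_at)&group=value",
    "/api/xml?q=extractvalue(doc,'/order/items/item[1]/@sku')",
    "/search?q=how+to+use+EXTRACTVALUE+and+UPDATEXML+in+mysql",
    "/api/filter?where=contains(name,'concat')&select=id,name",
    "/api/xml?q=updatexml(doc,'/order/status','shipped')",
]


def run_backtest():
    samples = ([(r, "wave") for r in WAVE] + [(r, "old") for r in OLD]
               + [(r, "legit") for r in LEGIT])
    rates, fps = backtest(samples)
    return rates, fps, ship_decision(rates, fps)


if __name__ == "__main__":
    rates, fps, ok = run_backtest()
    print(rates, fps, "deploy" if ok else "hold")
```

The normalisation step is what makes the rule cheap to keep narrow: once comments, encoding and whitespace variants are folded away, the regex only has to describe one call shape, and every legitimate request that merely mentions the function name or uses it with a literal XPath falls through untouched.

\n\n<p>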
<\/p>\n\n\n\n<p>Our main goals are to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reduce the load on the infrastructure<\/li>\n\n\n\n<li>limit automated scanning<\/li>\n\n\n\n<li>improve service stability<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Final review and deployment<\/h2>\n\n\n\n<p>Once testing is complete, a final check follows. Part of it is a manual review by the security team and the developers. We focus mainly on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>performance: the rule must not be needlessly expensive<\/li>\n\n\n\n<li>traffic simulation: this is mostly about deciding which layer the rule belongs on<\/li>\n\n\n\n<li>analysis of possible weaknesses: the rule has to be considered together with a number of other rules and, above all, with customer-defined rules<\/li>\n<\/ul>\n\n\n\n<p>In this phase we also use automated tools for rule analysis, including machine learning models, which help identify potential problems or unexpected scenarios.<\/p>\n\n\n\n<p>Only then is the rule deployed.<\/p>\n\n\n\n<p>In this particular case the time from detecting the attack to deploying the rule was roughly 4 days.<\/p>\n\n\n\n<p>In a critical situation, however, we are able to distribute new rules very quickly. 
From the moment a rule is entered into the system, roughly 90 % of locations currently receive it within 5 minutes and all locations within about 15 minutes.<\/p>\n\n\n\n<p>Distribution runs in parallel to all locations of the infrastructure. Our target is global deployment within 5 minutes. That is a technical goal we are currently working towards.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Scanning waves like this are now part of normal traffic on the internet. They are not exceptional events but a continuous process that repeats every time a new vulnerability or exploit is published.<\/p>\n\n\n\n<p>Our goal is not to block every single attack attempt at any cost.<br>Our goal is to keep the infrastructure stable, minimise needless load on the servers and react quickly to new techniques that appear in live traffic.<\/p>\n\n\n\n<p>The new WEDOS Global Protection infrastructure gives us considerably better means to do that.<\/p>\n\n\n\n<p>This particular case shows what the response to a new type of \"non-urgent\" attack looks like in practice today, from identifying the problem through data analysis to deploying the rule into production.<\/p>\n\n\n\n<p>Security is not a one-off setting. It is a continuous process. And that is exactly what the philosophy of WEDOS Global Protection is built on.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the middle of last year we have been working on a new infrastructure for the WEDOS Global Protection (WGP) service. 
The goal was to build a solution that is more robust, faster, easier to maintain and able to host more advanced detection mechanisms.<\/p>\n","protected":false},"author":2,"featured_media":1598111,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[112],"tags":[193,177],"class_list":["post-1597998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-sqli","tag-wedos-global-protection"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1597998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=1597998"}],"version-history":[{"count":7,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1597998\/revisions"}],"predecessor-version":[{"id":1598140,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1597998\/revisions\/1598140"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/1598111"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=1597998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=1597998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=1597998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}