SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF

sqlmap-tamper-scripts-evaluation.md

SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF

The below table represents results of tests launched against F5 Big-IP ASM WAF appliance in it's XX version of YY and ZZ version of XY

Below names are to be passed to the --tamper= parameter of sqlmap.

The column Violation Rating represents most dominant rating of topmost 20 Requests observed by F5 in it's Security>>Event Logs:Application:Requests view.

The scale is 0-5.

Tamper script(s) used	Violation Rating
apostrophemask	3-5
apostrophenullencode	4
appendnullbyte	5
base64encode	3
between	4
bluecoat	4
chardoubleencode	4
charencode	4
charunicodeencode	4
charunicodeescape	4
commalesslimit	3-4
commalessmid	4
concat2concatws	4
equaltolike	4
greatest	4
halfversionedmorekeywords	4
htmlencode	4
ifnull2ifisnull	4
informationschemacomment	4
least	4
lowercase	4
modsecurityversioned	4
modsecurityzeroversioned	3-4
multiplespaces	4
nonrecursivereplacement	1-3
overlongutf8	3
overlongutf8more	3
percentage	2
plus2concat	4
plus2fnconcat	4
randomcase	4
randomcomments	2-3
securesphere	4
space2comment	4
space2dash	3-4
space2hash	1-3
space2morecomment	4
space2morehash	1
space2mssqlblank	2-4
space2mssqlhash	4
space2mysqlblank	3-4
space2mysqldash	4
space2plus	3-4
space2randomblank	4
symboliclogical	4
sp_password	4
unionalltounion	4
unmagicquotes	4
uppercase	4
varnish	4
versionedkeywords	2
versionedmorekeywords	4
xforwardedfor	4
nonrecursivereplacement,space2morehash,space2hash	1

---

Among longer combinations:

Tamper script(s) used	Violation Rating
apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzerovers	1
between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor	1
apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes	1
apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,charunicodeescape,commalesslimit,commalessmid,commentbeforeparentheses,concat2concatws,equaltolike,escapequotes,greatest,halfversionedmorekeywords,htmlencode,ifnull2casewhenisnull,ifnull2ifisnull,informationschemacomment,least,lowercase,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,overlongutf8,overlongutf8more,percentage,plus2concat,plus2fnconcat,randomcase,randomcomments,securesphere,sp_password,space2comment,space2dash,space2hash,space2morecomment,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,symboliclogical,unionalltounion,unmagicquotes,uppercase,varnish,versionedkeywords,versionedmorekeywords,xforwardedfor	5

---

The last row represents all of tamper scripts used at once score. It looks like, it's not a good idea to use them all at once.

From tamper scripts that did best in this evaluation, we can point out:

• nonrecursivereplacement
• space2morehash
• space2hash

Although, they had not been tested against actual vulnerability, therefore this evalution does not take in account whether SQLMap was able to attack the vulnerability at all.