2024 5th International Conference on Communications, Information, Electronic and Energy Systems (CIEES)
20 – 22 November, 2024, Veliko Tarnovo, Bulgaria
Collaborative Detection of SQL Injection Attacks
2024 5th International Conference on Communications, Information, Electronic and Energy Systems (CIEES) | 979-8-3503-5286-3/24/$31.00 ©2024 IEEE | DOI: 10.1109/CIEES62939.2024.10811420
using SIEM, Multi-Wazuh Agents, and Diverse Web
Application Firewalls
Mustaghfir Naufal Zaidan
School of Informatics
Telkom University
Bandung, Indonesia
[email protected]
[email protected]
[email protected]
Abstract—SQL injection attacks pose a significant threat to
web applications and database systems. This study evaluates the
effectiveness of integrating Security Information and Event
Management (SIEM) with multi-Wazuh agents and diverse
Web Application Firewalls (WAF) to detect threats
collaboratively SQL injection attacks. The system was designed
using two web servers, each protected by a different WAF—
ModSecurity and NAXSI—and a centralized SIEM server
employing Wazuh. Tests were conducted using various SQL
injection techniques, including Time-Based Blind, Error-Based,
and Union-Based attacks. The results indicated that
ModSecurity proved more effective in detecting and mitigating
Time-Based and Error-Based SQL inj ection attacks, while both
WAFs performed similarly in handling Union-Based attacks.
The Wazuh platform collected and reported attack data
efficiently, offering security teams a clear and centralized view
of detected threats. This integration demonstrates the feasibility
of implementing collaborative threat detection using a SIEM
and diverse WAFs to enhance web application security against
SQL injection attacks.
Keywords—SQL injection, SIEM, WAF, multi-agent,
cybersecurity, collaborative detection
I. INTRODUCTION
SQL injection attacks pose a significant threat to web
applications and database systems. These vulnerabilities are
frequently exploited by attackers to compromise website
security and gain unauthorized access to sensitive information
[1]. SQL injection attacks involve the injection of malicious
code into a database-driven web application, allowing
attackers to manipulate the database and extract or modify
data [2]. As interactive web applications that rely on backend
database services proliferate, the prevalence of SQL injection
attacks increases [3].
The consequences of SQL injection attacks are severe,
leading to unauthorized access to databases, information
leakage, and data falsification in web applications [4]. These
attacks not only result in data breaches but also compromise
data integrity, disrupt server operations, and damage
organizational reputation [5]. Consequently, preventing SQL
injection attacks is crucial to maintaining the confidentiality
and integrity of data stored in databases [6].
To address this threat, researchers have explored various
approaches, including prevention techniques such as
complementary character coding and enhanced parameterized
979-8-3503-5286-3/24/$31.00 ©2024 IEEE
Authorized licensed use limited to: St Petersburg Natl Uni of Info Tech Mech & Optics. Downloaded on March 21,2025 at 07:33:30 UTC from IEEE Xplore. Restrictions apply.
Parman Sukarno Aulia Arif Wardana
School of Informatics School of Informatics
Telkom University Telkom University
Bandung, Indonesia Bandung, Indonesia
stored procedures, which effectively reduce the risk of
injecting malicious code. For instance, Ahmad and Karim [5]
developed an advanced parameterized stored procedure
method, significantly enhancing security by preventing SQL
injection attacks. Similarly, Mui and Frankl [6] proposed
combining complementary character coding to prevent web
application injections, effectively mitigating SQL injection
vulnerabilities.
Integrating SIEM systems with multi-Wazuh agents and
heterogeneous WAFs presents a powerful approach for
detecting threats collaboratively SQL injection attacks. The
multi-Wazuh agents efficiently monitor and collect security
data from various endpoints, which the SIEM system can then
centrally analyze to identify malicious SQL injection
attempts[7]. WAFs also play a crucial role in protecting web
applications from injection attacks, including SQL
injection[8]. By combining these technologies, organizations
can establish a proactive security posture that not only detects
SQL injection attacks but also responds to them in real time,
thereby reducing the potential risk to their web applications
and databases.
This study presents a novel approach by integrating the
Wazuh SIEM platform with multiple Web Application
Firewalls (WAFs), specifically ModSecurity and NAXSI, for
collaborative detection and mitigation of SQL injection
attacks. The key contributions of this research are outlined as
follows:
• Integration of diverse WAFs and SIEM: This
study integrates Wazuh SIEM with ModSecurity
and NAXSI to enhance the detection of SQL
injection threats, focusing on Time-Based, Error-
Based, and Union-Based SQL injection techniques.
• Performance analysis of WAFs: The study
compares the effectiveness of ModSecurity and
NAXSI in detecting SQL injection attacks.
ModSecurity outperformed NAXSI in Time-Based
and Error-Based attacks, while both WAFs showed
equal effectiveness in mitigating Union-Based
attacks.
• Centralized threat monitoring: Using the Wazuh
platform, the system efficiently collects and
visualizes log data in real-time, improving threat
detection and response times for security teams.
1

Fig. 1. Research Stages
This research provides a scalable and efficient framework
for enhancing web application security against SQL injection
attacks by leveraging the strengths of multiple WAFs
integrated within a SIEM platform.
II. THEORICAL BASIS
A. Security Information and Event Management
Security Information and Event Management (SIEM)
systems are indispensable in contemporary cybersecurity,
providing a centralized platform for organizations to monitor,
analyze, and respond to security events. Unlike traditional
Intrusion Detection Systems (IDS), SIEM systems offer a
holistic approach to security event management. They gather
and correlate security data from a variety of sources,
including network devices, servers, endpoints, and security
tools. This comprehensive data collection enables security
analysts to effectively detect, investigate, and respond to
security incidents[9].
B. Web Application Firewall
Web Application Firewall (WAF) theory is anchored in
the imperative to safeguard web applications from a myriad of
cyber threats, particularly those exploiting vulnerabilities
within web application code. A WAF serves as a defensive
shield positioned between a web application and the internet,
functioning primarily as a reverse proxy that scrutinizes
incoming and outgoing HTTP traffic. This inspection is
crucial for identifying and mitigating attacks such as SQL
injection, cross-site scripting (XSS), and other malicious
activities that could compromise the integrity and
confidentiality of web applications [10,11].
C. Multi-Wazuh Agent
The Wazuh agent is a host-based security tool that
functions as an endpoint detection and response (EDR)
system, concentrating on infrastructure monitoring, security
risk identification, and incident response [12].
2
Authorized licensed use limited to: St Petersburg Natl Uni of Info Tech Mech & Optics. Downloaded on March 21,2025 at 07:33:30 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. Network Topology
For example, in the realm of Industrial IoT security, the
Wazuh agent can receive outputs from machine learning
models in JSON log format and forward them to the server for
decoding and analysis [13].
III. RESEARCH METHOD
The research is conducted by rigorously testing and
evaluating the effectiveness of the integrated security
components, specifically the combination of SIEM with
ModSecurity and NAXSI WAF, in detecting and preventing
SQL injection attacks. This comprehensive analysis was
performed across several stages, as detailed in Fig. 1.
A. Preparation Process
The preparation phase is the foundation of this research. In
this stage, a through literature review and expert consultations
were conducted to gain a full understanding of the key
components and methods relevant to the study. The literature
review covered critical areas, including the role of Web
Application Firewalls (WAFs) in enhancing web security, best
practices for WAF implementation, detailed analyses of
ModSecurity and NAXSI, WAF integration and configuration
on web servers, the deployment of Wazuh as a SIEM system,
common web security threats, and the tools needed to
implement and test these security measures in a controlled
environment.
B. Design And Implementation
In this phase, a detailed system design is created based on
the collected information. The design is implemented using
two web servers and a SIEM server. Fig. 2 shows the proposed
system architecture, highlighting the connectivity between the
SIEM server, WAF, and web servers to monitor and protect
against attacks. This design focuses on providing strong
defense against SQL injection attacks by leveraging the
combined strengths of ModSecurity and NAXSI WAFs with
Wazuh’s centralized monitoring. Each web server is
configured with a different WAF and includes a Damn
Vulnerable Web Application (DVWA) to test the security
setup.
• Web Server 1 is safeguarded by the ModSecurity
WAF, which is specifically designed to filter traffic
types such as HTTP/HTTPS, query strings, cross-site
scripting (XSS), and SQL injection attacks.
ModSecurity, an open-source module, can be
seamlessly integrated with the Apache2 web server. It
employs the OWASP Core Rule Set, a collection of
pre-configured rules aimed at detecting and mitigating
common web application attacks.
 F:\Sqlmap\sqlmapproject-sqlmap-507c719>py sqlmap.py -u
http://192.168.26.128/dvwa/vulnerabilities/sqli/?id=1&Submit=
Submit# --level=5 --risk=3 --technique=T
--cookie=”PHPSESSID=f219ntei506o1lvrf3ipomehq;
security=low”
Fig. 3. Time-Based Blind SQL Injection Attack Command
F:\Sqlmap\sqlmapproject-sqlmap-507c719>py sqlmap.py -u
http://192.168.26.128/dvwa/vulnerabilities/sqli/?id=1&Submit=
Submit# --level=5 --risk=3 --technique=E
--cookie=”PHPSESSID=f219ntei506o1lvrf3ipomehq; security=low”
Fig. 4. Error-Based SQL Injection Attack Command
To facilitate effective testing of the ModSecurity
configuration, the DVWA is utilized on this web server,
simulating a vulnerable web application environment.
• Web server 2 is fortified by the NAXSI WAF,
seamlessly integrated with the NGINX web server.
NAXSI, an open-source module, functions as a Web
Application Firewall designed to detect and prevent
web application attacks such as SQL injection and
Cross-Site Scripting (XSS). When incorporated with
NGINX, NAXSI operates by utilizing a predefined set
of rules to scrutinize and block suspicious
HTTP/HTTPS requests. The DVWA application was
also deployed on this server to evaluate the efficacy of
the NAXSI configuration in mitigating security
threats.
• The SIEM server in this design integrates the open-
source security platform Wazuh, which is adept at
security monitoring, threat detection, and incident
response. Each web server within this configuration is
equipped with a Wazuh agent, responsible for
collecting and transmitting logs from each WAF to the
SIEM server. This setup ensures comprehensive
monitoring and enhances the system's ability to detect
and respond to security threats in real-time.
C. Testing
The testing phase aims to evaluate the effectiveness of the
configured WAFs and the Wazuh SIEM's ability to detect and
log SQL injection attacks. The SQLMap tool, an automated
tool for detecting and exploiting SQL injection vulnerabilities,
is used for this purpose.
This evaluation employs a split attack scenario, with
distinct attacks conducted against two different web servers at
separate times. The attacks are executed by two different
attackers:
• Attacker 1 employed a Windows operating system to
initiate the attack against Web Server 1, which was
fortified by ModSecurity.
• Conversely, Attacker 2 utilized Kali Linux to execute
the attack on Web Server 2, which was safeguarded
by NAXSI.
Three SQL injection techniques were tested using level 5
and risk 3 parameters, as shown in Fig. 3. These settings were
selected to simulate more complex, high-risk attack scenarios.
The parameter --
cookie="PHPSESSID=56em8p1f97khn8u5gr9j5e08kfh;secu
rity=low" was also used to ensure SQLMap ran within a valid
user session. The PHPSESSID identifies the session, while
3
Authorized licensed use limited to: St Petersburg Natl Uni of Info Tech Mech & Optics. Downloaded on March 21,2025 at 07:33:30 UTC from IEEE Xplore. Restrictions apply.
F:\Sqlmap\sqlmapproject-sqlmap-507c719>py sqlmap.py -u
http://192.168.26.128/dvwa/vulnerabilities/sqli/?id=1&Submit=
Submit# --level=5 --risk=3 --technique=U --
cookie=”PHPSESSID=f219ntei506o1lvrf3ipomehq; security=low”
Fig. 5. Union-Based SQL Injection Attack Command
…
[00:22:11] [CRITICAL] all tested parameters do not appear to be
injectable. Rerun without providing the option '--technique'. If you
suspect that there is some kind of protection mechanism involved
(e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--
tamper=space2comment') and/or switch '--random-agent'
[00:22:11] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 23351 times
…
Fig. 6. Final Result of Time-Based SQL injection attack on web server 1
…
[09:56:04] [CRITICAL] all tested parameters do not appear to be
injectable. Rerun without providing the option '--technique'. If you
suspect that there is some kind of protection mechanism involved
(e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--
tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 09:56:04 /2024-09-09/
…
Fig. 7. Final Result of Time-Based SQL injection attack on web server 2
…
[10:18:45] [CRITICAL] all tested parameters do not appear to be
injectable. Rerun without providing the option '--technique'. If you
suspect that there is some kind of protection mechanism involved
(e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--
tamper=space2comment') and/or switch '--random-agent'
[10:18:45] [WARNING] HTTP error codes detected during run: 403
(Forbidden) - 14691 times
[*] ending @ 10:18:45 /2024-09-09/
…
Fig. 8. Final Result of Error-Based SQL injection attack on web server 1
security=low reflects the low-security setting of the DVWA
application, allowing for a more realistic test of vulnerable
conditions. Notably, the cookies on Web Server 1 and Web
Server 2 differ. Web Server 1, protected by ModSecurity,
uses a unique PHPSESSID, while Web Server 2, safeguarded
by NAXSI, has a different PHPSESSID, as each server
configures user sessions separately.
The following three attack techniques were implemented:
a) Time-Based Blind SQL Injection
Time-Based Blind SQL Injection is a technique wherein
the attacker sends an SQL query that instructs the server to
delay its response for a specified duration. The success of the
SQL injection is determined by measuring the server's
response time, parameter to execute this technique, as
illustrated in Fig. 3. The primary goal is to exploit
vulnerabilities that rely on response time for identification,
while evaluating the effectiveness of both the WAF and SIEM
in detecting and preventing such attacks.
b) Error-Based SQL Injection
Error-Based SQL Injection is a method where attackers
use server error messages to extract information about the
database structure. By injecting SQL commands that trigger
errors, attackers can access crucial details like database type,
 TABLE I. TOP 5 ALERTS OF TIME-BASED BLIND SQL INJECTION
No rule.description: Descending Count
1 ModSecurity: Rejected a query 22683
2 Web server 400 error code 15165
3 NAXSI warning 13347
4 A web attack returned code 200 5160
(success)
5 SQL injection attempt 4133
TABLE II. TOP 5 ALERTS OF ERROR-BASED SQL INJECTION
No rule.description: Descending Count
1 ModSecurity: Rejected a query 13340
2 NAXSI warning 8404
3 Web server 400 error code 7720
4 SQL injection attempt 3556
A web attack returned code 200
5 2772
(success)
tables, columns, and other sensitive SQLMap uses the “--
technique=E” parameter, as shown in Fig. 4, to perform this
technique. The main goal of this test is to assess how well the
Web Application Firewall (WAF) and Security Information
and Event Management (SIEM) system can detect and prevent
attacks exploiting server error messages, which often reveal
system vulnerabilities.
c) Union-Based SQL Injection
Union-based SQL injection is a method that leverages the
SQL UNION clause to merge results from legitimate queries
with those from maliciously crafted ones. This technique
enables attackers to extract data from other tables within the
database by combining legitimate results with queries that
introduce harmful data. SQLMap utilizes the “--technique=U”
parameter to exploit this method, as illustrated in Fig. 5.
Implementing the --technique=U parameter demonstrates how
SQLMap initiates tests using the Union-Based SQL Injection
technique, where manipulated SQL queries can reveal
sensitive information from different database tables.
D. Data Collection
In this section, the log data for each SQL Injection attack
tested is meticulously collected via the Wazuh Dashboard.
Wazuh provides detailed logs for each attack on the server
dashboards, encompassing critical information such as the
time of occurrence and the attacker's IP address. This report
presents an alerts summary, which includes a comprehensive
description of each threat and the number of events detected
by the WAF system on both servers. This summary serves as
a clear indicator of the system's effectiveness in identifying
and mitigating attacks, demonstrating that the detailed logs are
successfully captured by Wazuh across both servers.
E. Analysis
The results of each attack will be meticulously analyzed to
determine the efficacy of the WAF in thwarting the attack and
the proficiency of the Wazuh SIEM in detecting and logging
each attempt. The comprehensive log data generated from
each attack will provide valuable insights into the system's
capability to identify and counter SQL injection threats.
Authorized licensed use limited to: St Petersburg Natl Uni of Info Tech Mech & Optics. Downloaded on March 21,2025 at 07:33:30 UTC from IEEE Xplore. Restrictions apply.
…
Percent [10:24:28] [CRITICAL] all tested parameters do not appear to be
injectable. Rerun without providing the option '--technique'. If
37 % you suspect that there is some kind of protection mechanism
25 % involved (e.g. WAF) maybe you could try to use option '--tamper'
22 % (e.g. '--tamper=space2comment') and/or switch '--random-
9% agent'
7% [*] ending @ 10:24:28 /2024-09-09/
…
Percent Fig. 9. Final Result of Error-Based SQL injection attack on web server 2
37 %
23 % …
22 % [11:52:08] [CRITICAL] all tested parameters do not appear to be
10 % injectable. Rerun without providing the option '--technique'. If
you suspect that there is some kind of protection mechanism
8%
involved (e.g. WAF) maybe you could try to use option '--tamper'
(e.g. '--tamper=space2comment') and/or switch '--random-
agent'
[11:52:08] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 2079 times
[*] ending @ 11:52:08 /2024-09-09/
…
Fig. 10. Final Result of Union-Based SQL injection attack on web server 1
…
[11:53:00] [CRITICAL] all tested parameters do not appear to be
injectable. Rerun without providing the option '--technique'. If
you suspect that there is some kind of protection mechanism
involved (e.g. WAF) maybe you could try to use option '--tamper'
(e.g. '--tamper=space2comment') and/or switch '--random-agent'
[*] ending @ 11:53:00 /2024-09-09/
…
Fig. 11. Final Result of Union-Based SQL injection attack on web server 2
IV. DISCUSSION
This chapter elucidates the outcomes of SQL Injection
attack assessments conducted on two distinct web servers,
each configured with different Web Application Firewalls
(WAFs) and monitored via the Wazuh Security Information
and Event Management (SIEM) platform. The testing
scenarios were methodically executed on each web server
independently, enabling a comprehensive evaluation of the
efficacy of each WAF in isolation.
A. Time-Based Blind SQL Injection Attack
a) Modsecurity
The results of tests conducted on Web Server 1
demonstrated that ModSecurity effectively mitigated the
Time-Based Blind SQL Injection attacks, as illustrated in Fig.
6. ModSecurity efficiently detected and obstructed the attack
attempts, thereby safeguarding the server from potential time-
based exploitation.
b) NAXSI
The analysis of Web Server 2 indicates that NAXSI
effectively mitigates Time-Based Blind SQL Injection
attacks, as illustrated in Fig. 7. Although approximately 9% of
Time-Based Blind SQL Injection payloads were detected by
Wazuh through the Apache2 logs on Web Server 2, the
server's response code of 200 (Success) suggests that these
were false positives.
4
 TABLE III. UNION-BASED SQL INJECTION WAZUH DASHBOARD
No rule.description: Descending Count
1 ModSecurity: Rejected a query 2,065
2 Web server 400 error code 1,428
3 NAXSI warning 576
4 Multiple web server 400 error codes 113
from same source ip
5 SQL injection attempt 99
A 200 response indicates that the server successfully
processed the request, but it does not confirm a successful
exploitation of a vulnerability.This outcome underscores the
robustness of NAXSI in safeguarding the server from such
attacks.
c) Wazuh
In this assessment, Wazuh effectively identified and
categorized key security threats using logs from both Web
Server 1 and Web Server 2, as seen in Table I. These included
attacks blocked by ModSecurity (37%), client errors (25%)
from Web Server 1, and injection attempts by NAXSI (22%).
Wazuh also logged SQL injection attempts (7%) and
successful web attacks (9%) from Web Server 2. Through
centralized reporting, Wazuh collects data from multiple
devices, helping security teams prioritize responses. The
graph in Table I shows threat proportions, supporting resource
allocation to vulnerable areas. Wazuh's continuous monitoring
supports data-driven decisions in managing security risks.
B. Error-Based SQL Injection
a) Modsecurity
The evaluation of an error-based SQL Injection attack on
Web Server 1, which is safeguarded by ModSecurity,
demonstrated the WAF's efficacy in detecting and thwarting
such threats, as illustrated in Fig. 8. ModSecurity's response
involved logging the injection attempt and issuing a rule-
based error response. Consequently, no data was exfiltrated
from the database, affirming the WAF's capability to protect
the server from potential exploitation.
b) NAXSI
In the test conducted on Web Server 2 protected by
NAXSI, the system successfully detected and blocked the
attack, as illustrated in Fig. 9. Similar to ModSecurity, NAXSI
could identify error-based SQL Injection attack patterns and
provide appropriate responses. However, some HTTP 200
success responses indicated false positives, where the attack
was logged but did not successfully extract sensitive
information.
c) Wazuh
Wazuh, as the SIEM platform monitoring both web
servers, efficiently collected logs from ModSecurity and
NAXSI. The Wazuh dashboard, illustrated in Table II,
displays comprehensive data from both servers, documenting
the number of attack attempts and the outcomes. This data
reveals that the majority of attacks were successfully blocked
by the WAF, although a few false positives displayed a 200
(success) code. Wazuh effectively identifies SQL injection
attempts and reports critical threats in a structured and easily
analyzable manner, thereby aiding the security team in
prioritizing threat mitigation efforts.
C. Union-Based SQL Injection
a) Modsecurity
During the assessment of a Union-Based SQL Injection
attack on Web Server 1, which was safeguarded by
Authorized licensed use limited to: St Petersburg Natl Uni of Info Tech Mech & Optics. Downloaded on March 21,2025 at 07:33:30 UTC from IEEE Xplore. Restrictions apply.
ModSecurity, the Web Application Firewall (WAF)
Percent effectively intercepted and blocked the malicious activity. The
48 % attack, which attempted to exploit the UNION clause in SQL
33 % queries to extract sensitive information, was thwarted without
14 % any data leakage. As depicted in Figure 10, ModSecurity's
3%
robust security protocols successfully neutralized the threat by
2% identifying and blocking the unauthorized queries, thereby
ensuring the integrity and confidentiality of the database.
b) NAXSI
The results of the Union-Based SQL Injection attack on
Web Server 2, protected by NAXSI, indicated that the WAF
effectively identified and mitigated the threat, thereby
preventing any leakage of sensitive information. As illustrated
in Fig. 11, NAXSI successfully flagged and blocked malicious
SQL commands, ensuring unauthorized data access attempts
were thwarted. The rule set employed by NAXSI was able to
detect the UNION query and deliver an appropriate defensive
response, safeguarding the integrity of the server.
c) Wazuh
During the testing of both web servers, Wazuh effectively
gathered and categorized data from each SQL injection
attempt. Table III provides a detailed analysis, showing how
Wazuh logs union-based attack attempts and classifies
security events from both ModSecurity and NAXSI. Wazuh's
centralized monitoring allowed for real-time threat detection
and in-depth post-incident analysis of the servers' responses to
SQL injection attacks. The report highlights Wazuh's
capability to track multiple defense layers and record critical
events for further analysis
D. Analysis
The data collected and visualized in the Wazuh Dashboard
revealed distinct differences in how ModSecurity and NAXSI
handled each SQL injection technique. The detailed analysis
of log data highlights the varied responses of the two WAFs,
showing how Wazuh effectively categorizes and displays
these findings:
a) Time-Based Blind SQL Injection
The analysis showed that ModSecurity blocked almost all
Time-Based Blind SQL Injection attempts, as confirmed by
the logs. Meanwhile, NAXSI had around 9% of payloads
return a code 200 (success), indicating false positives rather
than successful attacks. The Wazuh Dashboard clearly
highlights these discrepancies, demonstrating that
ModSecurity offers stronger protection for this type of attack,
while NAXSI's false positives require further review.
b) Error-Based SQL Injection:
ModSecurity successfully blocked all Error-Based SQL
Injection attempts, while NAXSI detected the attacks but
showed some false positives, with code 200 responses despite
no sensitive data being compromised. The Wazuh Dashboard
thoroughly recorded these events, emphasizing the differences
in error handling between the two WAFs. ModSecurity
outperformed NAXSI in preventing these errors.
c) Union-Based SQL Injection:
The results of the Union-Based SQL Injection testing
indicated that both ModSecurity and NAXSI effectively
blocked the attacks without exposing any sensitive data. The
logs aggregated and presented by Wazuh provided a clear
distribution of blocked attack attempts from both web servers.
For this specific technique, both WAFs demonstrated
5
 comparable performance, which was accurately reflected in
the Wazuh Dashboard without any significant false positives.
E. Comparison with Existing Solutions
The comparison between this study and references [14]
and [15] reveals notable differences in technology, attack
types, and protection methods. This study integrates Wazuh
SIEM with two different WAFs (ModSecurity and NAXSI),
while [14] uses ModSecurity with a reverse proxy, and [15]
combines SIEM with a proxy and WAF in a WordPress setup.
Unlike this study, which focuses solely on SQL Injection
(Time-Based, Error-Based, Union-Based), both [14] and [15]
cover a wider range of attacks, including SQL Injection,
Cross-Site Scripting (XSS), and Local File Inclusion (LFI). In
terms of protection, this study prioritizes collaborative
detection using multiple WAFs and SIEM, whereas [14] and
[15] mainly rely on ModSecurity, reverse proxy, and SIEM
for visualization in more limited contexts. Performance-wise,
this study reports 100% accuracy for ModSecurity and 91%
for NAXSI (Time-Based SQL Injection), while [14] shows
full detection without NAXSI, and [15] reports high detection
rates (97% for SQL Injection, 100% for XSS, 74% for LFI).
Only this study addresses false positives, noting a 9% rate for
NAXSI, which is not mentioned in [14] or [15]. Overall, this
study stands out by integrating multiple WAFs with SIEM for
more comprehensive threat detection, compared to the
narrower approaches in [14] and [15].
V. CONCLUSION
This research integrates the Wazuh SIEM platform with
multiple Web Application Firewalls (WAFs) to detect SQL
Injection attacks collaboratively. The results show that
ModSecurity outperformed NAXSI in detecting Time-Based
and Error-Based SQL Injection attacks, with fewer false
positives. Both WAFs were equally effective in mitigating
Union-Based attacks. Wazuh SIEM efficiently aggregated log
data, providing clear insights and improving response
efficiency. Overall, the integration of ModSecurity and
NAXSI with Wazuh SIEM enhanced threat detection,
demonstrating the potential of using multiple WAFs within a
SIEM framework for better threat management.
REFERENCES
[1] F. Q. Kareem, “SQL Injection Attacks Prevention System Technology:
Review”, Asian J. Res. Com. Sci., vol. 10, no. 3, pp. 13–32, Jul. 2021.
[2] H. Bahruddin, V. Suryani, and A.A. Wardana, “Adversary Simulation
of Structured Query Language (SQL) Injection Attack Using Genetic
Algorithm for Web Application Firewalls (WAF) Bypass”. In: Arai, K.
(eds) Intelligent Systems and Applications. IntelliSys 2023. Lecture
Notes in Networks and Systems, vol 823. Springer, Cham.
https://doi.org/10.1007/978-3-031-47724-9_43
6
Authorized licensed use limited to: St Petersburg Natl Uni of Info Tech Mech & Optics. Downloaded on March 21,2025 at 07:33:30 UTC from IEEE Xplore. Restrictions apply.
[3] Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama and Y. Takahama,
"Sania: Syntactic and Semantic Analysis for Automated Testing
against SQL Injection," Twenty-Third Annual Computer Security
Applications Conference (ACSAC 2007), Miami Beach, FL, USA,
2007, pp. 107-117, doi: 10.1109/ACSAC.2007.20.
[4] T. Matsuda, “On the Property of the Distribution of Symbols in SQL
Injection Attack,” International Journal of Intelligent Computing
Research, vol. 4, no. 4, 2013, pp. 376-381.
https://doi.org/10.20533/ijicr.2042.4655.2013.0049
[5] K. Ahmad and M. Karim, "A Method to Prevent SQL Injection Attack
using an Improved Parameterized Stored Procedure," International
Journal of Advanced Computer Science and Applications, vol. 12, (6),
2021. https://doi.org/10.14569/IJACSA.2021.0120636.
[6] R. Mui, and P. Frankl, “Preventing Web Application Injections with
Complementary Character Coding,” vol. 6879, 2011, pp. 80-99.
https://doi.org/10.1007/978-3-642-23822-2_5.
[7] C. Pinzón, J. Paz, Á. Herrero, E. Corchado, J. Bajo, and J. Corchado,
“IDMAS-SQL: Intrusion Detection Based on MAS to Detect and
Block SQL Injection Through Data Mining. Information Sciences,”
vol. 231, 2013, pp. 15-31. https://doi.org/10.1016/j.ins.2011.06.020
[8] J. Harefa, G. Prajena, A. Alexander, A. Muhamad, E. Dewa, and S.
Yuliandry, “SEA WAF: The Prevention of SQL Injection Attacks on
Web Applications. Advances in Science,” Technology and
Engineering Systems Journal, vol. 6, no. 2, 2021, pp. 405-411.
https://doi.org/10.25046/aj060247.
[9] R. Zuech, T. Khoshgoftaar, and R. Wald, "Intrusion detection and big
heterogeneous data: a survey", Journal of Big Data, vol. 2, no. 1, 2015.
https://doi.org/10.1186/s40537-015-0013-4.
[10] B. Dawadi, B. Adhikari, and D. Srivastava, "Deep learning technique-
enabled web application firewall for the detection of web attacks",
Sensors, vol. 23, no. 4, p. 2073, 2023. https://doi.org/10.3390/
s23042073.
[11] A. Alquwayzani, "Mitigating security risks in firewalls and web
applications using vulnerability assessment and penetration testing
(vapt)", International Journal of Advanced Computer Science and
Applications, vol. 15, no. 5, 2024. https://doi.org/10.14569/
ijacsa.2024.01505136
[12] J. R. Nandaputra, P. Sukarno, and A. A. Wardana. 2024. “Detection
and Prevention System on Computer Network to Handle Distributed
Denial-Of-Service (Ddos) Attack in Realtime and Multi-Agent.” 2024
10th International Conference on Computer Technology Applications
(ICCTA '24). pp. 237–241. https://doi.org/10.1145/3674558.3674592
[13] H. Zahid, S. Hina, M.F. Hayat, G.A. Shah, “Agentless Approach for
Security Information and Event Management in Industrial IoT.”
Electronics 2023, vol. 12, 1831. https://doi.org/10.3390/
electronics12081831.
[14] R. A. Muzaki, O. C. Briliyant, M. A. Hasditama and H. Ritchi,
"Improving Security of Web-Based Application Using ModSecurity
and Reverse Proxy in Web Application Firewall," 2020 International
Workshop on Big Data and Information Security (IWBIS), Depok,
Indonesia, 2020, pp. 85-90, doi: 10.1109/IWBIS50925.2020.9255601.
[15] T. Rahmawati, R. W. Shiddiq, M. R. Sumpena, S. Setiawan, N. Karna
and S. N. Hertiana, "Web Application Firewall Using Proxy and
Security Information and Event Management (SIEM) for OWASP
Cyber Attack Detection," 2023 IEEE International Conference on
Internet of Things and Intelligence Systems (IoTaIS), Bali, Indonesia,
2023, pp. 280-285, doi: 10.1109/IoTaIS60147.2023.10346051.