I can see a lot of creative ways to bypass security rules in order to inject SQL statements. The rule of thumb is blacklist filtering is not adequate to fully prevent SQLi.
In the last section of the article is what that catch my eyes, the "Hacking Resistance (Time-to-Hack)". In the article,
The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all.
The idea is to substantially increase the "Time-to-Hack" metric associated with compromising a site in order allow for operational security to identify the threat and take appropriate actions.
Think of a WAF as a tool to identify and block the initial probes and to alert incident response personnel. It is up to the IR teams to match wits with an attacker and protect the application as necessary.
The article also include the analysis of how long it took for each Level II winner to develop a working evasion for the CRS v2.2.0. Here's the result:
- Avg. # of Requests to find an evasion: 433
- Avg. Duration (Time to find an evasion): 72 hrs
- Shortest # of Requests to find an evasion: 118
- Shortest Duration (Time to find an evasion): 10 hrs
The conclusion is: the data shows that having active monitoring and response capabilities of ongoing web attacks is paramount as it may only a matter of hours before a determined attacker finds a way through your defenses.