Code injection assertion
search cancel

Code injection assertion


Article ID: 141529


Updated On:


CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway


We have added in the "custom-message-received" policy an assertion to prevent code injection attack.

To prevent all code injection attack types, we've checked all the checkbox : "URL Path", "URL Query String"  and "Body"

We've checked all available protections : "HTML/Javascript injection ", "Hex/Octal...", "PHP", "Shell", "LDAP DN Injection", "LDAP Search Injection", "XPath injection".

W've published an API on the Gateway. When this API is called, the assertion "code injection attack" consider it as an attack. 

I did some tests and I noticed that the problem occurs when the body is scanned and the "LDAP DN Injection" and "LDAP Search Injection" protections checkbox are checked in the code injection assertion.

When I've unchecked them ("LDAP DN Injection" and "LDAP Search Injection"), the API Call is successfully performed (cf attached screenshot of the code injection assertion).

I would like to know: what is wrong in the API or assertion and what should I correct ?



Release : 9.4



The LDAP DN Injection searches for the following meta characters in the string which it scans [\\,+"<>;] . This is not a code issue.
If you scan the entire body containing gateway policies, they contain many of these characters hence the request is getting flagged.
You should ideally extract a portion of the request which functionally makes sense to scan for LDAP injection such as a HTTP Param within a Routing assertion, but not scan the XML form of the routing assertion itself.  That's why it is flagging the message as a potential attack.