Code injection assertion

Article ID: 141529

Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

We have added an assertion to the "custom-message-received" policy to prevent code injection attacks.

To prevent all code injection attack types, we've checked all the checkboxes: "URL Path", "URL Query String" and "Body".

We've checked all available protections: "HTML/Javascript injection", "Hex/Octal...", "PHP", "Shell", "LDAP DN Injection", "LDAP Search Injection", "XPath injection".

We've published an API on the Gateway. When this API is called, the "code injection attack" assertion considers it an attack.

I did some tests and I noticed that the problem occurs when the body is scanned and the "LDAP DN Injection" and "LDAP Search Injection" protection checkboxes are checked in the code injection assertion.

When I unchecked them ("LDAP DN Injection" and "LDAP Search Injection"), the API call was performed successfully (cf. attached screenshot of the code injection assertion).

I would like to know: what is wrong in the API or assertion and what should I correct?

 

Environment

Release : 9.4

Component : API GTW ENTERPRISE MANAGER

Resolution

The LDAP DN Injection protection searches the string it scans for the following metacharacters: [\\,+"<>;]. This is not a code issue.
If you scan an entire body that contains gateway policies, that body contains many of these characters, so the request is flagged as a potential attack.
Ideally, extract only the portion of the request that functionally makes sense to scan for LDAP injection, such as an HTTP Param within a Routing assertion, rather than scanning the XML form of the routing assertion itself.
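
The false positive and the recommended scoping, as an added example (not code from this article or from the Gateway): it applies the character class quoted in the Resolution first to a whole XML body and then only to one extracted value. The sample body, the `param` element and the `uid` name are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Character class quoted in the Resolution for the LDAP DN Injection protection.
LDAP_DN_META = re.compile(r'[\\,+"<>;]')

# Constructed sample body (assumption): XML carrying one user-supplied value.
SAMPLE_BODY = """<request>
  <action name="lookup"/>
  <param name="uid">jsmith</param>
</request>"""


def flagged_chars(text):
    """Return the sorted, de-duplicated DN metacharacters present in text."""
    return sorted(set(LDAP_DN_META.findall(text)))


def extract_param(body, name):
    """Return the decoded text of <param name="..."> (hypothetical schema)."""
    root = ET.fromstring(body)
    for element in root.iter("param"):
        if element.get("name") == name:
            return element.text or ""
    raise KeyError(f"no <param name={name!r}> in body")


def scan_report(body, name):
    """Compare scanning the whole body with scanning only the extracted value."""
    value = extract_param(body, name)
    return {
        "whole_body": flagged_chars(body),   # XML markup itself trips the check
        "field_only": flagged_chars(value),  # only the data that reaches LDAP
    }


if __name__ == "__main__":
    # Benign value: the body is flagged because of its markup, the field is not.
    print(scan_report(SAMPLE_BODY, "uid"))
    # Value containing a DN metacharacter: the field-level scan still catches it.
    suspicious = SAMPLE_BODY.replace("jsmith", "jsmith,ou=people")
    print(scan_report(suspicious, "uid"))
```

Scanning the extracted value removes the markup-driven false positive while keeping the check on the data that would actually be placed in an LDAP DN.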