We have added to the "custom-message-received" policy an assertion to prevent code injection attacks.
To prevent all code injection attack types, we've checked all the checkboxes: "URL Path", "URL Query String" and "Body".
We've published an API on the Gateway. When this API is called, the "code injection attack" assertion considers it an attack.
I did some tests and I noticed that the problem occurs when the body is scanned and the "LDAP DN Injection" and "LDAP Search Injection" protection checkboxes are checked in the code injection assertion.
When I uncheck them ("LDAP DN Injection" and "LDAP Search Injection"), the API call is performed successfully (cf. attached screenshot of the code injection assertion).
I would like to know: what is wrong in the API or the assertion, and what should I correct?
Release: 9.4
Component: API GTW ENTERPRISE MANAGER
The LDAP DN Injection protection searches for the following metacharacters in the string it scans: [\\,+"<>;]. This is not a code issue.
If you scan the entire body containing gateway policies, it will contain many of these characters, hence the request gets flagged.
You should ideally extract a portion of the request that it functionally makes sense to scan for LDAP injection, such as an HTTP parameter within a Routing assertion, but not scan the XML form of the routing assertion itself. That's why it is flagging the message as a potential attack.
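As an added illustration of the answer's point (example code written for this page, not part of the original thread or of the gateway product): the same metacharacter set quoted above is run over a constructed policy-style XML body and then over only the extracted HTTP parameter values of its routing URL. The XML shape, the URL and the parameter names are made up for the example and do not represent the real gateway policy schema.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# The metacharacter set quoted in the answer: backslash , + " < > ;
LDAP_DN_META = re.compile(r'[\\,+"<>;]')


def ldap_dn_injection_flags(text: str) -> list[str]:
    """Return every metacharacter hit in `text`, each with a few chars of context."""
    return [text[max(0, m.start() - 5):m.end() + 5] for m in LDAP_DN_META.finditer(text)]


# Constructed sample body: an XML routing fragment, NOT the gateway's real schema.
# The angle brackets, quotes and the ';' in the Content-Type header are all
# ordinary XML/HTTP syntax, yet every one of them is in the LDAP DN metacharacter set.
POLICY_BODY = """<policy>
  <routing>
    <url value="http://ldap-proxy.internal/search?uid=jdoe&amp;dept=engineering"/>
    <header name="Content-Type" value="text/xml; charset=utf-8"/>
  </routing>
</policy>"""


def scan_whole_body(body: str) -> list[str]:
    """What the assertion does when 'Body' is ticked: scan the raw XML text."""
    return ldap_dn_injection_flags(body)


def scan_param_values(params: dict[str, list[str]]) -> dict[str, list[str]]:
    """Scan only parameter values, which is where user-controlled LDAP input lives."""
    return {name: [h for v in values for h in ldap_dn_injection_flags(v)]
            for name, values in params.items()}


def scan_routing_params(body: str) -> dict[str, list[str]]:
    """Extract the routing URL's query parameters from the body and scan just those."""
    root = ET.fromstring(body)
    url = root.find("routing/url").get("value")  # '&amp;' is decoded to '&' by the parser
    return scan_param_values(parse_qs(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    print("whole body hits:", len(scan_whole_body(POLICY_BODY)))      # markup noise
    print("param hits:     ", scan_routing_params(POLICY_BODY))       # nothing flagged
    print("bad value hits: ", scan_param_values({"cn": ["a;b"]}))     # still caught
```

The whole-body scan fires on markup alone, while the parameter-level scan stays quiet on the same request yet still flags a value that really carries a metacharacter.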