"Protect Against Code Injection" can not parse "<?xml version" because of invalid character?

Article ID: 242773

Products

CA API Gateway

Issue/Introduction

I encountered this audit in the log:

2022-05-25T10:28:16.517+0200 WARNING 695 com.l7tech.server.policy.assertion.ServerCodeInjectionProtectionAssertion: 7152: Cannot parse Request message body as Invalid character in <?xml version; <?xml version="1.0" encoding="utf-8"?><Document xmlns="http://www.host.com/de/pacs.008.001.02.ch.02"><FIToFICstmrCdtTrf><GrpHdr><MsgId>YAPekdK?6ung</MsgId><CreDtTm>2022-05-25T10:28:22.144727923</CreDtTm><NbOfTxs>1</NbOfTxs><TtlIntrBkSttlmAmt Ccy="CHF">125</TtlIntrBkSttlmAmt><IntrBkSttlmDt>2022-05-25</IntrBkSttlmDt><SttlmInf><SttlmMtd>CLRG</SttlmMtd></SttlmInf><InstgAgt><FinInstnId><ClrSysMmbId><ClrSysId><Cd>CHSIC</Cd></ClrSysId><MmbId>830194</MmbId></ClrSysMmbId></FinInstnId></InstgAgt><InstdAgt><FinInstnId><ClrSysMmbId><ClrSysId><Cd>CHSIC</Cd></ClrSysId><MmbId>090002</MmbId></ClrSysMmbId></FinInstnId></InstdAgt></GrpHdr><CdtTrfTxInf><PmtId><InstrId>UET856ac8ebbdf64777826d9d514a9f220b</InstrId><EndToEndId>1d4799821d304f5c90d9632e8ae82bf8</EndToEndId><TxId>YAPekdK?6ung</TxId></PmtId><PmtTpInf><LclInstrm><Prtry>CSTPMT</Prtry></LclInstrm></PmtTpInf><IntrBkSttlmAmt Ccy="CHF">125</IntrBkSttlmAmt><SttlmPrty>HIGH</SttlmPrty><ChrgBr>SHAR</ChrgBr><Dbtr><Nm>Treuhand Maag</Nm><PstlAdr><StrtNm>Adlerstrasse</StrtNm><BldgNb>1</BldgNb><PstCd>9402</PstCd><TwnNm>Moerschwil</TwnNm><Ctry>CH</Ctry></PstlAdr></Dbtr><DbtrAcct><Id><IBAN>CH7883019TREUHANDMAAG</IBAN></Id></DbtrAcct><DbtrAgt><FinInstnId><ClrSysMmbId><ClrSysId><Cd>CHSIC</Cd></ClrSysId><MmbId>830194</MmbId></ClrSysMmbId><Nm>Yapeal AG</Nm></FinInstnId></DbtrAgt><CdtrAgt><FinInstnId><ClrSysMmbId><ClrSysId><Cd>CHSIC</Cd></ClrSysId><MmbId>090002</MmbId></ClrSysMmbId><Nm>PostFinance AG</Nm></FinInstnId></CdtrAgt><Cdtr><Nm>Swisscom AG</Nm><PstlAdr><StrtNm>Schochengasse</StrtNm><BldgNb>6</BldgNb><PstCd>9001</PstCd><TwnNm>St. Gallen</TwnNm></PstlAdr></Cdtr><CdtrAcct><Id><IBAN>CH1509000000900000505</IBAN></Id></CdtrAcct><RmtInf><Ustrd>05.04.2022</Ustrd></RmtInf></CdtTrfTxInf></FIToFICstmrCdtTrf></Document>.

This payload used to be parseable on V9.x but now it's rejected in 10.1. The primary tag is very common in XML payloads, therefore we don't understand what it doesn't like about it.

We only have "HTML/JavaScript Injection (Cross Site Scripting)" enabled under "Available Protections" within the assertion. Body is obviously ticked.

You can probably copy-paste the payload and might run into the same error. I'm already running into an error when I just try this little bit of the payload:

<?xml version=>

Seems like it doesn't like the "=" character?

Environment

Release : 10.1

Component : API GATEWAY

Resolution

The issue is the Content-Type header: the request declares "application/x-www-form-urlencoded". With that media type the Code Injection Protection assertion treats the body as form data, i.e. "name=value" pairs separated by "&", so the first "=" in "<?xml version=..." splits the XML into a field name and a value and the payload can't be parsed properly.

With a Content-Type of text/plain it works (which is what Postman sets by default).
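To see why the declared Content-Type, not the XML itself, decides the outcome, the following added example (not CA API Gateway code; the assertion's real form parser and its character rules are not public, so the modelling with urllib's parse_qsl and the set of characters treated as invalid are assumptions) parses a trimmed copy of the pacs.008 body above once as form data and once as XML:

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Constructed sample: a shortened version of the pacs.008 body quoted in the audit.
SAMPLE_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Document xmlns="http://www.host.com/de/pacs.008.001.02.ch.02">'
    '<FIToFICstmrCdtTrf><GrpHdr><MsgId>YAPekdK?6ung</MsgId></GrpHdr>'
    '</FIToFICstmrCdtTrf></Document>'
)

# Assumption: markup characters have no place in a form-field name, so an
# injection check over form fields flags a name containing them.
SUSPICIOUS_IN_FORM_NAME = re.compile(r'[<>?"]')


def form_field_names(body: str) -> list:
    """Interpret body as application/x-www-form-urlencoded and return the field names.

    parse_qsl splits on '&' and then on the first '=' of each pair, so an XML
    document becomes a single field whose name is everything before 'version='.
    """
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)]


def check_body(content_type: str, body: str) -> dict:
    """Model how the same bytes are tokenised under different Content-Type values."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        names = form_field_names(body)
        bad = [n for n in names if SUSPICIOUS_IN_FORM_NAME.search(n)]
        # The reason string mirrors the wording of the audit entry on this page.
        reason = f"invalid character in {bad[0]}" if bad else ""
        return {"parsed_as": "form", "field_names": names,
                "rejected": bool(bad), "reason": reason}
    if media_type in ("text/xml", "application/xml"):
        root = ET.fromstring(body)  # raises ParseError on malformed XML
        return {"parsed_as": "xml", "root": root.tag, "rejected": False, "reason": ""}
    # text/plain and anything else: no field structure is assumed at all.
    return {"parsed_as": "text", "rejected": False, "reason": ""}


if __name__ == "__main__":
    for ct in ("application/x-www-form-urlencoded", "text/xml", "text/plain"):
        print(ct, "->", check_body(ct, SAMPLE_BODY))
```

Under the form media type the only field name is "<?xml version", which is exactly the fragment the audit complains about; declaring the body as text/xml or application/xml describes an XML payload accurately, while text/plain works because no field structure is imposed on it.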