Protection against SQL attacks.
The SSG (Gateway) protects against a set of predefined SQL injection attack patterns through the SQL Attack Protection assertion.
The following are considered the most common threats; each can optionally be blocked by this assertion:
Known MS SQL Server Exploits Protection
* block: "exec" followed by whitespace and "sp", then a string
- Sample Request Message Attachments
SqlAttack_MsSqlServerExploit_sp.xml
SqlAttack_MsSqlServerExploit_CapitalSP.xml
* block: "exec" followed by whitespace and "xp", then a string
- Sample Request Message Attachment
SqlAttack_MsSqlServerExploit_xp.xml
* block: "exec" followed by whitespace and "sp" and "xp" then string
- Sample Request Message Attachment
SqlAttack_MsSqlServerExploit.xml
Known Oracle Exploit Protection
* block: bfilename
- Sample Request Message Attachment
SqlAttack_OracleExploit_bfilename.xml
* block: tz_offset
- Sample Request Message Attachment
SqlAttack_OracleExploit_offset.xml
* block: to_timestamp_tz
- Sample Request Message Attachment
SqlAttack_OracleExploit_timestamp.xml
Standard SQL Injection Attack Protection
* block: hash mark (#) inside element text
- Sample Request Message Attachment
SqlAttack_StandardSql_ElementHashMark.xml
* block: single-quote (') inside element text
- Sample Request Message Attachment
SqlAttack_StandardSql_ElementSingleQuote.xml
* block: double-dash (--) inside element text
- Sample Request Message Attachment
SqlAttack_StandardSql_ElementDoubleDash.xml
* block: hash mark (#) inside CDATA section
- Sample Request Message Attachment
SqlAttack_StandardSql_CdataHashMark.xml
* block: single-quote (') inside CDATA section
- Sample Request Message Attachment
SqlAttack_StandardSql_CdataSingleQuote.xml
* block: double-dash (--) inside CDATA section
- Sample Request Message Attachment
SqlAttack_StandardSql_CdataDoubleDash.xml
Invasive SQL Injection Attack Protection
* block: hash mark (#) anywhere within the message (it can be outside element text); this also matches an XPointer reference (#xpointer) because of its hash mark (#)
- Sample Request Message Attachment
SqlAttack_InvasiveSql_HashMark.xml
* block: single-quote (') anywhere within the message (it can be outside element text)
- Sample Request Message Attachment
SqlAttack_InvasiveSql_SingleQuote.xml
* block: double-dash (--) anywhere within the message (it can be outside element text)
- Sample Request Message Attachment
SqlAttack_InvasiveSql_DoubleDash.xml
* block: signed XML (because of the hash mark (#) that a signature reference places within the request message)
- A request message with signed XML (e.g., an SSG policy with "WSS Sign SOAP Request", "Sign request element /soapenv:Envelope/soapenv:Body", and web consumption via SSB)
To enable these blocks, add the Protect Against SQL Attack assertion to the policy.
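As an added illustration (not the Gateway's own code), the following Python model applies the four categories above to constructed sample messages: it distinguishes element text from CDATA sections, and shows why a signed request trips the invasive hash-mark check. The regular expressions, the finding labels and the sample messages are assumptions, not the assertion's actual rules.

```python
import re
from xml.dom import minidom

# Assumed patterns modelled on the categories listed above (not the Gateway's
# own rules): "exec" + whitespace + sp/xp + name, case-insensitive (as in the
# CapitalSP sample), and the three Oracle function names.
MSSQL_EXEC = re.compile(r"\bexec\s+[sx]p\w+", re.IGNORECASE)
ORACLE_FUNCS = re.compile(r"\b(bfilename|tz_offset|to_timestamp_tz)\b", re.IGNORECASE)
METACHARS = {"hash mark": "#", "single-quote": "'", "double-dash": "--"}


def _texts(node, node_type):
    """Yield the data of every descendant node of the given DOM node type."""
    for child in node.childNodes:
        if child.nodeType == node_type:
            yield child.data
        yield from _texts(child, node_type)


def scan(message, invasive=False):
    """Return a list of findings for one XML request message (a str)."""
    findings = []
    # Vendor-specific exploit strings are looked for in the raw message
    if MSSQL_EXEC.search(message):
        findings.append("MS SQL Server exploit: exec sp_/xp_")
    for m in ORACLE_FUNCS.finditer(message):
        findings.append("Oracle exploit: " + m.group(1).lower())
    if invasive:
        # Invasive mode: metacharacters anywhere, including attribute values
        # such as a signature Reference URI="#..." (hence the signed-XML block)
        findings += [f"invasive: {n} in message" for n, t in METACHARS.items() if t in message]
        return findings
    # Standard mode: only element text and CDATA sections are inspected;
    # minidom keeps CDATA as a separate node type, so the two can be told apart
    doc = minidom.parseString(message)
    for label, ntype in (("element text", minidom.Node.TEXT_NODE),
                         ("CDATA section", minidom.Node.CDATA_SECTION_NODE)):
        for data in _texts(doc, ntype):
            findings += [f"standard: {n} in {label}" for n, t in METACHARS.items() if t in data]
    return findings


# Constructed sample messages (stand-ins for the SqlAttack_*.xml attachments)
MSSQL_MSG = "<request><query>EXEC SP_who</query></request>"
CDATA_MSG = "<request><query><![CDATA[SELECT 1 -- probe]]></query></request>"
NAME_MSG = "<request><name>O'Brien</name></request>"
SIGNED_MSG = ('<request><Signature><Reference URI="#Body"/></Signature>'
              '<Body Id="Body">hello</Body></request>')

if __name__ == "__main__":
    for msg in (MSSQL_MSG, CDATA_MSG, NAME_MSG, SIGNED_MSG):
        print(scan(msg), scan(msg, invasive=True))
```

Note that NAME_MSG is blocked in both modes although it carries no SQL: the standard checks are character filters, so legitimate data such as names with apostrophes needs to be weighed before enabling them.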