CA API Gateway - 9.3

Protect Against Code Injection Assertion

Last update November 13, 2018

The Protect Against Code Injection assertion provides threat protection against code injection attacks targeting web services and Web applications, including AJAX applications. Use this assertion to protect against the following threats:

  • HTML/JavaScript Injection (Cross-site Scripting)
  • Hex/Octal Encoded HTML/JavaScript Injection
    Note: You may experience performance issues with this selection. With this selection, you need not also select the HTML/JavaScript Injection checkbox.

  • PHP Code Injection—Eval injection
  • Shell Injection
  • LDAP DN Injection
  • LDAP Search Injection
  • XPath Injection

This assertion can help protect vulnerable parameters in the path (or URI) of the URL, in addition to the URL query string and message body.

To learn about selecting the target message for this assertion, see Select a Target Message.

Using the Assertion

  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the Code Injection Protection Properties automatically appear. When modifying the assertion, right-click <target>: Protect against Code Injection in the policy window and select Code Injection Protection Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the properties as follows.

    Setting: Apply protection to

    Description: Specify where to apply the protection:

    • URL Path: Select this to protect the URL Path.
    • URL Query String: Select this to protect the query parameters in the URL.
    • Body: Select this to protect the body of the message. The body is scanned according to its Content-Type header:
      • application/x-www-form-urlencoded: Scans form POST parameters
      • application/json: Scans attribute values and character data
      • multipart/form-data: Scans each MIME part according to that part's own Content-Type
      • text/xml: Scans attribute values and character data
      • anything else: Scans the entire message body
    Setting: Available Protections

    Description: Select one or more injection threats to protect against. Hover over each option to see a description of the protection offered. The assertion fails on the first protection violation detected.

    This assertion checks for injection of any executable code, not just malicious code, because it is not always possible to determine whether a given piece of code is malicious or benign. Be especially careful when applying this protection to responses: returned HTML often contains legitimate uses of the restricted tags, and those will trigger a violation.

  4. Click [OK] when done.
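To make the Content-Type rules in step 3 concrete, the following Python script is an added example; it is not the gateway's own code, and the detection patterns in it are simplified, hypothetical stand-ins (the product's real signatures are not published here). It reproduces the table's behaviour: form parameters, JSON and XML values and character data are scanned individually, anything else is scanned as a raw body, and the check stops at the first violated protection. The sample messages are constructed. The same script also shows the caveat about responses: a perfectly ordinary HTML reply is flagged because the scan cannot tell legitimate tags from injected ones.

```python
import json
import re
from urllib.parse import parse_qsl
from xml.etree import ElementTree as ET

# Hypothetical, deliberately simplified detection patterns, one per protection.
# They exist only to show how Content-Type-aware scanning changes the outcome;
# they are not the gateway's real rules.
PROTECTIONS = {
    "HTML/JavaScript Injection": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|javascript:", re.I),
    "PHP Code Injection": re.compile(r"<\?php|\beval\s*\(", re.I),
    "Shell Injection": re.compile(r"[;|`]|\$\("),
}


def scanned_values(content_type, body):
    """Return the strings the assertion would scan for this Content-Type,
    following the table above: form parameters, JSON/XML attribute values
    and character data, or the raw body for anything else."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        # Only the decoded parameter values are scanned, not the raw query syntax.
        return [value for _, value in parse_qsl(body, keep_blank_values=True)]
    if media_type == "application/json":
        values = []

        def walk(node):
            # Collect string leaves; braces, quotes and keys are never scanned.
            if isinstance(node, dict):
                for child in node.values():
                    walk(child)
            elif isinstance(node, list):
                for child in node:
                    walk(child)
            elif isinstance(node, str):
                values.append(node)

        walk(json.loads(body))
        return values
    if media_type == "text/xml":
        values = []
        for element in ET.fromstring(body).iter():
            values.extend(element.attrib.values())
            for text in (element.text, element.tail):
                if text and text.strip():
                    values.append(text)
        return values
    # multipart/form-data would recurse into each MIME part; omitted here.
    return [body]


def first_violation(content_type, body, enabled):
    """Mimic the assertion: return the name of the first enabled protection
    that matches any scanned value, or None when the assertion succeeds."""
    values = scanned_values(content_type, body)
    for name in enabled:
        if any(PROTECTIONS[name].search(value) for value in values):
            return name
    return None


ALL = list(PROTECTIONS)

# Constructed sample messages (not taken from any real traffic).
XML_ORDER = '<order id="42"><item>widget</item></order>'
JSON_ORDER = '{"customer": "alice", "note": "ship on Monday", "qty": 3}'
FORM_OK = "user=alice&note=hello+world"
FORM_BAD = "user=alice&note=ls+%24(id)"
HTML_RESPONSE = "<html><body><b>Welcome back</b></body></html>"

if __name__ == "__main__":
    # Correctly labelled XML: only "42" and "widget" are scanned, so it passes.
    print(first_violation("text/xml", XML_ORDER, ALL))
    # Same bytes mislabelled as text/plain: the raw body, tags included, is scanned.
    print(first_violation("text/plain", XML_ORDER, ALL))
    print(first_violation("application/json", JSON_ORDER, ALL))
    print(first_violation("application/x-www-form-urlencoded", FORM_OK, ALL))
    print(first_violation("application/x-www-form-urlencoded", FORM_BAD, ALL))
    # A legitimate HTML response still trips the HTML/JavaScript protection.
    print(first_violation("text/html", HTML_RESPONSE, ALL))
```

The mislabelled XML case is the situation described in the comments below: when the Content-Type does not match the body, the "anything else" rule scans the container syntax itself and reports a violation that a correctly labelled message would not produce. Getting the Content-Type right on the client, and leaving this protection off response-side policies that return HTML, removes most such false positives.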

  1. Mark O'Donohue
    2018-03-26 07:38

    Body: Select this to protect the body of the message. These will be scanned depending on the Content-Type header:

    We do not mention the application/json format, which is also parsed and the fields checked as per the text/xml data. It does not fall into the "other" category where the entire message body is parsed.

    application/json : Scans attribute values and character-data

    For example, with application/json, if the MIME type is not entered correctly then it fails as it detected PHP special characters, whereas if the Content-Type is set correctly to application/json then the PHP error is not raised.

    1. Carl Lum
      2018-03-28 05:57

      Thanks for this fine-point distinction, Mark! I've updated the topic and the addition will appear after the next republish.