Protect Against Code Injection Assertion

The Protect Against Code Injection assertion provides threat protection against code injection attacks targeting web services and Web applications, including AJAX applications. Use this assertion to protect against the following threats:
  • HTML/JavaScript Injection (Cross-site Scripting)
  • PHP Code Injection (Eval injection)
  • Shell Injection
  • LDAP DN Injection
  • LDAP Search Injection
  • XPath Injection
This assertion can help protect vulnerable parameters in the path (or URI) of the URL, in addition to the URL query string and message body.
To learn about selecting the target message for this assertion, see Select a Target Message.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the Code Injection Protection Properties automatically appear; when modifying the assertion, right-click <target>: Protect against Code Injection in the policy window and select Code Injection Protection Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the properties as follows.
     Setting: Apply protection to
     Description: Specify where to apply the protection:
       • URL Path: Select this to protect the URL path.
       • URL Query String: Select this to protect the query parameters in the URL.
       • Body: Select this to protect the body of the message. Which parts of the body are scanned depends on the Content-Type header:
         • application/x-www-form-urlencoded: scans the form POST parameters
         • application/json: scans attribute values and character data
         • multipart/form-data: scans each MIME part, according to that part's own Content-Type
         • text/xml: scans attribute values and character data
         • anything else: scans the entire message body
     Setting: Available Protections
     Description: Select one or more injection threats to protect against. Point at each option to see a description of the protection offered. The assertion fails upon the first protection violation detected.
     This assertion checks for injection of any executable code, not just malicious code, because it is not always possible to determine whether a given piece of code is malicious or benign. Be especially careful when applying this protection to responses, because returned HTML often contains legitimate uses of the restricted tags.
  4. Click [OK] when done.
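To make the Body scan routing and the fail-on-first-violation behaviour concrete, here is an added Python model; it is not the gateway's own code. The PROTECTIONS signatures, function names and sample inputs are constructed assumptions, since the product's actual detection patterns are not published on this page, and the multipart/form-data branch is left out.

```python
# Added illustrative model of the Body scan routing; not the gateway's own
# code, and the signatures are constructed stand-ins for unpublished patterns.
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed, deliberately coarse signatures for the listed threat classes.
PROTECTIONS = {
    "HTML/JavaScript Injection": re.compile(r"<\s*(script|iframe|img|svg)\b|javascript:", re.I),
    "PHP Code Injection": re.compile(r"\beval\s*\(", re.I),
    "Shell Injection": re.compile(r"(?:;|\|\||&&|`|\$\()\s*\S"),
    "LDAP Injection": re.compile(r"\)\s*\(\s*[|&!]"),
    "XPath Injection": re.compile(r"'\s*or\s*'", re.I),
}

def _json_strings(node):
    """Yield every string value in a parsed JSON document."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _json_strings(item)
    elif isinstance(node, str):
        yield node

def values_to_scan(content_type, body):
    """Pick the fields the Body protection inspects; only the media type matters."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return [v for vals in parse_qs(body, keep_blank_values=True).values() for v in vals]
    if media_type == "application/json":
        return list(_json_strings(json.loads(body)))
    if media_type == "text/xml":  # attribute values and character data
        values = []
        for element in ET.fromstring(body).iter():
            values.extend(element.attrib.values())
            if element.text and element.text.strip():
                values.append(element.text)
        return values
    return [body]  # anything else: the entire body is scanned as one value

def check_body(content_type, body):
    """Return the first violated protection's name (where the assertion fails), else None."""
    for value in values_to_scan(content_type, body):
        for name, pattern in PROTECTIONS.items():
            if pattern.search(value):
                return name
    return None
```

Note that a plain text/plain body such as "see you; then" trips the coarse shell signature, which is the kind of benign match the caveat in step 3 warns about.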