Protect Against Code Injection Assertion
The Protect Against Code Injection assertion provides threat protection against code injection attacks targeting web services and Web applications, including AJAX applications. Use this assertion to protect against the following threats:
Protect Against Code Injectionassertion provides threat protection against code injection attacks targeting web services and Web applications, including AJAX applications. Use this assertion to protect against the following threats:
- PHP Code Injection—Eval injection
- Shell Injection
- LDAP DN Injection
- LDAP Search Injection
- XPath Injection
This assertion can help protect vulnerable parameters in the path (or URI) of the URL, in addition to the URL query string and message body.
To learn about selecting the target message for this assertion, see Select a Target Message.
Using the Assertion
- Do one of the following:
- To add the assertion to the Policy Development window, see Add an Assertion.
- To change the configuration of an existing assertion, proceed to step 2 below.
- When adding the assertion, theCode Injection ProtectionPropertiesautomatically appear; when modifying the assertion, right-clickin the policy window and select<target>:Protect against Code InjectionCode Injection Protection Propertiesor double-click the assertion in the policy window. The assertion properties are displayed.
- Configure the properties as follows.SettingDescriptionApply protection to:Specify where to apply the protection:
- URL Path:Select this to protect the URL Path.
- URL Query String:Select this to protect the query parameters in the URL.
- Body:Select this to protect the body of the message. These will be scanned depending on the Content-Type header:
Available ProtectionsSelect one or more injection threats to protect against. Point at each option to see a description of the protection offered. The assertion will fail upon the first protection violation detected.This assertion checks for injection ofanyexecutable code, not just malicious code. This is because it is not always possible to determine which code is malicious or benevolent. Be especially careful when using this protection on responses, because returned HTML often contains legitimate uses of the restricted tags.
- application/x-www-form-urlencoded:Scans Form Post parameters
- application/json:Scans attribute values and character-data
- multipart/form-data:Scans each MIME part; depends on Content-Type of MIME part
- text/xml:Scans attribute values and character-data
- anything else: Scans the entire message body
- Click [OK] when done.