I am currently using "Protect against SQL attack" for the URL path and URL parameters. I have selected Standard SQL Injection Attack Protection in the assertion.
My valid request looks like the one below: https://<hostname>/v1/exampleData?SourceName='test'&Period='2016-11-08'
So whenever I receive a request with a URL path such as /v1/exampleData?## or a URL parameter such as ?SourceName='te'st'&Period='2016#-11-08', I expect these requests to be rejected. But they are passing through without failing.
If I select Invasive SQL Injection Attack Protection, my valid request also fails due to the presence of quotes.
I would appreciate it if anyone could provide guidance on how to rectify this issue.
Normally, one should use URL encoding to introduce any special characters in a query string.
For example, ?Name=O'Neill should be sent as ?Name=O%27Neill.
So I would suggest that you enable Invasive SQL Injection Attack Protection and send/accept requests in the following fashion:
And if there are special characters, use URL encoding:
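The URL-encoding approach from the answer above, worked through as an added example (this is not code from the original thread, from the poster, or from the gateway product). It builds the thread's own request with every quote percent-encoded, decodes it again to show the values round-trip intact, and runs a constructed stand-in check that rejects raw quote-like characters in the path or query; that check is an illustration of the idea, not the gateway's actual "Protect Against SQL Attack" logic. The hostname, the token list and the SQLite table are assumptions made for the example. It also shows the caveat a practitioner should keep in mind: percent-encoding gets a legitimate `'test'` past a quote-rejecting filter, but it gets `'te'st'` past it just as easily, and the backend receives the decoded apostrophe either way. The filter therefore cannot replace a parameterized query at the backend, which the last two functions demonstrate.

```python
import sqlite3
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Hypothetical gateway host; the path is the one from the thread.
BASE = "https://gateway.example.invalid/v1/exampleData"


def encode_query(params):
    """Percent-encode names and values per RFC 3986.

    quote (not the default quote_plus) with safe="" turns ' into %27,
    # into %23 and space into %20, so the raw query carries no quote
    characters at all.
    """
    return urlencode(params, quote_via=quote, safe="")


def build_url(params, base=BASE):
    return f"{base}?{encode_query(params)}"


def decode_query(url):
    """What the receiving side sees after percent-decoding: original values restored."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


# Constructed token list for the stand-in filter below (assumption, not the gateway's rule).
RAW_SQL_TOKENS = ("'", '"', "#", "--", ";")


def raw_request_has_sql_tokens(url):
    """Simplified stand-in for a filter that rejects a request whose raw path or
    query contains quote-like characters. A percent-encoded request contains none."""
    parts = urlsplit(url)
    # Scan everything after the authority, so a raw '#' (which urlsplit would
    # treat as a fragment delimiter) is still part of the scanned text.
    raw = url[url.index(parts.netloc) + len(parts.netloc):]
    return any(tok in raw for tok in RAW_SQL_TOKENS)


def make_demo_db():
    """In-memory table with constructed sample rows matching the thread's values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE example_data (source_name TEXT, period TEXT)")
    conn.executemany(
        "INSERT INTO example_data VALUES (?, ?)",
        [("'test'", "'2016-11-08'"), ("other", "2016-11-09")],
    )
    return conn


def lookup_by_source(conn, source_name):
    """Parameterized query: the decoded value, apostrophes and all, is bound as data,
    so neither 'test' nor te'st can alter the statement."""
    cur = conn.execute(
        "SELECT period FROM example_data WHERE source_name = ?", (source_name,)
    )
    return [row[0] for row in cur.fetchall()]


def demo():
    valid = {"SourceName": "'test'", "Period": "'2016-11-08'"}
    hostile = {"SourceName": "'te'st'", "Period": "'2016#-11-08'"}
    results = {}
    for label, params in (("valid", valid), ("hostile", hostile)):
        url = build_url(params)
        results[label] = {
            "url": url,
            # Both encoded requests pass the raw-character check...
            "raw_has_tokens": raw_request_has_sql_tokens(url),
            # ...and both decode back to exactly what was sent, quotes included.
            "roundtrip_ok": decode_query(url) == params,
        }
    conn = make_demo_db()
    results["lookup_valid"] = lookup_by_source(
        conn, decode_query(results["valid"]["url"])["SourceName"]
    )
    results["lookup_hostile"] = lookup_by_source(
        conn, decode_query(results["hostile"]["url"])["SourceName"]
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the valid request encoded as `SourceName=%27test%27&Period=%272016-11-08%27`, the stand-in check returning false for both the valid and the hostile encoded request, and the parameterized lookup returning the stored period for `'test'` and nothing for `'te'st'`. Sending the hostile values unencoded, as in the original question, makes the stand-in check return true.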
Were you able to resolve the issue? What was the final result?
Stephen Hughes, Broadcom Support