Layer7 API Management


Facing Issue with Protect Against SQL Attacks

  • 1.  Facing Issue with Protect Against SQL Attacks

    Posted 03-27-2018 06:11 AM

    Hello Team,

     

    I am currently using "Protect against SQL attack" for URL path and URL parameters.
    I have selected Standard SQL Injection Attack Protection in the assertion.

     

    My valid request looks like below.
    https://<hostname>/v1/exampleData?SourceName=’test’&Period=’2016-11-08'

     

    So, whenever I receive a request with URL path as /v1/exampleData?##  or URL param as ?SourceName=’te'st’&Period=’2016#-11-08', I expect these requests to get rejected. But they are passing through without failing.

     

    If I select Invasive SQL Injection Attack Protection, my valid request also fails due to the presence of quotes.

     

    I would appreciate it if anyone can provide guidance on how to rectify this issue.

     

    Regards,

    Saidawali



  • 2.  Re: Facing Issue with Protect Against SQL Attacks

    Posted 04-06-2018 05:24 AM

    Normally, one should use URL-encoding to introduce any special characters in a query string.

    For example, ?Name=O'Neill should be sent as ?Name=O%27Neill

     

    So I would suggest that you enable Invasive SQL Injection Attack Protection and send/accept requests in the following fashion:

     

    https://<hostname>/v1/exampleData?SourceName=test&Period=2016-11-08

     

    And if there are special characters, use URL encoding:

     

    https://<hostname>/v1/exampleData?SourceName=te%27st&Period=2016%23-11-08
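
Added example, not part of the original thread and not Layer7 code: Python's `urllib.parse` applied to the URLs discussed above, showing which part of a URL with a raw `#` a standards-following client actually transmits, compared with the percent-encoded form. The hostname `gateway.example` and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, quote

BASE = "https://gateway.example/v1/exampleData"  # constructed hostname (assumption)


def build_url(base, params):
    """Build a URL whose parameter values are fully percent-encoded."""
    return base + "?" + urlencode(params, quote_via=quote, safe="")


def request_target(url):
    """Path and query of the URL, fragment excluded.

    Per RFC 3986 everything after the first raw '#' is the fragment,
    which standard HTTP clients keep locally and do not transmit.
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def decoded_params(url):
    """Parameter values as a receiver sees them after URL-decoding the query."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


# Constructed sample inputs modelled on the URLs in this thread.
RAW_HASH_PATH = BASE + "?##"
RAW_PARAMS = BASE + "?SourceName='te'st'&Period='2016#-11-08'"
ENCODED = build_url(BASE, {"SourceName": "te'st", "Period": "2016#-11-08"})

if __name__ == "__main__":
    for label, url in [("raw ?##", RAW_HASH_PATH),
                       ("raw params", RAW_PARAMS),
                       ("encoded", ENCODED)]:
        print(label)
        print("  transmitted:", request_target(url))
        print("  decoded    :", decoded_params(url))
```

With the raw forms, the text after `#` is not part of the query at all, so a check on URL path and parameters only ever sees it when it arrives as `%23`.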



  • 3.  Re: Facing Issue with Protect Against SQL Attacks

    Posted 12-11-2018 03:10 PM

    Good afternoon,

     

    Were you able to resolve the issue? What was the final result?

     

    Sincerely,


    Stephen Hughes
    Broadcom Support