Integration Server 10.11 | Integration Server Administrator's Guide | Configuring webMethods Enterprise Gateway | About SQL Injection Protection
 
About SQL Injection Protection
You can use the SQL injection protection filter of Enterprise Gateway to block requests that could possibly cause an SQL injection attack. When this filter is enabled in Enterprise Gateway, Integration Server checks each request message for specific patterns of characters or keywords that are associated with potential SQL injection attacks. If a match is found in the request parameters or payload, Integration Server blocks the request from further processing.
Integration Server processes the incoming payload at Enterprise Gateway and if the incoming request contains characters that are not permitted for a database, based on how the rule is configured, Integration Server either denies the request and sends an alert about the violation or allows the request and sends an alert about the violation.
Integration Server provides two types of filters that you can enable to prevent SQL injection attacks:
*Database-Specific SQL Injection Protection. If enabled, Integration Server will check the incoming payload based on the specified database and GET or POST request parameters. If no parameter is specified, all input parameters will be checked for possible SQL injection attack. Integration Server adheres to the ESAPI (OWASP Enterprise Security API) standards while validating the parameters.
Parameters are applicable only for HTTP queries and HTTP form data, in which there are name value pairs.
For example, in the HTTP query string, http://localhost:1111/invoke/myjdbc.db:addUser?userid=' or '1'='1' --, the parameter is userid.
*Standard SQL Injection Protection. If enabled, Integration Server will block XML and SOAP payload messages that contain quotation mark ('), number sign (#), or double hyphen (--) in the message.Integration Server currently supports only the XML and SOAP payload messages. For example, in the following XML payload, the Text elements (Title, Artist, and Country) contain invalid characters, ', #, and -- respectively.
<CATALOG>
<CD>
<TITLE>Albu'm name</TITLE>
<ARTIST>John# Smith</ARTIST>
<COUNTRY>USA--</COUNTRY>
<YEAR>2014</YEAR>
</CD>
</CATALOG>