False Injection Attacks Caused by JWTs

Document ID : KB000122986
Last Modified Date : 31/01/2019
Issue:
There is a URL that redirects customers to an OAuth 2.0 login page. Before redirecting, the gateway checks the request for code injection and SQL injection. Infrequently, the gateway reports a code injection and does not redirect to the login page, even though the request contained no injection.
Cause:
Special characters that occur in generated JWTs can match the SQL attack signatures, producing false positives.
Resolution:
The attached sample policy validates the JWT after decoding it. Whether the JWT is valid determines the next step in the policy:
  • If the JWT is valid, the Protect Against assertions are bypassed and processing continues
  • If the JWT is not valid, the Protect Against assertions are executed and processing stops

NOTE: Out of the box, this sample policy may not meet your security team's compliance requirements. Use it as a starting point and add the logic needed to bring the JWT validation and the Protect Against assertion check into compliance.
File Attachments:
validateSignatureJWTPolicy.xml