TEC Workbook - IBM
IBM Software
The processing policy should now look like the following image.
__5. Click the Apply Policy button to make your changes active.
__6. In the soapUI request window, load the request from c:\labs\requests\missingDp.xml. Notice that the brand is missing the word “DataPower”.
__7. Click the green submit button to POST the request to MyServiceProxy. You should receive a SOAP fault with an error message as shown in the following image.

2.5.1 SQL Injection Threat Filtering
SQL Injection is an attack technique used to exploit Web sites and services that construct SQL statements from user-supplied input. For example, assume that a web service expects a SOAP request containing a element used for looking up a customer:
KAPLAN
The Web service uses an SQL statement with substitution parameters similar to the following SQL snippet:
SELECT * FROM EMPLOYEE WHERE LASTNAME = ?
After the substitution takes place, the resultant SQL statement will be:
SELECT * FROM EMPLOYEE WHERE LASTNAME = 'KAPLAN'
However, if the value submitted in the element contained a malicious SQL injection threat, it may look like this:
KAPLAN' OR '1'='1
Page 44 WebSphere Lab Jam
The SQL statement would become:
SELECT * FROM EMPLOYEE WHERE LASTNAME = 'KAPLAN' OR '1' = '1'
The service will return the details about ALL employees, since the WHERE clause will evaluate to true for every record in the EMPLOYEE table (because of the '1' = '1' clause).
WebSphere DataPower SOA Appliances can protect against such SQL injection threats using a special SQL injection threat filter. It works the same way as the filter you tried in the previous steps, except that the logic is a bit more complex.
The SQL Injection Threat filter has two parts: the base stylesheet filter (that uses and ), and an XML file that contains the various patterns to search for. Keeping the patterns in a separate XML file allows you to create more customized patterns.
__1. In the policy editor window, drag another Filter action onto the processing rule to the right of the previously added filter action.
__2. Double click the yellow outlined filter action to complete its configuration.
__3. In the Transform field:
__a. Change the upper dropdown to show: store:///
__b. In the lower dropdown box, select: SQL-Injection-Filter.xsl
__4. Click the Done button.
__5. Click the Apply Policy button to activate these changes.
Lab 2 - Working with XML Page 45
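The following is an added example, not code from the IBM workbook and not DataPower's own SQL-Injection-Filter.xsl or pattern file. It models the two-part design described above (filter logic plus a separate XML document of patterns) in Python, and puts the EMPLOYEE lookup behind it in both the substitution form the workbook shows and a parameterized form, so the effect of the '1'='1 value can be observed on a small in-memory table. The element name LastName, the <patterns>/<pattern> layout, the regular expressions, and the table rows are all constructed assumptions for this example.

```python
"""Added example (not from the IBM workbook or DataPower): a pattern-based
SQL injection filter in front of the EMPLOYEE lookup, with the pattern list
kept in a separate XML document as the workbook describes, plus the back-end
query in both its substitution form and a parameterized form."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed pattern file. The <patterns>/<pattern name="..."> layout is an
# assumption for this example, not the format of DataPower's own pattern XML.
PATTERN_XML = r"""<patterns>
  <pattern name="quote-or-tautology">'\s*or\s*'?\d+'?\s*=\s*'?\d+</pattern>
  <pattern name="sql-comment">--|/\*</pattern>
  <pattern name="union-select">\bunion\b.*\bselect\b</pattern>
</patterns>"""

# Constructed SOAP request. The element name LastName is an assumption; the
# workbook's element name did not survive extraction.
SOAP_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><LookupEmployee><LastName>{value}</LastName></LookupEmployee></soapenv:Body>
</soapenv:Envelope>"""


def load_patterns(xml_text):
    """Parse the separate pattern document into (name, compiled regex) pairs."""
    root = ET.fromstring(xml_text)
    return [(p.get("name"), re.compile(p.text, re.IGNORECASE))
            for p in root.findall("pattern")]


def filter_request(soap_xml, patterns):
    """Scan the text of every element in the request against the pattern list.
    Returns None when the request is clean, else the name of the first pattern hit."""
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text:
            continue
        for name, regex in patterns:
            if regex.search(text):
                return name
    return None


def make_db():
    """In-memory EMPLOYEE table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (ID INTEGER, LASTNAME TEXT)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?)",
                     [(1, "KAPLAN"), (2, "SMITH"), (3, "JONES")])
    return conn


def lookup_by_substitution(conn, lastname):
    """The vulnerable form from the workbook: the value is pasted into the SQL text."""
    sql = "SELECT * FROM EMPLOYEE WHERE LASTNAME = '%s'" % lastname
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, lastname):
    """Bound parameter: the driver sends the value separately, so it can never
    change the structure of the statement."""
    return conn.execute("SELECT * FROM EMPLOYEE WHERE LASTNAME = ?",
                        (lastname,)).fetchall()


def handle_request(conn, soap_xml, patterns):
    """Gateway behaviour: reject with a fault if a pattern matches, otherwise
    forward the value to the (parameterized) back-end lookup."""
    hit = filter_request(soap_xml, patterns)
    if hit is not None:
        return {"fault": "Rejected by SQL injection filter: %s" % hit}
    lastname = ET.fromstring(soap_xml).find(".//LastName").text
    return {"rows": lookup_parameterized(conn, lastname)}


if __name__ == "__main__":
    patterns = load_patterns(PATTERN_XML)
    conn = make_db()
    payload = "KAPLAN' OR '1'='1"
    print("substitution, payload :", lookup_by_substitution(conn, payload))   # all 3 rows
    print("parameterized, payload:", lookup_parameterized(conn, payload))     # []
    print("gateway, payload      :", handle_request(conn, SOAP_TEMPLATE.format(value=payload), patterns))
    print("gateway, KAPLAN       :", handle_request(conn, SOAP_TEMPLATE.format(value="KAPLAN"), patterns))
```

Running the script shows the three outcomes side by side: the substitution query returns every row for the '1'='1 value, the parameterized query returns no rows for the same value because it is compared as a literal last name, and the gateway rejects the request before it reaches the back end. The pattern filter is a perimeter check that can be tuned by editing the XML document alone, which is the point of keeping patterns separate from the filter logic; parameterized statements in the service itself remain the control that removes the injection path regardless of what the patterns miss.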