Filter allowed chars in request body, query params

Is it possible to filter allowed chars in request body, query params?

For many of our API endpoints, the input is echoed unmodified in the application's response. Using this behavior, someone can send arbitrary Javascript in the request which will be echoed in the response, and the browser will try to execute it.

How do I have Apigee filter for allowed chars in the request body so malicious scripts cannot be passed in the request?


@krishnakumartce - so you are basically looking for XSS attacks. For this you can use the Regular Expression Protection policy.

You can use a policy like this:

<RegularExpressionProtection name="REP-JsonPathRegExProtection">
    <Source>request</Source>
    <!-- scan the JSON request body at the given JSONPath for the pattern -->
    <JSONPayload escapeSlashCharacter="true">
       <JSONPath>
          <Expression>$.</Expression>
          <Pattern><![CDATA[ <\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*> ]]></Pattern>
       </JSONPath>
    </JSONPayload>
    <!-- scan a named query parameter for the same pattern -->
    <QueryParam name="query"> <!-- replace with your query param name -->
        <Pattern><![CDATA[ <\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*> ]]></Pattern>
    </QueryParam>
</RegularExpressionProtection>


Please try it out and test. That's just an example I provided.
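As an added illustration (not part of the original thread and not Apigee's own code), the check the policy above performs, mirrored in Python: the same regex is run over every string value in the JSON body (a generalisation of the single JSONPath in the policy) and over the named query parameter, and the echoed value is HTML-escaped, which is the fix for reflected input whether or not a filter is in front of it. The function names, the constructed sample requests and the stripping of the whitespace inside the CDATA are assumptions.

```python
import html
import json
import re
from urllib.parse import parse_qs

# Pattern from the policy above, with the whitespace inside the CDATA stripped
# (assumption: the page does not say how Apigee treats that whitespace).
# Like the policy, it is case-sensitive and needs a non-empty script body.
SCRIPT_TAG = re.compile(r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>")

def json_string_values(node):
    """Yield every string leaf of a parsed JSON document (generalises the
    policy's single JSONPath to all string values)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from json_string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from json_string_values(value)

def find_script_tags(body, query_string, param="query"):
    """Return where the pattern matches ('body', 'query:<name>'), i.e. where
    the policy would raise its fault and stop the request."""
    hits = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = body  # not JSON: scan the raw text instead
    if any(SCRIPT_TAG.search(v) for v in json_string_values(doc)):
        hits.append("body")
    for value in parse_qs(query_string).get(param, []):
        if SCRIPT_TAG.search(value):
            hits.append(f"query:{param}")
    return hits

def safe_echo(value):
    """Output-encode before echoing so the browser renders input as text."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    benign = '{"comment": "a <b>bold</b> tag is fine"}'
    hostile = '{"comment": "<script>doSomething()</script>"}'
    print(find_script_tags(benign, "query=hello"))    # []
    print(find_script_tags(hostile, "query=%3Cscript%3EdoSomething()%3C/script%3E"))  # ['body', 'query:query']
    print(safe_echo(hostile))
```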

I like Sai's answer, and also

> For many of our API endpoints, the input is echoed unmodified in the application's response.

... in general this seems like a bad idea.

> Using this behavior, someone can send arbitrary Javascript in the request which will be echoed in the response, and the browser will try to execute it.

Notwithstanding Sai's advice, I think the attack vector you describe is probably not a dangerous one. Sending "arbitrary javascript" would require the browser page itself to be hijacked, and ... if that's hijacked, then anything goes. Protecting the APIs won't change that.

But anyway it's a good idea to not just echo back or process un-validated user input.