We have a requirement to check if the payload attribute is an XSS attack (for e.g. <script>alert('XSS')</script> in base64 format it will be 'PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='). The attribute content is in base64 format. We want to check for HTTP special characters; if they are present, then discard the attribute content. Can someone please help?
I suppose you will need to base64 decode the content, and THEN check it against a regex.
The attached proxy shows how you could do that.
regex-protection-after-base64-decode.zip
Basically you can use an AssignMessage to decode it, and then just use your normal regex policy on the variable. Like this:

<AssignMessage name='AM-Decode'>
  <DisplayName>AM-Decode</DisplayName>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignVariable>
    <Name>decoded_content</Name>
    <Template>{decodeBase64(message.content)}</Template>
  </AssignVariable>
</AssignMessage>
And then:

<RegularExpressionProtection name="RegularExpressionProtection-1">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Variable name="decoded_content">
    <Pattern><![CDATA[(?i)(.*?(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)]]></Pattern>
  </Variable>
</RegularExpressionProtection>
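The decode-then-match flow from the answer, reproduced outside Apigee as an added Python example (not code from the original post or from the attached proxy) so the behaviour can be checked on the exact payload from the question. It reuses the answer's pattern verbatim; the strict base64 validation, the fail-closed decision on undecodable input, and the function names are assumptions added here, not part of either policy.

```python
import base64
import binascii
import re
from typing import Optional

# The pattern from the RegularExpressionProtection policy above, unchanged.
# Apigee evaluates it with Java's regex engine; Python's re accepts the same syntax.
SCRIPT_TAG_PATTERN = re.compile(
    r"(?i)(.*?(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)"
)

# Constructed sample inputs. The first is the base64 value quoted in the question.
ENCODED_XSS = "PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="
ENCODED_BENIGN = "aGVsbG8gd29ybGQ="   # base64 of "hello world"
ENCODED_GARBAGE = "not base64!!"      # characters outside the base64 alphabet


def decode_payload(encoded: str) -> Optional[str]:
    """Mirror of the AssignMessage step: base64-decode the attribute content.

    validate=True rejects any character outside the base64 alphabet instead of
    silently skipping it (an assumption made here; the policy's decodeBase64
    behaviour on malformed input is not described on the page).
    Returns None when the content cannot be decoded to text.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def is_script_injection(text: str) -> bool:
    """Mirror of the RegularExpressionProtection step on the decoded variable."""
    return SCRIPT_TAG_PATTERN.search(text) is not None


def check_attribute(encoded: str) -> str:
    """Decide what to do with one base64-encoded attribute value.

    Returns 'reject' when the attribute should be discarded and 'accept'
    otherwise. Undecodable content is rejected as well (fail closed), which is
    a design choice for this example rather than something the policies state.
    """
    decoded = decode_payload(encoded)
    if decoded is None:
        return "reject"
    return "reject" if is_script_injection(decoded) else "accept"


if __name__ == "__main__":
    # Matching the raw base64 string without decoding finds nothing, which is
    # why the AssignMessage decode step has to run before the regex policy.
    print("raw base64 matches pattern:", is_script_injection(ENCODED_XSS))
    for label, value in (("xss", ENCODED_XSS), ("benign", ENCODED_BENIGN),
                         ("garbage", ENCODED_GARBAGE)):
        print(f"{label}: decoded={decode_payload(value)!r} -> {check_attribute(value)}")
```

Running the script shows the point of the two-step design: the pattern never matches the undecoded base64 text, matches the decoded `<script>` payload from the question, and leaves an ordinary string alone. Whether content that fails to decode should be discarded or passed through is a policy decision; this example discards it.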