Potential XSS threat with Apigee Edge Platform


When the base path of the API is modified to an invalid value, Apigee throws the "CLASSIFICATION_FAILED" error code. This error comes when the Apigee platform does not find any API deployed in the plex environment with the specified base path.

If somehow an attacker is able to inject malicious code into the request URI, then the Apigee Edge platform returns an error message. A sample request and response are provided below.

Sample Request:

GET /v1/productssss,<script>alert('x')</script> HTTP/1.1
Host: apigee-XXXX.XXX.net
Authorization: Bearer DY85rJ3sOVmm1RRE4GtonqO8W0f1
Accept: application/json
Cache-Control: no-cache
Postman-Token: 3e00c4ad-fb3e-2796-0b30-00bcc1784c17

Note: /v1/products is the valid base path.

Sample Response:

Connection: keep-alive
Content-Length: 213
Content-Type: application/json
Date: Wed, 20 Apr 2016 09:41:45 GMT
Server: Apigee Router

{
  "fault": {
    "faultstring": "Unable to identify proxy for host: secure and url: /v1/productssss,%3Cscript%3Ealert('x')%3C/script%3E",
    "detail": {
      "errorcode": "messaging.adaptors.http.configuration.ApplicationNotFound"
    }
  }
}

If this returned message text is included in an error message as part of web content, then the reflected JavaScript code might be executed within the user's browser context, which could lead to theft of user information.

ACCEPTED SOLUTION

Hi @Varun Singh,

To handle this you can add an API proxy with basepath "/" with a policy to display a fault message. The same has been explained in Best Practices for API proxy design and development here.

or you can add a resource in each proxy with no pathsuffix with a policy to display a customized error message.

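A concrete form of the first option above (a proxy with base path "/" plus a fault policy), as an added example and not configuration posted in this thread. It is a catch-all ProxyEndpoint whose PreFlow runs a RaiseFault policy that returns a fixed JSON body. The proxy layout, the policy name RF-GenericNotFound, the virtual host name "secure" (taken from "host: secure" in the sample faultstring) and the wording of the error payload are assumptions. The property that matters is that the payload contains no request variables such as request.uri, so nothing the client sent is echoed back; the sample response in the question already percent-encodes the angle brackets and is served as application/json, but removing the reflection entirely is the safer default.

```xml
<!-- Added example (not from the thread). File: apiproxy/proxies/default.xml
     Catch-all ProxyEndpoint deployed as its own API proxy. A base path of "/"
     only receives requests that no other deployed proxy's base path matched. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <!-- Every unmatched request is answered by the fault policy below. -->
        <Name>RF-GenericNotFound</Name>
      </Step>
    </Request>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/</BasePath>
    <!-- Virtual host name assumed from "host: secure" in the sample faultstring. -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- No TargetEndpoint: the request is answered inside Edge and never forwarded. -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- File: apiproxy/policies/RF-GenericNotFound.xml
     Fixed 404 response. The body deliberately contains no message variables
     (for example {request.uri}), so nothing from the request URI is reflected. -->
<RaiseFault name="RF-GenericNotFound">
  <FaultResponse>
    <Set>
      <StatusCode>404</StatusCode>
      <ReasonPhrase>Not Found</ReasonPhrase>
      <Headers>
        <Header name="Content-Type">application/json</Header>
        <!-- Stops browsers from sniffing the JSON body as HTML. -->
        <Header name="X-Content-Type-Options">nosniff</Header>
      </Headers>
      <!-- variablePrefix/variableSuffix keep Edge from reading the JSON braces
           as variable markers; the body itself is a constant string. -->
      <Payload contentType="application/json" variablePrefix="@" variableSuffix="#">{"error":{"code":"NOT_FOUND","message":"No API is deployed at the requested path."}}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

To check the change, replay the sample request from the question after deploying the catch-all proxy to the same environment: the response should carry the fixed body above rather than a faultstring containing the requested URL.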

REPLIES


Thanks @GargiTalukdar. Adding an API proxy with base path / is a possible solution to override the error message returned from Edge.