When the base path of the API is modified to an invalid value, Apigee throws a "CLASSIFICATION_FAILED" error code. This error occurs when the Apigee platform does not find any API deployed in the plex environment with the specified base path.
If somehow an attacker is able to inject malicious code into the request URI, then the Apigee Edge platform returns an error message. A sample request and response are provided below.
Sample Request:
GET /v1/productssss,<script>alert('x')</script> HTTP/1.1
Host: apigee-XXXX.XXX.net
Authorization: Bearer DY85rJ3sOVmm1RRE4GtonqO8W0f1
Accept: application/json
Cache-Control: no-cache
Postman-Token: 3e00c4ad-fb3e-2796-0b30-00bcc1784c17
Note: /v1/products is the valid basepath.
Sample Response:
Connection: keep-alive
Content-Length: 213
Content-Type: application/json
Date: Wed, 20 Apr 2016 09:41:45 GMT
Server: Apigee Router
{ "fault": { "faultstring": "Unable to identify proxy for host: secure and url: /v1/productssss,%3Cscript%3Ealert('x')%3C/script%3E", "detail": { "errorcode": "messaging.adaptors.http.configuration.ApplicationNotFound" } } }
If this returned message text is included in an error message as part of web content, then the reflected JavaScript code might be executed within the user's browser context, which may cause problems such as stealing user information.
Hi @Varun Singh,
To handle this you can add an API proxy with basepath "/" with a policy to display a fault message. The same has been explained in Best Practices for API proxy design and development here.
Or you can add a resource in each proxy with no pathsuffix with a policy to display a customized error message.
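A catch-all proxy of the kind described in the answer above, written here as an added example (it is not the original poster's code, nor taken from the linked best-practices page). It assumes a virtual host named "secure", matching the "host: secure" seen in the faultstring of the sample response, and a policy named RF-UnknownProxy; both names are illustrative. The point of the example is that the fault payload is a fixed string, so nothing from the attacker-controlled request path is echoed back.

```xml
<!-- apiproxy/proxies/default.xml
     Catch-all ProxyEndpoint with BasePath "/" (added example, illustrative names).
     Any request whose path matches no other deployed proxy lands here. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Raise the fault immediately; there is no target to route to. -->
      <Step>
        <Name>RF-UnknownProxy</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/</BasePath>
    <!-- Assumed virtual host name; adjust to your environment. -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- A RouteRule with no TargetEndpoint means the request is never forwarded. -->
  <RouteRule name="NoRoute"/>
</ProxyEndpoint>

<!-- apiproxy/policies/RF-UnknownProxy.xml
     RaiseFault policy returning a static 404 body. The payload is a literal:
     it does not reference request.uri, proxy.pathsuffix or any other
     client-controlled variable, so <script> fragments in the URL are not reflected. -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-UnknownProxy">
  <DisplayName>RF-UnknownProxy</DisplayName>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <Headers>
        <Header name="Content-Type">application/json</Header>
      </Headers>
      <Payload contentType="application/json">{"error":{"code":404,"message":"No API found for the requested path"}}</Payload>
      <StatusCode>404</StatusCode>
      <ReasonPhrase>Not Found</ReasonPhrase>
    </Set>
  </FaultResponse>
</RaiseFault>
```

Deploy this proxy to the same environment and virtual host as the real APIs. The second option in the answer (a resource in each proxy with no pathsuffix) uses the same RaiseFault policy, attached to a conditional flow in each proxy instead of to a separate catch-all proxy; in either case, keep the fault body free of request-derived variables so that a JSON client that renders the message into HTML has nothing to reflect.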
Thanks @GargiTalukdar. Adding an API proxy with base path / can be the possible solution to override the error message returned from Edge.