Regular expression pattern support

Hi Team,

For the regular expression policy, we have listed the below regexes for SQL injection checks:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix, /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/ix, /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix, /((\%27)|(\'))union/ix, /exec(\s|\+)+(s |x)p\w+/ix, which identify a few of the SQL injection attacks.

Please let us know the Apigee recommendation on this.


General guidance.

You should speak to the application security team, as it will help further tweak the regular expression if required, with proper testing. Also make sure certain keywords are not part of the payload, which may get blocked during the proxy pre-flow.

Always sanitize all user input before it is used, plus have a WAF to block common SQL injection attacks.

Just FYI ->

Sample regular expression that restricts the following words:

  • delete
  • exec
  • drop
  • insert
  • shutdown
  • update
  • select
  • alter
  • create


<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="Regular-Expression-Protection-1">
    <DisplayName>Regular Expression Protection-1</DisplayName>
    <Properties/>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Variable name="request.content">
        <Pattern>(?i)((delete\s*from)|(\bexec\b)|(drop\s*table)|(drop[\s]*procedure)|(insert\s*into)|(shutdown)|(';shutdown --)|(update\s+[\w]+\s+set\s+(.*?)\s*)|(select\s+[\w]+\s+from\s+(.*?)\s*)|(alter\s+table)|(alter\s+view)|(create\s+database)|(create\s+procedure)|(create\s+table)|(create\s+view))</Pattern>
    </Variable>
    <Source>request</Source>
</RegularExpressionProtection>
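To see what the patterns in this thread actually catch and what they block by mistake, here is an added example (not from the question or the reply) that runs the question's five regexes and the reply's policy pattern over a few constructed request bodies using Python's re module as a stand-in for the Java regex engine behind RegularExpressionProtection. It assumes the question's patterns were meant without the /x flag, since under /x a bare '#' starts a comment and the space in '(s |x)' is ignored.

```python
import re

# Patterns from the question, transcribed from Perl-style /ix to Python's re module.
# The /x (verbose) flag is dropped on purpose: under /x a bare '#' starts a comment,
# so '(#)' would never match a literal '#'. Under the same flag the space in '(s |x)'
# is ignored, so it is written as '(s|x)' here (assumed intent of the question).
ASKER_PATTERNS = {
    "quote_or_comment": r"(%27)|(')|(--)|(%23)|(#)",
    "eq_then_quote":    r"((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))",
    "quote_or":         r"\w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))",
    "quote_union":      r"((%27)|('))union",
    "exec_sp_xp":       r"exec(\s|\+)+(s|x)p\w+",
}

# Keyword pattern from the reply's RegularExpressionProtection policy, copied verbatim.
REPLY_PATTERN = (
    r"(?i)((delete\s*from)|(\bexec\b)|(drop\s*table)|(drop[\s]*procedure)|(insert\s*into)"
    r"|(shutdown)|(';shutdown --)|(update\s+[\w]+\s+set\s+(.*?)\s*)"
    r"|(select\s+[\w]+\s+from\s+(.*?)\s*)|(alter\s+table)|(alter\s+view)"
    r"|(create\s+database)|(create\s+procedure)|(create\s+table)|(create\s+view))"
)

COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in ASKER_PATTERNS.items()}
COMPILED["reply_keywords"] = re.compile(REPLY_PATTERN)


def matches(payload: str) -> list:
    """Names of every pattern that fires on a request body, in policy order."""
    return [name for name, rx in COMPILED.items() if rx.search(payload)]


# Constructed request bodies: three textbook injection strings, three ordinary inputs.
# Note which ones slip through (no quote before UNION, comma after SELECT) and which
# ordinary bodies get blocked (an apostrophe in a name, a '#' colour code, "shutdown").
SAMPLES = [
    "admin'--",
    "'union select 1,2,3--",
    "1 UNION SELECT password FROM users",
    '{"name":"O\'Brien"}',
    "color=#ff0000&note=update the dashboard",
    '{"note":"please shutdown the server at 5pm"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        hits = matches(body)
        print(f"{'BLOCK' if hits else 'pass ':5} {body!r:48} {hits}")
```

The two ordinary bodies with an apostrophe and a '#' are blocked by the first pattern alone, while the spaced-out UNION SELECT is missed by every one of the question's patterns and only caught by the reply's keyword list, which is the kind of tuning the reply says to do with the application security team.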