Regular expression threat protection design

Our API proxy will be exposed to the web. Please let me know what all regular expression injections need to be part of our design as a bare minimum based on the web threats we have currently. Our customer did not have any requirement for this. We already have JSON threat protection implemented as our input is going to be JSON.


Former Community Member

You might want to think about XSS (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) and SQL Injection (if it applies).

When faced with a question as wide open as this, I will usually try to narrow down the scope by asking what back-end systems are in use. This will help me understand what systems would be vulnerable such as SQL Injection if the target system is SQL Server. Other odd systems may require different mitigations -- for instance, MongoDB uses JSON key/value pairs with special names for operations which may need guards if Mongo is the target.

The "usage notes" section of the document has several good examples. http://docs.apigee.com/api-services/reference/regular-expression-protection

This is not an exhaustive list. Not all will be applicable in every situation.
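To make the reply concrete, here is an added example (my own illustration, not code from the thread or from Apigee's RegularExpressionProtection policy) of what a regex guard over a JSON body looks like when it covers the three cases mentioned: XSS markers and SQL keywords in string values, plus MongoDB operator keys (`$where`, `$gt`, ...) anywhere in the document. The patterns, the `scan_json` and `walk` helper names and the sample payloads are all constructed for this example; in a real proxy the patterns would be tuned to the back-end the reply says you should ask about, and expressed in the policy's own configuration rather than in Python.

```python
import json
import re

# Detection patterns constructed for this example. They are deliberately
# narrow; a production list is tuned to the back-end in use and to the
# false-positive rate you can tolerate on legitimate traffic.
PATTERNS = {
    "sqli": re.compile(
        r"(\bunion\b\s+\bselect\b|\bdrop\s+table\b|\bor\b\s+\d+\s*=\s*\d+|\bshutdown\b)",
        re.IGNORECASE,
    ),
    "xss": re.compile(r"(<\s*script\b|javascript\s*:|\bon\w+\s*=)", re.IGNORECASE),
}

# MongoDB query operators all begin with '$'. A client-supplied key such as
# "$gt" or "$where" must never reach a query built from the request body,
# so operator-shaped keys are treated as a finding regardless of their value.
MONGO_OPERATOR_KEY = re.compile(r"^\$\w+$")


def walk(node, path="$"):
    """Yield (json_path, kind, item) for every object key and every scalar.

    kind is "key" for object keys and "value" for leaf values, so the caller
    can apply different guards to each.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield (f"{path}.{key}", "key", key)
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield (path, "value", node)


def scan_json(body: str):
    """Return a list of (json_path, rule) findings for a JSON request body.

    An empty list means the payload passed every guard. Malformed JSON is
    reported as a finding rather than raising, so the proxy can reject it
    with the same error path as any other policy violation.
    """
    findings = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return [("$", "malformed-json")]

    for path, kind, item in walk(doc):
        if kind == "key":
            if MONGO_OPERATOR_KEY.match(item):
                findings.append((path, "mongo-operator-key"))
            continue
        # Only string values can carry injected text; numbers and booleans
        # are already typed by the JSON parser.
        if isinstance(item, str):
            for rule, pattern in PATTERNS.items():
                if pattern.search(item):
                    findings.append((path, rule))
    return findings


if __name__ == "__main__":
    # Constructed sample payloads: one clean, one per guard.
    samples = [
        '{"name": "Alice", "age": 30}',
        '{"q": "<script>alert(1)</script>"}',
        '{"name": "x\' or 1=1"}',
        '{"user": {"$gt": ""}}',
        "not json",
    ]
    for body in samples:
        print(body, "->", scan_json(body) or "clean")
```

The JSON path in each finding is what you would log or return in the policy's fault message, so operations can see which field tripped which rule instead of a bare 400. Scanning keys separately from values is the point the reply makes about MongoDB: the operator names live in keys, which a value-only regex never sees.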