Best Practice for Cross Site Scripting (XSS)

Not applicable

Any best practice steps or policies for Cross Site Scripting (XSS) vulnerabilities?

I read an article in the community, but it does not mention how to achieve this in Edge with samples. Can you help me with how to achieve this in Edge, with a sample?

I read another document here saying "Examples of blacklist patterns", where JavaScript injection has the pattern <\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>. But which policy will accept this?

Thank You.


Not applicable

You can use Regular Expression Protection Policy. http://docs.apigee.com/api-services/reference/regular-expression-protection

If any specified regular expressions evaluate to true, the message is considered a threat and is rejected.

Not applicable

I used the Regular Expression Protection policy for Cross Site Scripting (XSS), where I used a pattern, for example:

  <QueryParam name="myQuery">
    <!-- Sample patterns from the policy reference; the request is rejected if any pattern matches -->
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <!-- Script-tag pattern from the question; a literal '<' in XML element text must be written as &lt; -->
    <Pattern ignoreCase="true">&lt;\s*script\b[^>]*>[^&lt;]+&lt;\s*\/\s*script\s*></Pattern>
  </QueryParam>

The same is applicable for Header, Query, JSON/XML Payload and URIPath. But the only con of using this policy is that you have to map each parameter, parameter by parameter. So the policy needs to be edited for every proxy based on the parameters used on that proxy. That is the biggest drawback I see in using this policy for XSS.

@Kumaresan Sithambaram That looks to me like a valid concern. @Anil Sagar, @Dino: Is there a workaround for this issue?

Yes, I think if you wanted to apply a filter on all parameters, you'd need to script it with JavaScript using the RegExp object. I think it's a valid request to ask that the policy be expanded to handle all query params.

@Dino Could you please elaborate on "filter on all parameters"? And how do we read all query and header params using JS with functionality equivalent to the Regular Expression Protection policy?

I mean, if you want to apply a regex test to all parameters, you would need to use JavaScript to loop through them.

I suppose you would do something like this:

// Names of all query parameters on the request (an Apigee flow variable that
// returns a Java collection, hence the toArray() call).
var queryParamNames = context.getVariable("request.queryparams.names");
var a = queryParamNames.toArray();
// Same script-tag pattern as the policy above; the 'i' flag mirrors ignoreCase="true".
var re = new RegExp('<\\s*script\\b[^>]*>[^<]+<\\s*\\/\\s*script\\s*>', 'i');
var isFault = null;
a.forEach(function(name) {
  if ( ! isFault) {
    // request.queryparam.<name> yields only the first value of a repeated parameter;
    // request.queryparam.<name>.values.count and request.queryparam.<name>.N expose the rest.
    var value = context.getVariable("request.queryparam." + name);
    if (re.test(value)) { isFault = name; }
  }
});

if (isFault) {
  // Record the outcome in flow variables, then raise a fault to stop the proxy flow.
  context.setVariable('verify_qparams_failed', true);
  context.setVariable('verify_qparams_name', isFault);
  throw new Error("queryparam "+ isFault + " rejected as unsafe.");
}
else {
  context.setVariable('verify_qparams_failed', false);
}
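As an added example, not code from the thread or from Apigee, here is the loop above generalised the way the follow-up question asks for: it applies a list of patterns to every query parameter and every request header, and it inspects every value of a repeated parameter rather than only the first one. The Apigee `context` object exists only inside a JavaScript policy, so the example constructs a small mock of it (an assumption of this example) that exposes the documented flow-variable names (`request.queryparams.names`, `request.queryparam.<name>.values.count`, `request.queryparam.<name>.N`, and the `request.header` equivalents) so it runs under Node.js. The second pattern, `javascript-uri`, and the `verify_params_*` variable names are assumptions, not part of the thread.

```javascript
// Patterns the policy would carry. The first is the script-tag pattern from the
// question, compiled case-insensitively to mirror ignoreCase="true"; the second is
// an assumed additional pattern for this example.
var THREAT_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>/i },
  { name: 'javascript-uri', re: /javascript\s*:/i }
];

// Constructed stand-in for the Apigee `context` object (assumption: mirrors the
// documented flow-variable names, enough to exercise the scanner offline).
// queryParams / headers are objects of the form { name: [value1, value2, ...] }.
function makeMockContext(queryParams, headers) {
  var vars = {};
  function load(pluralPrefix, singularPrefix, table) {
    var names = Object.keys(table);
    // Apigee returns a Java collection here; the mock offers the same toArray() call.
    vars[pluralPrefix + '.names'] = { toArray: function () { return names.slice(); } };
    names.forEach(function (n) {
      var values = table[n];
      vars[singularPrefix + '.' + n] = values[0];                 // first value only
      vars[singularPrefix + '.' + n + '.values.count'] = values.length;
      values.forEach(function (v, i) {                            // 1-based .N variables
        vars[singularPrefix + '.' + n + '.' + (i + 1)] = v;
      });
    });
  }
  load('request.queryparams', 'request.queryparam', queryParams);
  load('request.headers', 'request.header', headers);
  return {
    getVariable: function (name) { return vars.hasOwnProperty(name) ? vars[name] : null; },
    setVariable: function (name, value) { vars[name] = value; }
  };
}

// Scan one family of request values (query params or headers) and return the
// first match as { location, name, index, pattern }, or null when all are clean.
function scanFamily(context, pluralPrefix, singularPrefix, patterns) {
  var names = context.getVariable(pluralPrefix + '.names');
  if (!names) { return null; }
  var nameList = names.toArray();
  for (var i = 0; i < nameList.length; i++) {
    var name = String(nameList[i]);
    // A repeated parameter (?q=a&q=b) carries several values; check all of them.
    var count = Number(context.getVariable(singularPrefix + '.' + name + '.values.count')) || 1;
    for (var n = 1; n <= count; n++) {
      var value = context.getVariable(singularPrefix + '.' + name + '.' + n);
      if (value === null) { value = context.getVariable(singularPrefix + '.' + name); }
      var text = value === null ? '' : String(value);
      for (var p = 0; p < patterns.length; p++) {
        if (patterns[p].re.test(text)) {
          return { location: singularPrefix.split('.')[1], name: name, index: n, pattern: patterns[p].name };
        }
      }
    }
  }
  return null;
}

// Check query parameters first, then headers; publish the outcome as flow
// variables and return the hit so the caller can raise a fault (or not).
function verifyRequest(context, patterns) {
  var hit = scanFamily(context, 'request.queryparams', 'request.queryparam', patterns) ||
            scanFamily(context, 'request.headers', 'request.header', patterns);
  context.setVariable('verify_params_failed', hit !== null);
  if (hit) {
    context.setVariable('verify_params_location', hit.location);
    context.setVariable('verify_params_name', hit.name);
    context.setVariable('verify_params_pattern', hit.pattern);
  }
  return hit;
}

// Constructed sample request: a clean one, then one with a script tag in the
// second value of a repeated query parameter.
var cleanCtx = makeMockContext({ q: ['apigee'], page: ['2'] }, { 'user-agent': ['curl/8.0'] });
var badCtx   = makeMockContext({ q: ['ok', '<SCRIPT>x</SCRIPT>'] }, {});
console.log(verifyRequest(cleanCtx, THREAT_PATTERNS)); // null
console.log(verifyRequest(badCtx, THREAT_PATTERNS));   // { location: 'queryparam', name: 'q', index: 2, pattern: 'script-tag' }
```

Inside a real JavaScript policy you would drop the mock, pass the policy's own `context` to `verifyRequest`, and `throw new Error(...)` when it returns a hit, exactly as the loop above does; the design choice here is to return the hit instead of throwing so the outcome can be asserted on and so the same function can be reused for headers and query parameters.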