Regular expression protection -- Threat not getting identified for Script Injection


4365-regex.png

We are facing issues with the regular expression protection as the expression does not resolve when JavaScript gets injected through a JSON payload / JSON Path / variable. It looks like Apigee truncates characters and does not treat the XML encoding properly.

<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>

In the above case < is retained and *> changes to '>' when we look at the deployment from proxy development pane. Attached is the screenshot. Looking for a resolution to this.


Hi, I think what you are saying is

  • you are using the API Proxy Editor
  • you're pasting in code for a regular expression pattern
  • When you save the policy configuration, it seems to change after the save
  • and the policy isn't working as intended

Is that right?

If so, I suspect I know what's going on. It's an unfortunate interaction between the regex and the XML that contains it.

The regex pattern you showed

<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>

...must be wrapped in a CDATA section in order to preserve the angle brackets unchanged. For example:

<RegularExpressionProtection name="RegExProtection-2">
  <URIPath>
    <Pattern ignoreCase="false"><![CDATA[<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>]]></Pattern>
  </URIPath>
</RegularExpressionProtection>

In more detail.

Angle brackets are significant in XML - a left angle bracket < signals the beginning of the start or end of an element. A right angle bracket > signals the end of the start or end of an element. The stuff in between the start element and the end element is called a "text node" in XML speak. In the following XML snip:

<element1>abcdefg</element1>

"element1" is the name of the element. <element1> is the start. </element1> is the end. And "abcdefg" is the value of the text node child of the element named "element1".

If you want an angle bracket to be part of the value of a text node in an XML document, you must escape it with the CDATA section. CDATA stands for "Character Data" and is the way you "escape" angle brackets and other stuff that cannot normally be part of an XML text node. Since your regex contains angle brackets, you need to wrap it in a CDATA.

HTH
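As an added example (not part of Dino's reply and not Apigee's own code), the snippet below builds the policy body shown above with the pattern raw and wrapped in CDATA, parses each the way an XML processor would, and runs the recovered pattern over constructed request fragments. Python's re module stands in for the policy's regex engine, which is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# The regex from the question, exactly as posted.
SCRIPT_PATTERN = r"<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>"


def build_policy_xml(pattern: str, use_cdata: bool) -> str:
    """Return a RegularExpressionProtection policy body (shape taken from the
    answer above) with the pattern either wrapped in CDATA or pasted raw."""
    body = f"<![CDATA[{pattern}]]>" if use_cdata else pattern
    return (
        '<RegularExpressionProtection name="RegExProtection-2">\n'
        "  <URIPath>\n"
        f'    <Pattern ignoreCase="false">{body}</Pattern>\n'
        "  </URIPath>\n"
        "</RegularExpressionProtection>\n"
    )


def extract_pattern(policy_xml: str):
    """Parse the policy as an XML processor would and return the text node
    of <Pattern>, or None when the document is not well-formed XML.
    A raw '<\\s' inside the element is an invalid tag, so it fails to parse;
    the CDATA-wrapped version comes back byte-for-byte identical."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return None
    return root.findtext("./URIPath/Pattern")


def matches(pattern: str, fragment: str) -> bool:
    """Apply the stored pattern to a request fragment (case-sensitive,
    mirroring ignoreCase="false")."""
    return re.search(pattern, fragment) is not None


# Constructed sample fragments used to probe the pattern's coverage.
SAMPLES = {
    "json_with_script": '{"comment": "<script>doSomething()</script>"}',
    "spaced_tags": "< script >x</ script >",
    "empty_body": "<script></script>",       # [^<]+ needs at least one char
    "upper_case": "<SCRIPT>x</SCRIPT>",      # not matched when ignoreCase is false
}


def coverage(pattern: str) -> dict:
    """Report which constructed samples the pattern catches."""
    return {name: matches(pattern, text) for name, text in SAMPLES.items()}
```

The coverage report is worth a look before relying on the pattern: a script element with an empty body, or one written in upper case, is not flagged by this regex as posted.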

Hello @Dino and @Thomas Raju, this CDATA helps in conserving the < tag in the Apigee policy. It won't give you any errors. But this is still not able to catch the restricted keywords like <script>.

I wrote one detailed question regarding the same. Please see and acknowledge if the issue is same as yours.

https://community.apigee.com/questions/52059/apigee-docs-provided-therat-protection-patterns-ar.html


Still did not work.