Apigee Docs provided Java regular expression for XSS therat Protection patterns are not tested properly. They are not wokring after XML encoding of tags
APIgee Docs provided Regular exp protection patterns are not tested properly. They are not wokring after XML encoding of tags. I am trying the
After the XML encoding of the tag it looks like this, the first pattern do not capture the error it pass through,
<JSONPayload>
<JSONPath escapeSlashCharacter="true">
<Expression>$</Expression>
<Pattern>(?i)(.*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)</Pattern>
</JSONPath>
</JSONPayload>
We have encoded the below pattern
<Pattern><\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*></Pattern>
This is the body I am passing,
{"myvar": "hii", "someParam": "12345 <script>alert(1)</script>"}
But it passess through, but when I tried with changing the Expresion from
<Expression>$</Expression>
to
<Expression>$.someParam</Expression>
Then it is getting blocked.
So Apigee internally is able to convert the "<" and comapre with pattern given in the Regualr exp, but it needs explicit variable Name which contain the blcoked pattern.
And from @Dino , we have used one answer as well,
<PatternignoreCase="false"><![CDATA[<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>]]></Pattern>
but that also is not working. to block our keyword.
Please look into this and help us.
Tagging few folks, @Dino @Sudhee Sreedhara @wwitman @AMAR DEVEGOWDA @Anil Sagar
Answer by Dino
·
Jan 23, 2018 at 06:09 PM
My advice: Don't use the JSONPayload.
Just apply the regex against the request.content.
Maybe use JavaScript to do so.
There's a previous Q&A on this site describing how to do that.
Thank you Dino for your response,
I have tried that java script as well, but it is also not catching the error,
var reqBody = context.getVariable("request.content"); print(reqBody);
regex[0] = RegExp("[\s]*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>)","i");
if (regex[0].test(reqBody)) { print("req body contains threat"); }
But this is also not blocking the error.
Please advice.
@
Ziaur Raheman Khan You can throw the error in java script in place of printing
throw new Error("headers rejected as unsafe.");
