Question by Ziaur Raheman Khan · Jan 18, 2018 at 01:46 PM · 261 Views
Tags: apigee edge, Apigee API, documentation, docs, threat protection, regular expression protection, regex

Apigee Docs provided Java regular expression for XSS threat protection patterns are not tested properly. They are not working after XML encoding of tags

Apigee Docs provided regular expression protection patterns are not tested properly. They are not working after XML encoding of tags. I am trying the

After the XML encoding of the tag it looks like this; the first pattern does not capture the error, it passes through:

<JSONPayload>
  <JSONPath escapeSlashCharacter="true">
    <Expression>$</Expression>
    <Pattern>(?i)(.*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)</Pattern>
  </JSONPath>
</JSONPayload>

We have encoded the pattern below:

<Pattern><\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*></Pattern>

This is the body I am passing:

{"myvar": "hii", "someParam": "12345 <script>alert(1)</script>"}

But it passes through. However, when I tried changing the Expression from

<Expression>$</Expression>

to

<Expression>$.someParam</Expression>

Then it is getting blocked.

So Apigee internally is able to convert the "<" and compare with the pattern given in the regular expression, but it needs an explicit variable name which contains the blocked pattern.

And from @Dino, we have used one answer as well:

<Pattern ignoreCase="false"><![CDATA[<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>]]></Pattern>

but that also is not working to block our keyword.

Please look into this and help us.

Tagging a few folks: @Dino @Sudhee Sreedhara @wwitman @AMAR DEVEGOWDA @Anil Sagar
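For comparison, here is a well-formed version of the policy from the question. This is an added example, not the poster's file and not the Apigee docs' sample; the policy name and the second field name are assumptions. The point it illustrates is the XML side of the problem: a raw "<" inside element text is not valid XML, so the pattern has to be wrapped in CDATA (as in Dino's suggestion) or written with entities, and the inline (?i) flag can be replaced by the ignoreCase attribute. The Expression names each field explicitly, because the poster's own tests showed $.someParam blocking the body while $ let it through.

```xml
<!-- Added example, not code from the original post or the Apigee docs.
     Policy name and the $.myvar path are assumptions for illustration. -->
<RegularExpressionProtection name="RegEx-Block-Script-Tags">
  <DisplayName>RegEx-Block-Script-Tags</DisplayName>
  <Source>request</Source>
  <JSONPayload>
    <!-- One JSONPath per field that may carry attacker-controlled text.
         The poster found that $ (the whole document) did not block, while
         $.someParam did, so each field is named here. -->
    <JSONPath>
      <Expression>$.someParam</Expression>
      <!-- CDATA keeps the policy XML well-formed: a bare "<" in element text
           is a parse error. ignoreCase="true" stands in for the inline (?i). -->
      <Pattern ignoreCase="true"><![CDATA[<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>]]></Pattern>
    </JSONPath>
    <JSONPath>
      <Expression>$.myvar</Expression>
      <Pattern ignoreCase="true"><![CDATA[<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>]]></Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>
```

Before deploying, validate the file with any XML parser (for example xmllint --noout); a policy whose Pattern contains an unescaped "<" will fail to parse rather than silently letting traffic through, so a pass here rules out the well-formedness cause and leaves only the Expression choice to investigate.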

2 Answers

Answer by Dino   · Jan 23, 2018 at 06:09 PM

My advice: Don't use the JSONPayload.

Just apply the regex against the request.content.

Maybe use JavaScript to do so.

There's a previous Q&A on this site describing how to do that.

Comment by Ziaur Raheman Khan · Jan 25, 2018 at 12:52 PM

Thank you Dino for your response,

I have tried that JavaScript as well, but it is also not catching the error:

var reqBody = context.getVariable("request.content");
print(reqBody);

// Use a regex literal rather than RegExp("..."): inside a double-quoted
// string "\s" collapses to "s" and "\b" becomes a backspace character, so a
// pattern built from such a string never matches a <script> tag.
var regex = [];
regex[0] = /[\s]*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>)/i;

if (regex[0].test(reqBody)) { print("req body contains threat"); }

But this is also not blocking the error.

Please advise.


Answer by Vinit Tyagi · Apr 18, 2018 at 07:45 PM

@Ziaur Raheman Khan You can throw the error in JavaScript in place of printing:

throw new Error("headers rejected as unsafe.");
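Putting the two answers together, here is an added example of the JavaScript-policy approach. It is not code from the original post, from Dino or from the Apigee docs; the function names, the sample bodies and the threat.locations flow variable are assumptions. It applies the documented script-tag pattern to request.content and then to every string value of the parsed JSON, and throws so the proxy flow aborts. Two details matter. First, the pattern is a regex literal, not RegExp("..."): in a double-quoted string the escapes are consumed by the string parser ("\s" becomes "s", "\b" becomes a backspace), so a pattern built that way never matches, which is a plausible reason the posted script reported nothing. Second, scanning the parsed values instead of only the raw text also catches a body whose JSON serializer escaped the slash in the closing tag as <\/script>, which the raw-text regex misses. It is written in ES5 so it runs under Apigee's Rhino engine as well as under Node for offline testing.

```javascript
// Added example (not from the original post, Dino's answer or Apigee's docs).
// ES5 only, so it works in Apigee's JavaScript policy (Rhino) and in Node.

// Regex literal, not RegExp("..."): in a double-quoted string "\s" collapses
// to "s" and "\b" becomes a backspace, so a string-built pattern never matches.
var SCRIPT_TAG = /<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>/i;

// Walk every string value in a parsed JSON document and return the JSON paths
// whose value matches, so the check does not depend on naming each field in a
// JSONPath expression the way $.someParam does.
function findThreats(value, pattern, path, hits) {
  hits = hits || [];
  path = path || "$";
  if (typeof value === "string") {
    if (pattern.test(value)) hits.push(path);
  } else if (value && typeof value === "object") {
    for (var key in value) {
      if (Object.prototype.hasOwnProperty.call(value, key)) {
        var child = Array.isArray(value) ? path + "[" + key + "]" : path + "." + key;
        findThreats(value[key], pattern, child, hits);
      }
    }
  }
  return hits;
}

// Scan a raw request body: first the whole text, then each string leaf if the
// body parses as JSON. Returns the list of offending locations (empty = clean).
function scanBody(body, pattern) {
  pattern = pattern || SCRIPT_TAG;
  var hits = [];
  if (pattern.test(body)) hits.push("request.content");
  try {
    hits = hits.concat(findThreats(JSON.parse(body), pattern));
  } catch (e) {
    // Not JSON: the raw-text check above is all that applies.
  }
  return hits;
}

// Constructed sample bodies (assumptions, not captured traffic).
var SAMPLE_BAD = '{"myvar": "hii", "someParam": "12345 <script>alert(1)</script>"}';
var SAMPLE_NESTED = '{"items": [{"note": "<SCRIPT src=x>bad</script >"}]}';
// A serializer that escapes "/" produces <\/script>; the raw-text regex misses
// it, the per-value scan after JSON.parse catches it.
var SAMPLE_ESCAPED = '{"p": "<script>x<\\/script>"}';
var SAMPLE_OK = '{"myvar": "hii", "someParam": "12345"}';

// Apigee entry point: `context` exists only inside a JavaScript policy.
// Throwing raises a fault that stops the flow, as the second answer suggests.
if (typeof context !== "undefined") {
  var found = scanBody(context.getVariable("request.content"));
  if (found.length > 0) {
    context.setVariable("threat.locations", found.join(","));
    throw new Error("request body rejected as unsafe: " + found.join(","));
  }
}
```

Attach the script as a JavaScript policy in the proxy's request PreFlow. Run under Node, context is undefined, so only the functions are defined and scanBody can be called directly on the sample bodies: SAMPLE_BAD and SAMPLE_NESTED are flagged both as raw text and at their JSON path, SAMPLE_ESCAPED is flagged only by the per-value scan, and SAMPLE_OK returns an empty list.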


© 2019 Apigee Corp. All rights reserved. - Apigee Community Terms of Use - Powered by AnswerHub