{ Community }
  • Academy
  • Docs
  • Developers
  • Resources
    • Community Articles
    • Apigee on GitHub
    • Code Samples
    • Videos & eBooks
    • Accelerator Methodology
  • Support
  • Ask a Question
  • Spaces
    • Product Announcements
    • General
    • Edge/API Management
    • Developer Portal (Drupal-based)
    • Developer Portal (Integrated)
    • API Design
    • APIM on Istio
    • Extensions
    • Business of APIs
    • Academy/Certification
    • Analytics
    • Events
    • Hybrid
    • Integration (AWS, PCF, Etc.)
    • Microgateway
    • Monetization
    • Private Cloud Deployment
    • Insights
    • IoT Apigee Link
    • BaaS/Usergrid
    • BaaS Transition/Migration
    • Apigee-127
    • New Customers
    • Topics
    • Questions
    • Articles
    • Ideas
    • Leaderboard
    • Badges
  • Log in
  • Sign up

Get answers, ideas, and support from the Apigee Community

  • Home /
  • Edge/API Management /
avatar image
0
Question by Alex Patel · Dec 10, 2018 at 08:32 PM · 143 Views json payloadsql injection

RegularExpression for many JSONpath

In RegularExpression Policy, we want to implement SQLInjection Policy. This Policy requires to put JSONPath of every field that we want to check with SQLInjection. In our request JSON payload, we want to check 100+ JSON paths for SQLInjection and those paths are dynamic also.

Is there any other way to check SQLInjection on every JSON path?

Example:

<JSONPayload><JSONPath><Expression>$.store.book[*].author</Expression><Pattern>REGEX PATTERN</Pattern><Pattern>REGEX PATTERN</Pattern></JSONPath></JSONPayload>

Comment
Add comment
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

Close

1 Answer

  • Sort: 
avatar image
0

Answer by Dino-at-Google   · Dec 11, 2018 at 12:25 AM

yes: don't use JSONPayload.

If you want to examine the entire payload, and not a specific jsonpath, then do not select a specific JSON Path with the JSONPayload element.

Just use

<RegularExpressionProtection name="RegularExpressionProtection-1">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Variable name="request.content">
    <Pattern><![CDATA[(?i)(.*?(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)]]></Pattern>
  </Variable>
</RegularExpressionProtection>


...or substitute your pattern of choice.

The idea is to examine the entire payload, not specific JSON paths within the payload.

Comment
Add comment · Link
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

Follow this Question

Answers Answers and Comments

66 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

extractvariables.ExecutionFailed 1 Answer

What are the supported JSON Schema validators 2 Answers

Rest > Soap (using POST), json payload parameters are not propagated 1 Answer

SQL Injection Threat Protection at Header 1 Answer

How to modify and construct json payload request in Javascript policy ? 2 Answers

  • Products
    • Edge - APIs
    • Insights - Big Data
    • Plans
  • Developers
    • Overview
    • Documentation
  • Resources
    • Overview
    • Blog
    • Apigee Institute
    • Academy
    • Documentation
  • Company
    • Overview
    • Press
    • Customers
    • Partners
    • Team
    • Events
    • Careers
    • Contact Us
  • Support
    • Support Overview
    • Documentation
    • Status
    • Edge Support Portal
    • Privacy Policy
    • Terms & Conditions
© 2019 Apigee Corp. All rights reserved. - Apigee Community Terms of Use - Powered by AnswerHub
  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Create an article
  • Post an idea
  • Spaces
  • Product Announcements
  • General
  • Edge/API Management
  • Developer Portal (Drupal-based)
  • Developer Portal (Integrated)
  • API Design
  • APIM on Istio
  • Extensions
  • Business of APIs
  • Academy/Certification
  • Analytics
  • Events
  • Hybrid
  • Integration (AWS, PCF, Etc.)
  • Microgateway
  • Monetization
  • Private Cloud Deployment
  • Insights
  • IoT Apigee Link
  • BaaS/Usergrid
  • BaaS Transition/Migration
  • Apigee-127
  • New Customers
  • Explore
  • Topics
  • Questions
  • Articles
  • Ideas
  • Members
  • Badges