In the RegularExpression policy, we want to implement a SQL injection policy. This policy requires putting the JSONPath of every field that we want to check for SQL injection. In our request JSON payload, we want to check 100+ JSON paths for SQL injection, and those paths are also dynamic.
Is there any other way to check for SQL injection on every JSON path?
Example:
<JSONPayload>
  <JSONPath>
    <Expression>$.store.book[*].author</Expression>
    <Pattern>REGEX PATTERN</Pattern>
    <Pattern>REGEX PATTERN</Pattern>
  </JSONPath>
</JSONPayload>
Answer by Dino-at-Google · Dec 11, 2018 at 12:25 AM
Yes: don't use JSONPayload.
If you want to examine the entire payload, and not a specific jsonpath, then do not select a specific JSON Path with the JSONPayload element.
Just use
<RegularExpressionProtection name="RegularExpressionProtection-1">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Variable name="request.content">
    <Pattern><![CDATA[(?i)(.*?(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)]]></Pattern>
  </Variable>
</RegularExpressionProtection>
...or substitute your pattern of choice.
The idea is to examine the entire payload, not specific JSON paths within the payload.
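To make the trade-off concrete, here is an added example (not part of the original thread and not Apigee code) that runs the same detection patterns two ways: once over the whole serialized body, as the answer's request.content approach does, and once over every string leaf of the parsed JSON, which is what a dynamic per-path check would need. The script-tag regex is the one quoted in the answer; the SQL comment-token regex, the function names and the sample payload are assumptions made for this illustration.

```python
import json
import re

# Detection patterns. The <script> regex is the one quoted in the answer;
# the SQL comment-token regex is an illustrative assumption (it is noisy on prose).
PATTERNS = {
    "script_tag": re.compile(r"(?i)<\s*script\b[^>]*>[^<]+<\s*/\s*script\b\s*>"),
    "sql_comment": re.compile(r"--|/\*"),
}


def scan_whole_payload(raw: str) -> list[str]:
    """The answer's approach: every pattern runs over the full request.content string.

    Cheap and needs no JSONPath list, but it only tells you *that* something matched,
    not *where*; it also sees keys and structural characters, not just field values.
    """
    return [name for name, rx in PATTERNS.items() if rx.search(raw)]


def iter_string_leaves(node, path="$"):
    """Yield (jsonpath, value) for each string leaf, descending into objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_string_leaves(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_string_leaves(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_every_path(raw: str) -> dict[str, list[str]]:
    """Per-path variant for dynamic documents: no JSONPath list is maintained,
    every string leaf is checked and the offending path is reported."""
    hits: dict[str, list[str]] = {}
    for path, value in iter_string_leaves(json.loads(raw)):
        names = [name for name, rx in PATTERNS.items() if rx.search(value)]
        if names:
            hits[path] = names
    return hits


# Constructed sample request body (not from the original post).
SAMPLE_PAYLOAD = json.dumps({
    "store": {
        "book": [
            {"author": "A. Writer", "title": "Plain title"},
            {"author": "<script>alert(1)</script>", "title": "Second"},
        ],
        # A field that a static JSONPath list built around $.store.book would miss.
        "meta": {"comment": "see ticket -- internal"},
    }
})

if __name__ == "__main__":
    print(scan_whole_payload(SAMPLE_PAYLOAD))
    print(scan_every_path(SAMPLE_PAYLOAD))
```

The whole-payload scan flags the body without knowing which field is responsible, while the leaf walk reports `$.store.book[1].author` and `$.store.meta.comment` by name; the second form is what you would reach for if the paths really are dynamic and you want to log or reject per field rather than per request.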