Apigee OWASP top 10 query A8:2017 & A8:2013 & A1:2017

As per the Apigee docs for the OWASP Top 10, the following OWASP items are indicated; I have a question on the listed OWASP items.

A8:2017 - Insecure Deserialization

The cache and other policies can be used to protect against replay attacks

We have Apigee docs describing the cache policy, but I am not sure whether we have any sample covering the above statement; how this is covered is not explained in much detail.

A8:2013 - Cross-Site Request Forgery (CSRF):

Consider using HMAC, state, hash, nonce, or PKCE techniques to prevent forgery and replay attacks.

Do we have any sample showing such a working implementation?

A1:2017 - Injection: to protect against untrusted data injection like SQL, NoSQL, LDAP

The Apigee docs list SQL injection (using the RegularExpressionProtection policy). Do we have similar aspects of injection covered for NoSQL and LDAP using RegularExpressionProtection?


> A8:2017 - Insecure Deserialization

You can use Populate/Lookup Cache to manually decide what data to store. On the first instance of a call, PopulateCache with an appropriate hash, nonce, etc, and on every call check to see if LookupCache returns a stored value for that hash/nonce/etc.

> A8:2013 - Cross-Site Request Forgery (CSRF)

How exactly you implement this is going to vary a lot depending on your API use case.

> A1:2017 - Injection To protect against untrusted data injection like SQL, NoSQL, LDAP

The RegularExpressionProtectionPolicy can protect against more or less any kind of injection you want to check for, with the only limitation being that you must write appropriate regular expressions to match the injected language syntax yourself. You can see some examples here:

https://docs.apigee.com/api-platform/reference/policies/regular-expression-protection#abouttheregula...
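The Populate/Lookup Cache approach described in the reply above, written out as an added example (mine, not from the original post or from Apigee's documentation). It assumes the client sends a unique `X-Nonce` header on every request, and that the nonce is covered by a signature or HMAC that is verified earlier in the flow (not shown): an unsigned nonce stops nothing, because an attacker replaying a captured request can simply change it. Policy names, the header name and the cache resource name are illustrative.

```xml
<!-- Added example, not from the original post or Apigee's docs. Assumed names:
     header X-Nonce, policies RF-MissingNonce / LC-SeenNonce / RF-Replay / PC-SeenNonce,
     cache resource "nonce-cache". -->

<!-- 1. Reject requests that carry no nonce at all (runs only when the header is absent, see flow) -->
<RaiseFault name="RF-MissingNonce">
  <FaultResponse>
    <Set>
      <StatusCode>400</StatusCode>
      <ReasonPhrase>Bad Request</ReasonPhrase>
      <Payload contentType="application/json">{"error":"X-Nonce header required"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- 2. LookupCache: has this nonce been seen before? Sets lookupcache.LC-SeenNonce.cachehit -->
<LookupCache name="LC-SeenNonce">
  <CacheKey>
    <Prefix>nonce</Prefix>
    <KeyFragment ref="request.header.X-Nonce"/>
  </CacheKey>
  <CacheResource>nonce-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <AssignTo>seen_nonce</AssignTo>
</LookupCache>

<!-- 3. RaiseFault: reject the replay (runs only on a cache hit, see flow) -->
<RaiseFault name="RF-Replay">
  <FaultResponse>
    <Set>
      <StatusCode>409</StatusCode>
      <ReasonPhrase>Conflict</ReasonPhrase>
      <Payload contentType="application/json">{"error":"request already processed"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- 4. PopulateCache: remember the nonce for at least as long as its timestamp would be accepted -->
<PopulateCache name="PC-SeenNonce">
  <CacheKey>
    <Prefix>nonce</Prefix>
    <KeyFragment ref="request.header.X-Nonce"/>
  </CacheKey>
  <CacheResource>nonce-cache</CacheResource>
  <Scope>Exclusive</Scope>
  <ExpirySettings>
    <TimeoutInSec>300</TimeoutInSec>
  </ExpirySettings>
  <Source>request.header.X-Nonce</Source>
</PopulateCache>

<!-- 5. Wiring in the ProxyEndpoint PreFlow. Order matters: look up, reject on hit,
     then record the nonce before the request reaches the target so it is burned even
     if the backend call fails. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Condition>request.header.X-Nonce = null</Condition>
      <Name>RF-MissingNonce</Name>
    </Step>
    <Step>
      <Name>LC-SeenNonce</Name>
    </Step>
    <Step>
      <Condition>lookupcache.LC-SeenNonce.cachehit = true</Condition>
      <Name>RF-Replay</Name>
    </Step>
    <Step>
      <Name>PC-SeenNonce</Name>
    </Step>
  </Request>
</PreFlow>
```

Two caveats a practitioner should weigh before relying on this. First, the cache TTL (300 s here) must be at least as long as the window in which the signed timestamp is still accepted; a nonce that expires from the cache while its request would still be accepted is replayable. Second, Apigee's cache is not a strongly consistent store (there is an in-memory layer per message processor in front of the shared one), so two copies of the same request arriving at different message processors almost simultaneously may both pass; treat this as replay mitigation at the gateway, not a substitute for idempotency keys enforced at the backend.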

@Christian King Thanks for your response.

For the listed OWASP A1:2017 - Injection (to protect against untrusted data injection like SQL, NoSQL, LDAP):

When I refer to the Apigee doc, it only indicates "blacklist patterns" for SQL Injection, Server-Side Include Injection, XPath Abbreviated Syntax Injection, XPath Expanded Syntax Injection, JavaScript Injection and Java Exception Injection; I could not find blacklist patterns specifically for NoSQL or LDAP.

Let me know if I am missing anything.

Do you know what injection attacks your backend is vulnerable to?
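Whatever the answer to that question, the patterns for NoSQL and LDAP have to be written per backend, as the earlier reply says. Below is an added example of what such a RegularExpressionProtection policy can look like (mine, not from the thread or from Apigee's documentation). It assumes a query parameter `uid` that the backend interpolates into an LDAP filter, and a JSON body whose `username` field the backend passes to MongoDB as a string; the policy name, field names and the exact pattern lists are illustrative choices.

```xml
<!-- Added example, not from the original thread or Apigee's docs. Assumed:
     query param "uid" feeds an LDAP filter; JSON body fields feed a MongoDB query.
     Patterns use Java regex syntax; XML-special characters are escaped. -->
<RegularExpressionProtection name="REP-LDAP-NoSQL">
  <!-- true: a request that lacks "uid" or a body is not itself a fault, it just has nothing to check -->
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

  <!-- LDAP: characters that a filter value must never contain unescaped
       (RFC 4515 specials: ( ) * \ and NUL), plus the classic break-out sequences. -->
  <QueryParam name="uid">
    <Pattern>[()*\\]</Pattern>
    <Pattern>\x00</Pattern>
    <Pattern>\)\s*[(|&amp;!]</Pattern>
  </QueryParam>

  <!-- NoSQL (MongoDB): query operators injected where a plain value is expected,
       e.g. {"username": {"$ne": ""}}, and JavaScript via $where / $function.
       Checked on the raw body so object-valued fields are caught as well. -->
  <Variable name="request.content">
    <Pattern>\$(where|function|expr|ne|gt|gte|lt|lte|regex|in|nin|or|and|nor|not|exists)\b</Pattern>
  </Variable>

  <!-- Belt and braces on the one field we know must be a bare string -->
  <JSONPayload>
    <JSONPath>
      <Expression>$.username</Expression>
      <Pattern>[{}\[\]$]</Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>
```

Read this as a heuristic, not a fix. A blacklist at the gateway is bypassable (alternate encodings, operators the list does not name), so the backend still has to escape LDAP filter values per RFC 4515, or better, bind them, and must reject a JSON object where it expects a string before building a MongoDB query. Also note that a match raises a ThreatDetected fault, which is an HTTP 500 by default; add a FaultRule if you want the client to see a 400.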