A regular expression, or regex for short, is a sequence of characters that specifies a pattern to search for in a string. Regular expressions enable content to be evaluated programmatically for such patterns; they can be used, for example, to check whether an entered value is a properly structured email address. For more information, see Regular Expressions in the Java Tutorials.

The API Platform enables you to configure regular expressions that can be evaluated at runtime against API traffic to identify common content-level threats that follow certain patterns. The policy extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates that content against pre-defined regular expressions. If any specified regular expressions evaluate to true, the message is considered a threat and is rejected.

The most common usage of RegularExpressionProtection is the evaluation of JSON and XML payloads for malicious content.

For example, to screen JSON payloads for SQL injection attacks, combine a JSONPath expression with a regular expression as in the policy below. The regular expression pattern is evaluated against the content extracted by the JSONPath expression:

<RegularExpressionProtection name="JsonSQLInjectionEvaluation">
    <Source>request</Source>
    <JSONPayload>
        <JSONPath>
            <Expression>$.</Expression>
            <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))</Pattern>
        </JSONPath>
    </JSONPayload>
</RegularExpressionProtection>

No regular expression can eliminate all content-based attacks, and multiple mechanisms should be combined to enable defense-in-depth. With this in mind, the following table lists some recommended patterns for blacklisting content:

Blacklisted patterns

Name                                  Regular Expression
SQL Injection                         [\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))
Server-Side Include Injection         <!--\s*<!--(include|exec|echo|config|printenv)\s+.*
XPath Abbreviated Syntax Injection    (/(@?[\w_?\w:\*]+(\+\])*)?)+
XPath Expanded Syntax Injection       /?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))
JavaScript Injection                  <\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>
Java Exception Injection              .*Exception in thread.*
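Before enabling any of these patterns to reject traffic, it is worth knowing exactly what they match. The script below is an added example written for this page; it is not Apigee code and not taken from the page itself. It compiles the six patterns from the table verbatim and runs them against a few constructed values, reporting both attacks the list misses and benign values it would reject. It assumes that the policy applies each pattern with find-anywhere (search) semantics and uses Python's re.ASCII flag to approximate Java's ASCII-only word class; both are assumptions, not something this page states.

```python
import re

# The six recommended patterns from the table above, copied verbatim.
BLACKLIST = {
    "SQL Injection": r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))",
    "Server-Side Include Injection": r"<!--\s*<!--(include|exec|echo|config|printenv)\s+.*",
    "XPath Abbreviated Syntax Injection": r"(/(@?[\w_?\w:\*]+(\+\])*)?)+",
    "XPath Expanded Syntax Injection": r"/?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))",
    "JavaScript Injection": r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>",
    "Java Exception Injection": r".*Exception in thread.*",
}


def compile_blacklist(patterns, ignore_case=False):
    """Compile the patterns. re.ASCII approximates Java's ASCII-only word class (an assumption)."""
    flags = re.ASCII | (re.IGNORECASE if ignore_case else 0)
    return {name: re.compile(expr, flags) for name, expr in patterns.items()}


def find_threats(value, compiled):
    """Names of every pattern that matches somewhere in value (search, not full-match, semantics)."""
    return [name for name, rx in compiled.items() if rx.search(value)]


def audit(compiled, samples):
    """samples: list of (value, expect_hit). Returns (missed_attacks, false_positives)."""
    missed, false_positives = [], []
    for value, expect_hit in samples:
        hit = bool(find_threats(value, compiled))
        if expect_hit and not hit:
            missed.append(value)
        elif hit and not expect_hit:
            false_positives.append(value)
    return missed, false_positives


# Constructed samples; the second element says whether the value should be rejected.
SAMPLES = [
    ("1; drop table users", True),
    ("1; DROP TABLE users", True),                      # same statement, upper case
    ("<script>alert(1)</script>", True),
    ('Exception in thread "main" java.lang.NullPointerException', True),
    ("author", False),                                  # an ordinary JSON key or value
    ("hello world", False),
    ("2024/05/01", False),                              # a date containing slashes
]

if __name__ == "__main__":
    strict = compile_blacklist(BLACKLIST)
    for value, _ in SAMPLES:
        print(f"{value!r:60} -> {find_threats(value, strict)}")
    print("missed / false positives:", audit(strict, SAMPLES))
```

Running it shows why the table's patterns need tuning against your own traffic: the `(or)` alternative of the SQL Injection pattern fires on "author" and "hello world", the abbreviated XPath pattern fires on any value containing a "/", and the lowercase keywords miss "DROP TABLE" because the patterns are case-sensitive (Java regular expressions accept an inline `(?i)` flag if you decide to match case-insensitively).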

Configuring RegularExpressionProtection policy

Configure the RegularExpressionProtection policy using the following elements.

Field Name: Source (Optional)
    Contains the message from which information needs to be extracted.
    • If the Source variable is missing, it is treated as a simple message. For example, <Source>message</Source>
    • If the Source variable cannot be resolved, or resolves to a non-message type, the policy fails to respond.

Field Name: IgnoreUnresolvedVariables (Optional)
    Valid values: true/false
    Default value: false
    If set to false and any variable is unresolvable, the policy fails to respond.
    If set to true and any variable is unresolvable, it is treated as an empty string (null).

Field Name: Patterns (Optional)
    URIPath: Extracts information from the request URI path and matches it with the specified regular expressions.
    QueryParam: Extracts information from the request query parameter and matches it with the specified regular expressions.
    Header: Extracts information from the request and response header and matches it with the specified regular expressions.
    FormParam: Extracts information from the request form parameter and matches it with the specified regular expressions.
    Variable: Extracts information from the given variable and matches it with the specified regular expressions.

Field Name: XMLPayload (Optional)
    Namespaces: Specifies the namespace to be used in the XPath evaluation.
    XPath Expression: Specifies the XPath expression defined for the variable. Only XPath 1.0 expressions are supported. For example, <Expression>/company/employee[@age>=$request.header.age]</Expression> extracts details for employees whose age is greater than or equal to the value specified in request.header.age.
    Type: Specifies the datatype; default is string.
    Pattern: Defines the regular expression pattern.

Field Name: JSONPayload (Optional)
    JSONPath Expression: Specifies the JSONPath expression defined for the variable.
    Pattern: Defines the regular expression pattern.

Policy schema

Each policy must conform to a policy schema. All policy constructs such as elements and attributes mentioned above are defined in a schema. To download the schema, click here.

Example - Regular Expression Protection policy

<RegularExpressionProtection name="mypolicy">
    <Source>response</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <URIPath>
        <Pattern>[tT]rue</Pattern>
        <Pattern>.*true.*</Pattern>
    </URIPath>
    <QueryParam name="greeting">
        <Pattern>[tT]rue</Pattern>
        <Pattern>.*true.*</Pattern>
    </QueryParam>
    <Header name="greeting">
        <Pattern>[tT]rue</Pattern>
        <Pattern>.*true.*</Pattern>
    </Header>
    <FormParam name="greeting">
        <Pattern>[tT]rue</Pattern>
        <Pattern>.*true.*</Pattern>
    </FormParam>
    <Variable name="request.content">
        <Pattern>[tT]rue</Pattern>
        <Pattern>.*true.*</Pattern>
    </Variable>
    <XMLPayload>
        <Namespaces>
            <Namespace prefix="apigee">http://www.apigee.com</Namespace>
        </Namespaces>
        <XPath>
            <Expression>/apigee:Greeting/apigee:User</Expression>
            <Type>string</Type>
            <Pattern>[tT]rue</Pattern>
            <Pattern>.*true.*</Pattern>
        </XPath>
    </XMLPayload>
    <JSONPayload>
        <JSONPath>
            <Expression>$.store.book[*].author</Expression>
            <Pattern>[tT]rue</Pattern>
            <Pattern>.*true.*</Pattern>
        </JSONPath>
    </JSONPayload>
</RegularExpressionProtection>
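To make concrete how a policy document like the one above drives extraction and matching across the different sources, here is an added Python evaluator. It is an illustration written for this page, not Apigee's implementation, and it reads a trimmed copy of the example policy (one or two patterns per source), pulls each named source out of a constructed request, and reports which sources matched. Its assumptions: match-anywhere (search) semantics; the XMLPayload check runs only for XML content and the JSONPayload check only for JSON content; the hypothetical jsonpath helper supports only $, .key, [*] and [n]; XPath is delegated to ElementTree's limited subset; and an unresolvable Variable with IgnoreUnresolvedVariables set to false is modelled as a raised PolicyFault, standing in for the page's "policy fails to respond".

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Trimmed copy of the example policy above, reduced to one or two patterns per source.
POLICY_XML = """<RegularExpressionProtection name="mypolicy">
    <Source>request</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <URIPath><Pattern>[tT]rue</Pattern><Pattern>.*true.*</Pattern></URIPath>
    <QueryParam name="greeting"><Pattern>[tT]rue</Pattern></QueryParam>
    <Header name="greeting"><Pattern>[tT]rue</Pattern></Header>
    <Variable name="request.content"><Pattern>[tT]rue</Pattern></Variable>
    <XMLPayload>
        <Namespaces><Namespace prefix="apigee">http://www.apigee.com</Namespace></Namespaces>
        <XPath><Expression>/apigee:Greeting/apigee:User</Expression><Type>string</Type>
               <Pattern>[tT]rue</Pattern></XPath>
    </XMLPayload>
    <JSONPayload>
        <JSONPath><Expression>$.store.book[*].author</Expression><Pattern>[tT]rue</Pattern></JSONPath>
    </JSONPayload>
</RegularExpressionProtection>"""


class PolicyFault(Exception):
    """Raised where the real policy would 'fail to respond' (an unresolvable variable)."""


def jsonpath(expr, doc):
    """Hypothetical helper: JSONPath subset with $, .key, [*] and [n]. Returns matched nodes."""
    nodes = [doc]
    for key, idx in re.findall(r"\.(\w+)|\[(\*|\d+)\]", expr.lstrip("$")):
        nxt = []
        for n in nodes:
            if key and isinstance(n, dict) and key in n:
                nxt.append(n[key])
            elif idx == "*" and isinstance(n, list):
                nxt.extend(n)
            elif idx and isinstance(n, list) and int(idx) < len(n):
                nxt.append(n[int(idx)])
        nodes = nxt
    return nodes


def evaluate(policy_xml, msg):
    """Return a label for every source whose extracted value matched a pattern; [] means allowed."""
    pol = ET.fromstring(policy_xml)
    ignore_unresolved = pol.findtext("IgnoreUnresolvedVariables") == "true"
    query, form = parse_qs(msg.get("query", "")), parse_qs(msg.get("form", ""))
    hits = []

    def check(label, values, holder):
        patterns = [re.compile(p.text, re.ASCII) for p in holder.findall("Pattern")]
        for value in values:
            if any(rx.search(value) for rx in patterns):  # search semantics assumed
                hits.append(label)
                break  # one hit per source is enough to reject the message

    for el in pol:
        name = el.get("name")
        if el.tag == "URIPath":
            check("URIPath", [msg["uri_path"]], el)
        elif el.tag == "QueryParam":
            check(f"QueryParam:{name}", query.get(name, []), el)
        elif el.tag == "Header":
            check(f"Header:{name}", [msg["headers"].get(name, "")], el)
        elif el.tag == "FormParam":
            check(f"FormParam:{name}", form.get(name, []), el)
        elif el.tag == "Variable":
            if name not in msg["variables"] and not ignore_unresolved:
                raise PolicyFault(f"variable {name} cannot be resolved")
            check(f"Variable:{name}", [msg["variables"].get(name, "")], el)
        elif el.tag == "XMLPayload" and msg["content_type"] == "application/xml":
            ns = {n.get("prefix"): n.text for n in el.findall("Namespaces/Namespace")}
            wrapper = ET.Element("doc")  # lets an absolute path select the document element
            wrapper.append(ET.fromstring(msg["content"]))
            for xp in el.findall("XPath"):
                expr = xp.findtext("Expression")
                texts = ["".join(n.itertext()) for n in wrapper.findall(expr.lstrip("/"), ns)]
                check(f"XPath:{expr}", texts, xp)
        elif el.tag == "JSONPayload" and msg["content_type"] == "application/json":
            doc = json.loads(msg["content"])
            for jp in el.findall("JSONPath"):
                expr = jp.findtext("Expression")
                values = [v if isinstance(v, str) else json.dumps(v) for v in jsonpath(expr, doc)]
                check(f"JSONPath:{expr}", values, jp)
    return hits


def make_request(uri_path, query="", greeting_header="", content_type="application/json",
                 content="{}", resolve_content=True):
    """Build a constructed request message; resolve_content=False leaves request.content unset."""
    variables = {"request.content": content} if resolve_content else {}
    return {"uri_path": uri_path, "query": query, "headers": {"greeting": greeting_header},
            "form": "", "variables": variables, "content_type": content_type, "content": content}


if __name__ == "__main__":
    bad = make_request("/v1/greeting", query="greeting=true",
                       content='{"store":{"book":[{"author":"Nigel Rees"},{"author":"True"}]}}')
    print(evaluate(POLICY_XML, bad))
```

Each label in the returned list names the source that triggered rejection, which is the information a gateway log needs when a legitimate request is blocked: here the constructed request is rejected three times over (the query parameter, the request.content variable, and the JSONPath-extracted author), and a request without a resolvable request.content variable raises PolicyFault because the policy sets IgnoreUnresolvedVariables to false.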