Technology Blogs by SAP
divyamary
Contributor
SAP Cloud Platform, API Management offers many out of the box API security best practices that can be customized to your enterprise requirements. These best practices include security policies for authentication and authorization, traffic management and more.

In the blog series Threat Protection against SQL Injection attacks and XML External Entity injection attacks, we described how the Regular Expression Protection security policy from SAP Cloud Platform API Management protects an API against commonly occurring cloud threats. In the blog Log all API interactions, we described how the Message Logging Policy from SAP Cloud Platform logs API interactions to a third-party logging server such as Loggly.

In this blog, we cover raising alerts whenever a code injection threat (SQL injection or XXE attack) is detected. This scenario can be modeled with the Message Logging Policy from SAP Cloud Platform API Management, which logs every detected threat to a Loggly tenant, and the alerting feature of Loggly, which sends an email notification whenever the number of detected threats crosses a threshold you define.

In this blog we use Loggly as the third-party logging server; any other logging server, such as Splunk, can be used instead.
More best practices are covered in the API Security Best Practices blog series.

Prerequisites

Customer Token from Loggly tenant

  • Sign in to your Loggly tenant.

  • Navigate to Source Setup and then click the Customer Tokens tab to fetch your Loggly customer token. This token is used in the Message Logging Policy later, in the section Log Regular Protection Threats. Treat it as a credential: anyone holding it can write events into your Loggly tenant, so keep it out of shared screenshots and source repositories.

Launch API Portal

  • Click on the link Access API Portal to open API Portal.

Log Regular Protection Threats

In this section we use the Message Logging Policy to log detected threats to a Loggly server. We extend the Regular Expression Protection Policy (checkForCodeInjection) that was added in the XXE Threat Protection blog.

  • Navigate to Define from the hamburger icon, then select the tab APIs. Select the API Proxy to which the Regular Expression Protection policy was applied in the XXE Threat Protection blog.

  • Click on the Policies button of the selected API Proxy.

  • Select PreFlow from the ProxyEndPoint and select the checkForCodeInjection policy, then update the policy by setting the continueOnError flag to true. With continueOnError set to true a regular expression match no longer aborts the flow on its own; processing continues so that the logging step below can run, and the request is blocked by the Raise Fault policy added later in this section. Both of those steps must therefore be attached, and both must carry the same condition, otherwise a matched request is logged but not rejected (or rejected but not logged).

  • Click on the + button next to the Message Logging Policy available under the Extension Policies segment to log the generated log message to a third-party logging server.

  • In the Create policy screen specify the policy name, say logThreatsToLoggly, and then click on the Add button.

  • Select the newly added logThreatsToLoggly policy, then add the following policy snippet to log the generated log data to a Loggly tenant.

<MessageLogging async="false" continueOnError="true" enabled="true" xmlns='http://www.sap.com/apimgmt'>
  <Syslog>
    <!-- Loggly syslog format: a structured-data element carrying the customer token
         (@41058 is Loggly's enterprise number) and one or more tag="..." entries that
         Loggly indexes, followed by the free-text message. The first tag records the
         API proxy that detected the threat; the second is the fixed marker that the
         Loggly saved search and alert filter on. -->
    <Message>[YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN@41058 tag="{apiproxy.name}" tag="Threat Detection"] Injection pattern matched by checkForCodeInjection</Message>
    <Host>logs-01.loggly.com</Host>
    <!-- 514 is Loggly's default port for plain TCP syslog -->
    <Port>514</Port>
    <Protocol>TCP</Protocol>
  </Syslog>
</MessageLogging>

The above snippet logs the API proxy name for which the threat was detected and adds the tag Threat Detection to the log message. This tag is used to create the custom alert on the Loggly server in the section Configuring Alerts on Loggly Server. Two points to check before relying on it: continueOnError="true" on the logging policy means a Loggly outage never changes how the request itself is handled, which is what you want for a logging step; and port 514 over plain TCP sends the customer token and the message in cleartext across the internet, so if your API Management release supports TLS for the Syslog protocol, use Loggly's TLS syslog listener on port 6514 instead.

  • Edit the policy snippet to use the customer token from your Loggly tenant, as described in the section Customer Token from Loggly tenant, by replacing the text YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN (highlighted in the previous screenshot) with your Loggly customer token.

  • In the Condition String specify the following condition, so that messages are logged only when a threat is detected (i.e. the Regular Expression Protection policy failure cases):

regularexpressionprotection.failed = true

  • Click on the + button next to the Raise Fault Policy available under the Mediation Policies segment.

  • In the Create policy screen specify the policy name, say raiseAccessDeniedError, and then click on the Add button.

  • Select the newly created raiseAccessDeniedError policy and add the following policy snippet to return a 403 response with an Access denied error.

<RaiseFault async="true" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <!-- Defines the response message returned to the requesting client -->
  <FaultResponse>
    <Set>
      <!-- Keep the text generic: do not echo the matched input or the pattern back to the caller -->
      <Payload contentType="text/plain">Your access is denied</Payload>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Access denied</ReasonPhrase>
    </Set>
  </FaultResponse>
  <!-- Do not fail the policy itself if a referenced flow variable is unset -->
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

The Raise Fault Policy returns a custom error message to the client. The above policy snippet returns an error response with the HTTP status set to 403 and the reason phrase set to Access denied. Keep logThreatsToLoggly ahead of raiseAccessDeniedError in the PreFlow: a Raise Fault step ends request processing, so a logging step placed after it would never execute and the threat would be blocked but not logged.

  • In the Condition String specify the following condition, so that the access denied error is raised only when a threat is detected (i.e. the Regular Expression Protection policy failure cases):

regularexpressionprotection.failed = true

  • Click on the Update button to save the policy changes.

  • Click on the Save button to save the changes to the API Proxy.

With this we have applied a Message Logging Policy that logs the threats detected by the Regular Expression Protection policy to a third-party logging server such as Loggly, and a Raise Fault Policy that returns a 403 Access denied error for the same requests.
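To make the step order and the shared condition explicit, the attached PreFlow can be pictured as follows. This listing is an added illustration written in the Apigee Edge flow notation that the SAP Cloud Platform API Management policy model is based on; it is not an export from the API Portal, which generates the equivalent internally when you attach the policies through the UI, and the endpoint name default is assumed.

```xml
<!-- Illustrative PreFlow wiring (Apigee Edge notation, assumed; not an API Portal export) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- 1. Detection. continueOnError="true" inside this policy lets the flow
              continue past a match so that the next two steps can run. -->
      <Step>
        <Name>checkForCodeInjection</Name>
      </Step>
      <!-- 2. Logging runs only on a match, and must come before the fault step. -->
      <Step>
        <Condition>regularexpressionprotection.failed = true</Condition>
        <Name>logThreatsToLoggly</Name>
      </Step>
      <!-- 3. Blocking. RaiseFault ends processing, so nothing placed after it executes. -->
      <Step>
        <Condition>regularexpressionprotection.failed = true</Condition>
        <Name>raiseAccessDeniedError</Name>
      </Step>
    </Request>
  </PreFlow>
</ProxyEndpoint>
```

If either condition is edited later, change both: a request that matches the regular expression must take the same path through the logging and the blocking step.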

Configuring Alerts on Loggly Server

In this section we cover the steps to configure alerts on the Loggly server.

  • Sign in to your Loggly tenant.

  • Navigate to the Search tab and then click on the tab + New.

  • Next to the text field All Sources, enter the text tag="Threat Detection" to create a custom search that identifies log messages carrying the tag Threat Detection. This is the tag set by the Message Logging Policy while logging detected threats. From the time window field, select the last 30 minutes option.

  • Click on the Favorites (* icon) to save the search as a custom search, then select the option Save this search as.

  • In the Create Saved Search dialog, enter the name of the custom search, say Threat Detection, and then select the option Save then create alert.

  • In the Add Alert dialog, enter the name and description of the alert, say Cloud Threat Detection, specify the alert condition (in this blog: more than 10 matching log messages within a 1 hour window), enter the email address to which the alert notifications should be sent and then click on the Save button.

  • The newly created alert appears under the Alerts tab.

With this we have created an alert in the Loggly tenant that sends an email notification whenever more than 10 log messages tagged Threat Detection are received within a 1 hour window. Tune the threshold to your own traffic: a single match is often a scanner or a mistyped parameter, while a burst of matches against one proxy is what the alert is meant to surface, and the apiproxy.name tag in each logged message lets you trace the alert email back to the affected API.
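The pieces configured above (the regular expression check, the Loggly-tagged syslog line, and the "more than 10 in 1 hour" alert rule) can be exercised offline to confirm the logic before pointing real traffic at it. The following is an added example constructed for this page, not code from the SAP blog, from SAP API Management or from Loggly: the regular expressions are modelled on the SQL injection and XXE patterns of the earlier blogs, the message format follows the MessageLogging snippet above, and the sample requests are constructed. Function names (detect_threat, loggly_syslog_line, ThresholdAlert, handle_request) are this example's own.

```python
"""Added example (constructed for this page, not code from the SAP blog or
from Loggly): an offline model of the pipeline the proxy implements -
regex threat detection, a Loggly-tagged syslog line, and the sliding-window
alert rule ('more than N tagged messages within one hour')."""
import re

# Patterns constructed for this example, modelled on the SQL-injection and
# XXE expressions used by the checkForCodeInjection policy in the earlier blogs.
SQL_INJECTION = re.compile(
    r"(?i)[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"
)
XXE_MARKERS = re.compile(r"(?i)<!(DOCTYPE|ENTITY)\b")

# Loggly's private enterprise number; it is the fixed "@41058" in the <Message>.
LOGGLY_PEN = "41058"


def detect_threat(query_params, body=""):
    """Mimic checkForCodeInjection: True if any query parameter value matches
    the SQL pattern, or the body carries an XXE DOCTYPE/ENTITY declaration."""
    for value in query_params.values():
        if SQL_INJECTION.search(value):
            return True
    return XXE_MARKERS.search(body) is not None


def loggly_syslog_line(customer_token, proxy_name, detail):
    """Build the message the way the MessageLogging <Message> element does:
    an RFC 5424 structured-data element with the customer token and the two
    tags, then free text. Loggly indexes the tags for the saved search."""
    return (f'[{customer_token}@{LOGGLY_PEN} tag="{proxy_name}" '
            f'tag="Threat Detection"] {detail}')


class ThresholdAlert:
    """Sliding-window counter equivalent to the Loggly alert rule
    'more than `threshold` matching messages within `window_seconds`'."""

    def __init__(self, threshold=10, window_seconds=3600):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self._events = []  # timestamps (epoch seconds) of tagged messages

    def record(self, timestamp):
        """Register one tagged message; return True when the rule fires."""
        self._events.append(timestamp)
        cutoff = timestamp - self.window_seconds
        self._events = [t for t in self._events if t >= cutoff]
        return len(self._events) > self.threshold


def handle_request(alerter, proxy_name, customer_token, query_params, body, timestamp):
    """Run one request through the proxy's decision path: detect, then (only
    on detection) emit the tagged log line and block with 403, mirroring the
    shared 'regularexpressionprotection.failed = true' condition on both the
    MessageLogging and RaiseFault steps.
    Returns (status_code, log_line_or_None, alert_fired)."""
    if not detect_threat(query_params, body):
        return 200, None, False
    line = loggly_syslog_line(customer_token, proxy_name,
                              "injection pattern matched in request")
    fired = alerter.record(timestamp)
    return 403, line, fired


if __name__ == "__main__":
    # Constructed traffic: the blog's manual test, $format=drop table, sent
    # twelve times within a few minutes against one proxy. The alert fires
    # on the eleventh match, exactly as the Loggly rule is configured.
    alerter = ThresholdAlert()
    for i in range(12):
        status, line, fired = handle_request(
            alerter, "GatewayServiceRestrictedAccess",
            "YOUR_LOGGLY_TENANT_CUSTOMER_TOKEN",
            {"$format": "drop table"}, "", 1_700_000_000 + 60 * i)
        print(status, "ALERT" if fired else "-", line)
```

The sliding window is evaluated per received message, which is the behaviour to expect from the Loggly alert as well: ten matches in an hour stay silent, the eleventh triggers the email, and matches older than the window stop counting.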

 

Finally testing the flow

  • Navigate to the Test tab from the hamburger icon.

  • From the APIs list search for the API Proxy that you would like to test, say GatewayServiceRestrictedAccess, and then click the API to test it.

  • Click on the Authentication: None link and select Basic Authentication to set the user credentials used to connect to the SAP Gateway ES4 system.

  • Click on the Url Params button. Enter $format as the URL parameter name and drop table as the parameter value, then click on the Send button.

  • Since the SQL fragment drop table was passed in the query parameter, it is detected by the Regular Expression Protection Policy, logged to Loggly by logThreatsToLoggly, and the raiseAccessDeniedError policy returns the 403 Access denied response instead of forwarding the request to the backend. You can confirm the logging half in Loggly by running the saved search Threat Detection: a new entry tagged with the proxy name should appear.

  • Click on the Send button more than 10 times within the alert window so that the alert is raised and an email notification is sent to your configured email address.