More best practices are covered in the API Security Best Practices blog series.
In this blog, we extend the Regular Expression Protection Policy used in the SQL Threat Protection blog to detect and mitigate XXE attacks.
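<!-- Regular Expression Protection policy: the request is rejected when any listed
     pattern matches the URI path, one of the named OData query parameters, or the
     request body (request.content). The patterns are samples only; plain words such
     as "or", "update" or "insert" in a body will trigger them, so tune them against
     real traffic before enforcing. The policy only filters what it can see in the
     raw message, so the backend XML parser must still disable DTD processing and
     external entity resolution (defense in depth). -->
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <!-- false: an unresolved variable is reported by the policy instead of being
       silently skipped (confirm exact semantics against the policy reference). -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- SQL keyword screening of the path; (?i) makes the match case-insensitive. -->
  <URIPath>
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </URIPath>
  <!-- Same SQL keyword screening applied to each OData system query option. -->
  <QueryParam name="$format">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$top">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$skip">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$filter">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$count">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <!-- Request body screening. The SQL pattern now carries (?i) like the others
       (it was the only one matching case-sensitively). The XXE pattern matches the
       DOCTYPE declaration as well as ENTITY declarations: an external entity can
       only be declared inside a DTD, and a DOCTYPE that pulls in an external DTD
       subset contains no "!ENTITY" text in the request body at all. -->
  <Variable name="request.content">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    <Pattern>[\s]*(?i)(!DOCTYPE|!ENTITY)</Pattern>
  </Variable>
  <!-- Inspect the inbound request (not the backend response). -->
  <Source>request</Source>
</RegularExpressionProtection>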
Note that the regular expression patterns used in this blog are just samples and would have to be extended to handle all the edge cases.
<!-- Sample request body for exercising the policy above: the entity declaration in
     the internal DTD subset is expected to be caught by the request.content pattern
     and the request rejected before it reaches a backend XML parser. -->
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
{
"Note": "EPM DG: SO ID 0500000000 Deliver as fast as possible",
"NoteLanguage": "EN",
"CustomerID": "0100000000",
"CustomerName": "SAP",
"CurrencyCode": "EUR",
"GrossAmount": "28142.31",
"NetAmount": "23649.00",
"TaxAmount": "4493.31",
"LifecycleStatus": "N",
"LifecycleStatusDescription": "New",
"BillingStatus": "",
"BillingStatusDescription": "Initial",
"DeliveryStatus": "",
"DeliveryStatusDescription": "Initial",
"ToLineItems": [
{
"ProductID": "HT-1000",
"ItemPosition" : "0000000010",
"Note": "EPM DG: SO ID 0500000000 Item 0000000010",
"NoteLanguage": "EN",
"CurrencyCode": "EUR",
"GrossAmount": "3412.92",
"NetAmount": "2868.00",
"TaxAmount": "544.92",
"DeliveryDate": "/Date(1503532800000)/",
"Quantity": "3",
"QuantityUnit": "EA"
},
{
"ProductID": "HT-1001",
"ItemPosition" : "0000000020",
"Note": "EPM DG: SO ID 0500000000 Item 0000000020",
"NoteLanguage": "EN",
"CurrencyCode": "EUR",
"GrossAmount": "2972.62",
"NetAmount": "2498.00",
"TaxAmount": "474.62",
"DeliveryDate": "/Date(1503547200000)/",
"Quantity": "2",
"QuantityUnit": "EA"
}
]
}