Securing an Apigee API Proxy

30 minutes

About this Hands-on Lab

In a perfect world, you wouldn’t have to worry about unknown persons attacking your data services with SQL injection. But we live in the real world, where such attacks are common. In this hands-on lab, we’ll first see how a SQL injection attempt passes straight through the proxy to the backend server. Then we’ll add the Regular Expression Protection policy, with the necessary regex patterns, so the proxy rejects such requests before they reach the backend. Keep in mind that pattern matching at the proxy is a blocklist and a defense-in-depth layer: it catches the keywords you list, not every injection, and it does not replace parameterized queries on the backend.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Test the Existing API Proxy
  1. On the Apigee dashboard page, click API Proxies.
  2. Open LA-Weather.
  3. Select the TRACE tab.
  4. In the URL field, add the following query parameters to the API proxy URI:
    ?q=seattle&appid=[YOUR_OPENWEATHERMAP_API_KEY]
    If you do not have an OpenWeatherMap API key, use fd4698c940c6d1da602a70ac34f0b147.
  5. Click Start Trace Session.
  6. Click Send.
  7. In the URL field, change the q value to delete.
  8. Click Send.
  9. Review the results. Nothing in the proxy inspects the q value, so the request is forwarded to the backend with q=delete intact.
  10. Click Stop Trace Session.
Add a Regular Expression Protection Policy
  1. Select the DEVELOP tab.
  2. In the Proxy Endpoints section of the Navigator, select PreFlow.
  3. In the Request area, click + Step.
  4. In the Add Step dialog, scroll down to the Security category, and choose Regular Expression Protection.
  5. Change the Display Name value to RegEx SQL Injection Protection.
  6. Click Add.
Customize the Code for SQL Injection
  1. With the RegEx SQL Injection Protection Policy selected, remove the following elements from the code:

    • <JSONPayload>
    • <QueryParam>
    • <FormParam>
    • <XMLPayload>
    • <Source>
  2. Within the <URIPath> element, add the following (note the backslashes: \s matches whitespace and \b marks a word boundary, so or is caught as a word but not inside a word such as Portland):

    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  3. Change the <Header> element to the following:

    <Header name="query">
      <Pattern>[tT]rue</Pattern>
      <Pattern>.*true.*</Pattern>
      <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </Header>
  4. Change the <Variable> element to the following:

    <Variable name="request.content">
      <Pattern>[tT]rue</Pattern>
      <Pattern>.*true.*</Pattern>
      <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </Variable>
  5. Copy and paste the entire <Variable> element, and change the name value to request.uri.

  6. Click Save.

Test the Updated API Proxy
  1. Return to the TRACE tab.
  2. In the URL field, add the following query parameters to the API proxy URI:
    ?q=delete&appid=[YOUR_OPENWEATHERMAP_API_KEY]
  3. Click Start Trace Session.
  4. Click Send.
  5. Review the results. This time the RegEx SQL Injection Protection policy matches delete in request.uri and raises a fault (ExecutionFailed, returned to the client as an HTTP 500 by default), so the request never reaches the backend.
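Pulling the Customize the Code steps and the trace test together, here is the finished policy alongside an offline check of what its patterns actually catch. This is an added example, not part of the lab and not Apigee's code: the policy's name attribute, its DisplayName and the root and IgnoreUnresolvedVariables boilerplate are assumed from Apigee's generated policy template, the sample URIs are constructed, and the check uses Python's re, which agrees with Apigee's Java regex engine for these patterns. It assumes the policy fires on a match anywhere in the input (find semantics), which is what the ?q=delete test relies on.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# The three patterns the lab adds to every checked element, with the \s and \b
# escapes restored (the page's text had lost the backslashes).
PATTERNS = r"""
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
"""

# The policy as assembled from the lab's steps. Assumed: the name attribute,
# DisplayName and root/IgnoreUnresolvedVariables boilerplate follow Apigee's
# generated template; <Source> and the unused elements have been removed.
POLICY_XML = f"""<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="RegEx-SQL-Injection-Protection">
  <DisplayName>RegEx SQL Injection Protection</DisplayName>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <URIPath>{PATTERNS}</URIPath>
  <Header name="query">{PATTERNS}</Header>
  <Variable name="request.content">{PATTERNS}</Variable>
  <Variable name="request.uri">{PATTERNS}</Variable>
</RegularExpressionProtection>"""


def load_checks(policy_xml: str) -> dict[str, list[re.Pattern[str]]]:
    """Map each checked input (e.g. 'URIPath', 'Variable:request.uri') to its compiled patterns."""
    root = ET.fromstring(policy_xml)
    checks = {}
    for elem in root:
        if elem.tag not in ("URIPath", "QueryParam", "Header", "FormParam", "Variable"):
            continue
        key = elem.tag if elem.get("name") is None else f"{elem.tag}:{elem.get('name')}"
        checks[key] = [re.compile(p.text) for p in elem.findall("Pattern")]
    return checks


CHECKS = load_checks(POLICY_XML)


def matching_patterns(check: str, value: str) -> list[str]:
    """Patterns of `check` that fire anywhere in `value` (find semantics, assumed)."""
    return [p.pattern for p in CHECKS[check] if p.search(value)]


def is_blocked(check: str, value: str) -> bool:
    """True if the policy would raise a fault for `value` on the given check."""
    return bool(matching_patterns(check, value))


# Constructed request URIs (not captured traffic); the API key is shortened to KEY.
SAMPLE_URIS = [
    "/la-weather?q=seattle&appid=KEY",        # pass
    "/la-weather?q=delete&appid=KEY",         # BLOCKED: the lab's test case
    "/la-weather?q=DELETE&appid=KEY",         # pass: the keyword pattern is case-sensitive
    "/la-weather?q=Portland&appid=KEY",       # pass: \bor\b does not fire inside a word
    "/la-weather?q=x or 1=1&appid=KEY",       # BLOCKED by \bor\b
    "/la-weather?q=x%20or%201=1&appid=KEY",   # pass: %20 is not whitespace to the regex;
                                              # confirm in Trace whether the platform decodes first
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        hits = matching_patterns("Variable:request.uri", uri)
        print(f"{uri:42} {'BLOCKED' if hits else 'pass':8} {hits}")
```

Two of the constructed cases are the ones worth carrying back into the lab: q=DELETE passes because only the [tT]rue pattern is case-insensitive (prefixing the keyword pattern with (?i), Java regex syntax, closes that), and the percent-encoded variant passes because the regex never sees a space. That is the practical meaning of the caveat above: the policy stops the obvious strings, and the backend still has to treat q as untrusted.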

Additional Resources

Your company has become concerned about the recent rise in SQL injection attacks and has given you the task of securing their API proxy. You decide to implement Apigee's Regular Expression Protection policy to prevent such assaults.

You’ll need to complete the following steps to accomplish your task:

  1. Test the existing API proxy.
  2. Add a Regular Expression Protection policy.
  3. Customize the code for SQL injection.
  4. Test the updated API proxy.

Please note: There are several prerequisites for this hands-on lab:

  1. You must have an Apigee account.
  2. You must have completed the following hands-on labs: Creating an Apigee API Proxy and Testing an API Proxy.
  3. Optionally, you should have registered for an API key with OpenWeathermap.org.
