In a perfect world, you wouldn’t have to worry about unknown persons attacking your data services via SQL injection attacks. But we live in the real world, where such assaults are all too common. In this hands-on lab, we’ll first see how a SQL injection attempt can reach the backend server. Then, we’ll incorporate the Regular Expression Protection policy – with all the necessary regex patterns – to guard against this form of destructive access.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Test the Existing API Proxy
  - On the Apigee dashboard page, click API Proxies.
  - Open LA-Weather.
  - Select the TRACE tab.
  - In the URL field, add the following query parameters to the API proxy URI:
    ?q=seattle&appid=[YOUR_OPENWEATHERMAP_API_KEY]
    If you do not have an OpenWeatherMap API key, use fd4698c940c6d1da602a70ac34f0b147.
  - Click Start Trace Session.
  - Click Send.
  - In the URL field, change the q value to delete.
  - Click Send.
  - Review the results. With no protection policy in place, the trace shows the request, q=delete included, being forwarded unchanged to the backend target: whatever is in that parameter reaches the server behind the proxy.
  - Click Stop Trace Session.
- Add a Regular Expression Protection Policy
  - Select the DEVELOP tab.
  - In the Proxy Endpoints section of the Navigator, select PreFlow.
  - In the Request area, click + Step.
  - In the Add Step dialog, scroll down to the Security category, and choose Regular Expression Protection.
  - Change the Display Name value to RegEx SQL Injection Protection.
  - Click Add.
- Customize the Code for SQL Injection
  - With the RegEx SQL Injection Protection policy selected, remove the following elements from the generated policy code: `<JSONPayload>`, `<QueryParam>`, `<FormParam>`, `<XMLPayload>` and `<Source>`. (With `<Source>` removed the policy inspects the request, which is the default.)
  - Within the `<URIPath>` element, replace the placeholder pattern with the following three patterns. Note the backslashes: `[\s]*` is optional leading whitespace, `\s*` allows any spacing between `drop` and `table`, and `\bor\b` matches `or` only as a whole word, so that words such as `world` or `order` do not trigger it.

    ```xml
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    ```

  - Change the `<Header>` element to the following, so that a request header named query is checked with the same patterns:

    ```xml
    <Header name="query">
      <Pattern>[tT]rue</Pattern>
      <Pattern>.*true.*</Pattern>
      <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </Header>
    ```

  - Change the `<Variable>` element to the following, so that the request body (request.content) is checked:

    ```xml
    <Variable name="request.content">
      <Pattern>[tT]rue</Pattern>
      <Pattern>.*true.*</Pattern>
      <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </Variable>
    ```

  - Copy and paste the entire `<Variable>` element, and change the name value of the copy to request.uri. In Apigee, request.uri is the path plus the query string, so this copy is what catches the q=delete query parameter in the next test.
  - Click Save.
- Test the Updated API Proxy
  - Return to the TRACE tab.
  - In the URL field, add the following query parameters to the API proxy URI:
    ?q=delete&appid=[YOUR_OPENWEATHERMAP_API_KEY]
  - Click Start Trace Session.
  - Click Send.
  - Review the results. This time the RegEx SQL Injection Protection step in the request PreFlow matches the request.uri pattern and raises a fault (ExecutionFailed, returned to the client as an HTTP 500 unless you add a FaultRule), and the trace shows no request being sent to the backend target. Keep in mind that the patterns as written are case-sensitive: q=DELETE would not match, so a production policy should add the Java inline flag (?i) to the pattern or cover the upper-case spellings explicitly.
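To check the assembled policy without round-tripping through the Apigee trace UI, the following Python script (an added example, not code from this lab or from Apigee) embeds the policy XML as it should read after the customization steps above, pulls the patterns out of it, and runs them over a few constructed requests, including the q=delete request from the final test. The policy name attribute, the /weather path and the appid placeholder are assumptions. Python's re module stands in for the Java regex engine Apigee uses, and match-anywhere (re.search) semantics are assumed, which is what the lab's own q=delete test relies on. The ignore_case switch goes beyond the lab to show what the case-sensitivity caveat costs.

```python
"""Offline check of the lab's RegEx SQL Injection Protection policy.

Added example, not Apigee's or the lab's code. Python's re module stands in
for the Java regex engine Apigee uses; match-anywhere semantics are assumed.
"""
import re
import xml.etree.ElementTree as ET

# The policy as it should read after the lab's edits (policy name assumed).
POLICY_XML = r"""
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="RegEx-SQL-Injection-Protection">
  <DisplayName>RegEx SQL Injection Protection</DisplayName>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <URIPath>
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </URIPath>
  <Header name="query">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Header>
  <Variable name="request.content">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
  <Variable name="request.uri">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
</RegularExpressionProtection>
"""


def load_patterns(policy_xml, ignore_case=False):
    """Map each inspected location ('URIPath', 'Header:<name>', 'Variable:<name>')
    to its compiled patterns. ignore_case=True models adding (?i) in Apigee."""
    flags = re.IGNORECASE if ignore_case else 0
    patterns = {}
    for elem in ET.fromstring(policy_xml.strip()):
        if elem.tag == "URIPath":
            key = "URIPath"
        elif elem.tag in ("Header", "Variable"):
            key = f"{elem.tag}:{elem.get('name')}"
        else:
            continue  # DisplayName etc. carry no patterns
        patterns[key] = [re.compile(p.text, flags) for p in elem.findall("Pattern")]
    return patterns


def build_request(path, query="", headers=None, body=None):
    """Lay a request out by the locations the policy inspects. request.uri is
    path plus query string as in Apigee; URIPath is assumed to see only the path."""
    headers = headers or {}
    return {
        "URIPath": path,
        "Variable:request.uri": path + (f"?{query}" if query else ""),
        "Header:query": headers.get("query"),
        "Variable:request.content": body,
    }


def find_matches(patterns, request):
    """Return [(location, pattern)] for every pattern that matches. Any hit
    means the policy raises a fault and the request never reaches the target."""
    hits = []
    for key, regexes in patterns.items():
        value = request.get(key)
        if value is None:
            continue  # absent header or body: nothing to inspect
        hits.extend((key, rx.pattern) for rx in regexes if rx.search(value))
    return hits


def is_blocked(patterns, request):
    return bool(find_matches(patterns, request))


if __name__ == "__main__":
    policy = load_patterns(POLICY_XML)
    hardened = load_patterns(POLICY_XML, ignore_case=True)
    # Constructed requests; KEY is a placeholder, not a real appid.
    cases = {
        "clean query": build_request("/weather", "q=seattle&appid=KEY"),
        "lab q=delete": build_request("/weather", "q=delete&appid=KEY"),
        "q=DELETE bypass": build_request("/weather", "q=DELETE&appid=KEY"),
        "tautology in body": build_request("/weather", body="name=x' or 1=1--"),
        "innocent 'world'": build_request("/weather", body="hello world"),
        "drop table header": build_request("/weather", headers={"query": "drop   table users"}),
    }
    for label, req in cases.items():
        print(f"{label:18} blocked={is_blocked(policy, req)!s:5} "
              f"with (?i)={is_blocked(hardened, req)}")
```

Run as a script it prints one line per case. The q=delete request is stopped only by the request.uri copy of the `<Variable>` element (the path alone is clean), which is why that last copy-and-paste step matters; q=DELETE passes the lab's patterns untouched and is only caught by the case-insensitive variant.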