
How to protect encoded XSS threats

Question asked by Kareem.shaik7 on May 2, 2017
Latest reply on May 3, 2017 by Stephen_Hughes

We need to protect our API from XSS threats. 


For example:

JSON Body:

{
    "id": 1,
    "name": "<script>alert123</script>",
    "price": 12.50,
    "tags": ["home", "green"]
}

This can be blocked using 'Protect against code injection' assertion. 

Option selected: 'HTML/JavaScript Injection (Cross Site Scripting)'.


But how about a case where code is injected using encoded values:

{
    "id": 1,
    "name": "%3Cscript%3Ealert123%3C%5Cscript%3E",
    "price": 12.50,
    "tags": ["home", "green"]
}

The decoded values are listed below:

%3C = <

%3E = >

%5C = \


%3Cscript%3Ealert123%3C%5Cscript%3E = <script>alert123</script>

The Gateway is unable to identify such threats, and the requests are getting processed.


We have also tried selecting the 'XPath Injection' option in the 'Protect against code injection' assertion.



Can someone help to fix this issue?
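The bypass in the question works because the injection check runs against the raw body while the `name` value is percent-encoded. The added example below (not from the original thread and not CA API Gateway policy code) shows the defensive principle in stand-alone Python: canonicalize every string value in the JSON body (bounded percent-decoding) before applying a script-tag check. The two sample bodies are constructed to mirror the question, and the regular expression is a hypothetical stand-in for the gateway's built-in HTML/JavaScript injection pattern.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample bodies mirroring the two requests from the question.
PLAIN_BODY = '{"id": 1, "name": "<script>alert123</script>", "price": 12.50, "tags": ["home", "green"]}'
ENCODED_BODY = '{"id": 1, "name": "%3Cscript%3Ealert123%3C%5Cscript%3E", "price": 12.50, "tags": ["home", "green"]}'

# Hypothetical pattern standing in for the gateway's HTML/JavaScript injection check.
# It matches an opening or closing <script tag; the odd %5C (backslash) in the sample
# does not matter because the opening tag alone is enough to flag the value.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, with a bounded number of rounds.

    Single- and double-encoded payloads collapse to their literal form; the bound
    keeps a deliberately deeply-nested encoding from becoming a CPU sink.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def iter_strings(node):
    """Yield every string leaf of a parsed JSON document, recursing into objects and arrays."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from iter_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from iter_strings(v)


def contains_script_injection(body: str, decode_first: bool) -> bool:
    """Return True if any string value in the JSON body matches the script-tag pattern.

    decode_first=False reproduces a check applied to the raw text (the bypass);
    decode_first=True canonicalizes each value before matching (the mitigation).
    """
    for s in iter_strings(json.loads(body)):
        if decode_first:
            s = canonicalize(s)
        if SCRIPT_TAG.search(s):
            return True
    return False
```

In the gateway itself the equivalent is to URL-decode the relevant fields (or the whole body) into a context variable first and run the code-injection assertion against that decoded variable rather than the raw request.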