Layer7 API Management

  • 1.  Allow special character in URL query string

    Posted Mar 13, 2018 05:15 AM

    I have requirement and looking for appropriate solution.

    Requirement: Allow a request that has a special character (| [%7C]) in the query string, e.g. http://<<hostname>>//category/results?Ns=sortPrice_AEO_INTL%7C1

     

    Analysis: The "Protect Against Code Injection" assertion provides basic threat protection against attacks on web applications by blocking malicious code injection.

     

    I am thinking of using the "Encode/Decode Data" assertion before the "Protect Against Code Injection" assertion, but I don't know the impact with respect to threat protection.

     

    Is there any way to configure which special characters will be accepted by the "Protect Against Code Injection" assertion?

     

    Note: Gateway version: 9.2

    Here is my existing threat protection configuration:



  • 2.  Re: Allow special character in URL query string

    Posted Mar 13, 2018 10:12 PM

    Hi Tattwa,

    You can create your own encapsulated assertion with the characters you want to block.

    Try using a regular expression to match the characters; it can essentially work the same as the out-of-the-box assertion. Other than that, you cannot change the special characters used by the "Protect Against Code Injection" assertion.

    Hope this helps!



  • 3.  Re: Allow special character in URL query string

    Posted Mar 14, 2018 02:15 AM

    Thank you Sravankanumuri,

    If I use "Evaluate a Regular Expression" before "Protect Against Code Injection", I am thinking it may not resolve the problem because it would still be considered a threat. What do you say?



  • 4.  Re: Allow special character in URL query string

    Posted Mar 14, 2018 09:36 AM

    It certainly is a threat, but in the case where the client is highly trusted and you perform authentication/authorization before using "Evaluate a Regular Expression", it may be fine. It is not recommended from a security best-practices point of view.

    But as Mark mentioned below, it is better to avoid the % or | characters on the client side.



  • 5.  Re: Allow special character in URL query string

    Broadcom Employee
    Posted Mar 13, 2018 10:33 PM

    Dear Tattwa ,

    The pipe character is blocked for a reason. Bypassing this may expose risks.

    Do they have to use special characters? It's better to change it on the client side. Or, you may validate the client identity first before you bypass it (only if you 100% trust the client).

     

    Regards,

    Mark



  • 6.  Re: Allow special character in URL query string

    Posted Mar 14, 2018 02:29 AM

    Thank you Mark for your inputs,

    Yes, in particular scenario.

    Could you please let me know how to bypass special characters coming as part of request parameters, e.g. %7C?



  • 7.  Re: Allow special character in URL query string

    Broadcom Employee
    Posted Mar 14, 2018 05:58 PM

    Dear Tattwadarsi Biswal ,

    Two options:

    1. Encode on the client side.

    (Encoding in the policy won't work, as the request has already been received and all its properties, such as the URL, are set.)

    2. Use different branches.

    Identify the client first; trusted client(s) go to a branch without the protection check, the others go to the branch with the protection assertion.

     

    Regards,

    Mark
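
Reading reply 2 (a custom regex-based check) and reply 7 (a separate branch for trusted clients) together, the following is an added Python illustration of the shape of such a check. It is not Layer7 policy and not code from anyone in this thread. The blocked-character set, the idea that only the `Ns` parameter may carry a single `|` in a strict `name|digits` shape, and the trusted-client principal name `catalog-frontend` are all constructed for the example; the real assertion's character list is product-defined. The point it makes concrete is Mark's remark that the request is already decoded when the policy runs, so the check has to operate on the decoded value, and that a narrow allowlist plus an authenticated-client branch is safer than turning the check off.

```python
"""Added example: a decoded-query-string check with a narrow allowlist and
a trusted-client bypass. Not Layer7 product code; all names are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed blocklist for this example. The out-of-the-box assertion's
# list cannot be edited (per the thread), so a custom check needs its own.
BLOCKED_CHARS = re.compile(r"[|;<>`'\"\\]")

# Hypothetical allowlist: the 'Ns' sort parameter from the question may
# contain exactly one '|' and nothing else unusual.
PIPE_ALLOWED_PARAMS = {"Ns"}
PIPE_PARAM_PATTERN = re.compile(r"[A-Za-z0-9_]+\|[0-9]+")

# Hypothetical set of authenticated principals that get the unprotected branch.
TRUSTED_CLIENTS = {"catalog-frontend"}


def check_query(url, principal=None):
    """Return (allowed, reason).

    The query is percent-decoded first (parse_qsl turns %7C into '|'),
    mirroring the gateway seeing the decoded request URL; a second
    "encode" step in policy would therefore not hide the character.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)

    # Reply 7, option 2: an authenticated, trusted client skips the check.
    # This branch must sit after authentication, not before it.
    if principal in TRUSTED_CLIENTS:
        return True, "trusted client, protection bypassed"

    for name, value in pairs:
        if BLOCKED_CHARS.search(name):
            return False, f"blocked character in parameter name {name!r}"
        # Narrow exception: a single '|' in the expected shape for 'Ns'.
        if name in PIPE_ALLOWED_PARAMS and PIPE_PARAM_PATTERN.fullmatch(value):
            continue
        if BLOCKED_CHARS.search(value):
            return False, f"blocked character in value of {name!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    for url, who in [
        ("http://host//category/results?Ns=sortPrice_AEO_INTL%7C1", None),
        ("http://host//category/results?Ns=a%7C1%7C2", None),
        ("http://host/x?q=1'%20or%201=1", None),
        ("http://host/x?q=a%7Cb", "catalog-frontend"),
    ]:
        print(url, who, check_query(url, who))
```

The allowlist is deliberately tighter than "allow `|`": it accepts the one value shape the client actually needs, so a pipe in any other parameter, or two pipes in `Ns`, is still rejected.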



  • 8.  Re: Allow special character in URL query string

    Posted Mar 14, 2018 06:01 PM

    Nice. Thanks!!