Part 5 – API Security Best Practices – JSON Threat...

divyamary · ‎2017 Aug 18

SAP Cloud Platform, API Management offers many out of the box API Security best practices which can be customized based on your enterprise requirements. These API Security Best Practices includes security policies for Authentication and Authorization, Traffic Management and many more.

OWASP Top 10 that represents a broad consensus about the most critical security risks to web applications lists Injection attacks as one of the Top 10 web application security attack. Attackers use code injection techniques such as sending inflated messages or deep nested requests to consume API server memory resources making the server unavailable.

JSON Threat Policy from SAP API Management can be easily added to any API to comply to the security rules for input validation that is listed in OWASP security checks to mitigate injection attacks. In this blog we will use JSON Threat policy to specify limits on incoming request body such as the maximum number of elements allowed inside an array, maximum depth of JSON object, maximum numbers of properties allowed in an object for a REST/ OData API.

This blog is a continuation of the API Security best practices blog series and in the previous blog data masking of sensitive data in OData/REST APIs was covered.

More best practices covered in API Security Best Practices blog series.

Prerequisites

SAP Cloud Platform API Management tenant.

Launch API Portal

Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).

Navigate to the Services tab, search for API Management service tile and click to open API Management service.

Click on the link Access API Portal to open API Portal.

JSON Threat Protection

In this section we would describe the usage of the JSON Threat Protection policy to limit the size of the JSON payload to the following values :-

Maximum of 2 number of Array elements.

Maximum container depth allowing a deep nesting of elements within an object to a maximum of 5 levels.

Maximum of 50 properties within a JSON object.

Maximum property name length of 50 characters.

Maximum property string value of 500 characters.

Refer Rate limit API calls blog to create an API Proxy to an OData API from SAP Gateway and applying an API Rate limit using Quota policy. In this blog we would be extending the same to add the support for data masking for OData APIs.

Navigate to the Define from the hamburger icon, then select the tab APIs. Select the API Proxy to which API Rate limiting was applied.

Click on the Policies button of the selected API Proxy.

Click on the Edit button from the Policy designer and Select PreFlow from the ProxyEndPoint section and then click on the + button next to the JSON Threat Protection Policy available under the Security Policies segment.

In the Create policy screen specify the policy name say mitigateJSONCodeInjection and then click on the Add button.

Select the newly added mitigateJSONCodeInjection policy then add the following policy snippet.

<JSONThreatProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">

	<ArrayElementCount>2</ArrayElementCount>

	<ContainerDepth>5</ContainerDepth>

	<ObjectEntryCount>50</ObjectEntryCount>

	<ObjectEntryNameLength>50</ObjectEntryNameLength>

	<Source>request</Source>

	<StringValueLength>500</StringValueLength>

</JSONThreatProtection>

Note that the values of JSON threat protection limit used in this blog is just a sample and a lower value has been set for ease of testing.

In the Condition String text box, enter the following snippet so that the JSON Threat protection policy is executed only for modifying request like POST/PUT.

request.verb = "PUT" or request.verb = "POST"

Click on the Update button to save the Policy changes

Click on the Save button to save the changes to API Proxy.

With this we have successfully applied a JSON threat protection policy to minimize the risk posed by content-level attacks.

Finally testing the flow

Navigate to the Test tab from the hamburger icon

From the APIs list search for the API Proxy that you would like to test say GatewayServiceRestrictedAccess and then click the API to test.

Click on the Authentication: None link and select Basic Authentication to set the user credential to connect to the SAP Gateway ES4 system

Enter your user credential to the SAP Gateway ES4 system and click on the OK button

Since we would using a POST call to pass the JSON payload, x-csrf-token handling would be required. Click on the Headers button. Enter x-csrf-token as header name and fetch as the header value and then click on the Send button

- Click on the response headers tab, then copy the x-csrf-token value received from the server in the OData batch request call

Append /SalesOrderSet to the API Proxy URL and then select POST method. In the x-csrf-token header value paste the x-csrf-token header response received from the server in previous call. Click on the + button next to the Headers and then add a new header named Content-Type with value set to application/json. Click on the + button next to the Headers again and then add another header named Accept with value set to application/json. In the request body, paste the following request payload and then click on the Send button

{

        "Note": "EPM DG: SO ID 0500000000 Deliver as fast as possible",

        "NoteLanguage": "EN",

        "CustomerID": "0100000000",

        "CustomerName": "SAP",

        "CurrencyCode": "EUR",

        "GrossAmount": "28142.31",

        "NetAmount": "23649.00",

        "TaxAmount": "4493.31",

        "LifecycleStatus": "N",

        "LifecycleStatusDescription": "New",

        "BillingStatus": "",

        "BillingStatusDescription": "Initial",

        "DeliveryStatus": "",

        "DeliveryStatusDescription": "Initial",

        "ToLineItems":  [

                {

                    "ProductID": "HT-1000",

                    "ItemPosition" : "0000000010",

                    "Note": "EPM DG: SO ID 0500000000 Item 0000000010",

                    "NoteLanguage": "EN",

                    "CurrencyCode": "EUR",

                    "GrossAmount": "3412.92",

                    "NetAmount": "2868.00",

                    "TaxAmount": "544.92",

                    "DeliveryDate": "/Date(1503532800000)/",

                    "Quantity": "3",

                    "QuantityUnit": "EA"

                },

                {

                    "ProductID": "HT-1001",

                    "ItemPosition" : "0000000020",

                    "Note": "EPM DG: SO ID 0500000000 Item 0000000020",

                    "NoteLanguage": "EN",

                    "CurrencyCode": "EUR",

                    "GrossAmount": "2972.62",

                    "NetAmount": "2498.00",

                    "TaxAmount": "474.62",

                    "DeliveryDate": "/Date(1503547200000)/",

                    "Quantity": "2",

                    "QuantityUnit": "EA"

                }

            ]

      

}

Since the JSON request is within the given limit defined in the JSON Threat Protection policy, the call would be successfully passed by the SAP API Management to the SAP Gateway system and a Sales order would be get created.

In the request body, paste the following request payload and then click on the Send button

{

        "Note": "EPM DG: SO ID 0500000000 Deliver as fast as possible",

        "NoteLanguage": "EN",

        "CustomerID": "0100000000",

        "CustomerName": "SAP",

        "CurrencyCode": "EUR",

        "GrossAmount": "28142.31",

        "NetAmount": "23649.00",

        "TaxAmount": "4493.31",

        "LifecycleStatus": "N",

        "LifecycleStatusDescription": "New",

        "BillingStatus": "",

        "BillingStatusDescription": "Initial",

        "DeliveryStatus": "",

        "DeliveryStatusDescription": "Initial",

        "ToLineItems":  [

                {

                    "ProductID": "HT-1000",

                    "ItemPosition" : "0000000010",

                    "Note": "EPM DG: SO ID 0500000000 Item 0000000010",

                    "NoteLanguage": "EN",

                    "CurrencyCode": "EUR",

                    "GrossAmount": "3412.92",

                    "NetAmount": "2868.00",

                    "TaxAmount": "544.92",

                    "DeliveryDate": "/Date(1503532800000)/",

                    "Quantity": "3",

                    "QuantityUnit": "EA"

                },

                {

                    "ProductID": "HT-1001",

                    "ItemPosition" : "0000000020",

                    "Note": "EPM DG: SO ID 0500000000 Item 0000000020",

                    "NoteLanguage": "EN",

                    "CurrencyCode": "EUR",

                    "GrossAmount": "2972.62",

                    "NetAmount": "2498.00",

                    "TaxAmount": "474.62",

                    "DeliveryDate": "/Date(1503547200000)/",

                    "Quantity": "2",

                    "QuantityUnit": "EA"

                },

				{

                    "ProductID": "HT-1001",

                    "ItemPosition" : "0000000030",

                    "Note": "EPM DG: SO ID 0500000000 Item 0000000020",

                    "NoteLanguage": "EN",

                    "CurrencyCode": "EUR",

                    "GrossAmount": "2972.62",

                    "NetAmount": "2498.00",

                    "TaxAmount": "474.62",

                    "DeliveryDate": "/Date(1503547200000)/",

                    "Quantity": "2",

                    "QuantityUnit": "EA"

                }

            ]

      

}