Part 6 – API Security Best Practices – XML Threat ...

divyamary · ‎2017 Aug 18

SAP Cloud Platform, API Management offers many out of the box API Security best practices which can be customized based on your enterprise requirements. These API Security Best Practices includes security policies for Authentication and Authorization, Traffic Management and many more.

OWASP Top 10 that represents a broad consensus about the most critical security risks to web applications lists Injection attacks as one of the Top 10 web application security attack. Attackers use code injection techniques such as sending inflated messages or deep nested requests to consume API server memory resources making the server unavailable.

XML Threat Policy from SAP API Management can be easily added to any API to comply to the security rules for input validation that is listed in OWASP security checks to mitigate injection attacks. In this blog we will extend the previous blog of JSON Threat protection to add the support for XML Threat protection to an SAP Gateway OData Service

More best practices covered in API Security Best Practices blog series.

Prerequisites

SAP Cloud Platform API Management tenant.

Launch API Portal

Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).

Navigate to the Services tab, search for API Management service tile and click to open API Management service.

Click on the link Access API Portal to open API Portal.

XML Threat Protection

In this section we would describe the usage of the XML Threat Protection policy to processing of large XML payload with deep nested child elements.

Refer Rate limit API calls blog to create an API Proxy to an OData API from SAP Gateway and applying an API Rate limit using Quota policy. In this blog we would be extending the same to add the support for data masking for OData APIs.

Navigate to the Define from the hamburger icon, then select the tab APIs. Select the API Proxy to which API Rate limiting was applied.

Click on the Policies button of the selected API Proxy.

Click on the Edit button from the Policy designer and Select PreFlow from the ProxyEndPoint section and then click on the + button next to the XML Threat Protection Policy available under the Security Policies segment.

In the Create policy screen specify the policy name say mitigateXMLCodeInjection and then click on the Add button.

Select the newly added mitigateXMLCodeInjection policy then add the following policy snippet.

<XMLThreatProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">

   <NameLimits>

	    <Element>50</Element>

	    <Attribute>10</Attribute>

		<NamespacePrefix>10</NamespacePrefix>

		<ProcessingInstructionTarget>10</ProcessingInstructionTarget>

	</NameLimits>

	<Source>request</Source>

	<StructureLimits>

		<NodeDepth>10</NodeDepth>

		<AttributeCountPerElement>5</AttributeCountPerElement>

       <NamespaceCountPerElement>5</NamespaceCountPerElement>

       <ChildCount  includeComment="true" includeElement="true" includeProcessingInstruction="true" includeText="true">50</ChildCount>

	</StructureLimits>

	<ValueLimits>

		<Text>50</Text>

		<Attribute>100</Attribute>

		<NamespaceURI>100</NamespaceURI>

		<Comment>10</Comment>

		<ProcessingInstructionData>10</ProcessingInstructionData>

   </ValueLimits>

</XMLThreatProtection>

Note that the values of XML threat protection limit used in this blog is just a sample and a lower value has been set for ease of testing.

In the Condition String text box, enter the following snippet so that the JSON Threat protection policy is executed only for modifying request like POST/PUT.

request.verb = "PUT" or request.verb = "POST"

Click on the Update button to save the Policy changes

Click on the Save button to save the changes to API Proxy.

With this we have successfully applied a XML threat protection policy to minimize the risk posed by content-level attacks.

Finally testing the flow

Navigate to the Test tab from the hamburger icon

From the APIs list search for the API Proxy that you would like to test say GatewayServiceRestrictedAccess and then click the API to test.

Click on the Authentication: None link and select Basic Authentication to set the user credential to connect to the SAP Gateway ES4 system

Enter your user credential to the SAP Gateway ES4 system and click on the OK button

Since we would using a POST call to pass the JSON payload, x-csrf-token handling would be required. Click on the Headers button. Enter x-csrf-token as header name and fetch as the header value and then click on the Send button

- Click on the response headers tab, then copy the x-csrf-token value received from the server in the OData batch request call

Append /SalesOrderSet to the API Proxy URL and then select POST method. In the x-csrf-token header value paste the x-csrf-token header response received from the server in previous call. Click on the + button next to the Headers and then add a new header named Content-Type with value set to application/xml. Click on the + button next to the Headers again and then add another header named Accept with value set to application/xml. In the request body, paste the following request payload and then click on the Send button

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">

    <category term="GWSAMPLE_BASIC.SalesOrder" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>

    <link href="SalesOrderSet('0500000000')/ToLineItems" rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/ToLineItems" type="application/atom+xml;type=feed" title="ToLineItems">

        <m:inline>

            <feed>

                <entry>

                    <category term="GWSAMPLE_BASIC.SalesOrderLineItem" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>

                    <content type="application/xml">

                    	<m:properties>

                            <d:ItemPosition>0000000010</d:ItemPosition>

                            <d:ProductID>HT-1031</d:ProductID>

                            <d:Note>EPM DG</d:Note>

                            <d:NoteLanguage>EN</d:NoteLanguage>

                            <d:CurrencyCode>GBP</d:CurrencyCode>

                            <d:GrossAmount>1017.45</d:GrossAmount>

                            <d:NetAmount>855.00</d:NetAmount>

                            <d:TaxAmount>162.45</d:TaxAmount>

                            <d:DeliveryDate>2017-08-24T04:00:00.0000000</d:DeliveryDate>

                            <d:Quantity>3</d:Quantity>

                            <d:QuantityUnit>EA</d:QuantityUnit>

                        </m:properties>

                    </content>

                </entry>

            </feed>

        </m:inline>

    </link>

    <content type="application/xml">

        <m:properties>

            <d:Note>EPM DG</d:Note>

            <d:NoteLanguage>EN</d:NoteLanguage>

            <d:CustomerID>0100000000</d:CustomerID>

            <d:CustomerName>SAP</d:CustomerName>

            <d:CurrencyCode>EUR</d:CurrencyCode>

            <d:GrossAmount>28142.31</d:GrossAmount>

            <d:NetAmount>23649.00</d:NetAmount>

            <d:TaxAmount>4493.31</d:TaxAmount>

            <d:LifecycleStatus>N</d:LifecycleStatus>

            <d:LifecycleStatusDescription>New</d:LifecycleStatusDescription>

            <d:BillingStatus/>

            <d:BillingStatusDescription>Initial</d:BillingStatusDescription>

            <d:DeliveryStatus/>

            <d:DeliveryStatusDescription>Initial</d:DeliveryStatusDescription>

            <d:CreatedAt>2017-08-17T04:00:00.0000000</d:CreatedAt>

            <d:ChangedAt>2017-08-18T07:21:02.6190000</d:ChangedAt>

        </m:properties>

    </content>

</entry>

Since the request is within the given limit defined in the XML Threat Protection policy, the call would be successfully passed by the SAP API Management to the SAP Gateway system and a Sales order would be get created.

In the request body, paste the following request payload and then click on the Send button

<entry xmlns="http://www.w3.org/2005/Atom" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">

    <category term="GWSAMPLE_BASIC.SalesOrder" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>

    <link href="SalesOrderSet('0500000000')/ToLineItems" rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/ToLineItems" type="application/atom+xml;type=feed" title="ToLineItems">

        <m:inline>

            <feed>

                <entry>

                    <category term="GWSAMPLE_BASIC.SalesOrderLineItem" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme"/>

                    <content type="application/xml">

                    	<m:properties>

                            <d:ItemPosition>0000000010</d:ItemPosition>

                            <d:ProductID>HT-1031</d:ProductID>

                            <d:Note>EPM DG: SO ID 0500000000 Item 0000000090</d:Note>

                            <d:NoteLanguage>EN</d:NoteLanguage>

                            <d:CurrencyCode>GBP</d:CurrencyCode>

                            <d:GrossAmount>1017.45</d:GrossAmount>

                            <d:NetAmount>855.00</d:NetAmount>

                            <d:TaxAmount>162.45</d:TaxAmount>

                            <d:DeliveryDate>2017-08-24T04:00:00.0000000</d:DeliveryDate>

                            <d:Quantity>3</d:Quantity>

                            <d:QuantityUnit>EA</d:QuantityUnit>

                        </m:properties>

                    </content>

                </entry>

            </feed>

        </m:inline>

    </link>

    <content type="application/xml">

        <m:properties>

            <d:Note>EPM DG: SO ID 0500000000 Deliver as fast as possible</d:Note>

            <d:NoteLanguage>EN</d:NoteLanguage>

            <d:CustomerID>0100000000</d:CustomerID>

            <d:CustomerName>SAP</d:CustomerName>

            <d:CurrencyCode>EUR</d:CurrencyCode>

            <d:GrossAmount>28142.31</d:GrossAmount>

            <d:NetAmount>23649.00</d:NetAmount>

            <d:TaxAmount>4493.31</d:TaxAmount>

            <d:LifecycleStatus>N</d:LifecycleStatus>

            <d:LifecycleStatusDescription>New</d:LifecycleStatusDescription>

            <d:BillingStatus/>

            <d:BillingStatusDescription>Initial</d:BillingStatusDescription>

            <d:DeliveryStatus/>

            <d:DeliveryStatusDescription>Initial</d:DeliveryStatusDescription>

            <d:CreatedAt>2017-08-17T04:00:00.0000000</d:CreatedAt>

            <d:ChangedAt>2017-08-18T07:21:02.6190000</d:ChangedAt>

        </m:properties>

    </content>

</entry>

This time, the XML threat protection limit would be violated and an error from the SAP API Management system would be received.

Further Reads

Next part of the API security best practices blog series - Log all API interactions

Previous part of the API security best practices blog series – JSON Threat protection against inject...

API Security Best Practices

For more blogs on SAP Cloud Platform API Management visit us at SAP Community