SAP Cloud Platform, API Management offers many out-of-the-box API security best practices that can be customized to your enterprise requirements. These best practices include security policies for authentication and authorization, traffic management and more.
The OWASP Top 10, which represents a broad consensus about the most critical security risks to web applications, lists injection attacks as one of the top 10 web application security risks.
SQL injection is a type of injection attack that malicious users use to gain access to, or alter, database information that should be reachable only through the REST APIs, for example to:
- access sensitive data like user names and passwords.
- corrupt or delete data in the database.
Using the Regular Expression Protection Policy from SAP Cloud Platform API Management, SQL injection attempts can be easily detected. In this blog we extend the previous blog, Log all API Interactions, to detect the usage of SQL commands like drop table, insert, shutdown or update in URL paths, query parameters, etc. For the complete list of SQL commands, refer to the OWASP SQL Injection Prevention cheat sheet.
More best practices are covered in the API Security Best Practices blog series.
Prerequisites
Launch API Portal
- Click on the Access API Portal link to open the API Portal.
SQL Injection Threat Protection
In this section we describe how to use the Regular Expression Protection Policy to detect SQL commands like drop table, insert, shutdown or update in the OData query parameters $format, $skip, $filter, $top and $count.
Refer to the Rate limit API calls blog to create an API Proxy to an OData API from the SAP Gateway ES4 system.
- Navigate to Define from the hamburger icon, then select the APIs tab. Select the API Proxy to which API rate limiting was applied.
- Click on the Policies button of the selected API Proxy.
- Click on the Edit button in the policy designer, select PreFlow from the ProxyEndPoint section, and then click on the + button next to the Regular Expression Protection policy available under the Security Policies segment.
- In the Create policy screen, specify a policy name, say checkForCodeInjection, and then click on the Add button.
- Select the newly added checkForCodeInjection policy, then add the following policy snippet.
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" xmlns="http://www.sap.com/apimgmt">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <URIPath>
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </URIPath>
  <QueryParam name="$format">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$top">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$skip">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$filter">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <QueryParam name="$count">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </QueryParam>
  <Variable name="request.content">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
  <Source>request</Source>
</RegularExpressionProtection>
Note that the regular expression pattern used in this blog is just a sample and would have to be extended to handle all the best practices described in the OWASP SQL Injection Prevention cheat sheet.
- Click on the Update button to save the policy changes.
- Click on the Save button to save the changes to the API Proxy.
With this we have successfully applied Regular Expression Protection to detect SQL commands like drop table, insert, update and shutdown passed in the query parameters, URL path or request body.
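To see what the policy above actually accepts and rejects before deploying it, the following Python script, added here as an illustration and not part of the original blog or of SAP's product code, evaluates the same alternation against the same request locations the policy inspects: the URI path, the five listed OData query parameters, and the request body. The host example.invalid, the service path /odata/ProductSet, the sample bodies and the function name find_violations are constructed for this example. One deliberate difference: the policy's Java-based regex engine accepts the inline (?i) in the middle of the pattern, whereas Python requires the flag at the start, so the script passes re.IGNORECASE instead. It also assumes, as the blog's test steps imply, that query values are matched after URL decoding.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Alternation copied from the policy's <Pattern>. The inline (?i) of the
# original is replaced by re.IGNORECASE because Python rejects a global
# flag that is not at the start of the expression; matching is otherwise
# identical.
SQL_KEYWORDS = re.compile(
    r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))",
    re.IGNORECASE,
)

# The query parameters named in the policy's <QueryParam name="..."> elements.
CHECKED_PARAMS = ("$format", "$top", "$skip", "$filter", "$count")


def find_violations(url, body=""):
    """Evaluate a request the way the policy does: the URI path, each listed
    query parameter and the request body (request.content) are searched for
    the pattern. Returns a list of (location, matched text); an empty list
    means the request would be forwarded to the backend.
    Assumption: query values are compared after URL decoding (parse_qsl)."""
    parts = urlsplit(url)
    hits = []

    match = SQL_KEYWORDS.search(parts.path)
    if match:
        hits.append(("URIPath", match.group(0).strip()))

    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in CHECKED_PARAMS:
            match = SQL_KEYWORDS.search(value)
            if match:
                hits.append((f"QueryParam {name}", match.group(0).strip()))

    match = SQL_KEYWORDS.search(body)
    if match:
        hits.append(("request.content", match.group(0).strip()))

    return hits


# Constructed sample requests against a hypothetical OData service (not the
# ES4 system from the blog). The first two mirror the blog's test steps; the
# last two are legitimate requests that the sample pattern also rejects.
SAMPLE_REQUESTS = [
    ("https://example.invalid/odata/ProductSet?$format=drop+table", ""),
    ("https://example.invalid/odata/ProductSet?$format=json", ""),
    # A normal OData filter: the bare keyword "or" is caught by (\bor\b).
    ("https://example.invalid/odata/ProductSet?$filter=Category+eq+'Beverages'+or+Category+eq+'Notebooks'", ""),
    # A harmless JSON body: "Updates" contains "update", which has no \b guard.
    ("https://example.invalid/odata/ProductSet", '{"Category": "Software Updates"}'),
]

if __name__ == "__main__":
    for url, body in SAMPLE_REQUESTS:
        hits = find_violations(url, body)
        verdict = "BLOCKED" if hits else "forwarded"
        print(f"{verdict:9} {url}  {hits}")
```

Running the script shows the two outcomes from the test section (drop table is blocked, json is forwarded) and also the cost of the sample pattern as written: the unanchored words insert, update and delete match inside ordinary identifiers such as "Updates", and \bor\b rejects any $filter that uses the OData or operator. That is the practical meaning of the note above that the pattern is only a sample: before production use, tighten the alternatives with word boundaries and decide per parameter which keywords are genuinely suspicious, and check the API Management logs for false positives after rollout.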
Finally, testing the flow
- Navigate to the Test tab from the hamburger icon.
- From the APIs list, search for the API Proxy that you would like to test, say GatewayServiceRestrictedAccess, and then click the API to test.
- Click on the Authentication: None link and select Basic Authentication to set the user credentials for connecting to the SAP Gateway ES4 system.
- Click on the Url Params button. Enter $format as the URL parameter name and drop table as the parameter value, and then click on the Send button.
- Since the SQL command drop table was passed in the query parameter, it is detected by the Regular Expression Protection policy and an error is returned.
- Change the $format URL parameter value to json and then click on the Send button.
- Since the request no longer matches any pattern defined in the Regular Expression Protection policy, SAP API Management passes the call through to the SAP Gateway system and the response is returned.
Further Reads