Securing an Apigee API Proxy

Hands-On Lab

 

Joseph Lowery

Google Cloud Training Architect II in Content

Length

00:30:00

Difficulty

Beginner

In a perfect world, you wouldn't have to worry about unknown persons attacking your data services via SQL injection. But we live in the real world, where such attacks are all too common. In this hands-on lab, we'll first see how a request carrying a SQL keyword passes straight through an API proxy to the backend server. Then, we'll add a Regular Expression Protection policy, with regex patterns covering the URI path, a request header, the request body and the full request URI, so that the proxy rejects such requests before they reach the backend.


Connecting to the Lab

  1. Navigate to https://cloud.google.com/apigee.
  2. Click the Try it free button.
  3. Create a free Apigee account.

Test the Existing API Proxy

  1. On the Apigee dashboard page, click API Proxies.
  2. Open LA-Weather.
  3. Select the TRACE tab.
  4. In the URL field, append the following query parameters to the API proxy URL: ?q=seattle&appid=[YOUR_OPENWEATHERMAP_API_KEY] (if you do not have an OpenWeatherMap API key, use the lab-provided key fd4698c940c6d1da602a70ac34f0b147).
  5. Click Start Trace Session.
  6. Click Send.
  7. In the URL field, change the q value to delete.
  8. Click Send.
  9. Review the results. The proxy forwards q=delete to the backend exactly as it forwarded q=seattle; nothing in the flow inspects the value yet.
  10. Click Stop Trace Session.

Add a Regular Expression Protection Policy

  1. Select the DEVELOP tab.
  2. In the Proxy Endpoints section of the Navigator, select PreFlow.
  3. In the Request area, click + Step.
  4. In the Add Step dialog, scroll down to the Security category, and choose Regular Expression Protection.
  5. Change the Display Name value to RegEx SQL Injection Protection.
  6. Click Add.

Customize the Code for SQL Injection

  1. With the RegEx SQL Injection Protection policy selected, remove the following elements from the policy XML (with <Source> removed, the policy defaults to inspecting the request):
    • <JSONPayload>
    • <QueryParam>
    • <FormParam>
    • <XMLPayload>
    • <Source>
  2. Within the <URIPath> element, replace the placeholder <Pattern> elements with the following. Everything between the <Pattern> tags is the regular expression, so keep the backslashes and do not leave stray whitespace inside the tags:
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  3. Change the <Header> element to the following, so the same patterns are applied to a request header named query:
    <Header name="query">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </Header>
  4. Change the <Variable> element to the following, so the patterns are applied to the request body (the request.content flow variable):
    <Variable name="request.content">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </Variable>
  5. Copy and paste the entire <Variable> element, and change the name value to request.uri. This applies the patterns to the full request URI, query string included, and is what will catch q=delete now that the <QueryParam> element has been removed.
  6. Click Save.
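The finished policy, plus a way to exercise its patterns offline before you trace it in Apigee, as an added example that is not part of the lab or of Apigee's own tooling. The script embeds the policy XML as it should read after the steps above, pulls the <Pattern> lists out of each section with the standard library, and applies them to constructed sample requests the way the policy would (the first match rejects the request). Python's re module stands in for the Java regex engine Apigee runs; for these patterns they agree. The proxy base path /la-weather, the policy's name attribute, and the mapping of <URIPath>, request.uri and request.content onto the parts of a request are assumptions, not something the lab states.

```python
import re
import xml.etree.ElementTree as ET

# Finished policy after the "Customize the Code for SQL Injection" steps, with
# the regex backslashes intact and no stray whitespace inside <Pattern>. The
# name attribute is assumed; the lab text does not show it.
POLICY_XML = r"""<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="RegEx-SQL-Injection-Protection">
  <DisplayName>RegEx SQL Injection Protection</DisplayName>
  <URIPath>
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </URIPath>
  <Header name="query">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Header>
  <Variable name="request.content">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
  <Variable name="request.uri">
    <Pattern>[tT]rue</Pattern>
    <Pattern>.*true.*</Pattern>
    <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
</RegularExpressionProtection>"""

def load_checks(policy_xml):
    """Compile the <Pattern> list of each guarded section into
    ((kind, name), patterns); kind is "uripath", "header" or "variable".
    Header names are lower-cased so lookups are case-insensitive."""
    checks = []
    for section in ET.fromstring(policy_xml):
        patterns = [re.compile(p.text) for p in section.findall("Pattern")]
        if not patterns:
            continue
        kind, name = section.tag.lower(), section.get("name")
        if kind == "header" and name:
            name = name.lower()
        checks.append(((kind, name), patterns))
    return checks

def request_values(req):
    """Strings the policy inspects, derived from a constructed request dict.
    Assumed mapping: <URIPath> sees the path alone, request.uri is the path
    plus query string, request.content is the body."""
    query = req.get("query", "")
    values = {
        ("uripath", None): req["path"],
        ("variable", "request.uri"): req["path"] + ("?" + query if query else ""),
        ("variable", "request.content"): req.get("content", ""),
    }
    for name, value in req.get("headers", {}).items():
        values[("header", name.lower())] = value
    return values

def evaluate(checks, req):
    """Return ((kind, name), pattern) for the first hit, or None when clean.
    The policy faults on the first matching pattern; patterns are searched
    anywhere in the value, not anchored to its start."""
    values = request_values(req)
    for target, patterns in checks:
        value = values.get(target)
        if value is None:  # header or variable absent: nothing to inspect
            continue
        for pattern in patterns:
            if pattern.search(value):
                return target, pattern.pattern
    return None

def harden(policy_xml):
    """Same policy with every pattern prefixed by (?i), which Java regex (the
    engine Apigee uses) honours; this closes the upper-case keyword bypass."""
    root = ET.fromstring(policy_xml)
    for p in root.iter("Pattern"):
        p.text = "(?i)" + p.text
    return ET.tostring(root, encoding="unicode")

CHECKS = load_checks(POLICY_XML)
HARDENED = load_checks(harden(POLICY_XML))
BASE_PATH = "/la-weather"  # assumed proxy base path; the lab does not show it

def classify(query="", headers=None, content="", checks=CHECKS):
    """Run one constructed request through a compiled policy."""
    req = {"path": BASE_PATH, "query": query, "headers": headers or {}, "content": content}
    return evaluate(checks, req)

if __name__ == "__main__":
    for query in ("q=seattle&appid=APPID", "q=delete&appid=APPID", "q=DELETE&appid=APPID"):
        print(query, "->", classify(query), "| with (?i):", classify(query, checks=HARDENED))
```

Running it shows the lab's own test case: q=seattle is clean, q=delete is caught by the third pattern on request.uri. It also shows the gap a practitioner should know about: the lab's patterns are case-sensitive, so q=DELETE (or a query header of 1 OR 1=1) sails through until the patterns are made case-insensitive with (?i). A keyword denylist like this is a screen at the proxy, not a substitute for parameterised queries on the backend.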

Test the Updated API Proxy

  1. Return to the TRACE tab.
  2. In the URL field, add the following query parameters to the API proxy URI: ?q=delete&appid=[YOUR_OPENWEATHERMAP_API_KEY]
  3. Click Start Trace Session.
  4. Click Send.
  5. Review the results. This time the request does not reach the backend: the policy raises a fault as soon as one of its patterns matches the request.uri value, and the trace shows the flow stopping at the RegEx SQL Injection Protection step with an error response instead of weather data.

Conclusion

Congratulations, you've successfully completed this hands-on lab!