Regex (Regular Expression) Protection policy extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates the data against predefined regular expressions and rejects the message that is considered as a threat.
Configuration
The properties that have to be configured to use the policy are described below.
Figure 1: Regex Protection Policy Configuration attributes
| Property | Description |
|---|---|
| Source Message | The message from which information needs to be extracted. |
| URI Path Pattern | Provides the regular expressions against which information extracted from the URI path needs to be evaluated. Enable this property to add the pattern using Add button. |
| Query Param | Specifies that information needs to be extracted from the request query parameter and evaluated against the regular expressions provided. |
| Query Param Pattern | Provides the regular expressions against which information extracted from the request query parameter needs to be evaluated. |
| Header | Specifies that information needs to be extracted from the headers (request and response) and evaluated against the regular expressions provided. |
| Header Pattern | Provides the regular expressions against which information extracted from the request and response headers needs to be evaluated. |
| Form Param | Specifies that information needs to be extracted from the request form parameter and evaluated against the regular expressions provided. |
| Form Param Pattern | Provides the regular expressions against which information extracted from the request form parameter needs to be evaluated. |
| Variable | Specifies that information needs to be extracted from the given variable and evaluated against the regular expressions provided. |
| Variable Param Pattern | Provides the regular expressions against which information extracted from the given variable needs to be evaluated. |
Example
The request URL used in this example is the following:
| http://192.168.2.39:1860/wsstub/1.0/gettripprice?adults=adu&duration=dur&from=fro&rooms=roo&to=to |
The response for this request (when there is no Regex Protection policy added) is as shown below:
| {"Envelope": {"Body": {"getTripPriceResponse": {"return": "dur"}}}} |
Configure Regex Protection policy for this project as shown below:
Figure 2: Regex Protection policy properties with values provided in the Example
The Query Parameter used, 'duration', is one of the parameters. The Query Parameters pattern [a-zA-Z]+[ a-zA-Z-_]* matches first Alpha character and followed by any number of Characters/Spaces/Hyphens/Underscore.
If the duration parameter is set to any value which matches the pattern set, then it will be treated as a threat.
Send the above request after adding the policy to the Proxy Request.
It will be considered as a threat and will be rejected; the error output looks as below:
{ "ErrorMessage" : "Regular Expression Threat Detected", "ErrorCode" : "Threat Detected", "MoreInfo" : "Policy Name - Regex, Type - REGEX_PROTECTION" } |