Using the HTTP Malicious Patterns Detection Policy

Learn how to use regular expressions or JavaScript markup tags in an HTTP Malicious Patterns Detection Policy to inspect messages for malicious content and, if a match is found, reject the message and return a fault.


Supported Platforms: 7.x, 8.x

Table of Contents

  1. Introduction
  2. Examples
  3. Configuration

Introduction

The HTTP Malicious Patterns Detection Policy is used to inspect HTTP messages for content that could be considered dangerous to an API or web service, and to reject the message, returning a fault, if any of the defined expressions match the dangerous content.

Notes:

  • This policy uses regular expressions to define the content that is considered dangerous enough to warrant rejecting a message.
  • Typical uses of this policy are for SQL Injection detection or JavaScript detection.
  • Two sample policies are provided in the root level Policies folder (HTTPJavascriptInjection and HTTPSQLInjection). You can directly attach these to a service or operation.


Examples

The product includes the following out-of-the-box examples that illustrate usage of the HTTP Malicious Pattern Detection Policy. You can use the sample policies located in the root Policies folder as-is, or you can customize the configuration to suit your needs and then attach them directly to a service or operation.

SQL Injection RegEx

A sample HTTPSQLInjection policy is included out-of-the-box. It includes three regular expressions that match SQL keywords and symbols, as shown below.

JavaScript Script Markup Tags

A sample HTTPJavascriptInjection policy is also included out-of-the-box. It includes expressions that match JavaScript script markup tags.

Configuration Options

The policy includes the following configuration options:

  • Inspect Headers: Optionally, HTTP headers can be scanned for patterns. If this option is selected, all headers are scanned. To scan specific headers rather than all, enter the header names in the header table.
  • Inspect Path: Check this box if you want the HTTP path to be scanned.
  • Inspect Parameters: Check this box if you want the HTTP query parameters to be scanned.
  • Exclude Markup: This option applies to content with markup such as XML or JSON. If markup is excluded, only the content of the properties, not the markup itself, will be scanned. For example, a JSON property name will not be scanned, just the property value.
  • Patterns: One or more regular expression patterns to scan for. Any match will cause the message to be rejected.
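
A minimal model of the scanning behaviour these options describe, added here as an illustration; it is not the product's code. The patterns and function names are constructed for the example, and percent-decoding of the path and parameters and always scanning the body are assumptions the page does not state.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed demo patterns, NOT the contents of the shipped sample policies.
PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b",              # script markup tag
    r"\bunion\b.+\bselect\b",     # SQL keywords
    r"'\s*or\s+\d+\s*=\s*\d+",    # quote followed by a tautology
)]

def json_values(node):
    """Yield only string property values from parsed JSON (names are skipped)."""
    if isinstance(node, dict):
        for value in node.values():
            yield from json_values(value)
    elif isinstance(node, list):
        for item in node:
            yield from json_values(item)
    elif isinstance(node, str):
        yield node

def inspect_message(url, headers, body="", *, inspect_headers=False, header_names=(),
                    inspect_path=False, inspect_parameters=False, exclude_markup=False):
    """Return (location, pattern) for the first match, or None if the message passes."""
    parts = urlsplit(url)
    targets = []
    if inspect_headers:  # an empty header table means "scan all headers"
        wanted = {name.lower() for name in header_names}
        targets += [("header:" + k, v) for k, v in headers.items()
                    if not wanted or k.lower() in wanted]
    if inspect_path:     # assumption: values are percent-decoded before matching
        targets.append(("path", unquote(parts.path)))
    if inspect_parameters:
        targets += [("param:" + k, v)
                    for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if exclude_markup:   # scan property values only; raw text if the body is not JSON
        try:
            targets += [("body", v) for v in json_values(json.loads(body))]
        except ValueError:
            targets.append(("body", body))
    else:                # assumption: the body is always scanned
        targets.append(("body", body))
    for where, text in targets:
        for pattern in PATTERNS:
            if pattern.search(text):
                return where, pattern.pattern
    return None
```

With Exclude Markup enabled, a pattern that appears only in a JSON property name passes the scan, so any downstream code that uses property names must validate them itself.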


Configuration

Let's take a quick walkthrough of the HTTP Malicious Pattern Detection policy configuration process to get you started.

Step 1: Add Policy / Use Sample Policy

  • In Policy Manager, to create an HTTP Malicious Pattern Detection policy instance, go to Policies > Operational Policies and choose Add Policy.
  • Use one of the HTTP Malicious Pattern Detection sample policies (HTTP Malicious Pattern Detection or HTTPJavascriptInjection). You can attach the policy "as is" or modify it.

Step 2: Modify Policy

When you choose to Modify the HTTP Malicious Pattern Detection Policy on the Policy Details page, the initial policy looks like this:

Step 3: Configure

The next step is to configure your policy with a regular expression or JavaScript markup tags. To get the most out of this policy, you will need a good working knowledge of regular expressions. Some online tools:

  • Regular Expression Tester: Rubular.com provides a nice online test tool.
  • Regular Expression Builder: Debuggex.com provides a more sophisticated (and more complex) tool for building and validating regular expressions.

Step 4: Attach Policy

After you've saved your policy, you can attach it:

  • To an individual web service to apply it to that service
  • At the Organization level to apply it to all services defined within the organization.
