RegExThreatProtection

This policy enables you to reduce the risk of content-level attacks by evaluating the request content against predefined regular expressions.

If any of the specified regular expressions matches, the message is considered a threat and rejected.

No regular expression can eliminate all content-based attacks, so combine this policy with other mechanisms for defense in depth. With that in mind, the following patterns are recommended for blacklisting content. Note that they are written case-sensitively (drop\s*table does not match DROP TABLE unless the engine adds a case-insensitive flag), and the SQL Injection pattern in particular is broad: its (or) alternative matches any value containing the letters "or" (for example the path /orders), so expect false positives and tune the patterns against real traffic before enforcing them.

Blacklisted Patterns

Name                                  Regular expression
SQL Injection                         [\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))
Server-Side Include Injection         <!--#(include|exec|echo|config|printenv)\s+.*
XPath Abbreviated Syntax Injection    (/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+
XPath Expanded Syntax Injection       /?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))
JavaScript Injection                  <\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>
Java Exception Injection              .*Exception in thread.*
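As an added example (not Infor's code), the Python below loads the six recommended patterns and runs them over constructed values. It assumes a pattern counts as a hit when it matches anywhere in the value; the Server-Side Include entry is written with the `<!--#` prefix that SSI directives actually use. The samples are chosen to show both what the patterns catch and where they misfire: (or) flags the benign path /orders/42, the abbreviated-XPath pattern flags anything containing a slash (including the `</script>` closing tag), and upper-case DROP TABLE slips past the case-sensitive SQL pattern. The ignore_case switch is not a policy option on this page; it is only there to show the size of that gap.

```python
import re

# Patterns from the Blacklisted Patterns table above (the SSI entry is
# written with the "<!--#" prefix that SSI directives actually use).
BLACKLIST = {
    "SQL Injection": r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))",
    "Server-Side Include Injection": r"<!--#(include|exec|echo|config|printenv)\s+.*",
    "XPath Abbreviated Syntax Injection": r"(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+",
    "XPath Expanded Syntax Injection": r"/?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))",
    "JavaScript Injection": r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>",
    "Java Exception Injection": r".*Exception in thread.*",
}


def threats(value, ignore_case=False):
    """Names of the blacklist patterns found in value, in table order.

    Assumption: a pattern counts as a hit when it matches anywhere in the
    value (re.search), which is how the patterns above are written.
    ignore_case is not a policy option; it only shows how much the
    case-sensitive SQL pattern misses.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return [name for name, pat in BLACKLIST.items() if re.search(pat, value, flags)]


# Constructed sample values, one per kind of input a policy might inspect.
SAMPLES = [
    "1' or 1=1 --",                       # tautology: caught via (or)
    "<script>alert(1)</script>",          # inline script: caught, and the "/" in
                                          # </script> also trips the abbreviated-XPath pattern
    '<!--#exec cmd="id" -->',             # SSI directive: caught twice (exec is also in the SQL list)
    "/orders/42",                         # benign path: false positive on (or) and on the
                                          # abbreviated-XPath pattern, which matches any "/"
    "DROP TABLE users",                   # upper-case keywords: missed, the pattern is case-sensitive
    "following-sibling::node()",          # XPath axis: caught by the expanded-syntax pattern
    'Exception in thread "main" java.lang.NullPointerException',  # leaked stack trace: caught
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:62} -> {threats(sample) or 'clean'}")
    # ["SQL Injection"] once case is ignored
    print("DROP TABLE users, ignoring case ->", threats("DROP TABLE users", ignore_case=True))
```

Run it as a script to see each sample with the rules it trips; the two false positives on /orders/42 are the reason the page warns that no single pattern set is sufficient.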

Examples

Example 1:

In this example, the uriPath, query parameters, headers, and jsonPayload are checked for threats:

<regExThreatProtection xmlns="http://www.infor.com/ion/api"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     name="regExThreatProtection-example"
     displayName="regExThreatProtection-example" enabled="true" version="1.0">
      <uriPath>
            <pattern>\\d{3}[-.]?\\d{3}[-.]?\\d{4}</pattern>
      </uriPath> 
      <jsonPayload>
           <jsonPath>
                <expression>^.*</expression>
                 <pattern>.*uglyThreat.*</pattern>
           </jsonPath>
      </jsonPayload>
      <queryParam name="name">
         <pattern>[tT]rue</pattern>
         <pattern>.*true.*</pattern>
      </queryParam>
      <header name="greetings">
         <pattern>[tT]rue</pattern>
         <pattern>.*true.*</pattern>
      </header>
      <header name="greeting">
          <pattern>[tT]rue</pattern>
          <pattern>.*true.*</pattern>
      </header>
</regExThreatProtection>

Example 2:

In this example, the xmlPayload is checked for threats:

<regExThreatProtection xmlns="http://www.infor.com/ion/api"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     name="regExThreatProtection-example"
     displayName="regExThreatProtection-example" enabled="true" version="1.0">
      <xmlPayload> 
           <namespaces>
               <namespace prefix="infor">http://www.infor.com</namespace>
               <namespace prefix="acme">http://www.acme.com</namespace>
           </namespaces>
           <xPath>
                <expression>//infor:title/text()</expression>
                <pattern>.*ThreatTitle.*</pattern>
           </xPath>
      </xmlPayload>
</regExThreatProtection>

Configuration

Element name                       Default   Presence   Type     Multiplicity
uriPath                            n/a       Optional   n/a      0..1
uriPath.pattern                    n/a       Required   string   1..*
jsonPayload                        n/a       Optional   n/a      0..1
jsonPayload.jsonPath               n/a       Required   n/a      1..*
jsonPayload.jsonPath.expression    n/a       Required   string   1..1
jsonPayload.jsonPath.pattern       n/a       Required   string   1..*
xmlPayload                         n/a       Optional   n/a      0..1
xmlPayload.namespaces              n/a       Optional   n/a      0..1
xmlPayload.namespaces.namespace    n/a       Optional   string   0..*
xmlPayload.xPath                   n/a       Required   n/a      1..*
xmlPayload.xPath.expression        n/a       Required   string   1..1
xmlPayload.xPath.pattern           n/a       Required   string   1..*
queryParam                         n/a       Optional   n/a      0..*
queryParam.pattern                 n/a       Required   string   1..*
header                             n/a       Optional   n/a      0..*
header.pattern                     n/a       Required   string   1..*

<regExThreatProtection> attributes

<regExThreatProtection name="regExThreatProtection-example" displayName="regExThreatProtection-example" enabled="true" version="1.0">

Field name    Description                                                                                Default   Presence
name          Name of this policy instance.                                                              N/A       Required
displayName   Display name of this policy instance.                                                      N/A       Optional
enabled       Indicates whether the policy is enforced. If set to false, the policy is turned off and not enforced.   true   Optional
version       Policy version.                                                                            N/A       Required

<uriPath> element

This is an optional element that configures the regular expressions to be evaluated against the URI path.

The path starts with a forward slash and is the part of the URI that follows the host and port; it does not include the scheme, host, or port, and the query string is covered separately by the queryParam element. For example, the path of the following URI is /mywebsite/customers:

https://myserver:8443/mywebsite/customers

Only one uriPath element is allowed. The uriPath can contain multiple patterns.

<uriPath>
     <pattern>\\d{3}[-.]?\\d{3}[-.]?\\d{4}</pattern>
</uriPath>

<jsonPayload> element

This is an optional element that configures the JSON path expressions used to extract strings from a JSON payload, and the regular expressions those strings are evaluated against.

Only one jsonPayload element is allowed. The jsonPayload can contain multiple jsonPath elements, which in turn can contain multiple patterns.

This rule executes only if the Content-Type request header identifies the payload as JSON; a JSON body sent with any other content type is not inspected by this element.

<jsonPayload>
     <jsonPath>
          <expression>^.*</expression>
          <pattern>.*uglyThreat.*</pattern>
     </jsonPath>
</jsonPayload>

<queryParam> element

This is an optional element that indicates the regular expressions to be evaluated against the query parameter named by the name attribute.

Multiple queryParam elements are allowed. The queryParam element can contain multiple patterns.

<queryParam name="name">
    <pattern>[tT]rue</pattern>
    <pattern>.*true.*</pattern>
</queryParam>

<xmlPayload> element

This is an optional element that configures the XPath expressions used to extract strings from an XML payload, and the regular expressions those strings are evaluated against.

Only one xmlPayload element is allowed. The xmlPayload can contain multiple xPath elements, which in turn can contain multiple patterns.

This rule executes only if the Content-Type request header identifies the payload as XML; an XML body sent with any other content type is not inspected by this element.

<xmlPayload>
    <namespaces>
       <namespace prefix="infor">http://www.infor.com</namespace>
       <namespace prefix="acme">http://www.acme.com</namespace>
    </namespaces>
    <xPath>
       <expression>//infor:title/text()</expression>
       <pattern>.*ThreatTitle.*</pattern>
   </xPath>
</xmlPayload>

<namespaces> element

This is an optional element that declares the namespace prefixes (each bound to a namespace URI) that the xPath expressions in the enclosing xmlPayload element may use. Only prefixes declared here resolve in those expressions.

<header> element

This is an optional element that indicates the regular expressions to be evaluated against the request header named by the name attribute.

Multiple header elements are allowed. The header element can contain multiple patterns.

<header name="greeting">
     <pattern>[tT]rue</pattern>
     <pattern>.*true.*</pattern>
</header>
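To make the element semantics concrete, here is an added Python evaluator that applies a policy shaped like Example 1 and Example 2 to constructed requests. It is illustration code, not Infor's engine, which is configured in XML and whose matching internals this page does not describe. It assumes: a pattern hits when it matches anywhere in the value; the page's ^.* jsonPath expression means "every string value in the document"; the xPath //infor:title/text() is expressed in ElementTree's XPath subset as .//infor:title with the element text read afterwards; the uriPath pattern is written as a plain regex (\d rather than the \\d shown in the XML); and, as the jsonPayload and xmlPayload descriptions state, the payload rules run only when the Content-Type header names JSON or XML.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Policy shaped like Example 1 and Example 2 on this page, written as a
# Python dict for this illustration only (the real policy is XML).
POLICY = {
    "uriPath": [r"\d{3}[-.]?\d{3}[-.]?\d{4}"],          # page shows \\d; plain regex here
    "queryParam": {"name": [r"[tT]rue", r".*true.*"]},
    "header": {"greeting": [r"[tT]rue", r".*true.*"]},
    # Assumption: the page's "^.*" jsonPath expression selects every string value.
    "jsonPayload": [r".*uglyThreat.*"],
    "xmlPayload": {
        "namespaces": {"infor": "http://www.infor.com", "acme": "http://www.acme.com"},
        # ElementTree subset: ".//infor:title" selects the elements whose text
        # the page's "//infor:title/text()" would return.
        "xPath": [(".//infor:title", [r".*ThreatTitle.*"])],
    },
}


def _json_strings(node):
    """Yield every string leaf of a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _json_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _json_strings(v)


def evaluate(policy, url, headers, body=""):
    """Return (location, pattern) for every pattern that matched.
    An empty list means the request passes; any hit means rejection."""
    hits = []
    parts = urlsplit(url)
    for pat in policy.get("uriPath", []):
        if re.search(pat, parts.path):
            hits.append(("uriPath", pat))
    query = parse_qs(parts.query)
    for name, pats in policy.get("queryParam", {}).items():
        for value in query.get(name, []):
            hits += [(f"queryParam:{name}", p) for p in pats if re.search(p, value)]
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, pats in policy.get("header", {}).items():
        value = lowered.get(name.lower())
        if value is not None:
            hits += [(f"header:{name}", p) for p in pats if re.search(p, value)]
    ctype = lowered.get("content-type", "").lower()
    # Payload rules run only when Content-Type says JSON or XML; a body with
    # a different or missing Content-Type is never inspected by them.
    if "json" in ctype and "jsonPayload" in policy:
        for s in _json_strings(json.loads(body)):
            hits += [("jsonPayload", p) for p in policy["jsonPayload"] if re.search(p, s)]
    if "xml" in ctype and "xmlPayload" in policy:
        # Production code should parse untrusted XML with a hardened parser
        # (e.g. defusedxml); stdlib ElementTree keeps this example dependency-free.
        root = ET.fromstring(body)
        ns = policy["xmlPayload"]["namespaces"]
        for expr, pats in policy["xmlPayload"]["xPath"]:
            for elem in root.findall(expr, ns):
                text = elem.text or ""
                hits += [("xmlPayload", p) for p in pats if re.search(p, text)]
    return hits


# Constructed request bodies
XML_INFOR = '<doc xmlns="http://www.infor.com"><title>ThreatTitle here</title></doc>'
XML_ACME = '<doc xmlns="http://www.acme.com"><title>ThreatTitle here</title></doc>'
JSON_BODY = '{"comment": {"text": "an uglyThreat inside"}, "count": 3}'

if __name__ == "__main__":
    base = "https://myserver:8443"
    print(evaluate(POLICY, base + "/mywebsite/customers", {"greeting": "hello"}))      # []
    print(evaluate(POLICY, base + "/customers/555-123-4567", {}))                     # uriPath hit
    print(evaluate(POLICY, base + "/mywebsite/customers?name=True", {}))              # [tT]rue only
    print(evaluate(POLICY, base + "/x", {"Content-Type": "application/xml"}, XML_INFOR))  # xmlPayload hit
    print(evaluate(POLICY, base + "/x", {"Content-Type": "application/xml"}, XML_ACME))   # []
    print(evaluate(POLICY, base + "/x", {"Content-Type": "application/json"}, JSON_BODY)) # jsonPayload hit
    print(evaluate(POLICY, base + "/x", {"Content-Type": "text/plain"}, JSON_BODY))       # []
```

Two of the cases are worth dwelling on. The acme document carries the same ThreatTitle text but is not flagged, because the xPath expression is bound to the infor prefix declared under namespaces; an attacker who can pick the namespace of the payload picks which rules apply. And the JSON body posted as text/plain is not inspected at all, so the content-type gate should be backed by a separate policy that rejects unexpected content types.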