Mitigating SQL injections for APIs with WSO2 API Manager
How SQL Injections can affect APIs?
SQL Injection (SQLi) in the context of APIs refers to an injection attack in which an attacker executes malicious SQL statements by passing a crafted payload to our API, which forwards it to a backend service that uses the payload in database operations. Since an SQL Injection vulnerability can affect any backend service that uses an SQL-based database, it is one of the oldest, most prevalent and most dangerous vulnerabilities around today.
Given the right circumstances, an attacker can exploit an SQL Injection vulnerability to bypass a service’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL Injection can also be used to add, modify and delete records in a database, affecting data integrity. In other words, it can give an attacker access to sensitive data they are not authorized to see, and can seriously damage your company’s reputation as well.
How can we mitigate SQL Injections in API requests?
We need to protect our APIs from such injections by blocking requests that contain malicious payloads. How can we get this done? It is quite simple with the WSO2 API Manager. The WSO2 API Manager now supports threat protection at the gateway level: when such a threat is identified, the message is dropped immediately so that it never reaches your backend. The following three types of threat protectors are supported by the WSO2 API Gateway.
- Regular Expression Threat Protection for API Gateway
- JSON Threat Protection for API Gateway
- XML Threat Protection for API Gateway
To demonstrate the threat protection against SQL Injections we will use the regular expression threat protector. Let’s try it out.
Testing the threat protection against SQL Injections.
Configuring the Service.
- Download the WSO2 API Manager from here. Please note that you need to use API Manager version 2.2.0 or above for this use case.
- Check out the GitHub code from here and navigate to Blog-Samples/microservice-sample. Follow the instructions in its README file to start the service.
- The service starts on port 8080. It is a simple msf4j service; to learn more about this type of microservice you can try this tutorial.
Creating the API.
- Start the WSO2 API Manager and navigate to the Publisher. If you need help with creating and publishing an API, refer to this tutorial.
- Click on “Add New API” and select the “I have an Existing API” option.
- Upload the Swagger file found at Blog-Samples/microservice-sample/swagger/pizzaAPISwagger.json and click “Start Creating”.
- Provide an API context and then select “Next: Implement” at the bottom of the page.
- Expand the Managed APIs section and provide the endpoint as “http://localhost:8080”. This is the endpoint URL of the service we started above. After adding this, go to “Next: Manage”.
- Under the Subscription tiers select “Unlimited” and then Save and Publish your API.
- Once you are redirected to the Store, subscribe to the API and generate keys for it. Refer to this post on how to subscribe to an API.
Testing the API without threat detection.
- Let’s invoke this API with the following payload, which should return a single record for the pizza with this id, which is what the service is written to do.
{"pizza": {"id": "105"}}
- Now let’s perform an SQL injection on this payload. Modify the payload as below.
{"pizza": {"id": "105 OR '1'='1';"}}
- This returns every entry in the table because of the SQL injection, which should not happen.
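The service on the page is a Java msf4j service whose source is not reproduced here. As an added example that is not the project's code, the Python below uses an in-memory SQLite table to show why the second payload returns every row: the backend concatenates the "id" value into its statement, so the value is parsed as SQL. The same input bound as a query parameter matches nothing. The table rows, the function names and the sqlite3 backend are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the pizza service's table (not the project's own data).
SAMPLE_PIZZAS = [
    (104, "Margherita", 8.5),
    (105, "Pepperoni", 9.75),
    (106, "Veggie", 9.25),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pizza (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO pizza VALUES (?, ?, ?)", SAMPLE_PIZZAS)
    return conn


def find_pizza_vulnerable(conn, pizza_id):
    """Concatenate the untrusted id into the statement text.

    This is the shape of backend code the post's demonstration relies on: whatever
    arrives in the "id" field becomes part of the SQL grammar, so an id of
    105 OR '1'='1'; turns the WHERE clause into a condition that is always true."""
    sql = "SELECT id, name, price FROM pizza WHERE id = " + pizza_id
    return conn.execute(sql).fetchall()


def find_pizza_safe(conn, pizza_id):
    """Pass the id as a bound parameter so the driver never parses it as SQL.

    SQLite applies the column's INTEGER affinity to a plain "105" and matches the row;
    the injected string is not a number, stays text, and matches no row."""
    sql = "SELECT id, name, price FROM pizza WHERE id = ?"
    return conn.execute(sql, (pizza_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    normal_id = "105"                  # the post's first request
    injected_id = "105 OR '1'='1';"    # the post's second request
    print("vulnerable, normal     :", find_pizza_vulnerable(db, normal_id))
    print("vulnerable, injected   :", find_pizza_vulnerable(db, injected_id))
    print("parameterized, normal  :", find_pizza_safe(db, normal_id))
    print("parameterized, injected:", find_pizza_safe(db, injected_id))
```

Running the block prints one row for the normal id under both approaches, every row for the injected id under concatenation, and no row for the injected id under the bound parameter. The gateway protector described in the rest of the post is a second line of defence in front of the service; it does not remove the need for parameterized queries in the backend itself.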
Let’s mitigate this attack using the WSO2 API Manager.
Enabling threat detection for the API.
- Go back to the API Publisher and edit the Pizza API. Navigate to the Implement tab of the API.
- We are going to upload the sequence that applies regular expression threat protection against SQL injections. You can find the sequence at Blog-Samples/microservice-sample/sequence/regex_policy_sequence.xml.
- Follow the section “Add a custom sequence” of this document to upload a custom sequence to the API. Make sure it is added as the in sequence.
- Go to the Manage tab and save and publish your API.
Testing the API with threat detection enabled.
- Let’s invoke it again with the malicious payload {"pizza": {"id": "105 OR '1'='1';"}}.
- This time the gateway responds with a message saying that an SQL injection was detected and drops the request.
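The regex sequence itself lives in the repository file named above and is not reproduced here. As an added example that is not the project's code, the Python below models what the gateway's regular expression protector does to an incoming request: match a pattern against the request path, the headers and the body, and drop the message on a hit instead of forwarding it to the backend. The pattern, the screen_request and gateway function names, and the error text are assumptions for illustration, not the protector's real configuration or output.

```python
import json
import re
from urllib.parse import unquote

# Illustrative pattern standing in for the regex configured in the post's
# regex_policy_sequence.xml (that file is not reproduced here, so this pattern
# is an assumption for demonstration only).
SQLI_PATTERN = re.compile(
    r"(?i)(?:'|--|\b(?:OR|AND|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\b)"
)


def _string_leaves(value):
    """Yield every string scalar inside a decoded JSON document, depth first."""
    if isinstance(value, dict):
        for item in value.values():
            yield from _string_leaves(item)
    elif isinstance(value, list):
        for item in value:
            yield from _string_leaves(item)
    elif isinstance(value, str):
        yield value


def screen_request(path, headers, body):
    """Return None if no part of the request matches, else where and what matched.

    Mirrors the three places a gateway protector can inspect: the request path,
    the headers and the body. The path is percent-decoded and JSON string values
    are checked after decoding, so the comparison happens on the same form of the
    data the backend would eventually see."""
    candidates = [("path", unquote(path))]
    candidates += [("header:" + name, value) for name, value in headers.items()]
    candidates.append(("body", body))
    for location, text in candidates:
        found = SQLI_PATTERN.search(text)
        if found:
            return {"location": location, "match": found.group(0)}
    try:
        decoded = json.loads(body) if body else None
    except ValueError:
        decoded = None  # non-JSON body: the raw scan above is all we can do
    for leaf in _string_leaves(decoded):
        found = SQLI_PATTERN.search(leaf)
        if found:
            return {"location": "body-json", "match": found.group(0)}
    return None


def gateway(path, headers, body):
    """Constructed stand-in for the gateway's in sequence: drop on a hit, else forward."""
    finding = screen_request(path, headers, body)
    if finding:
        # Constructed error body; the real gateway's message text is not shown on the page.
        return {"status": 400,
                "body": {"error": "Threat detected in " + finding["location"],
                         "detail": "possible SQL injection: " + finding["match"]}}
    return {"status": 200, "forwarded_body": body}


if __name__ == "__main__":
    CLEAN = '{"pizza": {"id": "105"}}'            # the post's normal request
    MALICIOUS = '{"pizza": {"id": "105 OR \'1\'=\'1\';"}}'   # the post's injected request
    for payload in (CLEAN, MALICIOUS):
        print(payload, "->", gateway("/pizza", {"Content-Type": "application/json"}, payload))
```

Two design points worth carrying into a real configuration: percent-decoding the path and inspecting decoded JSON values means encoded input is compared in the form the backend would process, and a broad pattern like this one will also reject legitimate values containing an apostrophe or the word "or", so tune the expression to the API's actual fields and keep the backend's parameterized queries in place rather than relying on the gateway alone.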
There you have it. We have successfully mitigated an SQL injection using the WSO2 API Manager. For more on threat prevention and detection you can read this documentation.
References
[1] https://docs.wso2.com/display/AM2xx/Gateway+Threat+Protectors+for+API+Manager
[2] https://dzone.com/articles/writing-java-microservices-with-wso2-microservices
[3] https://wso2.com/products/microservices-framework-for-java/
[4] https://docs.wso2.com/display/AM220/Subscribe+to+an+API
[5] https://docs.wso2.com/display/AM220/Create+and+Publish+an+API