webMethods

  • 1.  How to prevent XSS in webMethods API Gateway

    Posted 26 days ago

    Hi All.

    How do I protect APIs in API Gateway against XSS attacks? I have enabled the SQL Injection and JSON threat protection policies, and we observed that when JSON with scripts as string values is passed, I see the data getting routed to downstream systems.

    I see this getting posted to downstream systems:

    {
      "fullname": "<script> hello </script>"
    }

    If I pass in ' quotes, I see the SQL injection threat protection getting triggered.

    {
      "fullname": " '<script> hello </script>' "
    }

    So how can I identify XSS and stop it in the threat protection layer itself rather than passing the request to downstream systems?

    Thanks

    Abhijith



    ------------------------------
    Abhijith Parre
    ------------------------------


  • 2.  RE: How to prevent XSS in webMethods API Gateway

    Posted 25 days ago

    Hi @Abhijith Parre

    Can you add more details about your system?

    API Gateway version :
    API Gateway license : Standard or Advanced API Gateway
    There are no out-of-the-box features to capture XSS attacks up to version 10.11, so custom scripts have to be used to catch XSS attacks.



    ------------------------------
    Dinesh Janarthanam
    Software Consultant
    Digital Dubai Authority
    ------------------------------
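    As an added illustration of the "custom script" approach mentioned in the reply above (example code written for this thread, not webMethods API Gateway's own policy API; how such a check is wired into the gateway's threat-protection layer is assumed and not shown): the check parses the JSON body, walks every string value, and reports the JSON path of any value that looks like active HTML content, so the request can be rejected before it is routed downstream. Note that it fires on the bare `<script>` payload from the first post, with no quote character needed, which is exactly the gap the poster observed with the SQL Injection policy.

```javascript
// Added example (not webMethods code): walk a parsed JSON request body and
// report every string value that looks like HTML script injection, so a
// custom gateway check can reject the request before routing it downstream.

// Heuristic patterns for active HTML content inside a data field. These are
// a defender's detection rules, not an exhaustive XSS grammar.
const SCRIPT_LIKE = [
  /<\s*script\b/i,              // <script ...> opening tag
  /<\s*\/\s*script\s*>/i,       // </script> closing tag
  /javascript\s*:/i,            // javascript: URL scheme in href/src
  /<\s*\w+[^>]*\son\w+\s*=/i,   // any tag carrying an on*= event handler
  /<\s*(iframe|object|embed)\b/i, // embedding tags
];

function isScriptLike(value) {
  return SCRIPT_LIKE.some((re) => re.test(value));
}

// Recursively visit every string in the body; returns [{path, value}] for
// each hit. Objects and arrays are traversed; non-string scalars are ignored.
function findScriptLikeStrings(node, path = "$", hits = []) {
  if (typeof node === "string") {
    if (isScriptLike(node)) hits.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findScriptLikeStrings(item, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node)) {
      findScriptLikeStrings(child, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Decide what the threat-protection layer should do with a raw request body.
// Returns {allowed, reason, hits}. Malformed JSON is rejected as well, since
// the check cannot inspect what it cannot parse.
function inspectRequestBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { allowed: false, reason: "invalid JSON", hits: [] };
  }
  const hits = findScriptLikeStrings(parsed);
  if (hits.length > 0) {
    const where = hits.map((h) => h.path).join(", ");
    return { allowed: false, reason: `script-like content at ${where}`, hits };
  }
  return { allowed: true, reason: "clean", hits: [] };
}

// Constructed sample bodies: the payload from the original post, a nested
// one with the other pattern kinds, and a benign one containing a quote and
// angle brackets that must NOT be flagged.
const SAMPLE_BAD = '{"fullname":"<script> hello </script>"}';
const SAMPLE_NESTED =
  '{"user":{"bio":"see <a href=\\"javascript:hello()\\">here</a>"},' +
  '"tags":["ok","<img src=x onerror=hello()>"]}';
const SAMPLE_OK = '{"fullname":"O\'Brien <3 coding","note":"a < b && b > c"}';

if (typeof require !== "undefined" && require.main === module) {
  for (const body of [SAMPLE_BAD, SAMPLE_NESTED, SAMPLE_OK]) {
    console.log(JSON.stringify(inspectRequestBody(body)));
  }
}
```

    The design choice worth noting: the walker reports the JSON path of every offending field rather than a single yes/no, which is what you want in a gateway log when triaging blocked requests, and the benign sample shows that a lone apostrophe or a comparison operator does not trip the check. A gateway-side filter like this is a pre-screen only; the field will still be rendered somewhere downstream, and output encoding in that renderer remains the control that actually neutralises XSS.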



  • 3.  RE: How to prevent XSS in webMethods API Gateway

    Posted 25 days ago
    Hi Dinesh

    Thanks for the reply.

    We are on Advanced API Gateway v10.15. We have enabled threat and SQL injection protection in the threat protection policy. This seems to work only if ' is passed in the request.

    Regards
    Abhijith