As per the Apigee docs for the OWASP Top 10, which indicate the following OWASP items, I have a question on the two OWASP items listed.
A8:2017 - Insecure Deserialization
The cache and other policies can be used to protect against replay attacks
We have Apigee docs describing the cache policy, but I am not sure if we have any sample covering the above statement; how this is covered is not explained in much detail.
A8:2013 - Cross-Site Request Forgery (CSRF):
Consider using HMAC, state, hash, nonce, or PKCE techniques to prevent forgery and replay attacks.
Do we have any sample showing such a working implementation?
A1:2017 - Injection: To protect against untrusted data injection like SQL, NoSQL, LDAP
The Apigee docs list SQL Injection (using the RegularExpressionProtection policy); do we have similar aspects of injection covered for NoSQL and LDAP using RegularExpressionProtection?
> A8:2017 - Insecure Deserialization
You can use PopulateCache/LookupCache to manually decide what data to store. On the first instance of a call, PopulateCache with an appropriate hash, nonce, etc., and on every call check to see if LookupCache returns a stored value for that hash/nonce/etc.
> A8:2013 - Cross-Site Request Forgery (CSRF)
How exactly you implement this is going to vary a lot depending on your API use case.
> A1:2017 - Injection: To protect against untrusted data injection like SQL, NoSQL, LDAP
The RegularExpressionProtection policy can protect against more or less any kind of injection you want to check for, with the only limitation being that you must write appropriate regular expressions to match the injected language syntax yourself. You can see some examples here:
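The LookupCache/PopulateCache replay check described in the answer above, as an added example that is not part of the original thread and not taken from the Apigee docs. It assumes clients send a unique X-Nonce header with every request; the policy names (LookupNonce, RejectReplay, MarkNonce, PopulateNonce), the cache prefix and the variable names are illustrative choices for this example. Each policy element below would normally live in its own file under apiproxy/policies/, and the flow fragment in apiproxy/proxies/default.xml.

```xml
<!-- Added example, not from the Apigee docs or the thread: replay protection
     keyed on a per-request nonce. Assumed: clients send X-Nonce; all names
     are illustrative. Each policy is its own file under apiproxy/policies/. -->

<!-- LookupNonce.xml: has this nonce been seen within the cache TTL? -->
<LookupCache name="LookupNonce">
  <Scope>Exclusive</Scope>
  <CacheKey>
    <Prefix>replay-nonce</Prefix>
    <KeyFragment ref="request.header.x-nonce"/>
  </CacheKey>
  <!-- If the key exists its stored value lands here; the flow below uses
       lookupcache.LookupNonce.cachehit instead, which is true only on a hit. -->
  <AssignTo>nonce.previous</AssignTo>
</LookupCache>

<!-- RejectReplay.xml: used both for a missing nonce and for a repeated one. -->
<RaiseFault name="RejectReplay">
  <FaultResponse>
    <Set>
      <StatusCode>409</StatusCode>
      <ReasonPhrase>Conflict</ReasonPhrase>
      <Payload contentType="application/json">{"error":"missing or replayed nonce"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- MarkNonce.xml: PopulateCache stores the value of a flow variable, so set
     a marker variable first; the content of the value does not matter here. -->
<AssignMessage name="MarkNonce">
  <AssignVariable>
    <Name>nonce.marker</Name>
    <Value>seen</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- PopulateNonce.xml: remember the nonce. The TTL (300 s here, an assumed
     value) must be at least as long as the timestamp window you accept,
     otherwise an old request becomes replayable once its entry expires. -->
<PopulateCache name="PopulateNonce">
  <Scope>Exclusive</Scope>
  <CacheKey>
    <Prefix>replay-nonce</Prefix>
    <KeyFragment ref="request.header.x-nonce"/>
  </CacheKey>
  <ExpirySettings>
    <TimeoutInSec>300</TimeoutInSec>
  </ExpirySettings>
  <Source>nonce.marker</Source>
</PopulateCache>

<!-- apiproxy/proxies/default.xml: wire the steps into the request PreFlow.
     Order matters: reject a missing nonce before the lookup, because an
     absent header would otherwise give every such request the same key. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Condition>request.header.x-nonce = null</Condition>
        <Name>RejectReplay</Name>
      </Step>
      <Step>
        <Name>LookupNonce</Name>
      </Step>
      <Step>
        <Condition>lookupcache.LookupNonce.cachehit = true</Condition>
        <Name>RejectReplay</Name>
      </Step>
      <Step>
        <Name>MarkNonce</Name>
      </Step>
      <Step>
        <Name>PopulateNonce</Name>
      </Step>
    </Request>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/example</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Two caveats a practitioner should keep in mind. First, a nonce on its own only stops byte-for-byte replay; an attacker who can modify the request simply picks a fresh nonce, so the nonce (and a timestamp) should be covered by the HMAC the docs mention, and the signature verified before these steps run. Second, the lookup and the populate are two separate policies, not one atomic operation, so two identical requests arriving at the same instant can both pass the lookup before either populates the cache; if that window matters for your use case, handle idempotency at the backend as well.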
@Christian King Thanks for your response.
For the listed OWASP A1:2017 - Injection: To protect against untrusted data injection like SQL, NoSQL, LDAP
When I refer to the Apigee doc, it only lists "blacklist patterns" for SQL Injection, Server-Side Include Injection, XPath Abbreviated Syntax Injection, XPath Expanded Syntax Injection, JavaScript Injection and Java Exception Injection; I could not find a blacklist pattern specifically for NoSQL or LDAP.
Let me know if I am missing anything.
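Since the Apigee docs give no NoSQL or LDAP patterns, here is an added example of a RegularExpressionProtection policy that supplies them. This is not from the Apigee docs or the thread; the regular expressions are starting points written for this example (the answer above is right that you have to write them yourself), and the request shape is assumed: a filter and a uid parameter, arriving either as query parameters or as fields of a JSON body.

```xml
<!-- Added example, not an Apigee-supplied blacklist: RegularExpressionProtection
     patterns for NoSQL (MongoDB-style operator) and LDAP filter injection.
     Assumed request shape: ?filter=...&uid=... or a JSON body with
     "filter" and "uid" fields. Any match rejects the request with a fault. -->
<RegularExpressionProtection name="REP-NoSQL-LDAP">
  <Source>request</Source>
  <!-- true so that a GET without a body, or a POST without a query string,
       does not fail on the request.content / request.querystring checks. -->
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>

  <!-- NoSQL, value position: filter={"$ne":null}, {"$where":"..."} etc.
       The operator list is illustrative; extend it for your query language. -->
  <QueryParam name="filter">
    <Pattern>\$(where|ne|eq|gt|gte|lt|lte|in|nin|regex|or|and|nor|not|exists|expr|function)\b</Pattern>
  </QueryParam>

  <!-- NoSQL, key position: filter[$ne]=1 is parsed by many frameworks into an
       operator object, but it never becomes the value of a named parameter,
       so inspect the raw query string for a bracketed $operator. -->
  <Variable name="request.querystring">
    <Pattern>\[\$[A-Za-z]+\]</Pattern>
  </Variable>

  <!-- NoSQL in JSON bodies: operator keys such as "username": {"$ne": null}.
       Matching the raw body catches the key wherever it is nested. -->
  <Variable name="request.content">
    <Pattern>"\$[A-Za-z]+"\s*:</Pattern>
  </Variable>

  <!-- LDAP: the filter metacharacters that let a value break out of
       (uid=<value>) into (uid=*)(|(objectClass=*)) and similar:
       parentheses, asterisk, backslash and NUL. -->
  <QueryParam name="uid">
    <Pattern>[()*\\\x00]</Pattern>
  </QueryParam>
  <JSONPayload>
    <JSONPath>
      <Expression>$.uid</Expression>
      <Pattern>[()*\\\x00]</Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>
```

The limitation the answer above points out applies here in full: this is a denylist, so anything not in the list gets through (for LDAP, for example, `\2a` is the hex-escaped form of `*` that some servers accept). Where a field has a known format, a pattern that rejects everything outside it is stronger and shorter; for a uid limited to letters, digits, dot, underscore and hyphen, `[^A-Za-z0-9._-]` as the uid pattern rejects every metacharacter at once. The same policy only inspects what the proxy can see, so the backend's own parameterised queries and escaping remain the primary control, which is what the follow-up question about which injections the backend is actually vulnerable to is getting at.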
Do you know what injection attacks your backend is vulnerable to?