We have the following policy to scan the JSON payload of POST requests for any XML or JavaScript injections.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="XSS-Injection-Protection-On-Request-Body">
    <DisplayName>XSS Injection Protection on Request Body</DisplayName>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <JSONPayload>
        <JSONPath>
            <Expression>$</Expression>
            <Pattern><![CDATA[[\s]*(?i)(<\s*script\b[^>]*>)]]></Pattern>
            <Pattern>.*[<>=]+.*</Pattern>
        </JSONPath>
    </JSONPayload>
    <Source>request</Source>
</RegularExpressionProtection>
For typical requests that have about 70 lines of JSON data (when pretty printed) this policy takes about 200 milliseconds to scan/parse the request body. But whenever a request has a larger payload this policy execution takes longer, resulting in longer response times (we noticed that this policy takes around 3 seconds to parse a 700-line JSON payload).
So I was wondering if there's something I need to fine-tune in the regex here, or a better way of implementing this policy? Please advise.
Hmmm 3 seconds? That seems unacceptable.
Is this a paid organization? or a trial org ?
If I were investigating this, I'd do these two things:
1. Try to apply the regex to the plaintext payload. The way you are doing it, the policy first de-serializes the content into a JSON object, and then analyzes the properties in that object. You could skip the first step and just treat the input as text. Policy config like this:
<RegularExpressionProtection name="XSS-Injection-Protection-On-Request-Body">
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Variable name="request.content">
        <Pattern>REGEX PATTERN</Pattern>
        <Pattern>REGEX PATTERN</Pattern>
    </Variable>
</RegularExpressionProtection>
The JSONPayload element is most useful if you want to apply the regex test to a sub-selection of the JSON. You're not doing that here, so avoid the use of the element.
2. Write a simple Java callout to match the regex on the text. I don't know the extent to which the regex is cached by the built-in policy. In your custom code, you could use a final static Pattern object, pre-compiled, to make sure you are getting the fastest performance. Here again, operate on the request.content, not on a JSON-de-serialized object.
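Editor's note: the following is an added example of the Java callout described in the answer above; it is not code from the original thread or from Apigee. It assumes the standard Apigee Java callout interface (com.apigee.flow.execution.Execution, with execute(MessageContext, ExecutionContext)) and that request.content holds the raw request body as a String; the package and class names, and the regex.matched flow variable it sets, are hypothetical. The two patterns are rewritten so that they match exactly the same inputs as the originals under find() but without the leading .* and [\s]*, which only add backtracking work on a large body that contains no match: .*[<>=]+.* matches a body if and only if [<>=] does, because both .* can match the empty string.

```java
package com.example.callout; // hypothetical package name

import java.util.Map;
import java.util.regex.Pattern;

import com.apigee.flow.execution.Execution;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.message.MessageContext;

/**
 * Scans the raw request body for the same two signatures as the
 * RegularExpressionProtection policy in the question, using patterns
 * compiled once per class load instead of per request.
 */
public class RequestBodyRegexCallout implements Execution {

    // Compiled once, shared by all requests on this message processor.
    // Pattern 1: original [\s]*(?i)(<\s*script\b[^>]*>) with the no-op
    //            leading [\s]* dropped and the (?i) expressed as a flag.
    // Pattern 2: original .*[<>=]+.* reduced to the single character class
    //            that decides the match; same matches, linear scan.
    private static final Pattern[] PATTERNS = {
        Pattern.compile("<\\s*script\\b[^>]*>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("[<>=]")
    };

    // Apigee instantiates the callout with the <Property> map from the policy XML.
    public RequestBodyRegexCallout(Map<String, String> properties) {
    }

    /** Returns true if any of the precompiled patterns is found in the body. */
    static boolean containsInjection(String body) {
        if (body == null || body.isEmpty()) {
            return false;
        }
        for (Pattern p : PATTERNS) {
            if (p.matcher(body).find()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public ExecutionResult execute(MessageContext messageContext,
                                   ExecutionContext executionContext) {
        // Operate on the plain text body; no JSON deserialization.
        Object content = messageContext.getVariable("request.content");
        String body = content == null ? "" : content.toString();

        boolean matched = containsInjection(body);
        // Hypothetical variable name; a later RaiseFault policy can condition on it.
        messageContext.setVariable("regex.matched", Boolean.toString(matched));

        return matched ? ExecutionResult.ABORT : ExecutionResult.SUCCESS;
    }
}
```

Two caveats for anyone adopting this: the [<>=] check rejects any body containing an equals sign, so a JSON value such as a URL with a query string will be blocked exactly as it is by the original policy; and keeping the patterns in a static final array means any change requires a redeploy of the callout JAR rather than an edit to policy XML.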