Looking for the plugin's configuration parameters? You can find them in the Injection Protection configuration reference doc.
You can use the Injection Protection plugin to detect and block known injection patterns consistent with SQL injection, server-side include injection, and more. This plugin can complement your existing firewall solution by adding a layer of customizable protection to prevent injection attacks, or it can eliminate some content-based attacks if you don’t have an existing firewall.
The Injection Protection plugin makes it easier to protect your APIs from SQL injection or other injection attacks by providing out-of-the box regex matching for common injection attacks. You can also configure custom regex matching.
The Injection Protection plugin helps you detect and block known injection patterns by doing the following:
- Extracts information from request headers, path/query parameters, or the payload body and evaluates that content against predefined regular expressions
- Rejects the requests that match the regular expressions with a configurable HTTP status code and error message
- Logs information about rejected requests for analytics and reporting
How does the Injection Protection plugin work?
Depending on what you have configured in the plugin’s config, the Injection Protection plugin functions in the following manner, in order of execution:
- The plugin extracts the specified content (headers, path/query parameters, payload body) from a client request.
- The plugin checks the extracted content for matches against the specified predefined or custom regexes. These regexes define patterns that match well-known injection attacks.
- Depending on whether the content matches, the plugin does one of the following:
  - Regex doesn't match: The plugin allows the request and sends a 200 status code to the client.
  - Regex match: The plugin blocks the request by sending a 400 status code to the client and sends Kong Gateway an error log that contains the name of the injection type, the content that matched the pattern, and the regex that matched the content. You can also configure the plugin to only log matches and allow requests that match to still be proxied.
The following diagram shows how the Injection Protection plugin detects injections and is configured to block and log matches:
```mermaid
sequenceDiagram
    actor Consumer
    participant IP as Injection Protection plugin
    participant KG as Kong Gateway
    Consumer->>IP: Sends a request
    alt No regex match
        IP->>Consumer: 200 OK
    else Regex match
        IP->>Consumer: 400 Bad Request
        IP->>KG: Logs injection
    end
```
Predefined regex patterns
The Injection Protection plugin comes with several pre-built regex patterns that match common injection attacks. You can enable or disable these patterns when you configure the plugin to easily block common attacks.
| Injection type | Regex | Description |
|---|---|---|
| SQL | `[\s]*((delete)\|(exec)\|(drop\s*table)\|(insert)\|(shutdown)\|(update)\|(\bor\b))` | Detects injection of a SQL query using the input data from the client to the application. |
| Server-side include | `<!--#(include\|exec\|echo\|config\|printenv)\s+.*` | Detects scripts injected in HTML pages. |
| XPath abbreviated | `(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+` | Detects intentionally malformed information that is sent to a website with the intention of constructing an XPath query for XML data, specifically in abbreviated syntax. |
| XPath extended | `/?(ancestor(-or-self)?\|descendant(-or-self)?\|following(-sibling))` | Detects intentionally malformed information that is sent to a website with the intention of constructing an XPath query for XML data, specifically in the full syntax. |
| JavaScript | `<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>` | Detects arbitrarily injected JavaScript that is part of a cross-site scripting attack and will execute in the browser. |
| Java exception | `.*?Exception in thread.*` | Detects denial-of-service (DoS) attacks that match Java exception messages. |
How do I create a custom regex for matching?
You can specify a custom regex for matching by using the custom_injections parameter in the Injection Protection plugin config.
To create a custom regex, you must define the following:
- The name of the regex (used in Kong Gateway logs)
- The regex string you want to check for a match
- The content you want to check for a regex match (such as headers, path and query, and body)
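To make the extract, match, and block-or-log flow described above concrete, here is an added Python model of it (not the plugin's own code) that runs the predefined patterns from the table plus a custom_injections-style entry over a constructed request. It assumes the patterns are applied as written (the page does not state any regex flags) and that path_and_query is checked as individual query-parameter values, as the sample log suggests; it also shows why a broad pattern such as XPath abbreviated is worth testing against legitimate traffic before blocking.

```python
import re
from urllib.parse import parse_qsl

# Predefined patterns copied from the table above. Whether the plugin matches
# case-insensitively is not stated on the page, so they are used exactly as written.
PREDEFINED = {
    "sql": r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))",
    "server_side_include": r"<!--#(include|exec|echo|config|printenv)\s+.*",
    "xpath_abbreviated": r"(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+",
    "xpath_extended": r"/?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling))",
    "javascript": r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>",
    "java_exception": r".*?Exception in thread.*",
}
LOCATIONS = ("headers", "path_and_query", "body")


def scan(request, enabled, custom=(), block=True):
    """Evaluate a constructed request dict against the enabled predefined patterns
    plus custom (name, regex, locations) triples. Returns (status_code, findings)."""
    checks = [(name, PREDEFINED[name], LOCATIONS) for name in enabled]
    checks += [tuple(c) for c in custom]
    # Step 1: extract content per location (assumption: query values only for
    # path_and_query, mirroring the "query param value" wording of the sample log).
    content = {
        "headers": list(request.get("headers", {}).items()),
        "path_and_query": parse_qsl(request.get("query", ""), keep_blank_values=True),
        "body": [("body", request.get("body", ""))],
    }
    # Step 2: match every extracted value against every regex enabled for that location.
    findings = []
    for name, pattern, locations in checks:
        regex = re.compile(pattern)
        for loc in locations:
            for key, value in content[loc]:
                match = regex.search(value)
                if match:
                    findings.append({"threat": name, "location": loc, "key": key,
                                     "value": value, "matched": match.group(0),
                                     "regex": pattern})
    # Step 3: block with 400, or allow with 200 when configured to log only.
    return (400 if findings and block else 200), findings


def format_log(finding, block=True):
    """Render a finding like the sample log entry on this page (wording for
    locations other than path_and_query is an assumption)."""
    action = "block" if block else "log_only"
    label = "query param value" if finding["location"] == "path_and_query" else "value"
    return (f"threat detected: '{finding['threat']}', action taken: {action}, "
            f"found in {finding['location']}, {label}: {finding['key']}: {finding['value']}")
```

Note that the predefined SQL pattern as printed does not cover `union select`, which is exactly the kind of gap a custom_injections entry can close.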
How do I collect and read the logs?
Logs are automatically collected when you enable the Injection Protection plugin. You can view the logs with the following options:
- Kong Gateway error log
- Log serializer. You can view these logs with the following plugins:
  - Konnect Advanced Analytics
Here's a sample log entry created by the Injection Protection plugin:

```
threat detected: 'sql', action taken: log_only, found in path_and_query, query param value: foo: insert into test
```
Where:
- The plugin detected a SQL injection threat
- It created a log entry but took no other actions
- The threat was found in the request path or query
- The matching content is foo: insert into test (the foo query parameter and its value)