Block Special character in request body in TYK-gateway

Hi There,

We are trying to solve one security defect at the TYK API gateway level, i.e.

if we request the API using Postman
https://xyz.com/pdd/xxx/d4/Location?city=xyz<script>alert(1)</script>

we are still getting the response for the records. Do we have any security configuration at the TYK gateway level so that we can blacklist <script>alert(1)</script>?

Regards
Rohit Thakur

I did it with this definition:

/.<script>alert(1)</script>.

API call:

$ curl --globoff -X GET "http://tyk-gateway.localhost:8080/httpcodes/anything/Location=xyz
{
"customErrorTemplate": "This is a custom error response template for HTTP 403 responses using JSON",
"error": "Requested endpoint is forbidden"
}

The definition:

The correct API is like this. If I want to block <script>alert(1)</script>, how should I do it in the TYK Community Edition?

Hi
Sorry, missed your message. Hope you managed, but in general, it’s the same.
You can check it in this doc.

"url_rewrites": [{
  "path": "match/me",
  "method": "GET",
  "match_pattern": "(\\w+)/(\\w+)",
  "rewrite_to": "my/service?value1=$1&value2=$2"
}],
  • match_pattern: This is the actual capture group to generate. This is a pure regex, in this case we are capturing two-word groups.
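The two mechanisms discussed in this thread, a regex entry in the black_list and a url_rewrites rule with capture groups, can be emulated in a few lines to see how the matching behaves before touching a live gateway. The example below is added here and is not Tyk's own code: it assumes an API definition fragment shaped like the extended_paths snippet above (the black_list entry is constructed), assumes the gateway applies the regex to the decoded path plus query string (in Tyk itself, check the docs for whether the query is included), and the `is_blacklisted` and `apply_rewrite` helpers are hypothetical names. URL-decoding and case-insensitive matching are added deliberately, because a blocklist that only looks at the literal bytes `<script>` misses trivially encoded variants; the gateway rule should be treated as defence in depth, with output encoding in the backend as the real XSS fix.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed API definition fragment, modelled on the extended_paths layout
# quoted in the thread. Assumed shape; not Tyk's own configuration schema.
API_DEF = {
    "extended_paths": {
        "black_list": [
            # Regex path: anything containing a <script> tag is forbidden.
            {"path": r".*<script>.*", "method": "GET"},
        ],
        "url_rewrites": [{
            "path": "match/me",
            "method": "GET",
            "match_pattern": r"(\w+)/(\w+)",
            "rewrite_to": "my/service?value1=$1&value2=$2",
        }],
    }
}


def is_blacklisted(url, method="GET"):
    """Return True if the decoded path+query matches a black_list regex.

    Decoding and IGNORECASE are assumptions added for robustness; the
    thread does not say whether Tyk itself decodes before matching.
    """
    parts = urlsplit(url)
    target = unquote(parts.path)
    if parts.query:
        target += "?" + unquote(parts.query)
    for entry in API_DEF["extended_paths"]["black_list"]:
        if entry["method"] != method:
            continue
        if re.search(entry["path"], target, re.IGNORECASE):
            return True
    return False


def apply_rewrite(path, method="GET"):
    """Apply the first matching url_rewrites rule, substituting $1, $2, ...

    Returns the rewritten target, or the original path if no rule matches.
    """
    for rule in API_DEF["extended_paths"]["url_rewrites"]:
        if rule["method"] != method:
            continue
        m = re.search(rule["match_pattern"], path)
        if not m:
            continue
        rewritten = rule["rewrite_to"]
        # Replace capture-group references in the same order they were captured.
        for i, group in enumerate(m.groups(), start=1):
            rewritten = rewritten.replace(f"${i}", group)
        return rewritten
    return path


if __name__ == "__main__":
    # Constructed sample requests; the first two reuse the thread's test payload.
    for url in (
        "https://xyz.com/pdd/xxx/d4/Location?city=xyz<script>alert(1)</script>",
        "https://xyz.com/pdd/xxx/d4/Location?city=xyz%3Cscript%3Ealert(1)%3C/script%3E",
        "https://xyz.com/pdd/xxx/d4/Location?city=xyz",
    ):
        print("403" if is_blacklisted(url) else "200", url)
    print(apply_rewrite("match/me"))
```

Running the script prints 403 for both the literal and the percent-encoded payload and 200 for the clean request, and shows `match/me` being rewritten to `my/service?value1=match&value2=me`, which is the capture-group behaviour the match_pattern bullet describes.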