Injection Protection

​

Technical Overview

The Injection Protection plugin implements a multi-layered defense system to detect and block various injection attacks. It operates in the pre-request stage and analyzes all parts of incoming HTTP requests.

​

Core Components

The detection system is composed of several core components designed to ensure high performance and accuracy in identifying malicious requests.

​

1. Pattern Detection Engine

This component is responsible for identifying malicious patterns using optimized matching techniques.

• Pre-compiled regular expressions for faster performance.
• Case-insensitive pattern matching to detect variations.
• Support for complex attack patterns that span multiple tokens or formats.
• Custom pattern registration to allow user-defined detection logic.

​

2. Request Analyzer

The Request Analyzer dissects incoming HTTP requests and prepares them for pattern inspection.

• Multi-part request analysis, including headers, query parameters, and body content.
• JSON and form-data parsing to normalize structured payloads.
• Recursive object traversal for deeply nested content.
• UTF-8 encoding support to handle all standard web formats.

​

3. Attack Detection System

This system evaluates parsed requests against all registered patterns and coordinates the response logic.

• Real-time pattern matching to immediately detect threats.
• Concurrent request processing for scalability under load.
• Early termination on detection to prevent further processing of malicious requests.
• Detailed attack logging for observability and forensic analysis.

​

SQL Injection Detection

​

Command Injection Detection

Command injection occurs when untrusted input is used to build and execute system-level commands. This plugin detects several patterns commonly associated with command injection attempts.

• Shell Commands

  The plugin can identify execution of typical shell commands that indicate a potential attack:

  • System command execution
  • Process spawning
  • Command chaining

• Shell Shock Patterns

  The following patterns associated with Shellshock vulnerabilities are detected:

  • Environment variables
  • Function definitions
  • Command substitution

• Command Separators

  Special characters used to chain or separate commands are monitored, including:

  • Semicolons (;)
  • Pipes (|)
  • Backticks (`)

​

Path Traversal Detection

Path Traversal vulnerabilities allow attackers to access files and directories outside the intended scope. This plugin detects such attempts using multiple strategies.

• Directory Navigation

  Technique	Description
  Parent directory references	Usage of ../ or ..\\ to move up in the file system hierarchy
  Absolute paths	Direct access to system paths like /etc/passwd or C:\\Windows\\System32
  Symbolic links	Use of symlinks to bypass file access restrictions

• Encoding Variations

  Technique	Description
  URL encoding	Obfuscation using %2e%2e%2f (../) or similar
  Double encoding	Nested encoding such as %252e%252e%252f
  Unicode variants	Alternate character representations like ￭￭/

​

SSRF Detection

Server-Side Request Forgery (SSRF) occurs when an attacker tricks the server into making requests to unintended locations. The plugin detects SSRF attempts through URL patterns and internal access indicators.

• URL Schemes

  Technique	Description
  File protocol	Attempts to access local files using file://
  HTTP/HTTPS	Redirection or access to potentially unsafe endpoints
  Data URIs	Embedding data payloads using data: scheme

• Internal Access

  Technique	Description
  Localhost references	Targets like 127.0.0.1, ::1, or localhost
  Private IP ranges	Access to internal network IPs (e.g., 192.168.x.x, 10.x.x.x)
  DNS rebinding	Manipulating DNS resolution to redirect to internal services

​

Processing Pipeline

The processing pipeline defines the sequence of operations performed on each incoming request, from parsing to final response generation.

• Request Parsing

  Step	Description
  Header extraction	Collect and normalize request headers
  Query parameter parsing	Extract and decode query string values
  Body deserialization	Parse request body (e.g., JSON, form-data)
  Content type handling	Determine how to interpret the body based on Content-Type

• Pattern Matching

  Step	Description
  Regular expression evaluation	Match request content against known attack patterns
  Custom pattern checking	Apply user-defined rules and patterns
  Threshold validation	Evaluate if pattern matches exceed configured limits
  Attack categorization	Classify the type of detected threat

• Decision Making

  Step	Description
  Threat scoring	Assign severity score based on matches and context
  Action determination	Decide whether to block, log, or allow the request
  Response generation	Prepare appropriate HTTP response
  Error handling	Capture and respond to internal processing issues

• Response Generation

  Step	Description
  Status code selection	Return appropriate HTTP status (e.g., 403, 422)
  Error message formatting	Include meaningful messages for blocked requests
  Header modification	Add or modify headers (e.g., for CORS, security)
  Logging and metrics	Record processing outcomes for observability

​

Configuration Details

The plugin allows for flexible configuration of pattern types to adapt to various security needs.

​

Pattern Types

​

Content Analysis

​

Performance Optimization

​

Pattern Matching

• Pre-compiled patterns
• Early termination
• Memory efficient
• CPU optimized

​

Request Processing

• Concurrent handling
• Buffered reading
• Streaming support
• Resource limits

​

Memory Management

• Zero-copy where possible
• Buffer pooling
• Garbage collection friendly
• Memory limits

​

Features

​

Attack Types

The plugin detects the following types of attacks:

​

Configuration

{
  "name": "injection_protection",
  "enabled": true,
  "stage": "pre_request",
  "settings": {
    "content_to_check": ["headers", "path_and_query", "body"],
    "action": "block",
    "status_code": 400,
    "error_message": "Potential security threat detected",
    "predefined_injections": [
      {
        "type": "sql",
        "enabled": true
      },
      {
        "type": "command",
        "enabled": true
      }
    ],
    "custom_patterns": [
      {
        "name": "custom_pattern",
        "pattern": "malicious.*pattern",
        "description": "Custom malicious pattern"
      }
    ]
  }
}

​

Configuration Parameters

​

Usage Example

curl -X POST "http://localhost:8080/api/v1/gateways" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Protected Gateway",
    "subdomain": "protected",
    "required_plugins": [
      {
        "name": "injection_protection",
        "enabled": true,
        "stage": "pre_request",
        "settings": {
          "content_to_check": ["headers", "path_and_query", "body"],
          "action": "block",
          "status_code": 400,
          "predefined_injections": [
            {
              "type": "sql",
              "enabled": true
            },
            {
              "type": "command",
              "enabled": true
            }
          ]
        }
      }
    ]
  }'

​

Best Practices

1. Enable Multiple Attack Types

• Enable relevant attack types for your application
• Consider your application’s attack surface
• Balance security vs false positives

2. Content Selection

• Check all relevant request parts
• Consider performance impact
• Monitor for false positives

3. Custom Patterns

• Keep patterns specific and targeted
• Test thoroughly before deployment
• Document pattern purposes

4. Error Messages

• Use informative but safe messages
• Avoid revealing system details
• Log detailed information internally

​

Performance Considerations

• Uses pre-compiled regex patterns
• Efficient request parsing
• Minimal memory footprint
• Linear scaling with request size
• Concurrent processing support