L7 protection (XSS, SQL injection) policies


#1

Hello.

I’ve been trying to find a good way to implement L7 protection policies like XSS and SQL injection with Istio but haven’t had any luck so far. Something along the lines of modsecurity for nginx.

What’s a good way to do something like this in Istio?

I’ve looked at Envoy filters but none of the existing ones seem to fit here, so that would mean creating a custom one, not to mention the backward compatibility issue described here: https://istio.io/docs/reference/config/istio.networking.v1alpha3/#EnvoyFilter

Traditional API gateways like Kong and Apigee provide policies and/or plugins to deal with these kinds of scenarios:
https://docs.apigee.com/api-platform/reference/policies/regular-expression-protection#abouttheregularexpressionprotectionpolicy-exampleblacklistpatterns


#2

Currently there is no direct way to do this, you probably have to implement the code for detecting and preventing the XSS or SQL injection.

Looking at the link you provided, it seems you want to execute a regular expression against the payload (or header) of a request to detect and prevent the XSS/SQL injection, is that right?

One way is to use the EnvoyFilter with the Lua filter, I think this should be able to match the payload with regular expression.

The other way is to write your own mixer adapter to do this, but the latency may be a concern as it introduces another network round-trip between envoy and mixer server.

This is a good use case, could you provide some more information, like the way you’re wishing to use it and any aspects you care about for the policy, like supported protocol, performance and flexibility? Thanks!
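As an added illustration of the EnvoyFilter-plus-Lua route suggested in this reply (this is not code from the thread or from the Istio project), the manifest below injects Envoy's Lua HTTP filter at the Istio ingress gateway and rejects requests whose path or body matches a short, constructed list of patterns. It assumes the current EnvoyFilter API (`configPatches`), Istio's default `istio: ingressgateway` workload label, and Envoy's `envoy.filters.http.lua` filter with `inlineCode`; the pattern list is illustrative only and not a vetted rule set.

```yaml
# Added example, not part of the original thread: EnvoyFilter that inserts a Lua
# filter before the router at the ingress gateway. Assumes the configPatches API
# and the default ingress gateway labels.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: l7-pattern-block
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Constructed, illustrative Lua patterns (Lua patterns, not PCRE).
            -- Tune against real traffic before relying on them.
            local patterns = {
              "union%s+select",
              "<%s*script",
              "'%s*or%s*'",
              "or%s+1%s*=%s*1",
            }

            -- Returns the first pattern that matches, or nil.
            local function matches(s)
              if s == nil then return nil end
              local lowered = string.lower(s)
              for _, p in ipairs(patterns) do
                if string.find(lowered, p) then return p end
              end
              return nil
            end

            function envoy_on_request(request_handle)
              local hit = matches(request_handle:headers():get(":path"))
              if hit == nil then
                -- body() buffers the whole request body in the proxy; keep
                -- request size limits in place so this stays bounded.
                local body = request_handle:body()
                if body ~= nil and body:length() > 0 then
                  hit = matches(body:getBytes(0, body:length()))
                end
              end
              if hit ~= nil then
                request_handle:logWarn("L7 policy block, pattern: " .. hit)
                request_handle:respond(
                  { [":status"] = "403", ["content-type"] = "text/plain" },
                  "request blocked by L7 policy\n")
              end
            end

            function envoy_on_response(response_handle)
              -- No response-side checks in this example.
            end
```

Two things to keep in mind when evaluating this approach: the path is matched as received (no URL decoding or normalisation), so it will miss encoded variants, and `body()` forces Envoy to buffer every request body, which costs memory and latency on large uploads. Watch the gateway logs for the `L7 policy block` line to measure false positives before enforcing it broadly.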


#3

The use case is to have a generic enough way to prevent well-known attacks (e.g. OWASP’s Top Ten) without causing too much overhead, something like ModSecurity and its Apache and Nginx “connectors” do.

I guess ideally I’d like something like a Mixer Adapter that can be running in my mesh and then it would act like a quota or RBAC adapter by blocking requests that are deemed dangerous.

Currently the easiest and most reliable way to get something like this to work in a production environment would be to use ModSecurity via ModSecurity-Nginx, but for that to work I would have to switch from Istio’s default Ingress controller to ingress-nginx (https://github.com/kubernetes/ingress-nginx), which would then bring about a whole new set of unknowns (e.g. is there any Istio functionality that requires the default Ingress controller from Istio?).

One other option I guess would be using a custom EnvoyFilter like you mentioned, and in fact I found something done along those lines (https://github.com/octarinesec/ModSecurity-envoy) but it’s very experimental, so any work along these lines would require extensive tests and hardening before it’s production-ready.