Hey, Apigee community 
This is a summary of an article from my blog where I discuss how to implement security for Apigee proxies. Check out the full article here where I share detailed vulnerability examples!
Apigee provides powerful tools like MatchesPath and others for defining conditional behaviour based on request variables such as the request path. However, using these operators can lead to unexpected behaviour, especially when it comes to URL path parameter separators like semicolons (;), commas (,), and equal signs (=).
Did you know? The MatchesPath operator handles these separators in a way that can lead to security vulnerabilities in your APIs.
Whatβs the Issue?
When using MatchesPath, Apigee ignores everything after a path parameter separator during pattern matching. This means that a request to /path;extra might be incorrectly matched to a condition expecting /path, potentially bypassing important security checks or routing logic.
Why Does This Matter?
- Access Control Bypasses: Attackers can manipulate URLs to access restricted resources.
- Misrouted Requests: Requests might be sent to unintended backends, exposing sensitive data.
- Inconsistent Validations: Security checks might be circumvented due to overlooked path segments.
Real-World Vulnerabilities
In practice, these quirks have led to significant security issues:
- Misconfigured Flows: Conditional flows matched unexpected paths, allowing requests to reach unintended endpoints.
- Authentication Bypasses: JavaScript-based access controls were circumvented using cleverly crafted URLs.
- Sensitive Data Exposure: Improper handling of paths led to leakage of JWT tokens and other confidential information.
How Can You Protect Your APIs?
- Use Precise Matching: Prefer strict equality (==) for static paths to eliminate ambiguity.
- Review Regular Expressions: Create regex patterns that accurately reflect the expected paths and take into account path separators.
- Conduct Sandbox Testing: Test various URL manipulations in a safe environment to identify potential issues before going live.
- Leverage Tools for Detection: Tools like CodeSent can detect when MatchesPath is applied to static paths, helping to quickly identify and fix potential vulnerabilities.