Cross Site Scripting (XSS) and SQL Injection Policy Setup

How do I handle Cross Site Scripting (XSS) and SQL Injection at the API proxy level? Are there custom policies that exist to handle these 2 vulnerabilities?


Yes, you can - there are already several articles on this topic, check them out


Nice answer!


@Mukundha Madhavan, thank you!! I got the answer on how to handle SQL Injection.

I believe there is little detail about the policy for Cross Site Scripting (XSS). I see a thread for API Vulnerabilities, but it would be great to have more details for XSS from a policy perspective. Thank you for your help!!

Similar to SQL injection – from an API perspective, it is important to sanitize the input parameters. Look here for detecting script patterns in the policy, specifically the JavaScript injection. As mentioned in the other articles, there are several solutions to handle this at different parts of the stack.

Thanks @Mukundha Madhavan.

I see this JavaScript pattern here: `<\sscript\b[^>]>[^<]+<\s*/\sscript\s>`. But how do I use it in the Pattern tag of the "Regular Expression Protection" policy? Am I referring to the right policy? If I use either `<\sscript\b[^>]>[^<]+<\s*/\sscript\s>` or `<\sscript\b[^>]>[^<]+<\s*/\sscript\s>`, the Pattern tag does not accept this JavaScript pattern. Can you guide me on this?
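As an added example (not part of this thread and not Apigee's own code), the check below runs a script-tag pattern and a SQL-keyword pattern over constructed query parameters, the way a Regular Expression Protection policy would, and shows how a regex containing `<` and `>` has to be XML-escaped before it can sit inside the policy's `Pattern` element. The two regexes are assumed to be the documented forms with their `\s*` and `[^>]*` quantifiers intact, and case-insensitive matching is an assumption.

```python
import re
from xml.sax.saxutils import escape

# Assumed regexes: the forms Apigee's docs use for its Regular Expression
# Protection policy, with the '*' quantifiers that the thread's copy lost.
PATTERNS = {
    "xss": r"<\s*script\b[^>]*>[^<]+<\s*/\s*script\s*>",
    "sqli": r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))",
}
# Case-insensitive matching is an assumption here so <SCRIPT> is caught too.
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in PATTERNS.items()}


def check_value(value: str) -> list[str]:
    """Return the names of the patterns that fire on one parameter value."""
    return [name for name, rx in COMPILED.items() if rx.search(value)]


def check_params(params: dict[str, str]) -> dict[str, list[str]]:
    """Run every pattern over every query parameter; an empty dict means clean.
    A proxy policy would raise a fault for any non-empty result."""
    hits = {}
    for name, value in params.items():
        matched = check_value(value)
        if matched:
            hits[name] = matched
    return hits


def to_pattern_element(regex: str) -> str:
    """Render a regex as the policy's <Pattern> element. The policy file is XML,
    so '<', '>' and '&' inside the regex must be escaped (or wrapped in CDATA);
    pasting the raw pattern is why the Pattern tag appears to reject it."""
    return f"<Pattern>{escape(regex)}</Pattern>"


if __name__ == "__main__":
    # Constructed sample request parameters, not captured traffic.
    sample = {
        "q": "<script>alert(1)</script>",
        "id": "1 or 1=1",
        "name": "hello world",
        "src": "<script src=x></script>",  # empty body: the documented pattern misses it
    }
    print(check_params(sample))
    print(to_pattern_element(PATTERNS["xss"]))
```

Note that the keyword-based SQL pattern is coarse (a value such as "executive" also fires), so it is a detection aid rather than a substitute for parameterised queries downstream.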

Thank you for this, the fourth link appears to be broken... any chance you have the updated link?

I do understand it has been more than 2 years, just checking 🙂