We have some RESTful API services that we have been using for several years. Recently we have started considering surfacing these to 3rd party clients so they can write their own UIs and we can work on building up this service layer. Unfortunately this would mean that we would not have control over enforcing that data is sanitized before posting, or before rendering which leaves a potential risk for XSS (for example if someone were to post data with JavaScript in a textarea that might be saved to the DB).

Our stack is Apache, Tomcat and Java.

Does anyone know of a way to put some kind of filter out in front of these existing API endpoints that could handle sanitizing data both inbound and outbound (although inbound is probably most important)? As mentioned these are long standing APIs that weren't publicly accessible so we had been handling this at the UI layer, but we would like to avoid having to rewrite every existing endpoint to handle sanitization if possible.

Anders
MTP Daily

1 Answer

This is a common need and the usual approach is to do 3 things:

  1. develop a schema that describes acceptable inputs and optionally outputs for each endpoint

    If these APIs are using JSON or XML for their inputs and responses, and have consistent request and response formats per endpoint, there are schema languages for those formats.

    If not, or if the composition of acceptable requests (what fields may exist or not exist, what kinds of values may appear, etc.) requires some context and can't necessarily be generically validated, then this may be challenging.

  2. introduce an API gateway into the architecture

    API gateways are intended to live at the edge of the infrastructure, like a webserver, but to also provide for execution of complex logic, so they all include some runtime language integration.

    Some open source options are:

    Several of these have commercial support options.

  3. Introduce validation logic utilizing the schema definitions into the API gateway for each endpoint.

    The API gateways offer many other benefits beyond request/response validation that matter when exposing APIs: needs like authentication/authorization, rate limiting, metering, metrics, white/blacklisting, caching and transformation are also available.

Jonah Benton