What is Body Data?
Body data is the main content sent in POST, PUT, and PATCH requests. It contains the actual information being submitted - form data, JSON payloads, file uploads, or API commands.
Common Body Data Formats
JSON (application/json)
{
"username": "user@example.com",
"password": "secret123",
"remember": true
}
username=user%40example.com&password=secret123&remember=true
------WebKitFormBoundary
Content-Disposition: form-data; name="file"
Content-Type: image/jpeg
[binary data]
------WebKitFormBoundary
XML (application/xml)
<request>
<username>user@example.com</username>
<password>secret123</password>
</request>
Plain Text (text/plain)
Using Body Data in Policies
Basic Examples
Check for specific field:
Field Type: Body Data Reference
Field Reference: email
Operator: contains
Value: @suspicious.com
Action: Challenge
Validate required fields:
Field Type: Body Data Reference
Field Reference: user.age
Operator: is not present
AND
Field Type: Request Path
Operator: equals
Value: /register
Action: Block
Advanced JSON Navigation
For nested JSON objects, use path notation:
{
"user": {
"profile": {
"email": "test@example.com"
}
}
}
Access with: user.profile.email or user->profile->email
Array Access
{
"items": [
{ "id": 1, "name": "First" },
{ "id": 2, "name": "Second" }
]
}
Access with:
items[0].name - First item’s name
items[].name - Any item’s name
Security Patterns
SQL Injection Detection
Field Type: Body Data Reference
Field Reference: search
Operator: matches regex
Value: (SELECT|UNION|DROP|INSERT|UPDATE|DELETE).*FROM
Action: Block
XSS Prevention
Field Type: Body Data Reference
Field Reference: comment
Operator: contains any
Values:
- <script
- javascript:
- onerror=
- onclick=
Action: Block
Command Injection
Field Type: Body Data Reference
Field Reference: filename
Operator: contains any
Values:
- ../
- ;
- |
- &&
- $(
Action: Block
Security AlertNever trust body data! Always validate and sanitize on the server side, even with Esper policies in place.
Size and Content Validation
Prevent Large Payloads
Field Type: Body Size
Operator: greater than
Value: 10485760 # 10MB
Action: Block
Enforce Content Types
Field Type: Request Path
Operator: equals
Value: /api/upload
AND
Field Type: Header
Field Reference: Content-Type
Operator: not starts with
Value: multipart/form-data
Action: Block
Best Practices
DO:
- Validate structure - Ensure expected fields exist
- Check data types - Numbers should be numbers
- Limit sizes - Prevent resource exhaustion
- Sanitize inputs - Block dangerous characters
- Log suspicious patterns - For security analysis
- Use specific paths - Target exact fields in JSON
DON’T:
- Parse complex formats in policies - Do that server-side
- Store sensitive data in logs
- Trust client validation - Always verify server-side
- Block common words - Too many false positives
- Ignore encoding - Base64 can hide attacks
Working with Different Content Types
JSON API Protection
# Ensure valid JSON structure
Field Type: Header
Field Reference: Content-Type
Operator: equals
Value: application/json
AND
Field Type: Body Data
Operator: is valid JSON
Action: Continue
ELSE
Action: Block
# Check for required form fields
Field Type: Body Data Reference
Field Reference: email
Operator: matches regex
Value: ^[^@]+@[^@]+\.[^@]+$
AND
Field Type: Body Data Reference
Field Reference: terms_accepted
Operator: equals
Value: true
File Upload Security
# Restrict file types
Field Type: Body Data Reference
Field Reference: file.content_type
Operator: not in
Values:
- image/jpeg
- image/png
- application/pdf
Action: Block
Common Attack Patterns
Password Spraying
# Many attempts, same password
Field Type: Body Data Reference
Field Reference: password
Operator: equals
Value: Password123
Window: 5 minutes
Threshold: 10
Action: Block
Credential Stuffing
# Rapid login attempts
Field Type: Request Path
Operator: equals
Value: /login
AND
Field Type: Body Data Reference
Field Reference: username
Operator: is present
Window: 1 minute
Threshold: 20
Action: Block
API Abuse
# Excessive data requests
Field Type: Body Data Reference
Field Reference: limit
Operator: greater than
Value: 1000
Action: Challenge
Encoding Challenges
Base64 Detection
Field Type: Body Data Reference
Field Reference: data
Operator: matches regex
Value: ^[A-Za-z0-9+/]+=*$
Action: Decode and inspect
URL Encoding
# Detect encoded attacks
Field Type: Body Data
Operator: contains
Value: %3Cscript
Action: Block # URL encoded <script
Troubleshooting
“Can’t access nested fields”
- Check JSON structure
- Verify path notation
- Ensure proper parsing
- Look for array vs object
“Policy not matching body content”
- Confirm Content-Type header
- Check encoding (UTF-8, etc.)
- Verify body size limits
- Test with exact payload
Advanced Patterns
Business Logic Validation
# Prevent price manipulation
Field Type: Body Data Reference
Field Reference: items[].price
Operator: any less than
Value: 0
Action: Block
Data Consistency Checks
# Email fields must match
Field Type: Body Data Reference
Field Reference: email
NOT EQUALS
Field Type: Body Data Reference
Field Reference: confirm_email
Action: Block