What is Body Data?

Body data is the main content sent in POST, PUT, and PATCH requests. It carries the information actually being submitted: form fields, JSON payloads, file uploads, or API commands. How the body is parsed depends on the request's Content-Type header, so a policy that references body fields is only as reliable as that header is accurate.
MDN Web Docs: Read more on HTTP message body.

Common Body Data Formats

JSON (application/json)

{
  "username": "user@example.com",
  "password": "secret123",
  "remember": true
}

Form Data (application/x-www-form-urlencoded)

username=user%40example.com&password=secret123&remember=true

Multipart (multipart/form-data; boundary=----WebKitFormBoundary)

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="photo.jpg"
Content-Type: image/jpeg

[binary data]
------WebKitFormBoundary--

XML (application/xml)

<request>
  <username>user@example.com</username>
  <password>secret123</password>
</request>

Plain Text (text/plain)

Simple text content
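
The following is an added example (not Esper's code) of how a request body in each of the formats above can be decoded into the field tree that a Body Data Reference is later evaluated against. It is plain Python using only the standard library; the function names, the dict layout for multipart parts, and the sample bodies are assumptions made for this illustration. It also splits the Content-Type header into media type and parameters, which matters for the header checks later on this page: clients commonly send application/json; charset=utf-8 rather than the bare media type.

```python
import email
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs


def parse_content_type(header):
    """Split 'type/subtype; k=v; ...' into (media_type, params).

    'application/json; charset=utf-8' yields ('application/json', {'charset': 'utf-8'}),
    which is why an exact-equality match on 'application/json' is too strict."""
    parts = [p.strip() for p in header.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def parse_body(content_type, body):
    """Decode a raw request body (bytes) into a dict keyed by field name.

    Multipart parts become {'value': bytes, 'filename': str|None, 'content_type': str}
    so a policy can reference something like file.content_type (layout assumed here)."""
    media_type, params = parse_content_type(content_type)
    charset = params.get("charset", "utf-8")

    if media_type == "application/json":
        return json.loads(body.decode(charset))

    if media_type == "application/x-www-form-urlencoded":
        qs = parse_qs(body.decode(charset), keep_blank_values=True)
        # single-valued fields collapse to a string; repeated keys stay lists
        return {k: v[0] if len(v) == 1 else v for k, v in qs.items()}

    if media_type == "multipart/form-data":
        # Reuse the stdlib MIME parser: prepend the Content-Type header (it carries
        # the boundary) so the body becomes a complete multipart message.
        msg = email.message_from_bytes(
            ("Content-Type: %s\r\n\r\n" % content_type).encode("ascii") + body
        )
        if not msg.is_multipart():
            raise ValueError("multipart body did not parse (missing boundary?)")
        fields = {}
        for part in msg.get_payload():
            name = part.get_param("name", header="content-disposition")
            fields[name] = {
                "value": part.get_payload(decode=True),
                "filename": part.get_filename(),
                "content_type": part.get_content_type(),
            }
        return fields

    if media_type in ("application/xml", "text/xml"):
        # ElementTree does not fetch external entities, but it is still exposed to
        # entity-expansion DoS; use defusedxml for untrusted input in production.
        root = ET.fromstring(body.decode(charset))
        return {child.tag: (child.text or "") for child in root}

    if media_type == "text/plain":
        return {"text": body.decode(charset)}

    raise ValueError("unsupported content type: %s" % media_type)


# Constructed sample bodies mirroring the formats above (not captured traffic).
SAMPLE_JSON = b'{"username": "user@example.com", "password": "secret123", "remember": true}'
SAMPLE_FORM = b"username=user%40example.com&password=secret123&remember=true"
SAMPLE_MULTIPART_CT = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
SAMPLE_MULTIPART = (
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="file"; filename="photo.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0JFIF\r\n"
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="remember"\r\n'
    b"\r\n"
    b"true\r\n"
    b"------WebKitFormBoundary7MA4YWxk--\r\n"
)
SAMPLE_XML = b"<request><username>user@example.com</username><password>secret123</password></request>"
```

Note that the same logical field arrives with different types depending on the format: remember is a JSON boolean true but the string "true" in form-encoded and multipart bodies, which is why the Best Practices below say to check data types rather than assume them.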

Using Body Data in Policies

Basic Examples

Check a specific field value:

Field Type: Body Data Reference
Field Reference: email
Operator: contains
Value: @suspicious.com
Action: Challenge

Validate required fields:

Field Type: Body Data Reference
Field Reference: user.age
Operator: is not present
AND
Field Type: Request Path
Operator: equals
Value: /register
Action: Block

Advanced JSON Navigation

For nested JSON objects, use path notation:
{
  "user": {
    "profile": {
      "email": "test@example.com"
    }
  }
}
Access with: user.profile.email or user->profile->email

Array Access

{
  "items": [
    { "id": 1, "name": "First" },
    { "id": 2, "name": "Second" }
  ]
}
Access with:
  • items[0].name - First item’s name
  • items[].name - Any item’s name
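
An added example (not part of the Esper documentation or product) that implements the path notation above and applies the page's operators to the result. It serves both the policy examples under "Using Body Data in Policies" and the navigation rules here: resolve() handles dot and arrow separators, items[0] and items[], while evaluate() and decide() model the rule shape (Field Reference, Operator, Value, Action), including the "any less than" comparison over items[].price used under Advanced Patterns further down the page. The function names, the rule dict layout, the list-of-matches return convention and the treatment of an explicit JSON null as "present" are this example's own assumptions; Esper's actual semantics may differ.

```python
import re

_SEGMENT = re.compile(r"([^\[\]]*)(?:\[(\d*)\])?")


def resolve(body, path):
    """Resolve a Body Data Reference against a parsed body.

    Supports user.profile.email, user->profile->email, items[0].name and
    items[].name. Returns the list of matched values: [] means the field is
    not present; items[] fans out so later segments apply to every element."""
    current = [body]
    for seg in re.split(r"->|\.", path):
        m = _SEGMENT.fullmatch(seg)
        if not m:
            raise ValueError("bad path segment: %r" % seg)
        key, index = m.group(1), m.group(2)
        nxt = []
        for node in current:
            if key:
                if not isinstance(node, dict) or key not in node:
                    continue
                node = node[key]
            if index is None:
                nxt.append(node)
            elif not isinstance(node, list):
                continue                 # [n] or [] applied to a non-array
            elif index == "":
                nxt.extend(node)         # items[] -> every element
            elif int(index) < len(node):
                nxt.append(node[int(index)])
        current = nxt
    return current


def _numeric(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def evaluate(op, values, expected=None):
    """Apply one of the page's operators to the values a reference resolved to.
    List-valued references (items[]) match if any element matches, which is
    what 'any less than' means for items[].price. An explicit JSON null is
    treated as present (assumption)."""
    if op == "is present":
        return len(values) > 0
    if op == "is not present":
        return len(values) == 0
    if op == "equals":
        return any(v == expected for v in values)
    if op == "contains":
        return any(isinstance(v, str) and expected in v for v in values)
    if op == "contains any":
        return any(isinstance(v, str) and any(e in v for e in expected) for v in values)
    if op == "matches regex":
        return any(isinstance(v, str) and re.search(expected, v) is not None for v in values)
    if op in ("greater than", "any greater than"):
        return any(_numeric(v) and v > expected for v in values)
    if op in ("less than", "any less than"):
        return any(_numeric(v) and v < expected for v in values)
    if op == "not in":
        return any(v not in expected for v in values)
    raise ValueError("unknown operator: %s" % op)


def decide(body, conditions, action):
    """AND all conditions, as the page's multi-line rules do; return the
    rule's action when every condition holds, otherwise 'Continue'."""
    for cond in conditions:
        if not evaluate(cond["op"], resolve(body, cond["field"]), cond.get("value")):
            return "Continue"
    return action


# Constructed sample body (not captured traffic).
SAMPLE = {
    "user": {"profile": {"email": "test@example.com"}, "age": None},
    "items": [
        {"id": 1, "name": "First", "price": 9.99},
        {"id": 2, "name": "Second", "price": -1},
    ],
}
```

A reference that walks off the structure (a missing key, an index past the end of the array, or a key applied to a string) resolves to an empty list rather than raising, so "is not present" stays usable as a validation operator; whether your engine distinguishes a missing key from an explicit null is worth testing with an exact payload, as the Troubleshooting section suggests.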

Security Patterns

SQL Injection Detection

Field Type: Body Data Reference
Field Reference: search
Operator: matches regex
Value: (SELECT|UNION|DROP|INSERT|UPDATE|DELETE).*FROM
Action: Block

As written the pattern is case-sensitive, so a lowercase "union select ... from" passes untouched; use a case-insensitive match where the operator supports it, and expect false positives on ordinary text that happens to contain these words (see Best Practices).

XSS Prevention

Field Type: Body Data Reference
Field Reference: comment
Operator: contains any
Values:
  - <script
  - javascript:
  - onerror=
  - onclick=
Action: Block

Command Injection and Path Traversal

Field Type: Body Data Reference
Field Reference: filename
Operator: contains any
Values:
  - ../
  - ;
  - |
  - &&
  - $(
Action: Block
Security Alert: Never trust body data! Always validate and sanitize on the server side, even with Esper policies in place.
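
To show how these three patterns behave on realistic input, the following added example (written for this page, not Esper code) runs them over constructed payloads. It keeps the page's SQL regex exactly as written beside a case-insensitive variant with word boundaries, so both the lowercase bypass and the false positive on ordinary prose are visible. Function names, token lists and sample strings are assumptions.

```python
import re

# The page's SQLi pattern as written (case-sensitive) and a hardened variant.
SQLI_PAGE = re.compile(r"(SELECT|UNION|DROP|INSERT|UPDATE|DELETE).*FROM")
SQLI_HARDENED = re.compile(
    r"\b(select|union|drop|insert|update|delete)\b.*\bfrom\b",
    re.IGNORECASE | re.DOTALL,
)

XSS_TOKENS = ("<script", "javascript:", "onerror=", "onclick=")
CMD_TOKENS = ("../", ";", "|", "&&", "$(")


def sqli_match(pattern, value):
    return pattern.search(value) is not None


def contains_any(value, tokens):
    """Case-folded 'contains any': <SCRIPT and ONERROR= must fire as well."""
    low = value.lower()
    return any(t in low for t in tokens)


def classify(field, value):
    """Run the three Security Patterns above over one body field.
    Returns the names of the patterns that fired (empty list = Continue)."""
    hits = []
    if field == "search" and sqli_match(SQLI_HARDENED, value):
        hits.append("sqli")
    if field == "comment" and contains_any(value, XSS_TOKENS):
        hits.append("xss")
    if field == "filename" and contains_any(value, CMD_TOKENS):
        hits.append("cmd")
    return hits


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    ("search", "' UNION SELECT password FROM users--"),
    ("search", "' union select password from users--"),   # bypasses the page regex
    ("search", "select the best from our menu"),           # false positive for both
    ("comment", "<ScRiPt>alert(1)</script>"),
    ("comment", "great post, thanks"),
    ("filename", "../../etc/passwd"),
    ("filename", "report;id"),
    ("filename", "q4-report.pdf"),
]


def run_samples():
    return [(field, value, classify(field, value)) for field, value in SAMPLES]
```

Even the hardened regex is a keyword filter, not a parser: comment tricks (UN/**/ION), alternative encodings, and queries without FROM all pass it. The value of these rules is in cutting noise and flagging obvious probes; the server's parameterised queries and output encoding remain the actual defence.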

Size and Content Validation

Prevent Large Payloads

Field Type: Body Size
Operator: greater than
Value: 10485760 # 10MB
Action: Block

Enforce Content Types

Field Type: Request Path
Operator: equals
Value: /api/upload
AND
Field Type: Header
Field Reference: Content-Type
Operator: not starts with
Value: multipart/form-data
Action: Block

Best Practices

DO:

  • Validate structure - Ensure expected fields exist
  • Check data types - Numbers should be numbers
  • Limit sizes - Prevent resource exhaustion
  • Sanitize inputs - Block dangerous characters
  • Log suspicious patterns - For security analysis
  • Use specific paths - Target exact fields in JSON

DON’T:

  • Parse complex formats in policies - Do that server-side
  • Store sensitive data in logs
  • Trust client validation - Always verify server-side
  • Block common words - Too many false positives
  • Ignore encoding - Base64 can hide attacks

Working with Different Content Types

JSON API Protection

# Ensure valid JSON structure
# "starts with" rather than "equals": clients commonly send
# application/json; charset=utf-8, which an exact match would reject
Field Type: Header
Field Reference: Content-Type
Operator: starts with
Value: application/json
AND
Field Type: Body Data
Operator: is valid JSON
Action: Continue
ELSE
Action: Block

Form Submission Validation

# Check for required form fields
Field Type: Body Data Reference
Field Reference: email
Operator: matches regex
Value: ^[^@]+@[^@]+\.[^@]+$
AND
Field Type: Body Data Reference
Field Reference: terms_accepted
Operator: equals
Value: true
Action: Continue
ELSE
Action: Block

File Upload Security

# Restrict file types
Field Type: Body Data Reference
Field Reference: file.content_type
Operator: not in
Values:
  - image/jpeg
  - image/png
  - application/pdf
Action: Block

The part's Content-Type is declared by the client, so this allow-list only filters honest mistakes; the server must still verify the file's actual content (for example its leading bytes) before trusting the declared type.
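
The following added example (not Esper code) pairs the allow-list above with a check that the file's leading bytes agree with its declared type, which is the verification the server side still needs. The MAGIC table, check_upload() and the sample parts are constructed for this illustration.

```python
# Magic-byte signatures for the allowed types (constructed table; extend as needed).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}


def check_upload(declared_type, data):
    """Decide on one multipart file part.

    Returns (action, reason). The declared Content-Type is client-controlled, so
    an allow-list on it alone is only a first filter; the file's leading bytes
    must agree with the declared type before the part is accepted."""
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in MAGIC:
        return "Block", "content_type %s not in allow-list" % declared
    if not any(data.startswith(sig) for sig in MAGIC[declared]):
        return "Block", "leading bytes do not match %s" % declared
    return "Continue", "ok"


# Constructed sample parts (not real uploads).
SAMPLE_PARTS = [
    ("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("image/png", b"<?php system($_GET['c']); ?>"),   # script labelled as an image
    ("application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("text/html", b"<html></html>"),
]


def run_samples():
    return [check_upload(declared, data)[0] for declared, data in SAMPLE_PARTS]
```

Magic bytes are a necessary check, not a sufficient one: a file can carry a valid PNG header and still embed a script for a downstream interpreter, so the filename extension, storage path and how the file is served need the same scrutiny.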

Common Attack Patterns

Password Spraying

# Many accounts, same password (rule keyed on a known weak password)
Field Type: Body Data Reference
Field Reference: password
Operator: equals
Value: Password123
Window: 5 minutes
Threshold: 10
Action: Block

Matching on the password field means the policy engine handles the plaintext credential; keep it out of logs and alerts (see Best Practices).

Credential Stuffing

# Rapid login attempts
Field Type: Request Path
Operator: equals
Value: /login
AND
Field Type: Body Data Reference
Field Reference: username
Operator: is present
Window: 1 minute
Threshold: 20
Action: Block

API Abuse

# Excessive data requests
Field Type: Body Data Reference
Field Reference: limit
Operator: greater than
Value: 1000
Action: Challenge
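
The Window and Threshold lines above describe counting matching requests over a time window. The following added example (not Esper's implementation) shows one way such a sliding-window counter works, keyed on a hash of the password for spraying and on the client IP for stuffing. The class and function names, the hashed-key choice and the rate keys are assumptions (the page does not say what each rule counts against), and the login events are constructed.

```python
import hashlib
from collections import defaultdict, deque


class WindowCounter:
    """Count events per key inside a sliding window, the mechanism behind the
    'Window: 5 minutes / Threshold: 10' rules above. The key is hashed so the
    counter never holds a plaintext password (see DON'T: sensitive data in logs)."""

    def __init__(self, window_seconds, threshold):
        self.window = window_seconds
        self.threshold = threshold
        self.events = defaultdict(deque)   # key -> timestamps, oldest first

    @staticmethod
    def key(*parts):
        return hashlib.sha256("\x00".join(parts).encode("utf-8")).hexdigest()

    def hit(self, key, now):
        """Record an event at time `now` (seconds) and report whether the
        count inside the window has reached the threshold."""
        q = self.events[key]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                    # drop events that fell out of the window
        return len(q) >= self.threshold


def password_spray_action(counter, password, now):
    """Many accounts, one password: rate-key on the (hashed) password alone."""
    return "Block" if counter.hit(counter.key("spray", password), now) else "Continue"


def credential_stuffing_action(counter, client_ip, now):
    """Rapid /login attempts from one source, whatever username is tried.
    Keying on client IP is an assumption made for this example."""
    return "Block" if counter.hit(counter.key("stuff", client_ip), now) else "Continue"


# Constructed login events: (seconds, client_ip, username, password). One
# password tried against twelve accounts, ten seconds apart.
EVENTS = [(i * 10, "198.51.100.7", "user%d" % i, "Password123") for i in range(12)]


def replay_spray(window_seconds=300, threshold=10):
    counter = WindowCounter(window_seconds, threshold)
    return [password_spray_action(counter, pw, t) for t, _ip, _user, pw in EVENTS]
```

Keying a spray counter on the password rather than the source address is what lets it see a low-and-slow campaign spread across many IPs; keying on the IP is what catches a single stuffing bot. Running both, with separate thresholds, is the usual arrangement.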

Encoding Challenges

Base64 Detection

Field Type: Body Data Reference
Field Reference: data
Operator: matches regex
Value: ^[A-Za-z0-9+/]+=*$
Action: Decode and inspect

This pattern also matches any plain alphanumeric word (for example "hello"), so treat it as a trigger for deeper inspection of the decoded value rather than as a block condition on its own.

URL Encoding

# Detect encoded attacks
Field Type: Body Data
Operator: contains
Value: %3Cscript
Action: Block # URL encoded <script
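
The following added example (not Esper code) shows the decoding a practitioner needs before the two checks above are meaningful: it undoes repeated URL encoding, applies a stricter base64 test than the page's regex (which also matches any plain word), and then runs the <script check over every decoded layer. Function names and sample values are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

BASE64_PAGE = re.compile(r"^[A-Za-z0-9+/]+=*$")   # the page's pattern, as written


def url_decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding (%253C -> %3C -> <). Stops once stable,
    with a round limit so a hostile input cannot make this loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_base64(value):
    """Stricter than the page's regex: require a padding-consistent length and
    a successful strict decode, so ordinary words such as 'hello' do not qualify."""
    if not BASE64_PAGE.match(value) or len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


def decode_layers(value):
    """Return every representation worth inspecting: the raw value, its fully
    URL-decoded form, and the base64-decoded text of either if applicable."""
    layers = [value]
    decoded = url_decode_fully(value)
    if decoded != value:
        layers.append(decoded)
    for candidate in list(layers):
        if looks_like_base64(candidate):
            try:
                layers.append(base64.b64decode(candidate, validate=True).decode("utf-8"))
            except UnicodeDecodeError:
                pass   # valid base64 but not text: leave to a binary inspector
    return layers


def contains_script(value):
    """The page's '<script' / '%3Cscript' check, applied after decoding each layer."""
    return any("<script" in layer.lower() for layer in decode_layers(value))
```

The raw-string check "%3Cscript" from the page misses a double-encoded "%253Cscript", and a base64-wrapped payload never contains "<script" at all; decoding every layer first is what makes a single literal comparison sufficient.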

Troubleshooting

“Can’t access nested fields”

  • Check JSON structure
  • Verify path notation
  • Ensure proper parsing
  • Look for array vs object

“Policy not matching body content”

  • Confirm Content-Type header
  • Check encoding (UTF-8, etc.)
  • Verify body size limits
  • Test with exact payload

Advanced Patterns

Business Logic Validation

# Prevent price manipulation
Field Type: Body Data Reference
Field Reference: items[].price
Operator: any less than
Value: 0
Action: Block

Data Consistency Checks

# Email fields must match
Field Type: Body Data Reference
Field Reference: email
NOT EQUALS
Field Type: Body Data Reference
Field Reference: confirm_email
Action: Block