> ## Documentation Index
> Fetch the complete documentation index at: https://docs.esperr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Body Data

> Analyzing request body content in Esper policies.

## What is Body Data?

Body data is the main content sent in POST, PUT, and PATCH requests. It contains the actual information being submitted - form data, JSON payloads, file uploads, or API commands.

<Info>
  **MDN Web Docs**

  Read more on [HTTP message body](https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages#body).
</Info>

## Common Body Data Formats

### JSON (application/json)

```json theme={null}
{
  "username": "user@example.com",
  "password": "secret123",
  "remember": true
}
```

### Form Data (application/x-www-form-urlencoded)

```
username=user%40example.com&password=secret123&remember=true
```

### Multipart (multipart/form-data)

```
------WebKitFormBoundary
Content-Disposition: form-data; name="file"
Content-Type: image/jpeg

[binary data]
------WebKitFormBoundary
```

### XML (application/xml)

```xml theme={null}
<request>
  <username>user@example.com</username>
  <password>secret123</password>
</request>
```

### Plain Text (text/plain)

```
Simple text content
```

## Using Body Data in Policies

### Basic Examples

**Check for specific field:**

```yaml theme={null}
Field Type: Body Data Reference
Field Reference: email
Operator: contains
Value: @suspicious.com
Action: Challenge
```

**Validate required fields:**

```yaml theme={null}
Field Type: Body Data Reference
Field Reference: user.age
Operator: is not present
AND
Field Type: Request Path
Operator: equals
Value: /register
Action: Block
```

### Advanced JSON Navigation

For nested JSON objects, use path notation:

```json theme={null}
{
  "user": {
    "profile": {
      "email": "test@example.com"
    }
  }
}
```

Access with: `user.profile.email` or `user->profile->email`

### Array Access

```json theme={null}
{
  "items": [
    { "id": 1, "name": "First" },
    { "id": 2, "name": "Second" }
  ]
}
```

Access with:

* `items[0].name` - First item's name
* `items[].name` - Any item's name

## Security Patterns

### SQL Injection Detection

```yaml theme={null}
Field Type: Body Data Reference
Field Reference: search
Operator: matches regex
Value: (SELECT|UNION|DROP|INSERT|UPDATE|DELETE).*FROM
Action: Block
```

### XSS Prevention

```yaml theme={null}
Field Type: Body Data Reference
Field Reference: comment
Operator: contains any
Values:
  - <script
  - javascript:
  - onerror=
  - onclick=
Action: Block
```

### Command Injection

```yaml theme={null}
Field Type: Body Data Reference
Field Reference: filename
Operator: contains any
Values:
  - ../
  - ;
  - |
  - &&
  - $(
Action: Block
```

<Warning>
  **Security Alert**

  Never trust body data! Always validate and sanitize on the server side, even with Esper policies in place.
</Warning>

## Size and Content Validation

### Prevent Large Payloads

```yaml theme={null}
Field Type: Body Size
Operator: greater than
Value: 10485760 # 10MB
Action: Block
```

### Enforce Content Types

```yaml theme={null}
Field Type: Request Path
Operator: equals
Value: /api/upload
AND
Field Type: Header
Field Reference: Content-Type
Operator: not starts with
Value: multipart/form-data
Action: Block
```

## Best Practices

### DO:

* **Validate structure** - Ensure expected fields exist
* **Check data types** - Numbers should be numbers
* **Limit sizes** - Prevent resource exhaustion
* **Sanitize inputs** - Block dangerous characters
* **Log suspicious patterns** - For security analysis
* **Use specific paths** - Target exact fields in JSON

### DON'T:

* **Parse complex formats** in policies - Do that server-side
* **Store sensitive data** in logs
* **Trust client validation** - Always verify server-side
* **Block common words** - Too many false positives
* **Ignore encoding** - Base64 can hide attacks

## Working with Different Content Types

### JSON API Protection

```yaml theme={null}
# Ensure valid JSON structure
Field Type: Header
Field Reference: Content-Type
Operator: equals
Value: application/json
AND
Field Type: Body Data
Operator: is valid JSON
Action: Continue
ELSE
Action: Block
```

### Form Submission Validation

```yaml theme={null}
# Check for required form fields
Field Type: Body Data Reference
Field Reference: email
Operator: matches regex
Value: ^[^@]+@[^@]+\.[^@]+$
AND
Field Type: Body Data Reference
Field Reference: terms_accepted
Operator: equals
Value: true
```

### File Upload Security

```yaml theme={null}
# Restrict file types
Field Type: Body Data Reference
Field Reference: file.content_type
Operator: not in
Values:
  - image/jpeg
  - image/png
  - application/pdf
Action: Block
```

## Common Attack Patterns

### Password Spraying

```yaml theme={null}
# Many attempts, same password
Field Type: Body Data Reference
Field Reference: password
Operator: equals
Value: Password123
Window: 5 minutes
Threshold: 10
Action: Block
```

### Credential Stuffing

```yaml theme={null}
# Rapid login attempts
Field Type: Request Path
Operator: equals
Value: /login
AND
Field Type: Body Data Reference
Field Reference: username
Operator: is present
Window: 1 minute
Threshold: 20
Action: Block
```

### API Abuse

```yaml theme={null}
# Excessive data requests
Field Type: Body Data Reference
Field Reference: limit
Operator: greater than
Value: 1000
Action: Challenge
```

## Encoding Challenges

### Base64 Detection

```yaml theme={null}
Field Type: Body Data Reference
Field Reference: data
Operator: matches regex
Value: ^[A-Za-z0-9+/]+=*$
Action: Decode and inspect
```

### URL Encoding

```yaml theme={null}
# Detect encoded attacks
Field Type: Body Data
Operator: contains
Value: %3Cscript
Action: Block # URL encoded <script
```

## Troubleshooting

**"Can't access nested fields"**

* Check JSON structure
* Verify path notation
* Ensure proper parsing
* Look for array vs object

**"Policy not matching body content"**

* Confirm Content-Type header
* Check encoding (UTF-8, etc.)
* Verify body size limits
* Test with exact payload

## Advanced Patterns

### Business Logic Validation

```yaml theme={null}
# Prevent price manipulation
Field Type: Body Data Reference
Field Reference: items[].price
Operator: any less than
Value: 0
Action: Block
```

### Data Consistency Checks

```yaml theme={null}
# Email fields must match
Field Type: Body Data Reference
Field Reference: email
NOT EQUALS
Field Type: Body Data Reference
Field Reference: confirm_email
Action: Block
```

## Related Fields

* [Request Method](./request-method) - Only some methods have bodies
* [Headers](./headers) - Content-Type describes body format
* [Request Path](./request-path) - Different endpoints expect different bodies
* [Query Parameters](./query-parameters) - Alternative to body for GET requests
