Nav

JSON and XML Threat Protection Policies

JSON and XML are prone to the same types of malicious injections, often characterized by unusual inflation of elements and nesting levels. Attackers use recursive techniques to consume memory resources. Dramatic swings in the size of the application data often signal a security problem. The JSON and XML threat protection policies help protect your applications from such intrusions.

In the event API Gateway fails to detect an attack, you need to monitor and design your services architecture with layers of protection in addition to these policies.

Protecting JSON Applications

By its nature, JSON is vulnerable to JavaScript injection. When you parse the JSON object, the malicious code inflicts its damages. An inordinate increase in the size and depth of the JSON payload can indicate injection. Applying the JSON threat protection policy can limit the size of your JSON payload and thwart recursive additions to the JSON hierarchy.

Configure JSON threat protection using the Apply "JSON threat protection" policy dialog. Open this dialog, set limits, and click apply to start protecting your JSON code. The following example shows configuration of a JSON threat protection policy.

json-threat-policy

Configuring a value of -1, for example for node depth, specifies unlimited.

Protecting XML Applications

Malicious attacks on XML applications typically involve large, recursive payloads, XPath/XSLT or SQL injections, and CData. Using the XML Threat Protection policy, you can limit the size of things, such as maximum node depth and text node length, in your XML code to twart malicious attacks. You can limit the size of comments to prevent invasions through CData, for example.

Configure XML threat protection using the Apply "XML threat protection" policy dialog. Open this dialog, set limits, and click apply to start protecting your XML code. The following example shows configuration of an XML threat protection policy.

xml-threat-policy