
XML Threat Protection Policy

Policy Name: XML Threat Protection

Summary: Protects against malicious XML in API requests

Category: Security

First Mule version available: v3.8.0

Returned Status Codes: 400 - Bad Request

Summary

Applications processing XML requests are susceptible to attacks characterized by unusual inflation of elements, attributes, and nesting levels. Attackers use recursive techniques to consume memory resources. Dramatic increases in the size of the application data often signal a security problem. The XML Threat Protection policy helps protect your applications from such intrusions.

If you find that attacks on your Anypoint Platform setup are difficult to detect, design your services architecture with layers of protection in addition to XML Threat Protection.

Configuring Policy Parameters

Flex Gateway Local Mode

The XML Threat Protection policy is not supported in Flex Gateway Local Mode.

Flex Gateway Connected Mode

The XML Threat Protection policy is not supported in Flex Gateway Connected Mode.

Mule Gateway

When you apply the XML Threat Protection policy to your API from the UI, the following parameters are displayed:

| Field | Description | Default | Required |
|---|---|---|---|
| Maximum Node Depth | Specifies the maximum node depth of an XML document. | -1 | false |
| Maximum Attribute Count Per Element | Specifies the maximum number of attributes in an element. Note that attributes used for defining namespaces are not counted. | -1 | false |
| Maximum Child Count | Specifies the maximum number of children of an element in the XML document. | -1 | false |
| Maximum Text Length | Specifies the maximum length (in characters) of text nodes in the XML document. | -1 | false |
| Maximum Attribute Length | Specifies the maximum length (in characters) of an attribute in the XML document. | -1 | false |
| Maximum Comment Length | Specifies the maximum number of comment characters in the XML document. | -1 | false |

A value of -1 indicates that the field value has no limits.
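The limits in the table above, sketched as a streaming check in Python. This is an added example, not MuleSoft's policy code: `check_xml` and the `max_*` keys are hypothetical names, and it assumes the root element is depth 1, that children means child elements, and that attribute and comment lengths are measured per attribute value and per comment.

```python
import xml.parsers.expat

class LimitExceeded(Exception):
    """Raised from a parser callback as soon as one limit is passed."""

def check_xml(payload, limits):
    """Return (status, reason); 400 matches the policy's rejection status."""
    child_counts = []   # one child counter per open element; len() is the depth
    text_run = 0        # text characters seen since the last start or end tag
    def enforce(key, value):
        limit = limits.get(key, -1)          # -1 means no limit, as in the policy
        if limit != -1 and value > limit:
            raise LimitExceeded(f"{key}: {value} > {limit}")

    def start(name, attrs):
        nonlocal text_run
        text_run = 0
        if child_counts:
            child_counts[-1] += 1
            enforce("max_child_count", child_counts[-1])
        child_counts.append(0)
        enforce("max_node_depth", len(child_counts))   # root is depth 1
        # Namespace declarations are not counted (per the policy description).
        plain = [v for k, v in attrs.items()
                 if k != "xmlns" and not k.startswith("xmlns:")]
        enforce("max_attribute_count", len(plain))
        for value in plain:
            enforce("max_attribute_length", len(value))  # assumed: value length

    def end(name):
        nonlocal text_run
        text_run = 0
        child_counts.pop()

    def text(data):
        nonlocal text_run
        text_run += len(data)                # expat may split one node into chunks
        enforce("max_text_length", text_run)
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = text
    parser.CommentHandler = lambda data: enforce("max_comment_length", len(data))
    try:
        parser.Parse(payload, True)
    except (LimitExceeded, xml.parsers.expat.ExpatError) as exc:
        return 400, str(exc)
    return 200, "ok"
# Constructed sample: four levels of nesting against a depth limit of 3.
print(check_xml(b"<a><b><c><d/></c></b></a>", {"max_node_depth": 3}))
```

Because the limits are checked inside the parser callbacks, an oversized document is rejected at the first violation rather than after it has been fully parsed.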

Example

The following screenshot shows an example of the parameters configured for the XML Threat Protection policy:

[Screenshot: XML Threat Protection policy parameters]