JSON Threat Protection Policy

Policy Name

JSON Threat Protection

Summary

Protects against malicious JSON in API requests

Category

Security

First Mule version available

v3.8.0

Returned Status Codes

400 - Bad Request

Summary

The JSON Threat Protection policy does not support SOAP APIs.

Applications processing JSON requests are susceptible to attacks characterized by unusual inflation of elements and nesting levels. Attackers use recursive techniques to consume memory resources. Dramatic swings in the size of the application data often signal a security problem. The JSON Threat Protection policy helps protect your applications from such intrusions.

If you find that attacks on your Anypoint Platform setup are difficult to detect, design your services architecture with layers of protection in addition to JSON Threat Protection.

Configuring Policy Parameters

Mule Gateway

When you apply the JSON Threat Protection policy to your API from the UI, the following parameters are displayed:

Field

Description

Default

Required

Maximum Container Depth

Specifies the maximum nested depth. JSON allows you to nest the containers (object and array) in any order to any depth

-1

false

Maximum String Value Length

Specifies the maximum length of a string value

-1

false

Maximum Object Entry Name Length

Specifies the maximum string length of an object’s entry name

-1

false

Maximum Object Entry Count

Specifies the maximum number of entries in an object

-1

false

Maximum Array Element Count

Specifies the maximum number of elements in an array

-1

false

A value of -1 indicates that the field value has no limits.

Payload Example

If your payload contains the following example JSON:

{
   "Players":[
      {
         "Name":"Sachin",
         "Email":"sachin.tendulkar@example.com"
      },
      {
         "Name":"Suryakumar",
         "email":"Surya@example.com"
      },
      {   "Name":"Bhuvi",
          "email":"bhuvi@example.com"
      },
      {
         "Name":"Jonty",
         "Email":"jonty@example.com"
      }
   ]
}

The policy defines the example parameter values as follows:

Parameter Value Explanation

Parameter	Value	Explanation
Maximum Container Depth	3	The depth of the `Name` and `Email` entries
Maximum String Value Length	28	The length of `sachin.tendulkar@example.com`
Maximum Object Entry Name Length	7	The length of the `Players` object entry name
Maximum Object Entry Count	2	The number of entries in each `Players` object
Maximum Array Element Count	4	The number of elements in the `Players` array

Maximum Container Depth

The depth of the Name and Email entries

Maximum String Value Length

The length of sachin.tendulkar@example.com

Maximum Object Entry Name Length

The length of the Players object entry name

Maximum Object Entry Count

The number of entries in each Players object

Maximum Array Element Count

The number of elements in the Players array