JavaScript object notation (JSON) is vulnerable to content-level attacks. Such attacks attempt to use structures that overwhelm JSON parsers to crash a service and induce application-level denial-of-service attacks.
The JSONThreatProtection policy minimizes the risk posed by such attacks by enabling specific limits on various JSON structures such as arrays and strings. All settings are optional and should be tuned to optimize service requirements against potential vulnerabilities.
Configuration
The properties that have to be configured to use the policy are described below.
Figure 1: JSON Threat Protection Policy Configuration attributes
Property | Description |
Container Depth | Maximum allowed nested depth. |
Object Entry Count | Maximum number of entries allowed in an object. |
Object Entry Name Length | Maximum string length allowed in an object's entry name. |
Array Element Count | Maximum number of elements allowed in an array. |
String Value Length | Maximum length allowed for a string value. |
Example
Configure JSON Threat policy with the values below and add it to Target Response:
Figure 2: JSON Threat Protection policy properties with values provided in the Example
Without JSON Threat Protection policy, below is the error output that is displayed :
{"Envelope": { "@xmlns:soap": "http://schemas.xmlsoap.org/soap/envelope/", "@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", "@xmlns:xsd": "http://www.w3.org/2001/XMLSchema", "Body": {"ConversionRateResponse": { "@xmlns": "http://www.webserviceX.NET/", "ConversionRateResult": "0.0157" }} }} |
After JSON Threat Policy is set, below is the error output that is displayed as the Container Depth is beyond the set limit ‘2’:
{ "ErrorMessage" : "Container depth limit exceeded", "ErrorCode" : "Threat Detected", "MoreInfo" : "Policy Name - jsonThreat, Type - JSON_THREAT" } |