JavaScript Object Notation (JSON) is vulnerable to content-level attacks. A request or response crafted with very deep nesting, very large objects or arrays, or very long strings can overwhelm a JSON parser, exhaust its memory or CPU, crash the service and so cause an application-level denial of service.

The JSONThreatProtection policy reduces this risk by letting you set limits on the size of JSON structures such as containers, arrays and strings; a payload that exceeds a limit is rejected by the policy instead of being parsed in full. All settings are optional and should be tuned to the largest values your service legitimately needs, since any limit left open is structure an attacker can still abuse.

Note: If a limit is not specified, the system applies the default value -1. Any negative value is treated as "no limit".

Configuration

The properties available on the policy are described below. Each one is optional; a property you leave unset is not enforced.


Figure 1: JSON Threat Protection Policy Configuration attributes

Property                    Description
Container Depth             Maximum allowed nesting depth of containers (objects and arrays).
Object Entry Count          Maximum number of entries (name/value pairs) allowed in an object.
Object Entry Name Length    Maximum string length allowed for an object's entry name.
Array Element Count         Maximum number of elements allowed in an array.
String Value Length         Maximum length allowed for a string value.

Example

Configure the JSON Threat Protection policy with the values shown in Figure 2 and add it to the Target Response flow, so that the limits are applied to the backend's response before it is returned to the client:


Figure 2: JSON Threat Protection policy properties with values provided in the Example

Without the JSON Threat Protection policy, the response is returned unchanged:

{"Envelope": {
    "@xmlns:soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "@xmlns:xsd": "http://www.w3.org/2001/XMLSchema",
    "Body": {"ConversionRateResponse": {
        "@xmlns": "http://www.webserviceX.NET/",
        "ConversionRateResult": "0.0157"
    }}
}}

With the policy in place and Container Depth set to 2, the same response is rejected, because it nests four containers deep (the root object, Envelope, Body and ConversionRateResponse). The error returned to the client is:

{
  "ErrorMessage" : "Container depth limit exceeded",
  "ErrorCode" : "Threat Detected",
  "MoreInfo" : "Policy Name - jsonThreat, Type - JSON_THREAT"
}
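The following is an added example, not the policy's own implementation, showing how the five limits from the property table can be enforced in a single pass over the raw JSON text, before any parser builds the document. It is run against the sample response from this page with Container Depth set to 2, which reproduces the "Container depth limit exceeded" rejection above. The JsonLimits, check_json_threats and apply_policy names are this example's own; only the container depth message and the error body layout are taken from the page, the other four message texts are assumed.

```python
from dataclasses import dataclass

# Constructed sample: the converted SOAP response shown in the Example section above.
SAMPLE_RESPONSE = """{"Envelope": {
    "@xmlns:soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "@xmlns:xsd": "http://www.w3.org/2001/XMLSchema",
    "Body": {"ConversionRateResponse": {
        "@xmlns": "http://www.webserviceX.NET/",
        "ConversionRateResult": "0.0157"
    }}
}}"""

@dataclass
class JsonLimits:
    """One field per policy property. A negative value means no limit, matching the default of -1."""
    container_depth: int = -1
    object_entry_count: int = -1
    object_entry_name_length: int = -1
    array_element_count: int = -1
    string_value_length: int = -1

class ThreatDetected(ValueError):
    """Raised with the text that becomes the ErrorMessage field."""

def _exceeds(value: int, limit: int) -> bool:
    return limit >= 0 and value > limit

def _string_end(text: str, start: int) -> int:
    """Index of the closing quote of the string that opens at text[start]; skips backslash escapes."""
    j = start + 1
    while j < len(text) and text[j] != '"':
        j += 2 if text[j] == "\\" else 1
    if j >= len(text):
        raise ValueError("unterminated string")
    return j

def _value_starts(stack: list, limits: JsonLimits) -> None:
    # Called whenever a value begins; if the enclosing container is an array, it is one more element.
    if stack and stack[-1]["kind"] == "array":
        stack[-1]["count"] += 1
        if _exceeds(stack[-1]["count"], limits.array_element_count):
            raise ThreatDetected("Array element count limit exceeded")

def check_json_threats(text: str, limits: JsonLimits) -> None:
    """Single left-to-right pass over raw JSON text that enforces the five limits without
    building the document, so oversize structure is rejected before a parser allocates for it.
    It is a guard, not a validator: malformed JSON must still be caught by the parser run afterwards."""
    stack = []  # one frame per open container: kind, entries/elements seen so far, whether a key is next
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "{[":
            _value_starts(stack, limits)
            stack.append({"kind": "object" if c == "{" else "array", "count": 0, "expect_key": True})
            if _exceeds(len(stack), limits.container_depth):
                raise ThreatDetected("Container depth limit exceeded")
            i += 1
        elif c in "}]":
            if stack:
                stack.pop()
            i += 1
        elif c in ",:":
            if c == "," and stack and stack[-1]["kind"] == "object":
                stack[-1]["expect_key"] = True  # next string in this object is an entry name
            i += 1
        elif c == '"':
            end = _string_end(text, i)
            length = end - i - 1  # raw characters between the quotes; escapes count as written, so never under-counts
            top = stack[-1] if stack else None
            if top and top["kind"] == "object" and top["expect_key"]:
                top["count"] += 1
                top["expect_key"] = False
                if _exceeds(length, limits.object_entry_name_length):
                    raise ThreatDetected("Object entry name length limit exceeded")
                if _exceeds(top["count"], limits.object_entry_count):
                    raise ThreatDetected("Object entry count limit exceeded")
            else:
                _value_starts(stack, limits)
                if _exceeds(length, limits.string_value_length):
                    raise ThreatDetected("String value length limit exceeded")
            i = end + 1
        else:
            _value_starts(stack, limits)  # number, true, false or null: skip to the next delimiter
            while i < n and text[i] not in ',:{}[]"' and not text[i].isspace():
                i += 1

def apply_policy(text: str, limits: JsonLimits, policy_name: str = "jsonThreat"):
    """Return None when the payload passes, else an error body shaped like the one on this page."""
    try:
        check_json_threats(text, limits)
    except ThreatDetected as exc:
        return {"ErrorMessage": str(exc), "ErrorCode": "Threat Detected",
                "MoreInfo": f"Policy Name - {policy_name}, Type - JSON_THREAT"}
    return None
```

Because the checks run on the text rather than on a parsed tree, a hostile payload is stopped at the first violated limit instead of being materialised first; only a payload that passes should be handed to json.loads or to the backend parser. With JsonLimits(container_depth=2) the sample response is rejected at the third opening brace; with container_depth=4 it passes, which is the smallest depth that accepts this particular response.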
