JavaScript Object Notation (JSON) is vulnerable to content-level attacks, in which a payload is structured so as to overwhelm the JSON parser, crash the service, and cause an application-level denial of service.
The JSONThreatProtection policy reduces this risk by letting you set limits on JSON structures such as arrays and strings. All settings are optional and should be tuned to balance your service's requirements against the potential vulnerabilities.
Configuration
The properties that must be configured to use the policy are described below.
Figure 1: JSON Threat Protection Policy Configuration attributes
| Property | Description |
|---|---|
| Container Depth | Maximum allowed nesting depth of containers (objects and arrays). |
| Object Entry Count | Maximum number of entries allowed in an object. |
| Object Entry Name Length | Maximum string length allowed for an object's entry name. |
| Array Element Count | Maximum number of elements allowed in an array. |
| String Value Length | Maximum length allowed for a string value. |
Example
Configure the JSON Threat Protection policy with the values below and add it to the Target Response:
Figure 2: JSON Threat Protection policy properties with values provided in the Example
Without the JSON Threat Protection policy, the output is as follows:

```json
{
  "Envelope": {
    "@xmlns:soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "@xmlns:xsd": "http://www.w3.org/2001/XMLSchema",
    "Body": {
      "ConversionRateResponse": {
        "@xmlns": "http://www.webserviceX.NET/",
        "ConversionRateResult": "0.0157"
      }
    }
  }
}
```
After the JSON Threat Protection policy is applied, the response is the following error, because the Container Depth of the payload exceeds the configured limit of 2:

```json
{
  "ErrorMessage": "Container depth limit exceeded",
  "ErrorCode": "Threat Detected",
  "MoreInfo": "Policy Name - jsonThreat, Type - JSON_THREAT"
}
```
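The following is an added illustration, not code from the gateway product this page documents: a Python checker that applies the five limits from the configuration table to a parsed JSON document and reproduces the example's result, where the Target Response above violates a Container Depth of 2 (the root object is depth 1, `Envelope` is depth 2 and `Body` is depth 3). The `JsonThreatLimits` and `check_json_threats` names are my own.

```python
import json
from dataclasses import dataclass
from typing import Any, List, Optional

@dataclass
class JsonThreatLimits:
    """One field per policy property in the table above; None disables that check."""
    container_depth: Optional[int] = None
    object_entry_count: Optional[int] = None
    object_entry_name_length: Optional[int] = None
    array_element_count: Optional[int] = None
    string_value_length: Optional[int] = None

def _walk(node: Any, depth: int, limits: JsonThreatLimits, errors: List[str]) -> None:
    """Check one node; depth counts enclosing containers, root container = 1."""
    if isinstance(node, (dict, list)):
        if limits.container_depth is not None and depth > limits.container_depth:
            errors.append("Container depth limit exceeded")
            return  # nothing below this node can be within the limit either
    if isinstance(node, dict):
        if limits.object_entry_count is not None and len(node) > limits.object_entry_count:
            errors.append("Object entry count limit exceeded")
        for key, value in node.items():
            if limits.object_entry_name_length is not None and len(key) > limits.object_entry_name_length:
                errors.append(f"Object entry name length limit exceeded: {key!r}")
            _walk(value, depth + 1, limits, errors)
    elif isinstance(node, list):
        if limits.array_element_count is not None and len(node) > limits.array_element_count:
            errors.append("Array element count limit exceeded")
        for item in node:
            _walk(item, depth + 1, limits, errors)
    elif isinstance(node, str):
        if limits.string_value_length is not None and len(node) > limits.string_value_length:
            errors.append("String value length limit exceeded")

def check_json_threats(text: str, limits: JsonThreatLimits) -> List[str]:
    """Return the distinct violations found in `text`; an empty list means it passes."""
    errors: List[str] = []
    _walk(json.loads(text), 1, limits, errors)
    return list(dict.fromkeys(errors))  # de-duplicate, keep first-seen order

# The Target Response body shown on this page (a SOAP envelope converted to JSON).
SAMPLE_RESPONSE = ('{"Envelope": {"@xmlns:soap": "http://schemas.xmlsoap.org/soap/envelope/", '
                   '"@xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", '
                   '"@xmlns:xsd": "http://www.w3.org/2001/XMLSchema", '
                   '"Body": {"ConversionRateResponse": {"@xmlns": "http://www.webserviceX.NET/", '
                   '"ConversionRateResult": "0.0157"}}}}')

if __name__ == "__main__":
    # Container Depth 2, as in the page's example: Envelope -> Body is already depth 3.
    print(check_json_threats(SAMPLE_RESPONSE, JsonThreatLimits(container_depth=2)))
```

Because this walks an already-parsed tree, it demonstrates the rules rather than protecting the parser itself; a gateway enforces the same limits while parsing so that an oversized payload is rejected before it consumes memory.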