XML Threat Protection

Contents

Configuration
Examples
- Example 1
- Example 2

This policy protects API from any possible XML Threats by setting limits to various attributes present in the XML structure.

Configuration

The properties that have to be configured to use the policy are described below.

Figure 1: XML Threat Protection Policy Configuration attributes

Property	Description
Node Depth	Maximum number of nodes allowed in the XML.
Attribute Count Per Element	Maximum number of attributes allowed within an element in the XML. The attribute “category” is checked for the specified limit. Icon Attributes used for defining namespaces are not counted.
Namespace Count Per Element	Maximum number of characters allowed in a namespace within an element in the XML. Icon Attributes used for defining namespaces are not counted.
Child Count	Maximum number of child elements allowed per element in the XML document.
Text length	Character limit for text nodes present in the XML document. Icon The text nodes Learning XML, Erik T. Ray, and 2003 are checked for the specified limit.
Attribute Value Length	Character limit for attribute values present in the XML document. Icon The attribute node category is checked for the specified limit.
Comment Length	Character limit for comments present in the XML document.
Namespaceuri Length	Maximum number of characters allowed in a namespace URI within an element in the XML file.
Processing Instruction Data Length	Maximum number of characters for the Processing Instruction Text present in the XML file. ( A Pocessing Instruction starts with a special tag <? and ends with ?> ) Example: <?xml-stylesheet href = "/style.xsl“ type = "text/xsl"?> Here, length of type and href values are checked.
Element Length	Maximum number of characters allowed in an element name in the XML file.
Attribute Name Length	Maximum number of characters allowed in an attribute name in the XML file. Icon The attribute category is checked for the specified limit.
Namespace Prefix Length	Maximum number of characters allowed in a Namespace Prefix within an element in the XML file.
Processing Instruction Target Length	Maximum number of characters for the target of any processing instruction text present in the XML file. Icon The value of processing instruction target XML-stylesheet is checked for the specified limit. Example: <?xml-stylesheet href = "tpstyle.css" type = "text/css"?> Here, the target is "xml-stylesheet". href="tpstyle.css" and type="text/css" are data or instructions the target application will use at the time of processing the given XML document.

Icon

The valid value for the attributes specified can be any integer.

Icon

Edit button helps to rename the policy ID (the policy name appearing under Policies).

Examples

Below are a couple of examples illustrating sample configurations.

Example 1

Configure XML Threat policy with the values shown in the below figure and set it to the scope 'Target Response'.

Figure 2: XML Threat policy properties with values provided in Example 1

In the above figure, Namespace Prefix Length property is set to ‘2’.

Below is the output when a request is processed without XML Threat Policy.

When the request is sent after setting XML Threat Policy, the error below is displayed as namespace prefix length is beyond the set value ‘2’.

{

"ErrorMessage" : "NameSpace prefix length limit exceeded for prefix - soap",

"ErrorCode" : "Threat Detected",

"MoreInfo" : "Policy Name - xmlThreat, Type - XML_THREAT"

}

Example 2

Edit the configured XML Threat policy and set the Node Depth to ‘3’.

Figure 3: XML Threat policy properties with values provided in Example 2

Below is the output when a request is processed without XML Threat Policy:

When the request is sent after setting XML Threat Policy, the error below is displayed as the node depth is beyond the set value 3.

{

"ErrorMessage" : "Node depth limit exceeded",

"ErrorCode" : "Threat Detected",

"MoreInfo" : "Policy Nerted from JSON format to XML format. The attributes available are as shown in the figure.ame - xmlThreat, Type - XML_THREAT"

}