JSON Threat Protection

 

The JSON Threat Protection policy, as its name suggests, protects an API from malicious HTTP requests whose JSON bodies have been inflated to bring the API's server down. An inflated request can increase the JSON nesting depth, the length of object entry names and string values, or the length of arrays. Such a request takes far longer to process than a legitimate one and can end in an out-of-memory error or a severe performance degradation, so it should be denied at the entry point, before any application logic runs.

In this policy we define the structure we are willing to accept for incoming JSON requests: the container depth, the object entry name and string value lengths, the object entry count and the array size.

To start with, we will create a Mule application and connect it to API Manager (see the earlier post on how to connect a MuleSoft application to API Manager).

After deployment to CloudHub, the API Manager configuration shows the API as Active.

 

Now we will apply the JSON Threat Protection policy.

 

Select JSON Threat Protection.

 

Now update the policy configuration.

 

The policy exposes the following properties:

  • Maximum Container Depth – Specifies the maximum nesting depth. JSON allows containers (objects and arrays) to be nested inside each other in any order and to any depth.
  • Maximum String Value Length – Specifies the maximum length of a string value
  • Maximum Object Entry Name Length – Specifies the maximum string length of an object’s entry name
  • Maximum Object Entry Count – Specifies the maximum number of entries in an object
  • Maximum Array Element Count – Specifies the maximum number of elements in an array

So, for the JSON request below:

{
   "employees":[
      {
         "name":"hrithik",
         "email":"[email protected]"
      },
      {
         "name":"Bob",
         "email":"[email protected]"
      },
      {
         "name":"Jai",
         "email":"[email protected]"
      }
   ]
}

we can use the values below and the request will still be accepted as valid:

  • Maximum Container Depth – 3 – root object -> employees array -> employee object (holding name and email)
  • Maximum String Value Length – 23 – the longest string value in the JSON is the email address [email protected]
  • Maximum Object Entry Name Length – 9 – the longest entry name in the JSON is employees
  • Maximum Object Entry Count – 2 – each employee object has two entries (name and email)
  • Maximum Array Element Count – 3 – the employees array has three elements
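To make the five limits concrete, the following reference checker (an added example, not MuleSoft's policy code) applies each limit to a parsed JSON document and reports the first one exceeded. The limit names mirror the policy's configuration fields; the class and function names, the example.com addresses and the inflated variants are constructed for this illustration, and the limit values are the ones chosen above.

```python
"""Added example: a reference checker for the five JSON Threat Protection limits.

This is not MuleSoft's policy code; the limit names mirror the policy's
configuration fields, everything else (class and function names, sample data)
is constructed for this illustration.
"""
import json
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class JsonLimits:
    max_container_depth: int
    max_string_value_length: int
    max_object_entry_name_length: int
    max_object_entry_count: int
    max_array_element_count: int


class JsonThreatViolation(ValueError):
    """Carries the name of the first limit the payload exceeds."""


def _walk(node: Any, limits: JsonLimits, depth: int) -> None:
    """Recursively apply the limits; depth counts containers from the root (root = 1)."""
    if isinstance(node, (dict, list)):
        depth += 1
        if depth > limits.max_container_depth:
            raise JsonThreatViolation("max_container_depth")
    if isinstance(node, dict):
        if len(node) > limits.max_object_entry_count:
            raise JsonThreatViolation("max_object_entry_count")
        for name, value in node.items():
            if len(name) > limits.max_object_entry_name_length:
                raise JsonThreatViolation("max_object_entry_name_length")
            _walk(value, limits, depth)
    elif isinstance(node, list):
        if len(node) > limits.max_array_element_count:
            raise JsonThreatViolation("max_array_element_count")
        for item in node:
            _walk(item, limits, depth)
    elif isinstance(node, str) and len(node) > limits.max_string_value_length:
        raise JsonThreatViolation("max_string_value_length")
    # numbers, booleans and null are not bounded by this policy


def validate(payload: str, limits: JsonLimits) -> Optional[str]:
    """Return None when the payload is within limits, otherwise the violated limit's name."""
    try:
        _walk(json.loads(payload), limits, 0)
    except JsonThreatViolation as exc:
        return str(exc)
    return None


# The limit values chosen in the post for the employees request.
POST_LIMITS = JsonLimits(
    max_container_depth=3,
    max_string_value_length=23,
    max_object_entry_name_length=9,
    max_object_entry_count=2,
    max_array_element_count=3,
)

# Constructed sample payload with the post's structure (example.com addresses are made up).
VALID_REQUEST = json.dumps({"employees": [
    {"name": "hrithik", "email": "hrithik@example.com"},
    {"name": "Bob", "email": "bob@example.com"},
    {"name": "Jai", "email": "jai@example.com"},
]})

# One inflated variant per limit, each exceeding exactly the limit it is named after.
INFLATED_REQUESTS = {
    "max_container_depth": json.dumps({"employees": [{"name": "Jai", "email": {"addr": "x"}}]}),
    "max_string_value_length": json.dumps({"employees": [{"name": "Jai", "email": "a-very-long-address@example.com"}]}),
    "max_object_entry_name_length": json.dumps({"employeeList": []}),
    "max_object_entry_count": json.dumps({"employees": [{"name": "Jai", "email": "j@x.io", "age": 30}]}),
    "max_array_element_count": json.dumps({"employees": [{}, {}, {}, {}]}),
}


def run_checks() -> dict:
    """Evaluate the valid request and every inflated variant against POST_LIMITS."""
    results = {"valid": validate(VALID_REQUEST, POST_LIMITS)}
    for name, payload in INFLATED_REQUESTS.items():
        results[name] = validate(payload, POST_LIMITS)
    return results


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(f"{label:30} -> {'accepted' if outcome is None else 'rejected: ' + outcome}")
```

One caveat worth noting: `json.loads` builds the whole document in memory before the checks run, so this checker demonstrates the rules rather than the resource-safe way to enforce them. A gateway policy that is meant to stop inflated payloads at the entry point has to apply these limits while streaming the body through the parser, rejecting it as soon as a limit is crossed.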

 

Let's populate the fields with these values.

 

Click Apply.

 

Now let's test this API in SoapUI.

For a valid request:

 

Increasing the container depth beyond the limit:

 

Increasing the string value length beyond the limit:

 

Increasing the object entry name length beyond the limit:

 

Increasing the number of entries in an object beyond the limit:

 

Increasing the array element count beyond the limit:

 

Sample application – sample-rest-service-json-threat-protection

Sample SOAP UI project – sample-rest-service-json-threat-protection

 

  
Thank you for taking the time to read the above post. I hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on reading about a specific topic, I am happy to explore your recommendations as well.
 
For any latest updates or posts on our website, you can follow us on LinkedIn. Look forward to connecting with you there.


Aron de Jong
2 years ago

I have a question. Can this policy be applied to the response payload of GET requests as well?