XML Threat Protection
The XML Threat Protection policy, as the name suggests, protects APIs from malicious HTTP requests whose XML payload has been inflated to bring down the API server. A request can be inflated by increasing the XML node depth, the element child count, the text or attribute length, or the comment length. Such requests take far longer to process and result in out-of-memory or performance problems, so they should be denied at the entry point.
In this policy we define the expected structure of the XML requests we will receive, e.g. the XML depth, element child count, text or attribute length and comment length.
To start, we will create a Mule application and connect it with API Manager – please see how to connect a MuleSoft application to API Manager.
After deployment to CloudHub, the API Manager configuration status will show as Active.
Now we will apply the XML Threat Protection policy
Select XML Threat Protection
Now update the policy configuration
We can see the properties below:
- Maximum Node Depth – Specifies the maximum node depth of an XML document.
- Maximum Attribute Count Per Element – Specifies the maximum number of attributes in an element. Note that attributes used for defining namespaces are not counted.
- Maximum Child Count – Specifies the maximum number of children of an element in the XML document.
- Maximum Text Length – Specifies the maximum length (in characters) of text nodes in the XML document.
- Maximum Attribute Length – Specifies the maximum length (in characters) of an attribute in the XML document.
- Maximum Comment Length – Specifies the maximum number of comment characters in the XML document.
So for the XML below:
<!-- comment -->
<employees>
  <employee age="45">
    <name>hrithik</name>
    <email>[email protected]</email>
  </employee>
  <employee age="45">
    <name>Bob</name>
    <email>[email protected]</email>
  </employee>
</employees>
We can use the values below to make it a valid request:
- Maximum Node Depth – 3 – employees -> employee -> (name, email)
- Maximum Attribute Count Per Element – 1 – as only employee has the age attribute
- Maximum Child Count – 2 – for employee -> (name and email)
- Maximum Text Length – 23 – max text – [email protected]
- Maximum Attribute Length – 2 – for age
- Maximum Comment Length – 9 – for the comment – <!-- comment --> (the count includes the spaces)
Let's populate the fields as per our need.
Now if we test this API in SOAP UI:
For a valid request
Increase Node Depth
Increase Attribute Count Per Element
Increase Child Count
Increase Text Length
Increase Attribute Length
Increase Comment Length
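To show how the six limits above are enforced and why each of the inflated SOAP UI requests is rejected, here is an added example, written for this walkthrough and not MuleSoft's own policy code. It is a streaming check built on Python's expat parser: every limit is tested as the parser reaches the offending node, so an inflated document is refused before it is read in full, which is the point of rejecting such requests at the entry point. The limit names, `XmlLimits`, `check_xml`, `run_cases`, the sample document (with placeholder e-mail addresses) and the six inflated documents are all this example's own constructions; the limit values are the ones worked out above, with the root element counted as depth 1 as that list implies.

```python
"""Streaming XML structural-limit checker modelled on the six limits of the
XML Threat Protection policy (added example, not MuleSoft's implementation)."""
import xml.parsers.expat
from dataclasses import dataclass


@dataclass(frozen=True)
class XmlLimits:
    max_node_depth: int
    max_attribute_count_per_element: int
    max_child_count: int
    max_text_length: int
    max_attribute_length: int
    max_comment_length: int


# The values worked out above for the employees document (root element = depth 1).
PAGE_LIMITS = XmlLimits(max_node_depth=3, max_attribute_count_per_element=1,
                        max_child_count=2, max_text_length=23,
                        max_attribute_length=2, max_comment_length=9)


class XmlLimitViolation(Exception):
    """Raised inside a handler as soon as a limit is exceeded; parsing stops there."""


class _LimitChecker:
    def __init__(self, limits):
        self.limits = limits
        self.depth = 0
        self.child_counts = []   # one child counter per currently open element
        self.text_len = 0        # length of the text node currently being read

    def _fail(self, what, seen, limit):
        raise XmlLimitViolation(f"{what}: {seen} > {limit}")

    def start(self, name, attrs):
        self.text_len = 0
        self.depth += 1
        if self.depth > self.limits.max_node_depth:
            self._fail("Maximum Node Depth", self.depth, self.limits.max_node_depth)
        # Namespace declarations are not counted, matching the policy's note.
        real = {k: v for k, v in attrs.items()
                if k != "xmlns" and not k.startswith("xmlns:")}
        if len(real) > self.limits.max_attribute_count_per_element:
            self._fail("Maximum Attribute Count Per Element", len(real),
                       self.limits.max_attribute_count_per_element)
        for value in real.values():
            if len(value) > self.limits.max_attribute_length:
                self._fail("Maximum Attribute Length", len(value),
                           self.limits.max_attribute_length)
        if self.child_counts:               # this element is a child of the one below it
            self.child_counts[-1] += 1
            if self.child_counts[-1] > self.limits.max_child_count:
                self._fail("Maximum Child Count", self.child_counts[-1],
                           self.limits.max_child_count)
        self.child_counts.append(0)

    def end(self, name):
        self.text_len = 0
        self.depth -= 1
        self.child_counts.pop()

    def characters(self, data):
        # expat may deliver one text node in several chunks, so accumulate until
        # the next markup item (element start/end or comment) resets the counter.
        self.text_len += len(data)
        if self.text_len > self.limits.max_text_length:
            self._fail("Maximum Text Length", self.text_len, self.limits.max_text_length)

    def comment(self, data):
        self.text_len = 0
        if len(data) > self.limits.max_comment_length:
            self._fail("Maximum Comment Length", len(data), self.limits.max_comment_length)


def check_xml(document, limits=PAGE_LIMITS):
    """Return None if the document is within limits, otherwise a string naming the
    violated limit and the offending value, e.g. 'Maximum Node Depth: 4 > 3'.
    Malformed XML is reported too, since a gateway should reject that as well."""
    checker = _LimitChecker(limits)
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    parser.StartElementHandler = checker.start
    parser.EndElementHandler = checker.end
    parser.CharacterDataHandler = checker.characters
    parser.CommentHandler = checker.comment
    try:
        parser.Parse(document, True)
    except XmlLimitViolation as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"Malformed XML: {exc}"
    return None


# Constructed sample: the employees document above with placeholder addresses.
VALID_XML = (
    '<!-- comment --> <employees> <employee age="45"> <name>hrithik</name> '
    '<email>hrithik@example.com</email> </employee> <employee age="45"> '
    '<name>Bob</name> <email>bob@example.com</email> </employee> </employees>'
)

# Constructed inflated variants, one per limit, mirroring the six SOAP UI tests.
INFLATED_XML = {
    "Increase Node Depth": "<employees><employee><name><first>x</first></name></employee></employees>",
    "Increase Attribute Count Per Element": '<employees><employee age="45" id="7"/></employees>',
    "Increase Child Count": "<employees><employee/><employee/><employee/></employees>",
    "Increase Text Length": "<employees><employee><name>" + "a" * 24 + "</name></employee></employees>",
    "Increase Attribute Length": '<employees><employee age="450"/></employees>',
    "Increase Comment Length": "<!-- a much longer comment --><employees/>",
}


def run_cases(limits=PAGE_LIMITS):
    """Map each test case name to check_xml's verdict (None means accepted)."""
    results = {"valid request": check_xml(VALID_XML, limits)}
    for name, doc in INFLATED_XML.items():
        results[name] = check_xml(doc, limits)
    return results


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:40} -> {verdict or 'accepted'}")
```

Two details are worth noting when reading the verdicts. The whitespace between elements in the valid document forms its own short text nodes, so it is checked against Maximum Text Length but never comes close to 23. And because each check fires at the first node that breaks a limit, the reported value is the first excess seen (depth 4, the third child, the 24th character), not the document's total size; a real gateway has the same fail-fast behaviour, which is what keeps an inflated payload from being buffered and parsed to the end.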
Sample application – sample-rest-service-xml-threat-protection
Sample SOAP UI project – sample-rest-service-xml-threat-protection-soapui-project