XML Threat Protection

XML Threat Protection policy, as the name suggests, is a policy that protects APIs from maliciously inflated XML requests crafted to bring down the API server. A request can be inflated by increasing the XML node depth, element child count, text or attribute length, or comment length. Such requests take a disproportionate amount of time to parse and can cause out-of-memory or performance problems, so they should be rejected at the entry point, before they reach the application.

In this policy we define the structure we expect from incoming XML requests: the maximum XML node depth, element child count, text or attribute length and comment length.

To start with, we will create a Mule application and connect it with API Manager. Please see how we can connect the Mule application to API Manager.

After deployment to CloudHub, the API Manager configuration will show as Active.

Now we will apply the XML Threat Protection policy.

Select XML Threat Protection.

Now update the policy configuration.

The policy exposes the following properties:

  • Maximum Node Depth – Specifies the maximum node depth of an XML document.
  • Maximum Attribute Count Per Element – Specifies the maximum number of attributes in an element. Note that attributes used for defining namespaces are not counted.
  • Maximum Child Count – Specifies the maximum number of children of an element in the XML document.
  • Maximum Text Length – Specifies the maximum length (in characters) of text nodes in the XML document.
  • Maximum Attribute Length – Specifies the maximum length (in characters) of an attribute in the XML document.
  • Maximum Comment Length – Specifies the maximum number of comment characters in the XML document.

So for the XML below:

<!-- comment -->
<employees>
    <employee age="45">
        <name>hrithik</name>
        <email>[email protected]</email>
    </employee>
    <employee age="45">
        <name>Bob</name>
        <email>[email protected]</email>
    </employee>
</employees>

We can use the values below to make it a valid request:

  • Maximum Node Depth – 3 – employees -> employee -> (name, email)
  • Maximum Attribute Count Per Element – 1 – only employee has an attribute (age)
  • Maximum Child Count – 2 – for employee -> (name and email)
  • Maximum Text Length – 23 – the longest text node is [email protected]
  • Maximum Attribute Length – 2 – for age
  • Maximum Comment Length – 9 – for the comment <!-- comment --> (the count includes the surrounding spaces)
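As an added example (not code from the post or from MuleSoft's policy implementation), the following Python script measures the six quantities the policy limits the way a gateway would, streaming through the document without building a tree, and reports which configured maximums a request exceeds. The SAMPLE document is constructed in the shape of the employees document above; the names (`measure_xml`, `violations`, `XmlStats`) and the decision to ignore whitespace-only text nodes are my assumptions, not the policy's documented behaviour.

```python
import xml.parsers.expat
from dataclasses import dataclass, asdict
@dataclass
class XmlStats:  # the six quantities the policy puts limits on
    node_depth: int = 0
    attribute_count_per_element: int = 0
    child_count: int = 0
    text_length: int = 0
    attribute_length: int = 0
    comment_length: int = 0

def measure_xml(doc: str) -> XmlStats:
    """Stream the document with expat (no tree is built) and record the maxima."""
    s, children, text = XmlStats(), [], []  # children: child count per open element
    def flush_text():  # expat may deliver one text node in several chunks
        joined, text[:] = "".join(text), []
        if joined.strip():  # assumption: whitespace-only text nodes are ignored
            s.text_length = max(s.text_length, len(joined))
    def start(name, attrs):
        flush_text()
        if children:  # this element is one more child of the open parent
            children[-1] += 1
            s.child_count = max(s.child_count, children[-1])
        children.append(0)
        s.node_depth = max(s.node_depth, len(children))  # root element is depth 1
        real = {k: v for k, v in attrs.items() if not k.startswith("xmlns")}
        s.attribute_count_per_element = max(s.attribute_count_per_element, len(real))
        s.attribute_length = max([s.attribute_length] + [len(v) for v in real.values()])
    def end(name):
        flush_text()
        children.pop()
    def comment(data):
        flush_text()
        s.comment_length = max(s.comment_length, len(data))
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler, p.CommentHandler = text.append, comment
    p.Parse(doc, True)
    return s

def violations(doc: str, limits: dict) -> list:
    """Names of the limits the document exceeds; an empty list means accept."""
    measured = asdict(measure_xml(doc))
    return [k for k, cap in limits.items() if measured[k] > cap]
SAMPLE = """<!-- comment --><employees>
  <employee age="45"><name>hrithik</name><email>hrithik@example.com</email></employee>
  <employee age="45"><name>Bob</name><email>bob@example.com</email></employee>
</employees>"""  # constructed sample in the shape of the post's document
LIMITS = dict(node_depth=3, attribute_count_per_element=1, child_count=2,
              text_length=23, attribute_length=2, comment_length=9)
```

Namespace declarations (`xmlns` and `xmlns:*`) are excluded from the attribute count, matching the property description above, and a text node split by an entity reference is measured as one node.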

Let's populate the fields as per our needs.

Click Apply.

Now let's test this API in SoapUI, first with a valid request and then with requests that exceed each limit in turn:

  • Valid request
  • Increased node depth
  • Increased attribute count per element
  • Increased child count
  • Increased text length
  • Increased attribute length
  • Increased comment length

Sample application – sample-rest-service-xml-threat-protection

Sample SOAP UI project – sample-rest-service-xml-threat-protection-soapui-project

Thank you for taking the time to read the above post. Hope you found it useful. In case of any questions, feel free to comment below. Also, if you are keen on knowing about a specific topic, happy to explore your recommendations as well.

For any latest updates or posts on our website, you can follow us on LinkedIn. Look forward to connecting with you there.

