Skip to main content
Skip table of contents

XML Threat Protection

This policy protects API from any possible XML Threats by setting limits to various attributes present in the XML structure.

Configuration

The properties that have to be configured to use the policy are described below.


Figure 1: XML Threat Protection Policy Configuration attributes

PropertyDescription
Node Depth

Maximum number of nodes allowed in the XML.

Attribute Count Per Element

Maximum number of attributes allowed within an element in the XML.

The attribute “category” is checked for the specified limit.

Attributes used for defining namespaces are not counted.

Namespace Count Per Element

Maximum number of characters allowed in a namespace within an element in the XML.

Attributes used for defining namespaces are not counted.


Child CountMaximum number of child elements allowed per element in the XML document.
Text length

Character limit for text nodes present in the XML document.

The text nodes Learning XML, Erik T. Ray, and 2003 are checked for the specified limit.

Attribute Value Length

Character limit for attribute values present in the XML document.

The attribute node category is checked for the specified limit.


Comment LengthCharacter limit for comments present in the XML document.
Namespaceuri Length

Maximum number of characters allowed in a namespace URI within an element in the XML file.

Processing Instruction Data Length

Maximum number of characters for the Processing Instruction Text present in the XML file.

( A Pocessing Instruction starts with a special tag <? and ends with ?> )

Example: <?xml-stylesheet href = "/style.xsl“ type = "text/xsl"?> Here, length of type and href values are checked.

Element LengthMaximum number of characters allowed in an element name in the XML file.
Attribute Name Length

Maximum number of characters allowed in an attribute name in the XML file.

The attribute category is checked for the specified limit.


Namespace Prefix Length

Maximum number of characters allowed in a Namespace Prefix within an element in the XML file.

Processing Instruction Target Length

Maximum number of characters for the target of any processing instruction text present in the XML file.

The value of processing instruction target XML-stylesheet is checked for the specified limit.

Example:  <?xml-stylesheet href = "tpstyle.css" type = "text/css"?>
Here, the target is "xml-stylesheet". href="tpstyle.css" and type="text/css" are data or instructions the target application will use at the time of processing the given XML document.

The valid value for the attributes specified can be any integer.

Edit button helps to rename the policy ID (the policy name appearing under Policies).

Examples

Below are a couple of examples illustrating sample configurations.

Example 1

Configure XML Threat policy with the values shown in the below figure and set it to the scope 'Target Response'.


Figure 2: XML Threat policy properties with values provided in Example 1

In the above figure, Namespace Prefix Length property is set to ‘2’.

Below is the output when a request is processed without XML Threat Policy.

XML 
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Body>
      <ConversionRateResponse xmlns="http://www.webserviceX.NET/">
         <ConversionRateResult>0.0157</ConversionRateResult>
      </ConversionRateResponse>
   </soap:Body>
</soap:Envelope> 

When the request is sent after setting XML Threat Policy, the error below is displayed as namespace prefix length is beyond the set value ‘2’.

{

  "ErrorMessage" : "NameSpace prefix length limit exceeded for prefix - soap",

  "ErrorCode" : "Threat Detected",

  "MoreInfo" : "Policy Name - xmlThreat, Type - XML_THREAT"

}

Example 2

Edit the configured XML Threat policy and set the Node Depth to ‘3’.


Figure 3: XML Threat policy properties with values provided in Example 2

Below is the output when a request is processed without XML Threat Policy:

XML 
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Body>
      <ConversionRateResponse xmlns="http://www.webserviceX.NET/">
         <ConversionRateResult>0.0157</ConversionRateResult>
      </ConversionRateResponse>
   </soap:Body>
</soap:Envelope> 

When the request is sent after setting XML Threat Policy, the error below is displayed as the node depth is beyond the set value 3.

{

  "ErrorMessage" : "Node depth limit exceeded",

  "ErrorCode" : "Threat Detected",

  "MoreInfo" : "Policy Nerted from JSON format to XML format. The attributes available are as shown in the figure.ame - xmlThreat, Type - XML_THREAT"

}


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close