Any server that receives online data is subject to attack, whether malicious or unintentional. Some attacks take advantage of the flexibility of XML by constructing invalid documents that have the potential to compromise back-end systems. Corrupt or extremely complex XML documents can cause servers to allocate more memory than is available, tying up CPU and memory resources, crashing parsers, and generally disabling message processing and creating application-level denial-of-service attacks.

Apigee Edge enables you to enforce XMLThreatProtection policies that address XML vulnerabilities and minimize attacks on your API.

You can screen against XML threats using the following approaches:

  • Validate messages against an XML schema (.xsd)
  • Evaluate message content for specific black-listed keywords or patterns
  • Detect corrupt or malformed messages before those messages are parsed

The XMLThreatProtection policy can detect XML payload attacks based on configured limits.

Note: All limits are optional. If a limit is not specified, the system applies a default value of -1 (the system equates a negative value to no limit).

Configuring the XMLThreatProtection policy

Configure the Threat Protection policy using the following elements.

Field Name: Source
    Message to be screened for XML payload attacks. This is most commonly set to request, as you will typically need to validate inbound requests from client apps. Set this to request, response, or message. When set to message, this element will automatically evaluate the request message when attached to the request Flow, and the response message when attached to the response Flow.

Field Name: StructuralLimits (Optional)
  NodeDepth
    Specifies the maximum node depth allowed in the XML.
    Valid value: Any integer
  AttributeCountPerElement
    Specifies the maximum number of attributes allowed for any element.
    Valid value: Any integer
    Example:
        <book category="WEB">
          <title>Learning XML</title>
          <author>Erik T. Ray</author>
          <year>2003</year>
        </book>
    The attribute category is checked for the specified limit.
    Note that attributes used for defining namespaces are not counted.
  NamespaceCountPerElement
    Specifies the maximum number of namespace definitions allowed in an element.
    Valid value: Any integer
    Example:
        <e1 attr1="val1" attr2="val2">
            <e2 xmlns="http://apigee.com" xmlns:yahoo="http://yahoo.com" one="1" yahoo:two="2"/>
        </e1>
    Here <e1> has 0 namespace definitions and <e2> has 2 namespace definitions. Note that attributes used for defining namespaces are not counted.
  ChildCount
    Specifies a limit on the maximum number of children allowed for any element in the XML document.
    Valid value: Any integer

Field Name: ValueLimits (Optional)
  Text
    Specifies a limit on the maximum length, in characters, of any text nodes present in the XML document.
    Valid value: Any integer
    Example:
        <book category="WEB">
          <title>Learning XML</title>
          <author>Erik T. Ray</author>
          <year>2003</year>
        </book>
    The text nodes Learning XML, Erik T. Ray, and 2003 are checked for the specified limit.
  Attribute
    Specifies a limit on the maximum length, in characters, of any attributes for any element in the XML document.
    Valid value: Any integer
    Example:
        <book category="WEB">
          <title>Learning XML</title>
          <author>Erik T. Ray</author>
          <year>2003</year>
        </book>
    The attribute node category is checked for the specified limit.
  NamespaceURI
    Specifies a limit on the maximum number of namespaces in the XML document.
    Valid value: Any integer
    Example:
        <ns1:myelem xmlns:ns1="http://ns1.com"/>
    The namespace value http://ns1.com is checked for the specified limit.
  Comment
    Specifies a limit on the maximum number of comment characters in the XML document.
    Valid value: Any integer
    Example:
        <book category="WEB">
          <!-- This is a comment -->
          <title>Learning XML</title>
          <author>Erik T. Ray</author>
          <year>2003</year>
        </book>
    The comment text <!-- This is a comment --> is checked for the specified limit.
  ProcessingInstructionData
    Specifies a limit on the maximum number of characters for any processing instruction content in the XML document.
    Valid value: Any integer
    Example:
        <?xml-stylesheet type="text/xsl" href="style.xsl"?>
    The processing instruction content type="text/xsl" href="style.xsl" is checked for the specified limit.

Field Name: NameLimits (Optional)
  Element
    Specifies a limit on the maximum number of characters permitted in any element name in the XML document.
    Valid value: Any integer
    Example:
        <book category="WEB">
          <title>Learning XML</title>
          <author>Erik T. Ray</author>
          <year>2003</year>
        </book>
    The element names book, title, author, and year are checked for the specified limit.
  Attribute
    Specifies a limit on the maximum number of characters in the name of any attribute in the XML document.
    Valid value: Any integer
    Example:
        <book category="WEB">
          <title>Learning XML</title>
          <author>Erik T. Ray</author>
          <year>2003</year>
        </book>
    The attribute name category is checked for the specified limit.
  NamespacePrefix
    Specifies a limit on the maximum number of characters in any namespace prefix.
    Valid value: Any integer
    Example:
        <ns1:myelem xmlns:ns1="http://ns1.com"/>
    The prefix ns1 is checked for the specified limit.
  ProcessingInstructionTarget
    Specifies a limit on the maximum number of characters in the target of any processing instruction in the XML document.
    Valid value: Any integer
    Example:
        <?xml-stylesheet type="text/xsl" href="style.xsl"?>
    The processing instruction target xml-stylesheet is checked for the specified limit.

Example - XMLThreatProtection policy

<XMLThreatProtection name="mypolicy">
    <Source>request</Source>
    <StructureLimits>
        <NodeDepth>5</NodeDepth>
        <AttributeCountPerElement>3</AttributeCountPerElement>
        <NamespaceCountPerElement>2</NamespaceCountPerElement>
        <ChildCount includeText="true"
                    includeComment="true"
                    includeProcessingInstruction="true"
                    includeElement="true">3</ChildCount>
    </StructureLimits>
    <ValueLimits>
         <Text>15</Text>
         <Attribute>10</Attribute>
         <Namespace>10</Namespace>
         <Comment>10</Comment>
         <ProcessingInstructionData>10</ProcessingInstructionData>
    </ValueLimits>
    <NameLimits>
          <Element>10</Element>
          <Attribute>10</Attribute>
          <Prefix>10</Prefix>
          <ProcessingInstructionTarget>10</ProcessingInstructionTarget>
    </NameLimits>
</XMLThreatProtection>
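To make the limits above concrete, here is a small reference checker, added for this page and not Apigee's own policy code, that walks a document with Python's expat parser and reports the same error codes the policy uses (NodeDepthExceeded, AttrCountExceeded, and so on). Its limit values default to the example policy above; that the root element sits at depth 1, that ChildCount counts element children only, and that whitespace-only text nodes are ignored are assumptions of this example, not statements from the page.

```python
import xml.parsers.expat

# Constructed inputs: the page's <book> and <e1>/<e2> samples, each on one line.
BOOK = '<book category="WEB"><title>Learning XML</title><author>Erik T. Ray</author><year>2003</year></book>'
NS_DOC = ('<e1 attr1="val1" attr2="val2"><e2 xmlns="http://apigee.com" '
          'xmlns:yahoo="http://yahoo.com" one="1" yahoo:two="2"/></e1>')

def over(n, limit):
    return limit >= 0 and n > limit   # a negative limit means "no limit", as on the page

def check_xml_limits(doc, node_depth=5, attrs_per_element=3, ns_per_element=2,
                     child_count=3, text_len=15, attr_value_len=10, elem_name_len=10):
    # Defaults mirror the example policy on this page. Assumptions: the root element
    # is at depth 1, ChildCount counts element children only, and whitespace-only
    # text nodes are ignored. Returns a list of (error code, offending name) pairs.
    hits, ns_pending, children = [], 0, []   # children[i] = child count of open element i

    def start_ns(prefix, uri):        # xmlns declarations are reported before their element
        nonlocal ns_pending
        ns_pending += 1

    def start(name, attrs):
        nonlocal ns_pending
        depth = len(children) + 1
        local = name.split(" ")[-1]   # expat reports "uri localname" for namespaced names
        if children:                  # this element is one more child of its parent
            children[-1] += 1
        checks = ((over(depth, node_depth), "NodeDepthExceeded"),
                  (over(len(local), elem_name_len), "ElemNameExceeded"),
                  (over(len(attrs), attrs_per_element), "AttrCountExceeded"),  # xmlns not counted
                  (over(ns_pending, ns_per_element), "NSCountExceeded"),
                  (any(over(len(v), attr_value_len) for v in attrs.values()), "AttrValueExceeded"),
                  (bool(children) and over(children[-1], child_count), "ChildCountExceeded"))
        hits.extend((code, local) for bad, code in checks if bad)
        ns_pending = 0
        children.append(0)

    def text(data):                   # buffer_text below merges split character data
        if over(len(data.strip()), text_len):
            hits.append(("TextExceeded", data.strip()[:20]))

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.buffer_text = True
    parser.StartNamespaceDeclHandler = start_ns
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: children.pop()
    parser.CharacterDataHandler = text
    parser.Parse(doc, True)
    return hits
```

Running check_xml_limits(BOOK) and check_xml_limits(NS_DOC) with the defaults returns an empty list, while a document nested six levels deep, an element with four children, or a 16-character text node each produce the corresponding error code.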

Policy-specific error codes

The default format for error codes returned by Policies is:

{
  "code" : " {ErrorCode} ",
  "message" : " {Error message} ",
  "contexts" : [ ]
}

The XMLThreatProtection Policy type defines the following error codes:

Error Code            Message
NodeDepthExceeded     XMLThreatProtection stepDefinition {0}: Node depth exceeded {1}
AttrCountExceeded     XMLThreatProtection stepDefinition {0}: Attribute count exceeded {1}
ChildCountExceeded    XMLThreatProtection stepDefinition {0}: Children count exceeded {1}
NSCountExceeded       XMLThreatProtection stepDefinition {0}: Namespace count exceeded {1}
ElemNameExceeded      XMLThreatProtection stepDefinition {0}: Element name length exceeded {1}
AttrNameExceeded      XMLThreatProtection stepDefinition {0}: Attribute name length exceeded {1}
AttrValueExceeded     XMLThreatProtection stepDefinition {0}: Attribute value length exceeded {1}
NSPrefixExceeded      XMLThreatProtection stepDefinition {0}: Namespace prefix length exceeded {1}
NSURIExceeded         XMLThreatProtection stepDefinition {0}: Namespace uri length exceeded {1}
PITargetExceeded      XMLThreatProtection stepDefinition {0}: Processing Instruction target length exceeded {1}
PIDataExceeded        XMLThreatProtection stepDefinition {0}: Processing Instruction data length exceeded {1}
CommentExceeded       XMLThreatProtection stepDefinition {0}: Comment length exceeded {1}
TextExceeded          XMLThreatProtection stepDefinition {0}: Text length exceeded {1}
SourceUnavailable     XMLThreatProtection stepDefinition {0}: Source {1} is not available
NonMessageVariable    Variable {0} does not resolve to a Message
ExecutionFailed       XMLThreatProtection stepDefinition {0}: Execution failed. reason: {1}

Policy schema

Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.

Comments

I tried this option.
Added XML Threat Protection.
And while putting the XML request in the body part I am violating all the policies like NodeDepth, ChildCount, AttrValue...
But getting the 200 OK successful response.

Hi Sonesh,

I recommend that you post your question to http://stackoverflow.com/questions/tagged/apigee. We'll monitor the responses and update the doc if necessary. Thanks! --Will
