In much the same way as XML-based services, APIs that accept JavaScript Object Notation (JSON) are vulnerable to content-level attacks. Simple JSON attacks send structures that overwhelm JSON parsers in order to crash a service and cause an application-level denial of service.

The JSONThreatProtection policy minimizes the risk posed by such attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. All settings are optional and should be tuned to optimize your service requirements against potential vulnerabilities.

Note: If a limit is not specified, the system applies a default value of -1 (the system equates a negative value to no limit).

Configuring the JSON Threat Protection policy

Configure the JSON Threat Protection policy using the following elements.

Source (Source)
    Request that needs to be validated for JSON payload attacks.
Container depth (ContainerDepth)
    Specifies the maximum allowed nesting depth. JSON allows you to nest the containers (object and array) in any order to any depth.
Object entry count (ObjectEntryCount)
    Specifies the maximum number of entries allowed in an object.
Object entry name length (ObjectEntryNameLength)
    Specifies the maximum string length allowed for an object's entry name.
Array element count (ArrayElementCount)
    Specifies the maximum number of elements allowed in an array.
String value length (StringValueLength)
    Specifies the maximum length allowed for a string value.

Policy schema

Each policy must conform to a policy schema. All policy constructs, such as the elements and attributes mentioned above, are defined in that schema, which is available for download.

Example - JSON Threat Protection policy

<JSONThreatProtection name="mypolicy">
    <Source>request</Source>
    <ContainerDepth>10</ContainerDepth>
    <ObjectEntryCount>15</ObjectEntryCount>
    <ArrayElementCount>20</ArrayElementCount>
    <ObjectEntryNameLength>50</ObjectEntryNameLength>
    <StringValueLength>100</StringValueLength>
</JSONThreatProtection>
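As an added example, not part of the original documentation and not the gateway's own implementation, the following Python applies the five limits from the example policy above to a parsed request body, treating a negative or unspecified limit as "no limit" exactly as the note describes. The function names, the limits dictionary and the (ok, reason) return shape are assumptions made for this illustration.

```python
import json

# Limits taken from the example policy on this page; a negative value means
# "no limit", matching the documented default of -1.
EXAMPLE_LIMITS = {"ContainerDepth": 10, "ObjectEntryCount": 15,
                  "ArrayElementCount": 20, "ObjectEntryNameLength": 50,
                  "StringValueLength": 100}


class JSONThreatViolation(ValueError):
    """Raised on the first limit the payload exceeds."""


def _exceeds(limits, name, observed):
    # A negative or unspecified limit disables the check.
    limit = limits.get(name, -1)
    return limit >= 0 and observed > limit


def _walk(value, limits, depth):
    """Recursively apply the limits; depth counts enclosing containers."""
    if isinstance(value, (dict, list)):
        depth += 1
        if _exceeds(limits, "ContainerDepth", depth):
            raise JSONThreatViolation(f"ContainerDepth {depth} exceeds limit")
    if isinstance(value, dict):
        if _exceeds(limits, "ObjectEntryCount", len(value)):
            raise JSONThreatViolation(f"ObjectEntryCount {len(value)} exceeds limit")
        for name, child in value.items():
            if _exceeds(limits, "ObjectEntryNameLength", len(name)):
                raise JSONThreatViolation(f"ObjectEntryNameLength {len(name)} exceeds limit")
            _walk(child, limits, depth)
    elif isinstance(value, list):
        if _exceeds(limits, "ArrayElementCount", len(value)):
            raise JSONThreatViolation(f"ArrayElementCount {len(value)} exceeds limit")
        for child in value:
            _walk(child, limits, depth)
    elif isinstance(value, str):
        if _exceeds(limits, "StringValueLength", len(value)):
            raise JSONThreatViolation(f"StringValueLength {len(value)} exceeds limit")


def check_payload(body, limits=EXAMPLE_LIMITS):
    """Return (True, 'ok') for an acceptable JSON body, else (False, reason)."""
    try:
        _walk(json.loads(body), limits, 0)
    except (ValueError, RecursionError) as exc:  # violation, malformed JSON, or too deep to parse
        return False, str(exc)
    return True, "ok"
```

A gateway enforces these limits while the payload is being read, so an oversized document is rejected before the parser has consumed it; this example checks an already-parsed tree and only catches RecursionError for nesting beyond the parser's own limit, so it illustrates the rules rather than protecting the parser itself.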