Like XML-based services, APIs that accept JavaScript Object Notation (JSON) are vulnerable to content-level attacks. Simple JSON attacks use structures that overwhelm JSON parsers in order to crash a service and induce an application-level denial of service.

The JSONThreatProtection policy minimizes the risk posed by such attacks by enabling you to specify limits on various JSON structures, such as arrays and strings. All settings are optional and should be tuned to optimize your service requirements against potential vulnerabilities.

Note: If a limit is not specified, the system applies a default value of -1 (the system equates a negative value to no limit).

Configuring the JSON Threat Protection policy

Configure the JSON Threat Protection policy using the following elements.

The name attribute for this policy is restricted to these characters: A-Z0-9._\-$ %. However, the Management UI enforces additional restrictions, such as automatically removing characters that are not alphanumeric.

Field Name                 Description
Source                     Request that needs to be validated for JSON payload attacks.
Container depth            Specifies the maximum allowed nested depth. JSON allows you to nest containers (object and array) in any order to any depth.
Object entry count         Specifies the maximum number of entries allowed in an object.
Object entry name length   Specifies the maximum string length allowed for an object's entry name.
Array element count        Specifies the maximum number of elements allowed in an array.
String value length        Specifies the maximum length allowed for a string value.

Example - JSON Threat Protection policy

<JSONThreatProtection name="mypolicy">
    <Source>request</Source>
    <ContainerDepth>10</ContainerDepth>
    <ObjectEntryCount>15</ObjectEntryCount>
    <ArrayElementCount>20</ArrayElementCount>
    <ObjectEntryNameLength>50</ObjectEntryNameLength>
    <StringValueLength>100</StringValueLength>
</JSONThreatProtection>
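To show what these limits do in practice, here is an added Python checker (not Apigee's implementation) that applies the five limits from the example above to a payload and returns the error-code name the policy would report, or None when the payload is accepted. The depth-counting convention and the sample payloads are assumptions.

```python
import json

# Limits copied from the policy example above; -1 means "no limit", which is
# the policy's default for any element left unspecified.
LIMITS = {"ContainerDepth": 10, "ObjectEntryCount": 15, "ArrayElementCount": 20,
          "ObjectEntryNameLength": 50, "StringValueLength": 100}

# Constructed sample payloads: one benign, then one that trips each limit.
SAMPLES = {
    "benign": '{"user": {"name": "ann", "tags": ["a", "b"]}, "count": 2}',
    "deep": "[" * 11 + "]" * 11,
    "wide_object": "{" + ",".join(f'"k{i}":{i}' for i in range(16)) + "}",
    "long_key": '{"' + "k" * 51 + '": 1}',
    "wide_array": "[" + ",".join(["0"] * 21) + "]",
    "long_string": '["' + "x" * 101 + '"]',
}

def check_json(text, limits=LIMITS):
    """Return the name of the first error code `text` trips, or None if it is
    within every limit. Depth is counted from 1 at the top-level container
    (an assumed convention). The walk uses an explicit stack so the checker
    cannot itself be exhausted by nesting; if the parser gives up first
    (RecursionError), that is reported as ExceededContainerDepth."""
    def over(name, value):
        return 0 <= limits.get(name, -1) < value  # negative cap = unlimited

    try:
        doc = json.loads(text)
    except RecursionError:
        return "ExceededContainerDepth"
    stack = [(doc, 1)]  # (node, nesting depth)
    while stack:
        node, depth = stack.pop()
        if isinstance(node, (dict, list)) and over("ContainerDepth", depth):
            return "ExceededContainerDepth"
        if isinstance(node, dict):
            if over("ObjectEntryCount", len(node)):
                return "ExceededObjectEntryCount"
            for key, value in node.items():
                if over("ObjectEntryNameLength", len(key)):
                    return "ExceededObjectEntryNameLength"
                stack.append((value, depth + 1))
        elif isinstance(node, list):
            if over("ArrayElementCount", len(node)):
                return "ExceededArrayElementCount"
            stack.extend((item, depth + 1) for item in node)
        elif isinstance(node, str) and over("StringValueLength", len(node)):
            return "ExceededStringValueLength"
    return None
```

A real gateway enforces these limits while streaming the payload through its parser; this checker walks the document after parsing, which is why the RecursionError path exists.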

Policy-specific error codes

The default format for error codes returned by policies is:

{
  "code" : " {ErrorCode} ",
  "message" : " {Error message} ",
  "contexts" : [ ]
}

The JSONThreatProtection policy type defines the following error codes:

Error Code                      Message
ExceededContainerDepth          JSONThreatProtection[{0}]: Exceeded container depth at line {1}
ExceededObjectEntryCount        JSONThreatProtection[{0}]: Exceeded object entry count at line {1}
ExceededArrayElementCount       JSONThreatProtection[{0}]: Exceeded array element count at line {1}
ExceededObjectEntryNameLength   JSONThreatProtection[{0}]: Exceeded object entry name length at line {1}
ExceededStringValueLength       JSONThreatProtection[{0}]: Exceeded string value length at line {1}
SourceUnavailable               JSONThreatProtection[{0}]: Source {1} is not available
NonMessageVariable              JSONThreatProtection[{0}]: Variable {1} does not resolve to a Message
ExecutionFailed                 JSONThreatProtection[{0}]: Execution failed. reason: {1}

Policy schema

Each policy type is defined by an XML schema (.xsd). For reference, policy schemas are available on GitHub.
