XML threat protection Policy

Nainaz

This policy detects XML payload attacks based on configured limits on the parts of an XML message.
The policy is only enforced when the message received from the client or another system has Content-Type application/xml; a message with any other Content-Type is not checked.
Scenario:
- To destabilize the system, hackers may send large and complex XML messages to the service.
- Such messages consume more memory and CPU, and XML parsers cannot cope with them.
- This results in the termination of the service.
These attacks can be mitigated by applying the XML Threat Protection policy to the service.

XML Configuration file - XML Threat Protection Policy

<XMLThreatProtection continueOnError="false" enabled="true" name="XML-Threat-Protection-1">
    <DisplayName>XML Threat Protection-1</DisplayName>
    <Properties/>
    <NameLimits>
        <!-- maximum name lengths: Element, Attribute and NamespacePrefix names
             may be at most 10 characters; a ProcessingInstructionTarget at most 18 -->
        <Element>10</Element>
        <Attribute>10</Attribute>
        <NamespacePrefix>10</NamespacePrefix>
        <ProcessingInstructionTarget>18</ProcessingInstructionTarget>
    </NameLimits>
    <!-- Source: where the XML message comes from, i.e. the request -->
    <Source>request</Source>
    <StructureLimits>
        <!-- element nesting depth must not exceed 5 -->
        <NodeDepth>5</NodeDepth>
        <!-- attribute count per element must be 2 or less;
             similarly, namespace count per element must be 3 or less -->
        <AttributeCountPerElement>2</AttributeCountPerElement>
        <NamespaceCountPerElement>3</NamespaceCountPerElement>
        <!-- at most 3 child nodes per element, counting comments, elements,
             processing instructions and text -->
        <ChildCount includeComment="true" includeElement="true" includeProcessingInstruction="true" includeText="true">3</ChildCount>
    </StructureLimits>
    <ValueLimits>
        <!-- maximum size of the values inside Text, Attribute, NamespaceURI,
             Comment and ProcessingInstructionData -->
        <Text>15</Text> <!-- element text value must be 15 characters or less -->
        <Attribute>10</Attribute>
        <NamespaceURI>40</NamespaceURI>
        <Comment>10</Comment>
        <ProcessingInstructionData>40</ProcessingInstructionData>
    </ValueLimits>
</XMLThreatProtection>

Sample XML data:

<BillInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <BillNumber>8888</BillNumber>
    <BillDate>2022-07-28</BillDate>
    <BillTime>10:36:55.03</BillTime>
    <BillerDetails code="9836" name="string">Jane</BillerDetails>
    <Customer>
        <Name>abc</Name>
        <Phone>7483824106</Phone>
        <Mail>nkptech@gmail.com</Mail>
        <Address>
            <Street_Addr1>Bay area</Street_Addr1>
            <Street_Addr2>5th cross</Street_Addr2>
            <PostCode>A84HJK</PostCode>
            <Country>USA</Country>
        </Address>
    </Customer>
</BillInfo>

<!-- <BillInfo>, <BillNumber>, <BillDate>, ... are all Elements
     code="9836", name="string", ... are Attributes
     xmlns:xsi declares the NamespacePrefix xsi
     <?xml-stylesheet type="text/xsl" href="xsl_for_each.xsl"?> is a processing instruction:
     xml-stylesheet is the ProcessingInstructionTarget, the rest is the ProcessingInstructionData -->

<!-- NodeDepth: how deeply elements are nested (here BillInfo > Customer > Address > Street_Addr1) -->
<!-- AttributeCountPerElement: <BillerDetails code="9836" name="string"> has 2 attributes -->
<!-- NamespaceCountPerElement: <BillInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> declares 1 namespace -->
<!-- ChildCount (number of child nodes inside a node): includes the comments and elements inside it -->

Implement the policy in Apigee.

Create a no-target API proxy.

Create and deploy it, then open the proxy and switch to the Develop tab.
The request must be validated as soon as it arrives, so attach the policy to the request side of the proxy endpoint's PreFlow:
Proxy Endpoint > PreFlow > Request > add the XML Threat Protection policy.

The XML Threat Protection policy code should look like the one below. Save and deploy.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<XMLThreatProtection continueOnError="false" enabled="true" name="XML-Threat-Protection-1">
    <DisplayName>XML Threat Protection-1</DisplayName>
    <Properties/>
    <NameLimits>
        <Element>10</Element>
        <Attribute>10</Attribute>
        <NamespacePrefix>10</NamespacePrefix>
        <ProcessingInstructionTarget>18</ProcessingInstructionTarget>
    </NameLimits>
    <Source>request</Source>
    <StructureLimits>
        <NodeDepth>5</NodeDepth>
        <AttributeCountPerElement>2</AttributeCountPerElement>
        <NamespaceCountPerElement>3</NamespaceCountPerElement>
        <ChildCount includeComment="true" includeElement="true" includeProcessingInstruction="true" includeText="true">3</ChildCount>
    </StructureLimits>
    <ValueLimits>
        <Text>15</Text>
        <Attribute>10</Attribute>
        <NamespaceURI>40</NamespaceURI>
        <Comment>10</Comment>
        <ProcessingInstructionData>40</ProcessingInstructionData>
    </ValueLimits>
</XMLThreatProtection>

See the output
Send a POST request with the sample XML data.

<!--  sample XML data -->

<?xml-stylesheet type="text/xsl" href="xsl_for_each.xsl"?>
<BillInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <BillNumber>8888</BillNumber>
    <BillDate>2022-07-28</BillDate>
    <BillTime>10:36:55.03</BillTime>
    <BillerDetails code="9836" name="string">Jane</BillerDetails>
    <Customer>
        <Name>abc</Name>
        <Phone>7483824106</Phone>
        <Mail>nkptech@gmail.com</Mail>
        <Address>
            <Street_Addr1>Bay area</Street_Addr1>
            <Street_Addr2>5th cross</Street_Addr2>
            <PostCode>A84HJK</PostCode>
            <Country>USA</Country>
        </Address>
    </Customer>
</BillInfo>

We get an error.

Because: Namespace uri length exceeded 40 at line 1(possibly around char 64)

The namespace URI must not be longer than the 40 characters allowed by NamespaceURI in ValueLimits, so modify
<BillInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
to
<BillInfo xmlns:xsi="http://www.w3.org/2001/XML">
and send the request again. Now we get the error:

Execution failed. reason: Children's count exceeded 3

BillInfo has five child elements but ChildCount allows at most 3, so delete some child elements, for example
<BillNumber>8888</BillNumber> <BillDate>2022-07-28</BillDate>
The code now looks like:

<BillInfo xmlns:xsi="http://www.w3.org/2001/XML">
    <BillTime>10:36:55.03</BillTime>
    <BillerDetails code="9836" name="string">Jane</BillerDetails>
    <Customer>
        <Name>abc</Name>
        <Phone>7483824106</Phone>
        <Mail>nkptech@gmail.com</Mail>
        <Address>
            <Street_Addr1>Bay area</Street_Addr1>
            <Street_Addr2>5th cross</Street_Addr2>
            <PostCode>A84HJK</PostCode>
            <Country>USA</Country>
        </Address>
    </Customer>
</BillInfo>

After modifying the sample XML to satisfy all of the policy's limits (shortening the long element names and keeping every element to at most three children), the code looks like:

<BillInfo xmlns:xsi="http://www.w3.org/2001/XML">
    <BillTime>10:36:55.03</BillTime>
    <Biller code="9836" name="string">Jane</Biller>
    <Customer>
        <Name>abc</Name>
        <Phone>7483824106</Phone>
        <Address>
            <Strdr1>Bay area</Strdr1>
            <PostCode>A84HJK</PostCode>
            <Country>USA</Country>
        </Address>
    </Customer>
</BillInfo>

Output: the request now passes the policy and no error is returned.
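To see which limits a payload would trip before deploying the proxy, here is a local checker that applies the same numbers as the policy XML above to the post's first sample request and to the final modified one. It is an added example, not Apigee's code or the post's; how Apigee counts depth (the root element is treated as depth 1 here) and whether it ignores whitespace-only text nodes (ignored here, which is what makes the final sample pass) are assumptions, and both samples are constructed copies of the ones in the post with the stylesheet processing instruction's quoting fixed.

```python
"""Local approximation of the XML Threat Protection limits used in the post.

Added example, not Apigee's implementation: depth starts at 1 for the root
element and whitespace-only text nodes are ignored (both are assumptions).
"""
from xml.dom import minidom, Node

# Same numbers as the XML-Threat-Protection-1 policy in the post.
LIMITS = {
    "NameLimits/Element": 10,
    "NameLimits/Attribute": 10,
    "NameLimits/NamespacePrefix": 10,
    "NameLimits/ProcessingInstructionTarget": 18,
    "StructureLimits/NodeDepth": 5,
    "StructureLimits/AttributeCountPerElement": 2,
    "StructureLimits/NamespaceCountPerElement": 3,
    "StructureLimits/ChildCount": 3,
    "ValueLimits/Text": 15,
    "ValueLimits/Attribute": 10,
    "ValueLimits/NamespaceURI": 40,
    "ValueLimits/Comment": 10,
    "ValueLimits/ProcessingInstructionData": 40,
}


def _split_qname(qname):
    """'xsi:type' -> ('xsi', 'type'); 'code' -> ('', 'code')."""
    prefix, _, local = qname.rpartition(":")
    return prefix, local


def check_xml(xml_text, limits=LIMITS):
    """Return (rule, where, actual, limit) for every limit the document exceeds."""
    violations = []

    def exceed(rule, where, actual):
        if actual > limits[rule]:
            violations.append((rule, where, actual, limits[rule]))

    def visit(node, depth):
        kind = node.nodeType
        if kind == Node.PROCESSING_INSTRUCTION_NODE:
            exceed("NameLimits/ProcessingInstructionTarget", node.target, len(node.target))
            exceed("ValueLimits/ProcessingInstructionData", node.target, len(node.data))
        elif kind == Node.COMMENT_NODE:
            exceed("ValueLimits/Comment", "comment", len(node.data))
        elif kind == Node.TEXT_NODE:
            if node.data.strip():  # assumption: whitespace-only text is not counted
                exceed("ValueLimits/Text", node.data, len(node.data))
        elif kind == Node.ELEMENT_NODE:
            exceed("StructureLimits/NodeDepth", node.tagName, depth)
            _, local = _split_qname(node.tagName)
            exceed("NameLimits/Element", node.tagName, len(local))
            ns_count = attr_count = 0
            for name, value in node.attributes.items():
                a_prefix, a_local = _split_qname(name)
                if name == "xmlns" or a_prefix == "xmlns":  # namespace declaration
                    ns_count += 1
                    exceed("NameLimits/NamespacePrefix", name, len(a_local) if a_prefix else 0)
                    exceed("ValueLimits/NamespaceURI", name, len(value))
                else:  # ordinary attribute: check its name and its value
                    attr_count += 1
                    exceed("NameLimits/Attribute", name, len(a_local))
                    exceed("ValueLimits/Attribute", name, len(value))
            exceed("StructureLimits/AttributeCountPerElement", node.tagName, attr_count)
            exceed("StructureLimits/NamespaceCountPerElement", node.tagName, ns_count)
            # ChildCount with includeComment/Element/ProcessingInstruction/Text all true
            children = [c for c in node.childNodes
                        if not (c.nodeType == Node.TEXT_NODE and not c.data.strip())]
            exceed("StructureLimits/ChildCount", node.tagName, len(children))
            for child in node.childNodes:
                visit(child, depth + 1)

    doc = minidom.parseString(xml_text)
    for child in doc.childNodes:  # stylesheet PI and the root element
        visit(child, 1)
    return violations


# Constructed copy of the post's first sample request (PI quoting fixed).
ORIGINAL_SAMPLE = """<?xml-stylesheet type="text/xsl" href="xsl_for_each.xsl"?>
<BillInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <BillNumber>8888</BillNumber>
  <BillDate>2022-07-28</BillDate>
  <BillTime>10:36:55.03</BillTime>
  <BillerDetails code="9836" name="string">Jane</BillerDetails>
  <Customer>
    <Name>abc</Name>
    <Phone>7483824106</Phone>
    <Mail>nkptech@gmail.com</Mail>
    <Address>
      <Street_Addr1>Bay area</Street_Addr1>
      <Street_Addr2>5th cross</Street_Addr2>
      <PostCode>A84HJK</PostCode>
      <Country>USA</Country>
    </Address>
  </Customer>
</BillInfo>"""

# Constructed copy of the post's final, policy-compliant sample.
MODIFIED_SAMPLE = """<BillInfo xmlns:xsi="http://www.w3.org/2001/XML">
  <BillTime>10:36:55.03</BillTime>
  <Biller code="9836" name="string">Jane</Biller>
  <Customer>
    <Name>abc</Name>
    <Phone>7483824106</Phone>
    <Address>
      <Strdr1>Bay area</Strdr1>
      <PostCode>A84HJK</PostCode>
      <Country>USA</Country>
    </Address>
  </Customer>
</BillInfo>"""

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL_SAMPLE), ("modified", MODIFIED_SAMPLE)):
        print(f"{label}: {len(check_xml(sample))} violation(s)")
        for rule, where, actual, limit in check_xml(sample):
            print(f"  {rule} at {where!r}: {actual} > {limit}")
```

Running it on the original sample reports the two errors the proxy returned (the 41-character namespace URI and BillInfo's five children) together with the other limits the author had to fix before the request passed: Customer and Address also have four children, BillerDetails and the Street_Addr elements exceed the 10-character element name limit, and the Mail text exceeds the 15-character Text limit. The modified sample reports nothing.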