XML Document Structure

The Protect Against Document Structure Threats assertion allows you to set limits on the size and structure of incoming XML requests, to protect against XDoS (XML Denial of Service) attacks that use oversized or deeply nested messages. When the text, attributes or structure of an incoming request exceed a configured limit, the API Gateway rejects the message and stops further processing of the policy.

Configure the properties as follows:

  • Reject if any XML contiguous text has length exceeding Select this check box to reject any incoming request with a text node (or CDATA section) containing more than the specified number of contiguous characters. Clear this check box to accept contiguous text of any length. "Contiguous" in this context refers to the characters between XML tags. For example: <tag>this is a string of contiguous characters</tag>. The check does not differentiate between start and end tags, so the following text is also counted as one run of contiguous characters: </endTag>blank spaces and return characters between tags are also contiguous text<startTag>.
  • Reject if any XML attribute value has length exceeding Select this check box to reject any incoming request with an attribute value longer than the specified number of characters. Clear this check box to accept attribute values of any length. The length of an attribute value is the number of characters between the quotes of the attribute, not including the attribute name itself. For example, the length of this attribute value is 12: <img src="computer.gif">.
  • Reject if any XML attribute name has length exceeding Select this check box to reject any incoming request with an attribute name longer than the specified number of characters. Clear this check box to accept attribute names of any length.
  • Reject if XML element nesting depth exceeds Select this check box to reject any incoming request that contains more than the specified number of nested levels. Clear this check box to accept requests with any number of nested levels. The nesting count begins at the top of the XML document. If it is a SOAP message, the envelope is level 1, the body is level 2, and so on.
  • Reject if distinct namespace declarations exceeds Select this check box to reject any incoming request that contains more than the specified number of distinct namespace URI declarations. Clear this check box to accept requests with any number of namespace declarations. Note: A value of '0' (zero) means unlimited, which is the same as clearing the check box.
  • Reject if distinct namespace prefix declarations exceeds Select this check box to reject any incoming request that contains more than the specified number of distinct namespace prefix declarations. Clear this check box to accept requests with any number of namespace prefix declarations. Note: A value of '0' (zero) means unlimited, which is the same as clearing the check box.
  • Reject SOAP request that contain more than Select this check box to reject any SOAP request with more than the specified number of payload elements. Clear this check box to ignore the number of payload elements in a request. A SOAP envelope requires one Body section, but that Body may contain multiple payload elements. Multiple payloads are uncommon, and an attack may use multiple payload elements to evade simplistic validity checks: for example, an XPath check might match against payload #2 while the application ignores payload #2 and processes payload #1 instead.
  • Require a valid SOAP envelope (one Body, no trailers) Select this check box to reject any request that does not contain a valid SOAP envelope. Clear this check box to skip the envelope validity check. A valid envelope contains exactly one Body section, optionally preceded by exactly one Header section, with no SOAP trailers. This setting guards against invalid SOAP envelopes that contain multiple Body sections or trailers, which may be caused either by an attack or by an error in the client application.
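The checks above, as an added example written for this page (it is not the API Gateway's own code): a streaming checker built on Python's expat parser that enforces each limit as the document is parsed, so an oversized or malformed-envelope message is rejected before it is fully buffered. The Limits fields, the STRICT profile, the sample messages, and the decision not to count a default namespace (xmlns="…") as a prefix declaration are this example's own assumptions; a limit of 0 means unlimited, as the page notes for the namespace limits.

```python
from dataclasses import dataclass
from xml.parsers import expat

SOAP_ENVELOPE_NS = {"http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
                    "http://www.w3.org/2003/05/soap-envelope"}    # SOAP 1.2

class StructureThreat(Exception):
    """Raised the moment a limit is exceeded; parsing stops at that point."""

@dataclass
class Limits:  # one field per check box on the page; 0 means unlimited (check box cleared)
    max_text_len: int = 0        # contiguous characters between any two tags
    max_attr_value_len: int = 0  # characters between the quotes of an attribute
    max_attr_name_len: int = 0
    max_depth: int = 0           # Envelope is level 1, Body is level 2, ...
    max_ns_uris: int = 0         # distinct namespace URIs declared anywhere in the document
    max_ns_prefixes: int = 0
    max_soap_payloads: int = 0   # elements directly under soap:Body
    require_valid_soap: bool = False  # one Body, optionally one Header before it, no trailers

def _check(value, limit, what):
    if limit > 0 and value > limit:
        raise StructureThreat(f"{what} {value} exceeds limit {limit}")

class _Checker:
    def __init__(self, limits):
        self.l, self.depth, self.max_depth, self.text = limits, 0, 0, []
        self.ns_stack, self.ns_uris, self.ns_prefixes = [{}], set(), set()  # ns_stack: prefix -> URI per open element
        self.is_soap, self.in_body, self.payloads = False, False, 0
        self.envelope_children = []  # local names of the Envelope's direct children, in order
    def _resolve(self, qname):
        prefix, _, local = qname.rpartition(":")
        return next((s[prefix] for s in reversed(self.ns_stack) if prefix in s), None), local
    def _flush_text(self):
        # Everything reported between two tag events is one contiguous run, so text sitting
        # between an end tag and the next start tag is measured exactly like element content.
        run = "".join(self.text)
        self.text.clear()
        _check(len(run), self.l.max_text_len, "contiguous text length")
    def start(self, name, attrs):
        self._flush_text()
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        _check(self.depth, self.l.max_depth, "nesting depth")
        scope = {}
        for aname, avalue in attrs.items():
            _check(len(aname), self.l.max_attr_name_len, f"attribute name length of {aname!r}")
            _check(len(avalue), self.l.max_attr_value_len, f"attribute value length of {aname!r}")
            if aname == "xmlns" or aname.startswith("xmlns:"):
                scope[aname[6:]] = avalue  # "xmlns"[6:] is "", the default namespace
        self.ns_stack.append(scope)
        self.ns_uris.update(scope.values())
        self.ns_prefixes.update(p for p in scope if p)  # assumption: the default namespace is not a prefix
        _check(len(self.ns_uris), self.l.max_ns_uris, "distinct namespace URIs")
        _check(len(self.ns_prefixes), self.l.max_ns_prefixes, "distinct namespace prefixes")
        uri, local = self._resolve(name)
        soap_ns = uri in SOAP_ENVELOPE_NS
        if self.depth == 1:
            self.is_soap = soap_ns and local == "Envelope"
        elif self.depth == 2 and self.is_soap:
            self.envelope_children.append(local if soap_ns else name)
            self.in_body = soap_ns and local == "Body"
        elif self.depth == 3 and self.in_body:
            self.payloads += 1
            _check(self.payloads, self.l.max_soap_payloads, "SOAP payload elements")
    def end(self, name):
        self._flush_text()
        self.ns_stack.pop()
        self.in_body = self.in_body and self.depth != 2
        self.depth -= 1
    def finish(self):
        if self.l.require_valid_soap and not self.is_soap:
            raise StructureThreat("root element is not a SOAP Envelope")
        if self.l.require_valid_soap and self.envelope_children not in (["Body"], ["Header", "Body"]):
            raise StructureThreat(f"invalid SOAP envelope: children are {self.envelope_children}")

def check_document(data: bytes, limits: Limits) -> dict:
    """Stream `data` through expat and raise StructureThreat at the first violated limit."""
    c, parser = _Checker(limits), expat.ParserCreate()  # no namespace processing: xmlns attrs stay visible
    parser.buffer_text = True
    parser.StartElementHandler, parser.EndElementHandler = c.start, c.end
    parser.CharacterDataHandler = c.text.append
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    c.finish()
    return {"max_depth": c.max_depth, "ns_uris": len(c.ns_uris),
            "ns_prefixes": len(c.ns_prefixes), "payloads": c.payloads}

def violation(data, limits):
    """Return the rejection reason for `data`, or None when it passes every limit."""
    try:
        check_document(data, limits)
    except StructureThreat as exc:
        return str(exc)

# Constructed sample messages (not taken from the page) and a strict profile that exercises each limit.
STRICT = Limits(max_text_len=5, max_attr_value_len=64, max_attr_name_len=16, max_depth=4,
                max_ns_uris=3, max_ns_prefixes=1, max_soap_payloads=1, require_valid_soap=True)
ENV = b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
GOOD = ENV + b"""
  <soap:Header><auth xmlns="urn:example:auth">token</auth></soap:Header>
  <soap:Body>
    <getQuote xmlns="urn:example:quote"><symbol>ACME</symbol></getQuote>
  </soap:Body>
</soap:Envelope>"""
TWO_PAYLOADS = ENV + b'<soap:Body><op xmlns="urn:a"/><op xmlns="urn:b"/></soap:Body></soap:Envelope>'
TRAILER = ENV + b'<soap:Body><op xmlns="urn:a"/></soap:Body><soap:Trailer/></soap:Envelope>'
DEEP = b"<r>" + b"<n>" * 20 + b"</n>" * 20 + b"</r>"
SPLIT_TEXT = b"<r><a/>" + b"x" * 12 + b"<b/></r>"  # the run sits between an end tag and a start tag
LONG_ATTR = b'<r id="' + b"A" * 100 + b'"/>'
```

`violation()` reports the first limit tripped, which is also the order a streaming gateway would see them in; `check_document()` returns the observed maxima for an accepted message, which is useful for sizing the limits against real traffic before turning rejection on. Note that GOOD passes STRICT with its longest text run exactly at the limit (5 characters), since each check rejects only when a value exceeds the configured number.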