
XML Threat Protection Policy

Policy Name | XML Threat Protection
Summary | Protects against malicious XML in API requests
Category | Security
First Flex Gateway version available | v1.10.0
Returned Status Codes | 400 - Bad Request

Summary

Applications that process XML requests are susceptible to attacks characterized by unusual inflation of elements, attributes, and deep nesting levels. Attackers use recursive techniques to consume memory resources. Dramatic increases in the size of the application data often signal a security risk. Use the XML Threat Protection policy to reject requests whose XML exceeds the size and structure limits you define; rejected requests receive a 400 Bad Request response.

Configuring Policy Parameters

Flex Gateway Local Mode

In Local Mode, you apply the policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

- policyRef:
    name: xml-threat-protection
  config:
    maxNodeDepth: <number> # OPTIONAL, default: -1
    maxAttributeCountPerElement: <number> # OPTIONAL, default: -1
    maxChildCount: <number> # OPTIONAL, default: -1
    maxTextLength: <number> # OPTIONAL, default: -1
    maxAttributeLength: <number> # OPTIONAL, default: -1
    maxCommentLength: <number> # OPTIONAL, default: -1

Defining a parameter as -1 means the parameter has no limit.

Parameter | Required | Default Value | Description
maxNodeDepth | No | -1 | Specifies the maximum node depth of an XML document.
maxAttributeCountPerElement | No | -1 | Specifies the maximum number of attributes in an element. Attributes used for defining namespaces are not counted.
maxChildCount | No | -1 | Specifies the maximum number of children of an element in the XML document.
maxTextLength | No | -1 | Specifies the maximum length in characters of text nodes in the XML document.
maxAttributeLength | No | -1 | Specifies the maximum length in characters of an attribute in the XML document.
maxCommentLength | No | -1 | Specifies the maximum number of comment characters in the XML document.

Resource Configuration Example

- policyRef:
    name: xml-threat-protection
  config:
    maxNodeDepth: 1
    maxAttributeCountPerElement: 1
    maxChildCount: 2
    maxTextLength: 20
    maxAttributeLength: 20
    maxCommentLength: 20
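The following is an added, stand-alone illustration of how the six limits in the parameter table and the configuration example above can be enforced by a streaming parser. It is not Flex Gateway code and does not reproduce the policy's implementation; it uses Python's expat binding to stop at the first violated limit without ever building a DOM, which is what makes such checks cheap against inflated documents. Assumptions made here and labelled in the code: the root element is at depth 1, maxChildCount counts element children only, maxCommentLength is applied per comment, and the limit values and XML samples are constructed for the demonstration.

```python
"""Streaming enforcement of XML Threat Protection-style limits (illustrative, not the gateway's code)."""
import xml.parsers.expat
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class XmlLimits:
    """Mirrors the six policy parameters; -1 means 'no limit', as on the page."""
    maxNodeDepth: int = -1
    maxAttributeCountPerElement: int = -1
    maxChildCount: int = -1
    maxTextLength: int = -1
    maxAttributeLength: int = -1
    maxCommentLength: int = -1


class _LimitExceeded(Exception):
    """Internal signal used to abort expat as soon as one limit is violated."""


def _exceeds(value: int, limit: int) -> bool:
    return limit != -1 and value > limit


def check_xml(document: str, limits: XmlLimits) -> Optional[str]:
    """Stream-parse `document`; return the name of the first violated limit,
    'malformed' if the XML is not well-formed, or None if every check passes."""
    open_children = []   # one element-child counter per currently open element
    text_len = 0         # length of the text node currently being delivered

    def fail(name: str) -> None:
        raise _LimitExceeded(name)

    def flush_text() -> None:
        nonlocal text_len
        text_len = 0

    def on_start(name, attrs) -> None:
        flush_text()
        # Assumption: the root element sits at depth 1.
        if _exceeds(len(open_children) + 1, limits.maxNodeDepth):
            fail("maxNodeDepth")
        if open_children:  # Assumption: only element children are counted.
            open_children[-1] += 1
            if _exceeds(open_children[-1], limits.maxChildCount):
                fail("maxChildCount")
        # Namespace declarations are not counted, as the parameter table states.
        real = {k: v for k, v in attrs.items()
                if k != "xmlns" and not k.startswith("xmlns:")}
        if _exceeds(len(real), limits.maxAttributeCountPerElement):
            fail("maxAttributeCountPerElement")
        if any(_exceeds(len(v), limits.maxAttributeLength) for v in real.values()):
            fail("maxAttributeLength")
        open_children.append(0)

    def on_end(name) -> None:
        flush_text()
        open_children.pop()

    def on_text(data) -> None:
        nonlocal text_len
        text_len += len(data)  # expat may deliver one text node in several chunks
        if _exceeds(text_len, limits.maxTextLength):  # fail fast, do not buffer
            fail("maxTextLength")

    def on_comment(data) -> None:
        flush_text()
        if _exceeds(len(data), limits.maxCommentLength):  # Assumption: per comment
            fail("maxCommentLength")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.CommentHandler = on_comment
    try:
        parser.Parse(document, True)
    except _LimitExceeded as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return None


# Constructed limits for the demonstration (not a recommended configuration).
LIMITS = XmlLimits(maxNodeDepth=4, maxAttributeCountPerElement=3, maxChildCount=5,
                   maxTextLength=40, maxAttributeLength=20, maxCommentLength=40)

# Constructed sample request body that stays within every limit.
BENIGN = """<?xml version="1.0"?>
<!-- constructed sample order -->
<order xmlns="urn:example:orders" id="A-1001">
  <customer name="Ada">ada@example.invalid</customer>
  <item sku="X1" qty="2">Widget</item>
</order>"""

# Constructed inputs, each inflating exactly one of the six measured quantities.
SAMPLES = {
    "nesting":    "<a>" * 10 + "</a>" * 10,
    "attributes": "<a " + " ".join(f"k{i}='v'" for i in range(6)) + "/>",
    "children":   "<a>" + "<b/>" * 8 + "</a>",
    "text":       "<a>" + "x" * 100 + "</a>",
    "attribute":  "<a v='" + "y" * 50 + "'/>",
    "comment":    "<a><!--" + "z" * 100 + "--></a>",
}


def scan_samples(limits: XmlLimits = LIMITS) -> dict:
    """Return {sample name: verdict} for every constructed sample."""
    return {name: check_xml(doc, limits) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    print("benign ->", check_xml(BENIGN, LIMITS))
    for name, verdict in scan_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Because each check runs inside the parser callbacks, an oversized document is rejected as soon as the offending node is reached, so the cost of refusing it is bounded by the limit rather than by the document's size; leaving a field at -1 disables that check, exactly as the policy's default does.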

Managed Flex Gateway and Flex Gateway Connected Mode

When you apply the policy to your API instance from the UI, the following parameters are displayed:

Field | Description
Maximum Node Depth | Specifies the maximum node depth of an XML document.
Maximum Attribute Count Per Element | Specifies the maximum number of attributes in an element. Attributes used for defining namespaces are not counted.
Maximum Child Count | Specifies the maximum number of children of an element in the XML document.
Maximum Text Length | Specifies the maximum length in characters of text nodes in the XML document.
Maximum Attribute Length | Specifies the maximum length in characters of an attribute in the XML document.
Maximum Comment Length | Specifies the maximum number of comment characters in the XML document.