XML Threat Protection

XML Threat Protection is an interceptor that validates the contents of an XML, following pre-defined limits for a range of components. Thus, it avoids malicious attacks which send information outside the expected pattern.

To configure the interceptor, we have to fill in the fields of the image below with the desired values. You can read about all the pieces of information along this page.

xml threat protection

Field: Name Limits

Element

It specifies the maximum name size for any element in the XML.

<Customers>
<Customer CustomerID="6s695dp84">
  <CompanyName>Sensedia</CompanyName>
  <ContactName>Howard Snyder</ContactName>
  <ContactTitle>Marketing Manager</ContactTitle>
  <Phone>(19) 555-7555</Phone>
  <FullAddress>
    <Address>Rua Dr. Ricardo Benetton Martins.</Address>
    <City>Campinas</City>
    <Region>SP</Region>
    <PostalCode>13086-902</PostalCode>
    <Country>BR</Country>
  </FullAddress>
</Customer>
</Customers>

In the example above, we can set it to 12. Then, the interceptor will check if no name exceeds 12 characters.

Attribute

It specifies the maximum size for any attribute in the XML.

<Customer CustomerID="6s695dp84">
  <CompanyName>Sensedia</CompanyName>
  <ContactName>Howard Snyder</ContactName>
  <ContactTitle>Marketing Manager</ContactTitle>
  <Phone>(19) 555-7555</Phone>
</Customer>

In this example, the interceptor will verify if the size of the attribute CustomerID is under the limit of characters defined in the settings.

Namespace prefix

It specifies the maximum number of characters for any prefix.

<sensedia:gateway xmlns:sensedia="http://sensedia.com" xmlns:manager="http:sensedia.com/api-manager"

In this example, it will check the number of characters of the namespace sensedia, which is 8 characters.

Processing Instruction Target

It specifies the maximum number of characters for processing instruction targets.

<?xml-sensedia version="1.0" encoding="utf-8"?>

In this example, it will check if xml-sensedia is under the maximum number of characters. In this case, xml-sensedia has 12 characters.

Field: Structure Limits

Node depth

It specifies the maximum depth allowed.

<Customers>
   <Customer CustomerID="6s695dp84">
     <CompanyName>Sensedia</CompanyName>
     <ContactName>Howard Snyder</ContactName>
     <ContactTitle>Marketing Manager</ContactTitle>
     <Phone>(19) 555-7555</Phone>
     <FullAddress>
       <Address>Rua Dr. Ricardo Benetton Martins.</Address>
       <City>Campinas</City>
       <Region>SP</Region>
       <PostalCode>13086-902</PostalCode>
       <Country>BR</Country>
     </FullAddress>
   </Customer>
 </Customers>

In the example above, the depth is 4.

Attribute count per element

It specifies the amount of attributes per element.

<Customer CustomerID="3" CustomerID_web="s3ko05456sdsl">

In this example,there are two attributes: customerID and CustomerID_web.

Namespace count per element

It specifies the number of namespaces per element.

<sensedia:gateway xmlns:sensedia="http://sensedia.com" xmlns:manager="http:sensedia.com/api-manager"
             manager:sensedia="sensedia">

In this example, there are three: xmlns:sensedia, xmlns:manager and manager:sensedia.

Child count

It specifies the number of children of any element.

<Customers>
    <Customer CustomerID="6s695dp84">
      <CompanyName>Sensedia</CompanyName>
      <ContactName>Howard Snyder</ContactName>
      <ContactTitle>Marketing Manager</ContactTitle>
      <Phone>(19) 555-7555</Phone>
      <FullAddress>
        <Address>Rua Dr. Ricardo Benetton Martins.</Address>
        <City>Campinas</City>
        <Region>SP</Region>
        <PostalCode>13086-902</PostalCode>
        <Country>BR</Country>
      </FullAddress>
    </Customer>
  </Customers>

In the case above, the element Customer has five children: CompanyName, ContactName, ContactTitle, Phone and FullAddress

Field: Value Limits

Text

It specifies the maximum number of characters in the value of any element.

<ContactTitle>Marketing Manager</ContactTitle>

In this example, the value Marketing Manager has 17 characters.

Attribute

It specifies the maximum number of characters of the value of anyattribute.

<Customer CustomerID="6s695dp84">

In the example above, the value 6s695dp84 of the attribute CustomerID has nine characters.

Namespace URI

It specifies the maximum number of characters in the value of any namespace.

 <sensedia:gateway xmlns:sensedia="http://sensedia.com">

In this example, http://sensedia.com has 19 characters.

Comment

It specifies the maximum number of characters in the value of any comment.

<!--comment-->

In this example, the comment has seven characters.

Processing Instruction Data

It specifies the maximum number of characters in the value of any processing instruction data.

<?xml-sensedia version="1.0" encoding="utf-8"?>

In this example, utf-8 has five characters and 1.0 has two characters.

Errors

Here are the errors that can be returned when the interceptor finds any irregularity regarding the specifications above.

Error HTTP Code Request HTTP Code Response

XML

XML format invalid

400

500

Name Limits/Element

Name limits element exceeds the maximum allowed for this API (n)

400

500

Name Limits/Attribute

Name limits attribute exceeds the maximum allowed for this API (n)

400

500

Name Limits/Namespace prefix

Name limits namespace prefix exceeds the maximum allowed for this API (n)

400

500

Name Limits/Processing Instruction Target

Name limits processing instruction target exceeds the maximum allowed for this API (n)

400

500

Structure Limits/Node depth

Structure limits node depth element exceeds the maximum allowed for this API (n)

400

500

Structure Limits/Attribute count per element

Structure limits attribute count per element exceeds the maximum allowed for this API (n)

400

500

Structure Limits/Namespace count per element

Structure limits namespace count per element exceeds the maximum allowed for this API (n)

400

500

Structure Limits/Child count

Structure limits child count exceeds the maximum allowed for this API (n)

400

500

Value Limits/Text

Value limits text exceeds the maximum allowed for this API (n)

400

500

Value Limits/Attribute

Value limits attribute exceeds the maximum allowed for this API (n)

400

500

Value Limits/Namespace URI

Value limits namespace URI exceeds the maximum allowed for this API (n)

400

500

Value Limits/Comment

Value limits comment exceeds the maximum allowed for this API (n)

400

500

Value Limits/Processing Instruction Data

Value limits processing instruction data exceeds the maximum allowed for this API (n)

400

500

Invalid Content-Type

XML threat protection validation failed: Invalid Content-Type in Header → (Content type)

415

415

Content-Type not found

XML threat protection validation failed: Content-Type not found in Header

415

415

Thanks for your feedback!
EDIT

Share your suggestions with us!
Click here and then [+ Submit idea]