Apigee XML Threat Protection against XML bombs

I am developing an API proxy that takes an XML request payload and sends it through to a backend.
I am working on implementing an XML Threat Protection policy for this proxy, but during testing I noticed that it does not protect against XML bomb attacks such as this example listed on https://www.soapui.org/docs/security-testing/security-scans/xml-bomb/


I know one possible solution would be to implement Java code in the form of a Java callout to handle the protection. Is it possible to handle this using only Apigee policies?

1 ACCEPTED SOLUTION

Hi!

You should be able to use the XMLThreatProtection policy to protect your backend from XML bombs. In your example, as the entity values get longer the policy will block values longer than 8 kB. If you want to limit the resolved entity values further, then configure more restrictive <ValueLimits> for <Text>.

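A concrete policy configuration that applies the accepted answer, added here as an example and not taken from the thread: the policy name, display name and the numeric limits are assumptions chosen for illustration, while the element names are the ones the XMLThreatProtection policy defines. The limits are counts of characters, so <Text> caps the length of any text node after entity expansion, which is the value an XML bomb inflates.

```xml
<!-- Example XMLThreatProtection policy (name and limits are illustrative assumptions). -->
<XMLThreatProtection async="false" continueOnError="false" enabled="true" name="XTP-Block-Entity-Expansion">
    <DisplayName>XTP-Block-Entity-Expansion</DisplayName>
    <!-- Inspect the inbound request payload before it reaches the backend. -->
    <Source>request</Source>
    <!-- Maximum lengths (characters) of names used in the document. -->
    <NameLimits>
        <Element>64</Element>
        <Attribute>64</Attribute>
        <NamespacePrefix>16</NamespacePrefix>
        <ProcessingInstructionTarget>16</ProcessingInstructionTarget>
    </NameLimits>
    <!-- Shape of the tree: a flat request schema needs little depth or fan-out. -->
    <StructureLimits>
        <NodeDepth>8</NodeDepth>
        <AttributeCountPerElement>8</AttributeCountPerElement>
        <NamespaceCountPerElement>4</NamespaceCountPerElement>
        <ChildCount includeComment="true" includeElement="true"
                    includeProcessingInstruction="true" includeText="true">32</ChildCount>
    </StructureLimits>
    <!-- Maximum lengths (characters) of values. <Text> is what an entity-expansion
         payload blows up, so it is set to the longest legitimate text field instead
         of being left at the default. -->
    <ValueLimits>
        <Text>1024</Text>
        <Attribute>256</Attribute>
        <NamespaceURI>256</NamespaceURI>
        <Comment>256</Comment>
        <ProcessingInstructionData>256</ProcessingInstructionData>
    </ValueLimits>
</XMLThreatProtection>
```

Attach the policy as a Step in the ProxyEndpoint request PreFlow so it runs before any other policy touches the payload, and size each limit to the largest value the backend schema actually accepts. When a limit is exceeded the policy raises a fault and the request is not forwarded; confirm this in a test environment by replaying the SoapUI sample from the question and checking that the proxy rejects it rather than passing it through.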
