JSON threat protection on large payloads

Hi guys, what I'd like to know is: is there any way to use the JSON protection policy on large JSON request payloads? I know how the policy works, but what if the payload has a number of different elements and a different array count on each key and value pair?

As of now, I couldn't find any new way to look for the answer.

ACCEPTED SOLUTION

You'll want to pick the maximum realistic value for each category.

For example, if your JSON object has 3 arrays, with the following maximum sizes:

A) 10

B) 20

C) 30

Then you'll want to pick 30 (or 30 + headroom depending on your level of certainty) for ArrayElementCount.

JSONThreatProtection is not designed to type-check your JSON payloads (you could do that in JS if you wanted though), but to protect the backend JSON parsing from resource exhaustion attacks. Your values should be sufficiently low that attackers can't DoS your backend.
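Added example (not part of the original answer and not Apigee's own code): one way to apply the advice above is to measure representative payloads, take the per-category maximum, add headroom, and emit the policy limits. The sample payload, the 20% headroom and the policy name `JTP-Request` are assumptions.

```javascript
// Added example: derive JSONThreatProtection limits from representative payloads.
// Lengths are JavaScript string lengths (UTF-16 units), an approximation.
function measure(value, depth, stats) {
  const bump = (name, n) => { stats[name] = Math.max(stats[name], n); };
  if (Array.isArray(value)) {
    bump("ContainerDepth", depth);
    bump("ArrayElementCount", value.length);
    for (const item of value) measure(item, depth + 1, stats);
  } else if (value !== null && typeof value === "object") {
    const keys = Object.keys(value);
    bump("ContainerDepth", depth);
    bump("ObjectEntryCount", keys.length);
    for (const key of keys) {
      bump("ObjectEntryNameLength", key.length);
      measure(value[key], depth + 1, stats);
    }
  } else if (typeof value === "string") {
    bump("StringValueLength", value.length);
  }
}

// Per-category maximum over all samples, plus integer-percent headroom.
function deriveLimits(samples, headroomPercent) {
  const observed = { ArrayElementCount: 0, ContainerDepth: 0, ObjectEntryCount: 0,
                     ObjectEntryNameLength: 0, StringValueLength: 0 };
  for (const text of samples) measure(JSON.parse(text), 1, observed);
  const limits = {};
  for (const [name, max] of Object.entries(observed)) {
    limits[name] = Math.ceil((max * (100 + headroomPercent)) / 100);
  }
  return { observed, limits };
}

function toPolicyXml(limits, policyName) {
  const rows = Object.entries(limits).map(([k, v]) => `  <${k}>${v}</${k}>`);
  return [`<JSONThreatProtection name="${policyName}">`, ...rows,
          "  <Source>request</Source>", "</JSONThreatProtection>"].join("\n");
}

// Constructed sample matching the answer: three arrays of 10, 20 and 30 elements.
const samplePayloads = [JSON.stringify({
  a: Array.from({ length: 10 }, (_, i) => i),
  b: Array.from({ length: 20 }, (_, i) => ({ id: i })),
  c: Array.from({ length: 30 }, (_, i) => "item-" + i),
})];

const result = deriveLimits(samplePayloads, 20); // 20% headroom is an assumption
console.log(toPolicyXml(result.limits, "JTP-Request")); // policy name is hypothetical
```

Feed it the largest legitimate payloads you expect to see, so the derived limits reflect realistic maxima rather than typical traffic.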
