bomb attack

banto_78
Participant III

Hi all,

I am wondering what mechanism Edge offers to protect against bomb attacks. Let's say I want to check that a REST payload is not bigger than 10MB. I have checked the different Edge protection policies but none of them looks to answer my question. Any hint appreciated.

Thanks a lot

2 ACCEPTED SOLUTIONS

Not applicable

We can do it by determining the length of message.content in JavaScript, something like:

// Read the request payload and take its length (in characters).
var clientRequestPayload = context.getVariable("message.content");
var clientRequestPayloadSize = clientRequestPayload.length;


You can catch a lot of these by checking the Content-Length header. A conditional RaiseFault policy could be used like so:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="Throw413">
    <DisplayName>Throw413</DisplayName>
    <Properties/>
    <FaultResponse>
        <Set>
            <Headers/>
            <Payload contentType="text/plain"/>
            <StatusCode>413</StatusCode>
            <ReasonPhrase>Request Entity Too Large</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

.. and applied ...

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <Description/>
    <FaultRules/>
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>Throw413</Name>
                <Condition>request.header.Content-Length > 100</Condition>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
...

Adding a condition based on the variable created in Meghdeep's solution would give you the extra security of handling situations where you don't trust the clients to send accurate headers.

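The two checks from the accepted answers combined into one JavaScript policy body, as an added example that is not part of the original posts. It rejects on the declared Content-Length first, then measures the buffered body in UTF-8 bytes, because String.length counts characters and under-reports multi-byte text. MAX_BYTES, utf8ByteLength, checkPayload and the payload.* flow variable names are assumptions, and the byte count assumes a UTF-8 text body.

```javascript
// Added example, not code from the thread. MAX_BYTES and the flow variable
// names payload.tooLarge / payload.rejectReason are assumptions.
var MAX_BYTES = 10 * 1024 * 1024;

// UTF-8 byte count of a JS string; String.length counts UTF-16 code units,
// so "€€€€" has length 4 but occupies 12 bytes on the wire.
function utf8ByteLength(str) {
  var bytes = 0;
  for (var i = 0; i < str.length; i++) {
    var c = str.charCodeAt(i);
    if (c < 0x80) { bytes += 1; }
    else if (c < 0x800) { bytes += 2; }
    else if (c >= 0xD800 && c <= 0xDBFF && i + 1 < str.length &&
             (str.charCodeAt(i + 1) & 0xFC00) === 0xDC00) {
      bytes += 4; i++;            // surrogate pair = one 4-byte code point
    } else { bytes += 3; }
  }
  return bytes;
}

// Returns { reject: boolean, reason: string }.
function checkPayload(declaredLength, body, maxBytes) {
  // Absent header (e.g. chunked transfer) is allowed; the body check decides.
  if (declaredLength !== null && declaredLength !== undefined) {
    var text = String(declaredLength).trim();
    if (!/^\d+$/.test(text)) {
      return { reject: true, reason: "invalid Content-Length" };
    }
    if (parseInt(text, 10) > maxBytes) {
      return { reject: true, reason: "declared size over limit" };
    }
  }
  // Do not trust the header alone: measure what actually arrived.
  var actual = utf8ByteLength(body ? String(body) : "");
  if (actual > maxBytes) {
    return { reject: true, reason: "actual size over limit" };
  }
  return { reject: false, reason: "" };
}

// Inside an Edge JavaScript policy the context object exists; elsewhere
// (for example under Node.js) this block is skipped.
if (typeof context !== "undefined") {
  var result = checkPayload(context.getVariable("request.header.Content-Length"),
                            context.getVariable("message.content"), MAX_BYTES);
  context.setVariable("payload.tooLarge", result.reject);
  context.setVariable("payload.rejectReason", result.reason);
}
```

The Throw413 step can then be conditioned on payload.tooLarge instead of on the header alone.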

4 REPLIES

Hi @bantobanto,

If you want to skip JS callout, you can plug it into the step condition itself like below -

<Step>
    <Name>Raisefault</Name>
    <Condition>request.content.length > 10000000</Condition>
</Step>

Thanks,

Abhishek

banto_78
Participant III

Thanks all for the valid answer. I also understand that the max message size for Edge Cloud is 10MB. So maybe the opposite issue would be what if I want to upload a file greater than 10MB? Should I chunk it?