JSON Threat Protection for API Gateway¶
The JSON threat protector in WSO2 API Manager validates the request body of the JSON message based on pre-configured to thwart payload attacks.
Detecting vulnerabilities before parsing the message¶
The json_validator sequence specifies the properties to be limited in the payload. A sample json_validator sequence is given below.
<sequence xmlns="http://ws.apache.org/ns/synapse" name="json_validator">
<log level="custom">
<property name="IN_MESSAGE" value="json_validator"/>
</log>
<property name="maxPropertyCount" value = "100"/>
<property name="maxStringLength" value = "100"/>
<property name="maxArrayElementCount" value = "100"/>
<property name="maxKeyLength" value = "100"/>
<property name="maxJsonDepth" value = "100"/>
<property name="RequestMessageBufferSize" value="1024"/>
<class name="org.wso2.carbon.apimgt.gateway.mediators.JsonSchemaValidator"/>
</sequence>
Property | Default Value | Description |
---|---|---|
maxPropertyCount | 100 | Maximum number of properties |
maxStringLength | 100 | Maximum length of string |
maxArrayElementCount | 100 | Maximum number of elements in an array |
maxKeyLength | 100 | Maximum number length of key |
maxJsonDepth | 100 | Maximum length of JSON |
Editing the sequence through registry artifacts¶
To edit the existing sequence follow the steps below.
- Go to Policies section in the Publisher Portal.
- Add a new policy with the name JSON Validator and provide an newer version.
- Upload the Policy File with the required changes.
- Click Save to save the newer version of the policy.
- Apply the newly created policy to the API as per the below section.
Applying the JSON validator policy¶
You can apply the predefined JSON Policy through the UI. Follow the instructions below to apply the json_validator in sequence.
- Create an API or edit an existing API.
- Go to Policies under the API Configuration sub-section from the left hand panel.
- As required, drag and drop the JSON Validator from the Policy List tab into Request Flow.
-
Provide the required parameters for JSON validation.
-
Scroll down the page and click Save to save the changes (click Save and Deploy and deploy the API for the changes to take effect in the gateways).
Testing the JSON threat protector¶
You can edit the sequence to set the property values according to your requirements. A sample request and response for each property value set to 5 is given below.
Note that this exceeds the JSON property count
Warning
Performance impact
The JSON schema mediator builds the message at the mediation level. This impacts the performance of 10KB messages
for 300 concurrent users by 5.2 times than the normal flow.